Merchant Customer Exchange (MCX) says that CurrentC, a mobile payment offering backed by giant retailers like Wal-Mart, Best Buy, Old Navy, Target, CVS, and more, has been compromised.
The breach only affects email addresses, some of them dummy accounts used for testing, but this is another mark against the Apple Pay rival, already facing a backlash for their mobile payment solution. On Google Play, the invite only application has several pages of negative reviews and opinions, mostly warning uses away from the application itself.
In an email to users, MCX says that attackers compromised email addresses, but the CurrentC application itself was not targeted:
"Thank you for your interest in CurrentC. You are receiving this message because you are either a participant in our pilot program or requested information about CurrentC. Within the last 36 hours, we learned that unauthorized third parties obtained the e-mail addresses of some of you. Based on investigations conducted by MCX security personnel, only these e-mail addresses were involved and no other information..."
The alert goes on to warn against social engineering, reminding users that MCX will never seek personally identifiable details or financial information via email. MCX didn't explain how the email addresses were compromised, but stressed that the CurrentC application itself was not impacted.
Given the company's stated remarks on data protection, the likely target was the "secure cloud-hosted network" used by MCX to store payment information and other data used by CurrentC.
It isn't clear how data is segmented and stored on the MCX network, assuming there is a separation at all.
"It's entirely possible that the Web site at which parties interested in CurrentC had a registration database connected to it. The CurrentC announcement time boxed the announcement somewhat to those who expressed interest in the last 36 hours. It's entirely possible that the marketing function and the CurrentC product/service function are separate. That style of partitioning should be a best practice for any online service with customer facing property," said John Zurawski, VP of Authentify, in a statement.
"A more salient question to ask [relative to the hack] would be, are the user email addresses the same as the username? If that is true, how are the CurrentC accounts protected from brute force password/dictionary attacks?" he asked.
MCX has essentially downplayed the incident, something Zurawski doesn't fully agree with. He said that this is not something users of CurrentC should take lightly.
It's misleading, he asserted, to downplay the threat – especially if the email addresses in question are also tied to user's financial accounts or other online identities that contain sensitive personal information.
"In this case, CurrentC is claiming that some of the accounts were dummy accounts – but, if that’s not true of all users, then they should be immediately changing passwords and making certain they have multiple authentication factors set up to mitigate their risks."
Will this incident have a damaging impact to MCX and their offering?
"I believe CurrentC is classified as a beta system right now, and systems as complex as these will have issues when they rollout to wider test audiences. That's why you beta test. From a consumer perspective, I'm not sure how high profile CurrentC is right now, but I do believe any "hit" to the consumer adoption rate [of any new form of digital payment] by breach announcements will have a cumulative effect," Zurawski said.
So what about Apple Pay? What if the tables were turned and Apple was the company breached?
"Apple Pay is in a category all its own. Their brand is strong enough that a good percentage of their disciples, and I use that word purposefully, will use anything Apple because it's Apple. On the other hand, less than 5% of the retailers are equipped to handle NFC payments. A breach of Apple Pay would not impact a significant portion of shoppers. But a breach of their payment system would be highly publicized. I suspect the average consumer would begin to think that if this can happen to Apple nothing is safe," he added.
"The more frequently breach announcements come, the more aware of the problem the consumer becomes. For instance, if another major retailer were to announce another credit card information breach, were you to interview shoppers on the street about how they plan to pay for their holiday gifts, a significant number would answer 'with cash because it's the safest.'"
Update:
On a somewhat related privacy / security note, Nick Arnott raised some interesting questions about the data that's collected and transmitted by the CurrentC application. His report is here.