Thursday, 30 October 2014

CurrentC Mobile Payment System Hacked, User Info Stolen

CurrentC, the mobile payment service backed by the Merchant Customer Exchange (MCX), has suffered a data breach.

"Within the last 36 hours, we learned that unauthorized third parties obtained the e-mail addresses of some of our CurrentC pilot program participants and individuals who had expressed interest in the app," the company stated in a blog post.

"We have notified our merchant partners about this incident and directly communicated with each of the individuals whose email addresses were involved. We take the security of our users’ information extremely seriously. MCX is continuing to investigate this situation and will provide updates as necessary."

The CurrentC app itself was not affected, they said, and many of the compromised email addresses are dummy accounts set up by the company for testing purposes only.

The CurrentC app functions like this: users scan QR codes to pay for items, and the app uploads a token placeholder tied to their bank account to effect the purchases. No actual financial data is transmitted - the customer's financial institution converts the code into the information needed to initiate the payment directly from the account. The app also collects information about the users' purchases and shares it with merchants.

This mobile payment system is backed by a consortium of US retail companies such as Best Buy, CVS, Sears, Target, Walmart and many others, and it allows them to do away with the traditional credit card transaction fees.

CurrentC is a direct competitor to Google Wallet and Apple Pay, and is currently in the pilot stage. The full roll-out is scheduled for next year.

"MCX does not store sensitive customer information in the app. Users’ payment information is instead stored in our secure cloud-hosted network. Removing this sensitive information from the mobile device significantly lowers the risk of it being inappropriately disclosed in a case that the mobile device is hacked, stolen or otherwise compromised," the company shared on the same day as the breach announcement, adding that it is still investigating how the breach happened.

However it happened, I guess it's a good thing it did happen now, while the project is still in its infancy. Hopefully this will spur the company to concentrate even more on creating a secure system.

Source:
netsecurity.org