Just as the merchants supporting CurrentC had began to take clear steps to shut out recently unveiled rival Apple Pay, hackers stole email addresses from the mobile payment app, leaving some to speculate that consumer confidence will drop and Apple could gain an advantage.
In a statement on its website, the Merchant Customer Exchange (MCX), the alliance of retailers behind CurrentC, acknowledged the hack by unauthorized third parties who “obtained the e-mail addresses of some of our CurrentC pilot program participants and individuals who had expressed interest in the app.”
MCX noted that many of the addresses “are dummy accounts used for testing purposes only” and that “the CurrentC app itself was not affected.”
The alliance said it has notified its merchant members and “directly communicated with each of the individuals whose email addresses were involved.” The statement reiterated MCX’s commitment to “the security of our users’ information” and promised continued investigation of the hack.
But in the wake of an ever-growing number of data breaches that have hit Target, Dairy Queen, Kmart and other retailers, it won’t take much to send consumers running scared, away from mobile payment options altogether or into the arms of another method, such as Google Wallet or Apple Pay.
“The ‘average’ consumer hears the word breach and immediately thinks ‘Again? Another one?'” John Zurawski, vice president at Authentify, told SCMagazine.com in a Wednesday interview. “And the cumulative effect on their feeling of safety online is dented and diminished once again.”
That might not be what MCX wants to hear. Members of the alliance like Walmart and Best Buy, have thrown their weight behind CurrentC, which is still in beta, and have effectively tried to shut out Apple Pay and, as a result, other forms of mobile payment like the established Google Wallet.
Zurawski and others were quick to point out that the CurrentC app itself had not been breached. “The service was hacked and emails were lost. That distinction is important as a breach contains access to financial data and this hack contains mostly just personal information,” Chris Morales, practice manager of architecture and infrastructure at NSS Labs, said in a statement sent to SCMagazine.com.
While Zurawski contended that “the best time to be hacked is while your product is in beta,” he advocated for stronger security and noted that the incident shouldn’t be minimized simply because the hackers just accessed email. “The real worry gets to be what ability do they have to cross-match (emails) to other data,” he said.
And Chris Wysopal, CTO at Veracode, said in a statement emailed to SCMagazine.com that the“breached email addresses will likely be used for phishing and other targeted attacks.”
Wysopal sees the hack as a wakeup call for businesses, saying that they “need to secure all of their applications and infrastructure, not just the parts they deem highest risk.”
He also noted that companies often focus their efforts “on the crown jewels” and leave “lower risk websites such as customer and vendor portals” unsecured.
“Attackers take advantage of this. They find places where security has been de-emphasized and leverage those weak points as stepping stones to further attacks,” he said. “A payment processor really needs pervasive security.”
It may be too early to tell if the breach will have any long-term impact on CurrentC’s future, but it does add to the mobile payment’s growing list of woes, among them a lack of standards and regulation, the exchange merchants’ attempts to shut out Apple, the valid perception that the mobile payment system is more of benefit to retailers and now security issues.
“CurrentC was devised years ago, long before Apple even hinted at the idea of Apple Pay, by the retail merchants as a way to bypass the banks. So, what we are seeing here is a non-regulated, non-compliant, non-standardized market for money exchange,” said Morales. “CurrentC collects an extensive amount of personal information, including social security numbers and health information, and has a policy of sharing this information with retail partners along with user location information and buying habits. It is very intrusive and the app is clearly designed in the retailers’ best interests, not the consumers’.”
“The shut out of Apple, which was due to existing contracts that deny the acceptance of any competing standards, also only makes the retailers and CurrentC look worse,” said Morales. But is that enough to turn consumers and merchants to ApplePay? Only time will tell.
Zurawski noted that “Apple Pay and CurrentC are barely past infancy,” though Apple has a base of 800 million iTune accounts to appeal to. “That’s kind of a built-in population to target for Apple Pay,” he said. But he predicted the flood of breach announcements “will slow the adoption rate” of mobile payment in general.