
CurrentC breach raises questions about mobile-payment security

CurrentC, the retailer-backed mobile-payment platform, admitted to the breach shortly after the Apple Pay competitor was blamed for shutting down other NFC-based payment options.

CurrentC, an emerging mobile-payment platform backed by a number of high-profile retailers, has suffered a security breach, sources confirmed Wednesday.

Merchant Customer Exchange, the developer behind CurrentC, told The Wall Street Journal that attackers had compromised the email addresses of an unknown number of participants in the CurrentC pilot program, but that the payment application itself was not affected. The incident is being investigated, and the retailers whose email addresses were compromised have been notified.

CurrentC, set to launch next year, is being developed as an alternative to Google Wallet, Apple Pay and other mobile-payment options that generally rely on near-field communication (NFC) technology. CurrentC instead utilizes QR codes that are displayed on a cashier's screen or payment terminal, with consumers using their phones to scan the codes and initiate transactions.

The incident comes just days after CurrentC was cited as the reason why Wal-Mart, Rite-Aid, CVS and other retailers had ceased accepting NFC-based payments from rivals, which led Reddit users to call for a boycott of CurrentC and to a flood of negative reviews on the Apple App Store and Google Play Store.

CurrentC security approach questioned

Industry observers say the CurrentC approach is not only more cumbersome for consumers -- Apple Pay users need only hold their phones next to an NFC-enabled payment terminal with a thumb on the Touch ID sensor -- but could also pose serious security problems.

Unlike its competitors, CurrentC requires users to link a bank account rather than a credit or debit card. That lets retailers bypass the card processing fees that Wal-Mart and others have fought for years, at the price of giving them direct access to customers' bank accounts. CurrentC also applies discounts from retailers' loyalty programs, so a breach could expose purchase and loyalty data on top of banking details.

In contrast, the recently launched Apple Pay platform won plaudits from security experts as a safer alternative to traditional card-based payment systems in the U.S. Its token-based approach substitutes a device-specific Device Account Number for the card number and pairs it with a dynamic security code generated for each transaction, so the merchant never receives the real card number, and Apple says it does not store card numbers on the device or on its servers and does not keep transaction details that can be tied back to the user. Apple also reported that the platform overtook Google Wallet and other mobile wallets to lead the space within days of its release.
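To make the tokenization idea concrete, here is a toy model of the exchange described above: the issuer side hands the phone a token and a key instead of the card number, the phone sends the merchant the token plus a per-transaction cryptogram, and the token service maps the token back to the real PAN. This is an added illustration written for this article, not Apple's or any payment network's actual scheme (real EMV tokenization uses network-issued tokens and payment-network cryptograms); the message fields, the HMAC-based cryptogram, the counter-based replay check and the sample card number are all assumptions.

```python
"""Toy card-tokenization flow with a per-transaction cryptogram.

Added example, not Apple Pay's real protocol. Assumptions: a 16-digit
token standing in for the PAN, an HMAC-SHA256 cryptogram over the
transaction fields, and a monotonically increasing counter for replay
detection. The PAN below is a constructed test value.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def _cryptogram(key: bytes, token: str, merchant: str, amount_cents: int, counter: int) -> str:
    """Cryptogram binding the token to one specific transaction."""
    data = f"{token}|{merchant}|{amount_cents}|{counter}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


@dataclass
class TokenServiceProvider:
    """Issuer-side vault: maps tokens back to the real PAN and holds the
    per-token key used to verify cryptograms. Only this side ever sees the PAN."""
    vault: dict = field(default_factory=dict)          # token -> (pan, key)
    seen_counters: dict = field(default_factory=dict)  # token -> last accepted counter

    def provision(self, pan: str) -> tuple:
        """Replace a PAN with a device-specific token and key.
        The token and key go to the device; the PAN never leaves the vault."""
        token = "4" + "".join(str(secrets.randbelow(10)) for _ in range(15))
        key = secrets.token_bytes(32)
        self.vault[token] = (pan, key)
        self.seen_counters[token] = 0
        return token, key

    def authorize(self, msg: dict) -> tuple:
        """Validate what the merchant forwarded. Returns (approved, reason)."""
        entry = self.vault.get(msg["token"])
        if entry is None:
            return False, "unknown token"
        pan, key = entry
        # Counter must strictly increase: a replayed or reordered message is refused.
        if msg["counter"] <= self.seen_counters[msg["token"]]:
            return False, "replay"
        expected = _cryptogram(key, msg["token"], msg["merchant"],
                               msg["amount_cents"], msg["counter"])
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return False, "bad cryptogram"
        self.seen_counters[msg["token"]] = msg["counter"]
        return True, f"approved for card ending {pan[-4:]}"


@dataclass
class Device:
    """The phone: holds a token and key, never the PAN."""
    token: str
    key: bytes
    counter: int = 0

    def pay(self, merchant: str, amount_cents: int) -> dict:
        """Everything the terminal (and so the merchant) receives."""
        self.counter += 1
        return {
            "token": self.token,
            "merchant": merchant,
            "amount_cents": amount_cents,
            "counter": self.counter,
            "cryptogram": _cryptogram(self.key, self.token, merchant,
                                      amount_cents, self.counter),
        }


def demo() -> dict:
    """Run one purchase, then show what a merchant-side breach buys an attacker."""
    tsp = TokenServiceProvider()
    pan = "4111111111111111"  # constructed sample PAN, not a real card
    token, key = tsp.provision(pan)
    phone = Device(token, key)

    msg = phone.pay("MERCHANT-001", 1999)           # $19.99 at one merchant
    first = tsp.authorize(msg)                      # legitimate transaction
    replay = tsp.authorize(msg)                     # attacker resends the stolen record
    tampered = dict(msg, amount_cents=199900, counter=msg["counter"] + 1)
    forged = tsp.authorize(tampered)                # attacker edits amount, bumps counter
    return {
        "merchant_sees_pan": pan in str(msg),
        "first": first,
        "replay": replay,
        "forged": forged,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The merchant's copy of the message carries no PAN, the cryptogram can only be redeemed once, and without the device key an attacker cannot produce a valid cryptogram for a different amount, which is why a breach of the merchant yields far less than a dump of stored card numbers would.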

Adrian Lane, senior security strategist and chief technology officer for Phoenix-based security consultancy Securosis LLC, explained in a blog post that CurrentC's approach should worry consumers because they will lose the fraud protections that are a key feature of credit cards. When retailers such as Home Depot and Target suffered massive breaches, for example, customers whose card data was stolen were not held responsible for fraudulent purchases and had any lost funds returned.

Bank accounts, on the other hand, provide no such protections for consumers, according to Lane, meaning criminals could drain an account entirely and the victim would have no recourse. In practice, U.S. consumers do have some recourse for unauthorized electronic debits under Regulation E, but it depends on prompt reporting, and the money is missing from the account until the bank resolves the dispute rather than being a charge the customer simply declines to pay.

"CurrentC promises to deliver the merchants from credit card transaction fees, PCI-DSS security requirements and liability -- all with direct access to your money," said Lane on the Securosis website. "Customers get all the liability, most of the hassle (the checkout process promises to be painful for both purchasers and clerks), and less security.

"Somewhere Darth Sidious is laughing at the fiendish genius of it all," Lane added.


How secure is Apple Pay? Apple is expected to do something about the vulnerability that its Touch ID brings: biometrics operated with a password in the OR/disjunction way (as in the case of the iPhone) offer lower security than when only the password is used. Biometrics can theoretically be operated together with passwords in two ways, (1) by AND/conjunction or (2) by OR/disjunction. I would appreciate hearing if someone knows of a biometric product operated by (1). The users of such products must have been notified that, when falsely rejected by the biometric sensor with the device finally locked, they would have to see the device reset. It is the same with biometrics operated without passwords altogether. Biometric products like Apple's Touch ID are generally operated by (2) so that users can unlock the device by password when falsely rejected by the biometric sensor. This means that the overall vulnerability of the product is the sum of the vulnerability of biometrics (x) and that of a password (y). The sum (x + y - xy) is necessarily larger than the vulnerability of a password (y); that is, devices with Touch ID and other biometric sensors are less secure than devices protected only by a password. It is very worrying to see so many ICT people being indifferent to the difference between AND/conjunction and OR/disjunction when talking about "using two factors together".
Yeah, I'm going to give my bank account information to retailers in order to use a system that is insecure, hard to use, and allows them (or anyone compromising their system) to reach directly into my bank and withdraw money. Sure. Anyone offering a good deal on a bridge, too? I'll stick with Apple Pay and boycott merchants that attempt to force me to use CurrentC.