CurrentC, an emerging mobile-payment platform backed by a number of high-profile retailers, has suffered a security breach, sources confirmed Wednesday.
Merchant Customer Exchange, the developer behind CurrentC, told The Wall Street Journal that attackers had compromised the email addresses of an unknown number of participants in the CurrentC pilot program, but that the payment application itself was not affected. The incident is being investigated, and the retailers that had email addresses compromised have been notified.
CurrentC, set to launch next year, is being developed as an alternative to Google Wallet, Apple Pay and other mobile-payment options that generally rely on near-field communication (NFC) technology. CurrentC instead utilizes QR codes that are displayed on a cashier's screen or payment terminal, with consumers using their phones to scan the codes and initiate transactions.
The incident comes just days after CurrentC was cited as the reason why Wal-Mart, Rite-Aid, CVS and other retailers had ceased accepting NFC-based payments from rivals, which led Reddit users to call for a boycott of CurrentC and to a flood of negative reviews on the Apple App Store and Google Play Store.
CurrentC security approach questioned
Industry observers say the CurrentC mobile-payment approach is not only more complicated for consumers -- Apple Pay users need only place their phones next to an NFC-enabled payment terminal and place their thumbs on their phone's TouchID scanner -- but CurrentC could also pose serious security problems.
Unlike its competitors, CurrentC requires users to add bank account information rather than a credit or debit card number -- a move that allows retailers to avoid the payment card processing fees that Wal-Mart and others have fought for years, in favor of direct access to customers' bank accounts. CurrentC also applies discounts from retailers' loyalty programs, meaning that even more customer data could potentially be exposed in the case of a breach.
In contrast, the recently launched Apple Pay platform won plaudits from security experts as a safer alternative to traditional card-based payment systems in the U.S., as its token-based approach utilizes one-time-use Device Account Numbers instead of card numbers and doesn't store any customer information either on Apple devices or servers. According to Apple, its mobile payment platform was so well received that it reportedly overtook the likes of Google Wallet and others as the leader in the space just days after its release.
Adrian Lane, senior security strategist and chief technology officer for Phoenix-based security consultancy Securosis LLC, explained in a blog post that CurrentC's approach should worry consumers because they will lose the fraud protections that are a key feature of credit cards. When retailers such as Home Depot and Target have suffered massive breaches, for example, customers who had card data stolen were not responsible for any fraudulent purchases and would have all funds returned in such cases.
Bank accounts, on the other hand, provide no such protections for consumers, according to Lane, meaning criminals could drain an account entirely and the victim would have no recourse.
"CurrentC promises to deliver the merchants from credit card transaction fees, PCI-DSS security requirements and liability -- all with direct access to your money," said Lane on the Securosis website. "Customers get all the liability, most of the hassle (the checkout process promises to be painful for both purchasers and clerks), and less security.
"Somewhere Darth Sidious is laughing at the fiendish genius of it all," Lane added.