Hackers have stolen email addresses from pilot users of the mobile payment platform CurrentC, just as the merchants supporting the application began taking clear steps to shut out the rival Apple Pay.
The alliance of retailers behind CurrentC, the Merchant Customer Exchange (MCX), revealed the system had been accessed by unauthorised third parties who “obtained the e-mail addresses of some of our CurrentC pilot program participants and individuals who had expressed interest in the app.”
MCX noted that many of the addresses were “dummy accounts used for testing purposes only” and that “the CurrentC app itself was not affected.”
The alliance said it had notified its merchant members and “directly communicated with each of the individuals whose email addresses were involved.”
MCX said it was committed to “the security of our users' information” and promised continued investigation of the hack.
But in the wake of an ever-growing number of data breaches that have hit Target, Dairy Queen, Kmart and other retailers, it won't take much to send consumers running scared.
“The ‘average’ consumer hears the word breach and immediately thinks ‘Again? Another one?’” John Zurawski, vice president at Authentify, said.
“And the cumulative effect on their feeling of safety online is dented and diminished once again.”
That might not be what MCX wants to hear. Members of the alliance like Walmart and Best Buy have thrown their weight behind CurrentC, which is still in beta, in an effort to shut out Apple Pay and, by extension, other forms of mobile payment such as the established Google Wallet.
Zurawski and others were quick to point out that the CurrentC app itself had not been breached.
“The service was hacked and emails were lost. That distinction is important as a breach contains access to financial data and this hack contains mostly just personal information,” Chris Morales, practice manager of architecture and infrastructure at NSS Labs, said in a statement.
While Zurawski contended that “the best time to be hacked is while your product is in beta,” he advocated stronger security and noted that the incident shouldn't be minimised simply because the hackers only obtained email addresses.
“The real worry gets to be what ability do they have to cross-match (emails) to other data,” he said.
Chris Wysopal, CTO at Veracode, said the “breached email addresses will likely be used for phishing and other targeted attacks.”
Wysopal sees the hack as a wakeup call for businesses, saying they “need to secure all of their applications and infrastructure, not just the parts they deem highest risk.”
He also noted that companies often focus their efforts “on the crown jewels” and leave “lower risk websites such as customer and vendor portals” unsecured.
“Attackers take advantage of this. They find places where security has been de-emphasised and leverage those weak points as stepping stones to further attacks,” he said. “A payment processor really needs pervasive security.”
It may be too early to tell whether the breach will have any long-term impact on CurrentC's future, but it does add to the mobile payment system's growing list of woes: a lack of standards and regulation, the exchange merchants' attempts to shut out Apple, the valid perception that the system benefits retailers more than consumers, and now security issues.
“CurrentC was devised years ago, long before Apple even hinted at the idea of Apple Pay, by the retail merchants as a way to bypass the banks. So, what we are seeing here is a non-regulated, non-compliant, non-standardised market for money exchange,” Morales said.
“CurrentC collects an extensive amount of personal information, including social security numbers and health information, and has a policy of sharing this information with retail partners along with user location information and buying habits. It is very intrusive and the app is clearly designed in the retailers' best interests, not the consumers'.
“The shut out of Apple, which was due to existing contracts that deny the acceptance of any competing standards, also only makes the retailers and CurrentC look worse.”
But is that enough to turn consumers and merchants to Apple Pay? Only time will tell.
Zurawski noted that Apple Pay and CurrentC are “barely past infancy,” though Apple has a base of 800 million iTunes accounts to appeal to.
“That's kind of a built-in population to target for Apple Pay,” he said. But he predicted the flood of breach announcements “will slow the adoption rate” of mobile payment in general.