
MCX’s CurrentC, the infamous Apple Pay competitor, says its already been hacked


CurrentC, the much-discussed and infamous competitor to the Apple Pay mobile payments platform, has some more bad press coming its way. According to an email sent out this morning to its pilot program customers, the MCX service has already been hacked. The notice says “unauthorized third parties” obtained email address information for an unannounced number of users:

Thank you for your interest in CurrentC. You are receiving this message because you are either a participant in our pilot program or requested information about CurrentC. Within the last 36 hours, we learned that unauthorized third parties obtained the e-mail addresses of some of you. Based on investigations conducted by MCX security personnel, only these e-mail addresses were involved and no other information.

In an abundance of caution, we wanted to make you aware of this incident and urge you not to open links or attachments from unknown third parties. Also know that neither CurrentC nor Merchant Customer Exchange (MCX) will ever send you emails asking for your financial account, social security number or other personally identifiable information. So if you are ever asked for this information in an email, you can be confident it is not from us and you should not respond.

MCX is continuing to investigate this situation and will provide updates as necessary. We take the security of your information extremely seriously, apologize for any inconvenience and thank you for your support of CurrentC.

For those not following the MCX vs. Apple Pay saga, MCX powers a payments platform utilized by key retailers such as WalMart, CVS, and RiteAid. After initially supporting NFC-based payments via Apple Pay and Google Wallet, those retailers shut down their industry-standard NFC-based payment processing systems in favor of the CurrentC app from MCX.

MCX has since responded to this controversy on its website, and Apple CEO Tim Cook referred to the entire situation as a “skirmish.” Meanwhile, reports have indicated that retailers are playing along with MCX in order to avoid fines discussed in early contractual agreements. Nonetheless, Apple Pay has already amassed over a million activations, becoming the most ubiquitous mobile payments platform in just about a week.

MCX has confirmed that the email to customers is legitimate and said the following:

“Within the last 36 hours, we learned that unauthorized third parties obtained the e-mail addresses of some of our CurrentC pilot program participants and individuals who had expressed interest in the app. Many of these email addresses are dummy accounts used for testing purposes only. The CurrentC app itself was not affected.

We have notified our merchant partners about this incident and directly communicated with each of the individuals whose email addresses were involved. We take the security of our users’ information extremely seriously. MCX is continuing to investigate this situation and will provide updates as necessary.”



Comments

  1. I retract my comment on the previous CurrentC article. NOW they’ve put their foot in it.

  2. Overlord - 9 years ago

    The shit hit the fan

  3. Ben Lovejoy - 9 years ago

    It just gets better …

  4. xprmntr - 9 years ago

    Lame

  5. William Hook - 9 years ago

    LOL

  6. oxfdblue - 9 years ago

    The only thing that comes to mind…

    https://www.youtube.com/watch?v=rX7wtNOkuHo

  7. Paul Findsen - 9 years ago

    HA! HA! /Nelson

  8. Do we know if Apple Pay has actually been tested by the hacking community? Until we know if hackers can access the NFC chip sans fingerprint access in the iPhone, we are still vulnerable. Let us not forget that the Titanic was unsinkable… Enough said!

    • Alborz Heydaryan - 9 years ago

      The fingerprint sensor has been tried. The only way to bypass it is to make a silicon fingerprint.
      If you steal someone’s phone, and re-create their fingerprint, would you be able to access their credit card information? The part in settings that you can edit/add cards and it shows the information of previous cards. Is it only secured by fingerprint?

      • The phone never shows a full CC number either for cards in Passbook (For Apple Pay) or cards linked to iTunes. So even if your phone was stolen and unlocked in this manner or via social engineering, you still couldn’t get the CC number.

        Now if you had the phone & tore it down, you MIGHT be able to get the CC number off the Secure Element chip, but the whole idea of Secure Element is that the CC numbers are encrypted, so you’d have to hack that too.

      • Mike Knopp (@mknopp) - 9 years ago

        I am not positive, but if I remember correctly the CCN isn’t even stored in the NFC chip. When you enter a card a token is sent from the credit card company which is stored on the phone in the secure element and tied to the device. This token is then utilized to create other one-time use tokens which are what is passed to the retailer and to the credit card company for verification.

        The only place that your credit card number is stored is on your card and at the credit card company. So, the only way that a hacker could get your credit card number is to hack the credit card company.

        At least that is my understanding of it and it is backed up by several articles on major tech news sources.

      • Fallenjt JT - 9 years ago

        This’s asking too much to hack something that you’re not guaranteed to get: CCN. You have to steal the phone, recreate a fingerprint (how? and what finger, right/left, thumb/index/ring/middle?) and try to unlock the iPhone…by the time you can get through that, that iPhone has long been wiped remotely using Find My iPhone. If you can do all that within minutes, you’d be better off hacking Bellagio in Vegas.

    • daitenshe - 9 years ago

      I’m fairly positive the four digit code that’s created at the same time as Apple Pay is able to be used to make the payment if the fingerprint isn’t accepted after a couple tries. So if they know that code it’s a potential danger

      • Mike Knopp (@mknopp) - 9 years ago

        I have never heard that. Where did you read that?

      • Apple pay can only authorize through the use of the Touch ID scanner.

      • Fallenjt JT - 9 years ago

        4-digit PIN is the worst implementation for ePayment because you have to enter it at POS with a bunch of people around you. NO, NO, NO. If Touch ID fails (very unlikely), then use real cards. However, Touch ID failure is unlikely because it’s been tested for years. I never had an issue with Touch ID on 5S so far.

      • daitenshe - 9 years ago

        I didn’t read it, I’m pretty sure I did it personally. An aunt of mine was trying to use it but has an issue where her fingers peel so scans are hard. She tried a couple times with the finger and then the code was prompted. I typed it in for her and it was accepted. I don’t know if it was because it knew her fingerprint was close or what but it worked for her. Never heard about that being a feature though

      • Jim - 9 years ago

        daitenshe, I’m guessing that, when your aunt couldn’t authenticate using her fingerprint, iPhone prompted her to enter her security code. Most of us used to have 4-digit security codes, if we bothered to have a code at all. But with TouchID, it’s foolish to have such a simple security code! iOS gives you the option of using a long, complex password instead of the simple 4-digit code.

    • Apple Pay does not store your credit card number(s) anywhere on the phone, and you can remotely wipe the cards with Find My iPhone.

    • Alex (@Metascover) - 9 years ago

      NFC sends the OS a query for the token number.

      The OS asks access to the ‘enclave’ where data is encrypted. Access is impossible without the authorization code from TouchID.

      Even if you could magically get the token, what would you do with it? You can’t use it to buy stuff, it won’t work, VISA or MASTERCARD won’t accept it. You could try using a hacked merchant terminal but it would need to be registered and you’d need to send a request to the iPhone so that it can send you back another code that’s generated from the first one and the merchant data.

      No, it seems to me it’s impossible to hack. After all, VISA, MASTERCARD and all others have accepted it.

      http://www.kirklennon.com/a/applepay.html

  9. b9bot - 9 years ago

    Now there’s more proof that Apple Pay is the better choice. They aren’t even fully up and running and they have already been hacked. And you are supposed to give them your bank account number, social security number? This is why Apple Pay will be the best choice for consumers. MCX quit now and allow consumers to pay the way they want to!

  10. Ethan Morgan (@duepeak) - 9 years ago

    Can’t wait to see if merchants start jumping ship. No reason to stay aboard a sinking ship.

  11. Sebastian Rasch - 9 years ago

    LOL this is pure comedy.

  12. Ry L - 9 years ago

    This is just too awesome

  13. Hilarious. Make sure to share this article far and wide so people can see this company crumble. I, for one, welcome the arrival of our Apple Pay overlords.

    • Edison Wrzosek - 9 years ago

      Have you seen Twitter? It’s lit up like a Christmas tree right, all major networks picking this up! IT’S PARTY TIME!

  14. bboysupaman - 9 years ago

    I am shamelessly plugging my own page here… But I made a little website for reference for those that want to avoid all MCX merchants… http://boycott-mcx.com

    • Edison Wrzosek - 9 years ago

      Plug away my friend :-D

    • bboysupaman - 9 years ago

      It can also be added to your home screen with a nice little icon! Lol. I made this site less than an hour ago and I’ve already had hundreds of hits! I think people are pretty annoyed about this whole CurrentC thing… Lol.

      • Edison Wrzosek - 9 years ago

        Thank you very much for the site! Now instead of having to type out all the store names into a new iOS Note for stores I will not shop at, I’ll just put a link to the site on a home screen and I’m done :-D

    • Agree plug away but just a note. Meijer actually accepts Apple Pay and is listed as one of Apples partners.

      • bboysupaman - 9 years ago

        Thanks for the heads up. I have updated the page to reflect that and have also added a link at the bottom for people to send feedback.

    • Target is an Apple Pay partner, they accept AP even though they’re part of MCX (and Apple Pay is integrated into their new iOS app).

      • Edison Wrzosek - 9 years ago

        Online in their online store; brick-and-mortar locations do not accept Pay, as do none of the MCX participants.

    • kathycorby - 9 years ago

      Bookmarked on my iPhone 6+. Thanks for the effort. Hope your site is monetized so you get something back for the work. Also, nice ui. Simple, clean, very Applesque

      • bboysupaman - 9 years ago

        Google wouldn’t let me add ads… But I added a little “Donate” button. Who knows? Maybe someone will treat my wife and I to a movie! Lol.

    • You’re my new best friend. And I agree, you need ads on this thing so you can make some money back. I’m gonna refer everyone I know that’s interested in mobile payments to this site.

      Outstanding work!!

      • bboysupaman - 9 years ago

        I tried, but Google rejected my site for ads saying that it doesn’t have enough content..? So I’m just putting it out there for everyone to benefit. I do it for the love anyway… =) I’ll probably add some kind of donate button or something at some point.

      • iSRS - 9 years ago

        But will you accept ApplePay? ;)

        Thanks for the work. Nice looking site, even better from an iPhone. I like the alternatives.

    • 89p13 - 9 years ago

      Add my thanks for the clean look and valuable information. Just remember – even if they don’t take ApplePay, they do still take physical Credit Cards . . . . for now. ;)

    • Jesse Supaman Nichols - 9 years ago

      Thanks for all the compliments guys! I’ll keep it going as long as there is a need…

      • iSRS - 9 years ago

        Which hopefully won’t be long

    • r00fus1 - 9 years ago

      Holy crap – Had no idea there were that many MCX member vendors. Apple is really up against a massive (if somewhat dysfunctional) group of retailers here.

      I mean, Southwest airlines, WTF – I thought I knew you!

    • darks2k - 9 years ago

      You sir are awesome. This is now on my homescreen.

  15. Samuel A. Maffei - 9 years ago

    This may be grounds for the members to leave the consortium and recoup their investment (because the system is in fact insecure) as a breach of contract.

  16. digizeo - 9 years ago

    lmao, think currentc is gonna be shut down before it gets started

    • iSRS - 9 years ago

      You might be right. It might live on in another fashion through some stubborn retailer(s) (like Walmart), but I have a feeling that by Christmas? The MCX current path will be greatly changed.

      I am not one to encourage this hacking/illegal activity. But since MCX/CurrentC is so smug about shutting everyone else out, when they don’t have a product available to the public yet, I have a feeling this is just the beginning. It’s been less than a week since this started boiling. They’ve already been breached. Just wait until hackers get to the point that banks start needing to reissue bank account numbers. Then the banks will prevent CurrentC from connecting to them, and this experiment will be over.

  17. patthecarnut - 9 years ago

    Oh boy….

  18. Mosha - 9 years ago

    It has been less than a week and CurrentC has had more attention than it has ever had for all the wrong reasons. This would not have been the case if they had let people choose.

  19. Darrin (@DarSea2) - 9 years ago

    It’s starting to seem like CurrentCee is just a fake company set up to make Google Wallet, Apple Pay and others look even more appealing. Wow

  20. Sterling Miller - 9 years ago

    I just find it funny that the Subway(s) inside of Walmart take Apple Pay, but yet Walmart doesn’t. Seems a little awkward.

  21. theagentmike - 9 years ago

    Hahaha I agree with everyone else, this is the funniest thing I’ve read all month! Just keep it coming!

  22. Edison Wrzosek - 9 years ago

    HA HA!!!

    http://www.youtube.com/watch?v=MDtSf9pseOw

    I can’t stop laughing right now!!! IT security 101, never, EVER, challenge the hackers to anything made by bean counter IT personnel, you’ll lose every time!

  23. Elfenkonig (@elfenkonig) - 9 years ago

    “Says its already been hacked…”? Really? Are there no proofreaders, editors at 9to5mac to correct a glaring typo???? It’s embarrassing.

  24. Rontavius Snipes - 9 years ago

    Wow I mean this is like MCX wanted to troll consumers and now the hackers are trolling them. This is beyond hilarious.

  25. archie0527 - 9 years ago

    Why would anyone even consider using this CurrentCrap?! Seeing how simple Apple Pay is, and even Google Wallet!

  26. ledsteplin - 9 years ago

    If I were a CurrentC retailer, I’d be taking another look at Pay again. Who’s gonna trust CurrentC now? I sure am not giving them my banking info!
    Could someone please make the print on here darker!

    • iSRS - 9 years ago

      I emailed most of the companies that support MCX yesterday. Got a couple of responses that were the same, “we will continue to review all…” blah blah blah, “but we are part of a group, exciting app coming” blah blah blah.

      Well, Best Buy actually responded. So I just, politely, shared my opinion, and updated my stand based on all the MCX news today. Can’t wait to see if that gets a response.

  27. Francis Wernet - 9 years ago

    right so now we are supposed to trust you with our bank account?!?!?

  28. dennyc69 - 9 years ago

    hahahahahahahahahahahahahahahahahahahahahahahaha!

  29. dcj001 - 9 years ago

    “MCX’s CurrentC, the infamous Apple Pay competitor, says its already been hacked.”

    If you would like to be a journalist, Mark, it is important that you learn the difference between “its” and “it’s.”

    • rahhbriley - 9 years ago

      I don’t think he has such aspirations. He’s a hard-hitting investigative blogger with no time for grammar or critical thinking. He works for clicks and giggles.

      • dcj001 - 9 years ago

        He refers to himself being a journalist on his website, for some reason.

  30. I’m all for hating CurrentC, but all the hackers got was email addresses. That’s it.

    • If CurrentC says all they got is email addresses, it’s gotta be true! I mean, with such a long track record of reliability, transparency and accountability, of course they are telling the truth! Actually, wouldn’t surprise me they don’t even know what was actually stolen right now.

  31. Brent Howatt - 9 years ago

    >”MCX powers a payments platform utilized by key retailers such as WalMart, CVS, and RiteAid.”

    The quote above from the article seems a bit misleading. As far as I know, CurrentC is entirely vaporware at this time. I did see one article that claimed an alpha test was going on somewhere in the mosquito-infested wilds of the upper mid-west, but I have seen nothing from anyone that has actually seen a working model.

  32. rob nienburg (@robogobo) - 9 years ago

    “some of you.”

  33. Dizzy Dame - 9 years ago

    maybe these hackers are iphone users and wanted to prove a point to MCX, thus the hack even before launch.. what a mess

  34. hijaszu - 9 years ago

    At least everybody knows now that it’s super secure, so you can safely trust them with your data :D