CurrentC, the much discussed infamous competitor to the Apple Pay mobile payments platform, has some more bad press coming its way. According to an email sent out this morning to its pilot program customers, the MCX service has already been hacked. According to the notice, “unauthorized third parties” obtained email address information for an unannounced number of users:
Thank you for your interest in CurrentC. You are receiving this message because you are either a participant in our pilot program or requested information about CurrentC. Within the last 36 hours, we learned that unauthorized third parties obtained the e-mail addresses of some of you. Based on investigations conducted by MCX security personnel, only these e-mail addresses were involved and no other information.
In an abundance of caution, we wanted to make you aware of this incident and urge you not to open links or attachments from unknown third parties. Also know that neither CurrentC nor Merchant Customer Exchange (MCX) will ever send you emails asking for your financial account, social security number or other personally identifiable information. So if you are ever asked for this information in an email, you can be confident it is not from us and you should not respond.
MCX is continuing to investigate this situation and will provide updates as necessary. We take the security of your information extremely seriously, apologize for any inconvenience and thank you for your support of CurrentC.
For those not following the MCX vs. Apple Pay saga, MCX powers a payments platform utilized by key retailers such as WalMart, CVS, and RiteAid. After initially supporting NFC-based payments via Apple Pay and Google Wallet, those aforementioned retailers shut down their industry standard NFC-based payment processing systems in favor of the CurrentC app from MCX.
MCX has since responded to this controversy on its website, and Apple CEO Tim Cook referred to the entire situation as a “skirmish.” Meanwhile, reports have indicated that retailers are playing along with MCX in order to avoid fines discussed in early contractual agreements. Nonetheless, Apple Pay has already amassed over a million activations, becoming the most ubiquitous mobile payments platform in just about a week.
MCX has confirmed that the email to customers is legitimate and said the following:
“Within the last 36 hours, we learned that unauthorized third parties obtained the e-mail addresses of some of our CurrentC pilot program participants and individuals who had expressed interest in the app. Many of these email addresses are dummy accounts used for testing purposes only. The CurrentC app itself was not affected.
We have notified our merchant partners about this incident and directly communicated with each of the individuals whose email addresses were involved. We take the security of our users’ information extremely seriously. MCX is continuing to investigate this situation and will provide updates as necessary.”
FTC: We use income earning auto affiliate links. More.
I retract my comment on the previous CurrentC article. NOW they’ve put their foot in it.
The shit hit the fan
Yes, the faecal missile impacted the overhead rotary ventilator, big-time!
This needs visualization…
http://i.imgur.com/CHmBhqM.gif
Haha!
It just gets better …
Someone at CurrentC is getting fired today, that’s for sure.
Lame
LOL
The only thing that comes to mind…
https://www.youtube.com/watch?v=rX7wtNOkuHo
HA! HA! /Nelson
Do we know if Apple Pay has actually been tested by the hacking community? Until we know if hackers can access the NFC chip sans fingerprint access in the iPhone, we are still vulnerable. Let us not forget that the Titanic was unsinkable… Enough said!
the finger print sensor has been tried. the only way to bypass it is to make a silicon finger print.
if you steal someone’s phone, and re-create their finger print, would you be able to access their credit card information? the part in settings that you can edit/add cards and it shows the information of previous cards. is it only secured by finger print?
The phone never shows a full CC number either for cards in Passbook (For Apple Pay) or cards linked to iTunes. So even if you phone was stolen and unlocked in this manner or via social engineering, you still couldn’t get the CC number.
Now if you had the phone & tore it down, you MIGHT be able to get the CC number off the Secure Element chip, but the whole idea of Secure Element is that the CC numbers are encrypted, so you’d have to hack that too.
I am not positive, but if I remember correctly the CCN isn’t even stored in the NFC chip. When you enter a card a token is sent from the credit card company which is stored on the phone in the secure element and tied to the device. This token is then utilized to create other one-time use tokens which are what is passed to the retailer and to the credit card company for verification.
The only place that your credit card number is stored is on your card and at the credit card company. So, the only way that a hacker could get your credit card number is to hack the credit card company.
At least that is my understanding of it and it is backed up by several articles on major tech news sources.
This’s asking too much to hack something that you’re not guarantee to get: CCN. You have to steal the phone, recreate a finger print (how? and what finger, right/left, thumb/index/ring/middle?) and try to unlock the iPhone…by the time you can get through that, that iPhone has long been wipe remotely using Find My iPhone. If you can do all that within minutes, you’d better off to hack Bellagio in Vegas.
I’m fairly positive the four digit code that’s created at the same time as Apple Pay is able to be used to make the payment if the fingerprint isn’t accepted after a couple tries. So if they know that code it’s a potential danger
I have never heard that. Where did you read that?
Apple pay can only authorize through the use of the Touch ID scanner.
4-digit PIN is the worst implementation for ePayment because you have to enter it at POS with bunch people around you. NO, NO, NO. If Touch ID fails (very unlikely), then use real cards. However, Touch ID failure is unlikely because it’s been tested for years. I never had an issue with Touch ID on 5S so far.
I didn’t read it, I’m pretty sure I did it personally. An aunt of mine was trying to use it but has an issue where her fingers peel so scans are hard. She tried a couple times with the finger and then the code was prompted. I typed it in for her and it was accepted. I don’t know if it was because it knew her fingerprint was close or what but it worked for her. Never heard about that being a feature though
daitenshe, I’m guessing that, when your aunt couldn’t authenticate using her fingerprint, iPhone prompted her to enter her security code. Most of us used to have 4-digit security codes, if we bothered to have a code at all. But with TouchID, it’s foolish to have such a simple security code! iOS gives you the option of using a long, complex password instead of the simple 4-digit code.
Apple Pay does not store your credit card number(s) anywhere on the phone, and you can remotely wipe the cards with Find My iPhone.
NFC sends the OS a query for the token number.
The OS asks access to the ‘enclave’ where data is encrypted. Access is impossible without the authorization code from TouchID.
Even if you could magically get the token, what would you do with it? You can’t use it to buy stuff, it won’t work, VISA or MASTERCARD won’t accept it. You could try using a hacked merchant terminal but it would need to be registered and you’d need to send a request to the iPhone so that it can send you back another code that’s generated from the first one and the merchant data.
No, it seem to me it’s impossible to hack. After all, VISA, MASTERCARD and all others have accepted it.
http://www.kirklennon.com/a/applepay.html
Now there’s more proof that Apple Pay is the better choice. They aren’t even fully up and running and they have already been hacked. And you are supposed to give them your bank account number, social security number? This is why Apple Pay will be the best choice for consumers. MCX quit now and allow consumers to pay they way they want too!
MCX cannot quite. Otherwise, what will Windows devices use? /S
Can’t wait to see if merchants start jumping ship. No reason to stay aboard a sinking ship.
LOL this is pure comedy.
This is just too awesome
Hilarious. Make sure to share this article far and wide so people can see this company crumble. I, for one, welcome the arrival of our Apple Pay overlords.
Have you seen Twitter? It’s lit up like a Christmas tree right, all major networks picking this up! IT’S PARTY TIME!
I am shamelessly plugging my own page here… But I made a little website for reference for those that want to avoid all MCX merchants… http://boycott-mcx.com
Plug away my friend :-D
It can also be added to your home screen with a nice little icon! Lol. I made this site less than an hour ago and I’ve already had hundreds of hits! I think people are pretty annoyed about this whole CurrentC thing… Lol.
The you very much for the site! Now instead of having to type out all the store names into a new iOS Note for stores I will not shop at, I’ll just out a link to the site on a home screen and I’m done :-D
Agree plug away but just a note. Meijer actually accepts Apple Pay and is listed as one of Apples partners.
Thanks for the heads up. I have updated the page to reflect that and have also added a link at the bottom for people to send feedback.
Target is an Apple Pay partner, they accept AP even though they’re part of MCX (and Apple Pay is integrated into their new iOS app).
Online in their online store; brick-and-mortar locations do not accept Pay, as do none of the MCX participants.
Bookmarked on my iPhone 6+. Thanks for the effort. Hope your site is monetized so you get something back for the work. Also, nice ui. Simple, clean, very Applesque
Google wouldn’t let me add ads… But I added a little “Donate” button. Who knows? Maybe someone will treat my wife and I to a movie! Lol.
You’re my new best friend. And I agree, you need ads on this thing so you can make some money back. I’m gonna refer everyone I know that’s interested in mobile payments to this site.
Outstanding work!!
I tried, but Google rejected my site for ads saying that it doesn’t have enough content..? So I’m just putting it out there for everyone to benefit. I do it for the love anyway… =) I’ll probably add some kind of donate button or something at some point.
But will you accept ApplePay? ;)
Thanks for the work. Nice looking site, even better from an iPhone. I like the alternatives.
Add my thanks for the clean look and valuable information. Just remember – even if they don’t take ApplePay, they do still take physical Credit Cards . . . . for now. ;)
Thanks for all the compliments guys! I’ll keep it going as long as there is a need…
Which hopefully won’t be long
Holy crap – Had no idea there were than many MCX member vendors. Apple is really up against a massive (if somewhat dysfunctional) group of retailers here.
I mean, Southwest airlines, WTF – I thought I knew you!
You sir are awesome. This is now on my homescreen.
This may be grounds for the members to leave the consortium and recoup their investment (because the system is in fact insecure) as a breach of contract.
Great point. I wonder what their contract looked like…
lmao, think currentc is gonna be shut down before it get started
You might be right. It might live on in another fashion through some stubborn retailer(s) (like Walmart), but I have a feeling that by Christmas? The MCX current path will be greatly changed.
I am not one to encourage this hacking/illeagal activity. But since MCX/CurrentC is so smug about shutting everyone else out, when they don’t have a product available to the public yet, I have a feeling this is just the beginning. It’s been less than a week since this started boiling. They’ve already been breached. Just wait until hackers get to the point that banks start needing to reissue bank account numbers. Then the banks will prevent CurrentC from connecting to them, and this experiment will be over.
Oh boy….
It has been less then a week and CurrentC has had more attention than it has ever had for all the wrong reasons. This would not have been the case if they had let people choose.
Streissand Effect, anyone?
It’s starting to seem like CurrentCee is just a fake company set up to make Google Wallet, Apple Pay and others look even more appealing. Wow
I just find it funny that the Subway(s) inside of Walmart take Apply Pay, but yet Walmart doesn’t. Seems a little awkward.
Hahaha I agree with everyone else, this is the funniest thing I’ve read all month! Just keep it coming!
HA HA!!!
[youtube http://www.youtube.com/watch?v=MDtSf9pseOw&w=420&h=315%5D
I can’t stop laughing right now!!! IT security 101, never, EVER, challenge the hackers to anything made by bean counter IT personnel, you’ll lose every time!
“Says its already been hacked…”? Really? Are there no proofreaders, editors at 9to5mac to correct a glaring typo???? It’s embarrassing.
Wow I mean this is like MCX wanted to troll consumers and now the hackers are trolling them. This is beyond hilarious.
Why would anyone even consider using this CurrentCrap?! Seeing how simple Apple Pay is, and even Google Wallet!
If I were a CurrentC retailer, I’d be taking another look at Pay again. Who’s gonna trust CurrentC now? I sure am not giving them my banking info!
Could someone please make the print on here darker!
I emailed most of the companies that support MCX yesterday. Got a couple of responses that were the same, “we will continue to review all…” blah blah blah, “but we are part of a group, exciting app coming” blah blah blah.
Well, Best Buy actually responded. So I just, politely, shared my opinion, and updated my stand based on all the MCS news today. Can’t wait to see if that gets a response.
righht so now we are suppose to trust you with our bank account?!?!?
hahahahahahahahahahahahahahahahahahahahahahahaha!
“MCX’s CurrentC, the infamous Apple Pay competitor, says its already been hacked.”
If you would like to be a journalist, Mark, it is important that you learn the difference between “its” and “it’s.”
I don’t think he has such aspirations. He’s a hard-hitting investigative blogger with no time for grammar or critical thinking. He works for clicks and giggles.
He refers to himself being a journalist on his website, for some reason.
I’m all for hating CurrentC, but all the hackers got was email addresses. That’s it.
If CurrentC says all they got is email addresses, its gotta be true! I mean, with such a long track record of reliability, transparence and accountability, of course they are telling the truth! Actually, wouldn’t surprise me they don’t even know what was actually stolen right now.
>”MCX powers a payments platform utilized by key retailers such as WalMart, CVS, and RiteAid.”
The quote above from the article seems a bit misleading. As far as I know, CurrentC is entirely vaporware at this time. I did see one article that claimed an alpha test was going on somewhere in the mosquito-infested wilds of the upper mid-west, but I have seen nothing from anyone that has actually seen a working model.
“some of you.”
maybe these hackers are iphone users and wanted to prove a point to MCX, thus the hack even before launch.. what a mess
At least everybody knows now that it’s super secure, so you can safely trust them with your data :D