Apple Pay competitor CurrentC hacked before service launch

The hack of Apple Pay competitor CurrentC, combined with its primary objective of using insecure ACH transfers to sidestep credit cards, is a setup for disaster, says James Sanders.

CurrentC, a phone-based payment system designed to compete with the recently launched Apple Pay, has experienced a major data breach, as the email addresses of beta testers and interested potential users were extracted from a database this week. CurrentC sent an email on October 30, 2014 to the users who were affected. (Apple Pay is also off to a bumpy start.)

Why CurrentC was created

CurrentC is a project undertaken by Merchant Customer Exchange (MCX), which is backed by a group of retail giants, including 7-Eleven, Best Buy, Darden Restaurants (which owns Olive Garden and Longhorn Steakhouse), Gap, Inc. (owners of Old Navy and Banana Republic), Lowe's Inc., Sears Holdings Corporation (owners of the troubled and rapidly closing Sears and Kmart), Target, and Walmart Stores, Inc. (which also operates Sam's Club stores). The drugstore chains Rite Aid and CVS are also members of MCX, and have made a preemptive strike against Apple Pay by disabling the near-field communications (NFC) readers in their stores to block the use of Apple Pay.

The impetus for creating MCX and CurrentC is to cut the credit card companies out of transactions at these stores. The credit card companies typically charge the merchant 3% of a given transaction, and this fee affects the bottom lines of companies, particularly general retailers such as Target, Walmart, and Kmart, where profit margins are already razor thin. This association also allows retailers to collect information about consumers' purchasing habits, and potentially sell this information to third parties.

CurrentC is not yet available in most of the US. The app went into beta in some stores in Minnesota on September 3, 2014. Although general availability is planned for early 2015, backlash has already started against the app following the aforementioned ban at CVS and Rite Aid. The CurrentC app beta contains opt-in location-based advertising, though what will become of that upon general release is yet to be seen.

How CurrentC differs from Apple Pay

Apple Pay is intended to digitize and replace the magnetic stripe on your credit card, and instead authorize payments using NFC. Users take a picture of their credit cards, storing this information on their iPhone. When checking out, users hold their iPhone to an NFC terminal, such as Visa's payWave, MasterCard's PayPass, and American Express's ExpressPay terminals, and authenticate the transaction by holding their finger to the iPhone's Touch ID sensor.

CurrentC takes all of the convenience of NFC payments through a mobile phone, and completely discards it. Instead, the payment app links not to your credit card, but to your checking account — in effect circumventing the transaction fee levied by credit card companies. In order to pay for items using CurrentC, the customer scans a QR code using her phone, or, in certain circumstances, the cashier scans a QR code generated on the customer's phone.

According to the press release:

CurrentC will provide a more secure payment experience than traditional methods by storing users' sensitive financial information in its cloud vault rather than locally on the mobile device. Furthermore, the application uses a token placeholder to facilitate transactions instead of constantly passing the data between the user, merchant and financial institution. These innovative approaches to security are only a sample of industry-leading tools used by CurrentC to create a comprehensive, layered approach to information security.

The problem with this model

The primary problem with this model is the abject lack of security that accompanies Automated Clearing House (ACH) payments. If account information were stolen from CurrentC, the end user would have little to no recourse, as CurrentC was already authorized to initiate ACH transactions with the user's account. Federal law provides a number of protections for consumers against credit card fraud, which ACH payments lack.

As a point of caution, consider the number of data leaks and security breaches at businesses in the US thus far this year. Retailers and restaurants have already shown an abysmal record on data security. Storing banking information in the cloud and using that cloud-connected data in stores poses an unnecessary risk with little obvious benefit to the consumer.

What's your opinion?

Do you plan to use Apple Pay, Google Wallet, or another phone-based payment solution for your transactions? Were you affected by the CurrentC hack? Let us know in the comments.

Disclaimer: TechRepublic, ZDNet, and CNET are CBS Interactive properties.

About James Sanders

James Sanders is a Java programmer specializing in software as a service and thin client design, and virtualizing legacy programs for modern hardware.
