CurrentC Developer Confirms Breach

Mobile Wallet Company Says App Itself Wasn't Breached
The developer of CurrentC, a mobile wallet application that competes with Apple Pay, has confirmed a breach at its e-mail provider. The breach compromised the e-mail addresses of people who were participating in a pilot program or who had requested information about it.

"The CurrentC app itself was not affected," says Linda Walsh, a spokesperson for the developer, Merchant Customer Exchange, which was formed by a group of merchants. She also says many of the e-mail addresses compromised were dummy accounts used for testing purposes only.

Dekkers Davidson, CEO of MCX, in a conference call on Oct. 29 declined to name the e-mail provider that was hacked. "We take responsibility at CurrentC for everything that occurs here. I own it. CurrentC owns it."

Davidson declined to speculate about the motivations behind the attack. "It's unfortunate that some people think it's cool to hack or steal information," he says. "But we have built our systems and anticipated we would have our systems attacked. Our vendor is examining where the weakness occurred in their system."

Breach Notification

In an e-mail sent out to an undisclosed number of affected individuals, which was obtained by Information Security Media Group, MCX says that unauthorized third parties were able to obtain the e-mail addresses. "In an abundance of caution, we wanted to make you aware of this incident and urge you not to open links or attachments from unknown third parties," the company says.

Merchant partners have been notified about the incident, and the company is communicating directly with each of the individuals affected by the breach, Walsh says.

In recent days, several retailers, including CVS and Rite Aid, have disabled access to Apple Pay to support the CurrentC product, according to USA Today.

CurrentC is a free mobile wallet app that can be downloaded from both Apple's and Google's application stores. It utilizes unique QR codes, known as Paycodes, to transact each purchase.

Bad Timing?

"Considering that CurrentC hasn't even officially launched, having a data compromise already is problematic," says Nathalie Reinelt, an analyst at the consultancy Aite Group.

One challenge MCX faces is making consumers aware of its product. "Even with the backing of all their big-box merchants, CurrentC is not a brand consumers recognize, much less automatically trust," Reinelt says. "Creating an application consumers adopt and use consistently is challenging enough, but having a security issue before it even launches is a pretty big black eye."

Another concern is whether the impacted e-mail addresses also serve as the usernames used to access the application, says John Zurawski, vice president of authentication services firm Authentify. "If that is true, how are the CurrentC accounts protected from brute-force password/dictionary attacks?"


About the Author

Jeffrey Roman

News Writer, ISMG

Roman is the former News Writer for Information Security Media Group. Having worked for multiple publications at The College of New Jersey, including the College's newspaper "The Signal" and alumni magazine, Roman has experience in journalism, copy editing and communications.



