CurrentC Developer Confirms BreachMobile Wallet Company Says App Itself Wasn't Breached
The developer of CurrentC, a mobile wallet application that competes with Apple Pay, has confirmed a breach at its e-mail provider, which has resulted in the compromise of e-mail addresses for those participating in a pilot program or who requested information about it.
"The CurrentC app itself was not affected," says Linda Walsh, a spokesperson for the developer, Merchant Customer Exchange, which was formed by a group of merchants. She also says many of the e-mail addresses compromised were dummy accounts used for testing purposes only.
Dekkers Davidson, CEO of MCX, in a conference call on Oct. 29 declined to name the e-mail provider that was hacked. "We take responsibility at CurrentC for everything that occurs here. I own it. CurrentC owns it."
Davidson declined to speculate about the motivations behind the attack. "It's unfortunate that some people think it's cool to hack or steal information," he says. "But we have built our systems and anticipated we would have our systems attacked. Our vendor is examining where the weakness occurred in their system."
In an e-mail sent out to an undisclosed number of affected individuals, which was obtained by Information Security Media Group, MCX says that unauthorized third parties were able to obtain the e-mail addresses. "In an abundance of caution, we wanted to make you aware of this incident and urge you not to open links or attachments from unknown third parties," the company says.
Merchants partners have been notified about the incident, and the company is directly communicating with each of the individuals who were impacted by the breach, Walsh says.
In recent days, several retailers, including CVS and Rite Aid, have disabled access to Apple Pay to support the CurrentC product, according to USA Today.
CurrentC is a free mobile wallet app that can be downloaded from both Apple's and Google's application stores. It utilizes unique QR codes, known as Paycodes, to transact each purchase.
"Considering that CurrentC hasn't even officially launched, having a data compromise already is problematic," says Nathalie Reinelt, an analyst at the consultancy Aite Group.
One challenge MCX faces is making consumers aware of its product. "Even with the backing of all their big-box merchants, CurrentC is not a brand consumers recognize, much less automatically trust," Reinelt says. "Creating an application consumers adopt and use consistently is challenging enough, but having a security issue before it even launches is a pretty big black eye."
Another concern is whether the impacted e-mail addresses are also the same as the username used to access the application, says John Zurawski, vice president of authentication services firm Authentify. "If that is true, how are the CurrentC accounts protected from brute-force password/dictionary attacks?"