back to article Big Retail's Apple Pay killer CurrentC HACKED, tester info nicked

CurrentC, the mobile payments system being pushed by some of the biggest retailers in the US, has been hacked – before the system is even fully up and running. "Within the last 36 hours, we learned that unauthorized third parties obtained the e-mail addresses of some of our CurrentC pilot program participants and individuals …

  1. Glenn 6

    This will continue to happen so long as we don't have laws that forbid retailers from warehousing our credit card information. That's the only reason why they came up with their own system in the first place.

    1. Bullseyed

      If "revealed the email addresses of users" counts as hacking... hasn't iTunes been hacked a bunch of times? I've seen lists of email addresses associated to Apple devices leaked online many times.

      Not to mention that this is being reported misleadingly, as the headlines for this story imply credit card data was taken.

      1. Anonymous Coward
        Anonymous Coward

        "...hasn't iTunes been hacked a bunch of times?"

        Yes, but Apple really has nothing to do with this story unless they are responsible for the hack. The editor, unsurprisingly, tied them on. However sensitive the data may or may not be, CurrentC was hacked. If anything, this doesn't increase trust with CurrentC or ANY other player attempting the same payment scam scheme.

      2. SuccessCase

        "hasn't iTunes been hacked a bunch of times? I've seen lists of email addresses associated to Apple devices leaked online many times."

        No. Itunes user accounts have been hacked, but that's an entirely different thing and is most usually the consequence of using weak passwords, or because the associated email account has been hacked.

        1. Anonymous Coward
          Anonymous Coward

          >Yes, but Apple really has nothing to do with this story unless they are responsible for the hack.

          True, but:

          CurrentC is only of interest to us because it is part of the larger, ongoing question of 'how will we be paying for stuff in the future?', and Apple may have a role shaping the eventual answer. Google's business moded, ased on advertising as it is, has some trust issues.

          I haven't heard much about Bitcoin for a while... I was kind of seeing it as a first draft of what a decentralised currency might be, since it itself was fluctuating in value too much to be widely adopted as a means of buying chocolate bars and train tickets.

  2. Shane Sturrock

    CurrentC dead on arrival

    Apple in particular has a policy of not allowing apps in their store which compete with functionality provided by the phone. Apple Pay is in the phone so CurrentC won't be able to get their app into the Apple Store. Google would be well within their rights to do the same and block it. If no-one can install the app on iOS, or they have to side load it on Android, then the whole thing will fail.

    Dumb idea anyway to let merchants have access to your bank account. Credit cards exist for a reason, and the one time use token systems that Apple and Google have are safer than a plastic card any day.

    1. DougS Silver badge

      Re: CurrentC dead on arrival

      I don't think it would matter much if Apple does approve the app. What's in it for the customer? They don't save money, they don't gain privacy (they probably lose some, actually) and they don't gain convenience (how is paying with an app easier than swiping a card?)

      Unless you (stupidly, IMHO) believe Walmart will go so far as to stop accepting credit/debit cards and only accept Walmart cards, CurrentC and cash there's no way this gains acceptance from consumers because the advantages are only on the side of Walmart, with nothing for the consumer. If they try like the old web based Google Pay and whatever that copycat effort from Microsoft/Bing was called to bribe people into using it with discounts, it'll be used so long as the discounts are there. I haven't paid with Google Pay for years (I don't know if it even exists anymore, actually) since I stopped when the discounts ended. Ditto for that Bing payment thing.

      If Walmart gave me 10% off buying with the CurrentC app sure I'll download and use it. The minute the discounts stop, that app will begin gathering virtual dust and tumbleweeds on my phone.

    2. Joe 35
      FAIL

      Re: CurrentC dead on arrival

      "Apple in particular has a policy of not allowing apps in their store which compete with functionality provided by the phone. Apple Pay is in the phone so CurrentC won't be able to get their app into the Apple Store."

      Nope its already in there (US store only for obvious reasons). As you might guess its attracted rather a lot of 1 star scores (1 being the minimum) over the past day or two.

      The Android version in the Google Play store was at about 1300 1 star reviews when i looked yesterday.

      Apple have no need to ban this app since its a complete dogs dinner of usability with added security issues, in particular the potential for a hacker to hoover your bank account dry.

      Add to that, it will probably add about a minute to your check out process with its clunky "scan a QR code" process.

  3. Anonymous Coward
    Anonymous Coward

    Concerns

    It looks like Walmart, so upset with Visa, have formed this alliance and consumers won't have any choice - pay using CurrentC or cash. There are so many in the alliance that it's going to be hard to take your business elsewhere and, unlike Apple Pay, these guys want your data. For this reason alone I hope they experience difficulties.

    1. petur

      Re: Concerns

      You probably will have a choice:

      a) let CurrentC (shop) handle the transaction with your bank

      b) let Apple/Google know all about your purchases while they handle the payment and oh by the way there's a nice percentage going in their pockets.

      Pick the least evil one?

      1. Andrew Hodgkinson

        Re: Concerns

        > b) let Apple/Google know all about your purchases

        That's exactly what Apple Pay doesn't do, since Apple don't make money off user data unlike Google. They were able to bypass any notion of storing information about the purchase as part of a unique selling point - and point scoring! - against Google, which does make money off this sort of thing and does collect data.

        Apple often seem behave in a nasty way but the interesting part is that with Apple Pay, they have a vested commercial interest in *not* collecting your data. They're financially motivated to be the least evil in this particular case.

        CurrentC is a waste of time because it's such a myopic US-centric mess anyway; social security number? In 2014? Chortle. Meanwhile, Apple Pay might struggle outside the US just because the rest of the world was already onto Chip & Pin, and now PayWave etc. anyway. The US transaction market has always seemed pretty "quaint" to much of the rest of the world.

        1. Franklin

          Re: Concerns

          "The US transaction market has always seemed pretty "quaint" to much of the rest of the world."

          Yeah. One of my girlfriends lives in Canada, and I feel like a barbarian when I visit her and pay for anything with my debit card. There's always this awkward moment when the cashier looks for the chip, then looks at me like "what is this primitive stone-knives-and-bearskins payment technology you've provided me with? How does this archaic thing even work, anyway?"

        2. BasicChimpTheory

          Re: Concerns

          @Andrew Hodgkinson

          "Apple often seem behave in a nasty way but the interesting part is that with Apple Pay, they have a vested commercial interest in *not* collecting your data. They're financially motivated to be the least evil in this particular case."

          This is completely false. Apple have already been making noise about APIs that tie Apple Pay and iBeacon together (in conjunction with pushing iAds) so that customer purchase habits and advertising effectiveness can be monitored.

          They are collecting huge amounts of data. Why do people believe that Apple doesn't collect data? How do people think a technology company can do anything without user data? Their business model is different to Google's but that doesn't make the data any less useful to them.

          1. DougS Silver badge

            @BasicChimpTheory

            Where has Apple been "making noise" about tying the two together?

            Apple has a vested interest in NOT collecting data because they don't make their money pushing ads at you, that's Google and Facebook, they make their money on hardware.

            iBeacon is not forced you on, it is intended to be something (some) people will want, because if you visit a store it can alert you to specials, direct you to a specific area (if you want to know where the light bulbs are, or whatever)

            If Apple devalues the customer experience by pushing ads in your face or selling your data, fewer people will want to buy iPhones. Given the margin they make on those there's no way they could make up for that shortfall by pushing ads or selling data. Google, by contrast, loses money on Android sales (they have the cost of developing it, but get no royalties from Android sales) so the only way it is profitable for them is all the data they collect on its users, and ads they can shove in the face of users of Google services.

            1. Dave 126 Silver badge

              Re: @BasicChimpTheory

              Thank you chr0m4t1c

            2. BasicChimpTheory

              Re: @BasicChimpTheory

              "Where has Apple been "making noise" about tying the two together?"

              Clover already have hardware in actual shops doing this (using Apple APIs). You seem to think you have some knowledge in the space so I'll leave to do your own research.

              I will address one of your points, however - Apple does NOT have a vested interest in not collecting data, they simply have a vested interest in appearing less interested in collecting data than other industry players. You don't need a terribly long memory to recall iPhones that phoned home about device location (cell tower based) without the owner's permission or knowledge. Apple collects data.

              Apple collects data.

              Just because iAds has been a near complete failure doesn't the ambition has evaporated.

              1. DougS Silver badge

                Re: @BasicChimpTheory

                I guess you're the one with the short memory because Apple devices DID NOT phone home with cell tower based device location. It was kept on a file in the phone, but never sent back to Apple. It isn't clear why it was being kept at all, but it was fixed back in iOS 4.0.

                Funny how many people were willing to accept Google's lame explanation for why they were SNIFFING PEOPLE'S WIFI TRAFFIC with their roving streetview vehicles (when just getting their SSID would have sufficed if it only had to do with location) but assume that because iOS logged data to an iOS device but never uploaded it, Apple must have been up to no good.

      2. Franklin

        Re: Concerns

        "Pick the least evil one?"

        Given the difficulty in gauging the relative evil of, say, Apple vs. Walmart vs. Google vs. any of the other players, I'd rather say "pick the more secure one."

        Given that both Apple and Google system involve exchanging a single-use token that's necessary for the retailer to hook the cash out of my bank account, whereas (as I understand it, anyway) the CurrentC scheme allows the retailer direct access to my bank account, I know which of the two I prefer...

      3. gnasher729 Silver badge

        Re: Concerns

        I don't know where you have been in the last weeks, but the way that Apple Pay works is documented rather well, and one of the most important points of it is that Apple has no access to your purchase data or to your card data whatsoever.

        Everything is handled inside a chip in the iPhone that is designed by the banks, that works completely outside the control of the iPhone, and that only produces encrypted messages which Apple cannot read and which are forwarded to the bank.

        So not only does Apple not have any of the purchase data, but they wouldn't be able to get any of the data even if they tried.

        1. Dave 126 Silver badge

          Re: Concerns

          >Apple Pay might struggle outside the US just because the rest of the world was already onto Chip & Pin, and now PayWave etc. anyway.

          I dunno, but can the 'tap to pay' merchant terminals in the UK be adapted to work with Apple Pay - or a Google NFC system?

          (A friend asked me why his Nexus5 phone was intermittently beeping but was displaying no notifications... it turned out his 'tap to pay' credit card was in his phone's wallet case, and he had accidentally turned its NFC a few days before whilst fumbling in the settings).

          1. chr0m4t1c

            Re: Concerns

            >I dunno, but can the 'tap to pay' merchant terminals in the UK be adapted to work with Apple Pay - or a Google NFC system?

            Yes. Apple Pay is an implementation of the standard currently in use for these transactions.

            Currently the primary limitation in the UK is that there's no way to load your card onto the phone because no banks have the systems in place to generate the tokens (yet).

            If you have a supported US credit or debit card you can set your iPhone region to the US, which will enable the OS support, and then load your card into the phone. After that you can use it at any PayWave terminal, but (of course) you will have the currency conversion charges to pay on any transaction.

            A few people around the world, not just the UK, have already tried and found everything works as you would like.

            From what I have heard Visa and MasterCard are already working with the banks to bring the functionality to the UK next year.

            There's an interesting article here if you want something more in-depth:

            http://bankinnovation.net/2014/09/heres-how-the-security-behind-apple-pay-will-really-work/

      4. Anonymous Coward
        Anonymous Coward

        Re: Concerns

        Cash - excepted everywhere and protects my privacy

        1. TheRealRoland
          Thumb Up

          Re: Concerns

          >Cash - excepted everywhere

          I take acception to that!

    2. DougS Silver badge

      Re: Concerns

      I don't think there's any chance Walmart stops accepting credit cards and only accepts CurrentC or cash. Probably the vast majority of their customers use credit/debit cards today, and while they could surely induce some of them to switch via a Walmart branded charge card or CurrentC app, many people will be unwilling to do so and would simply shop at Costco or Target if they preferred not to have to carry in cash to shop Walmart.

      Not accepting Apple Pay or Google Wallet is not a problem, since no one is shopping there that way today. Cutting off use of credit/debit cards that most of their customers use would be a huge deal, and there's no way they'd take that risk no matter how much they want to gather data on customers. They can always use the tried and true loyalty program to gather the data regardless of how their customers pay.

    3. Joe 35

      Re: Concerns

      Is not just those two options. They will still accept credit cards but plan to entice customers to use it with coupons and discounts.

  4. Anonymous Coward
    Anonymous Coward

    In my head...

    ...i've always viewed 'pilot programs', like forcing a bunch of poor souls through a mine field in the vain hope that they won't set one off.......BOOM!!!!!

  5. Someone Else Silver badge
    FAIL

    There's that throwaway line again

    "[...] We take the security of our users’ information extremely seriously."

    Although not really, because, even if this is only a "pilot", you'd think that security in a process that handles actual users' money would have had security built in at the git-go, not something that "we'll get to in version 2.3.0".

    CurrentC, the Walmart of electronic pay schemes.

    1. Invidious Aardvark

      Re: There's that throwaway line again

      Indeed, it's amazing how many companies will tell you how seriously they take the security of your information after it's been compromised. I expect they'll be "putting procedures in place to ensure that this can never happen again".

      Funnily enough, I expect companies that do take the security of my information seriously to have procedures in place already so that such breaches don't actually occur...

  6. -tim
    Thumb Down

    QRCodes are magic to most people. Sort of like a magstripe was 3 decades ago. One cool thing about QRcodes is they can be read a huge distances with the right old school optics yet tap and go is evil because it can be read at a few meters at best.

  7. Henry Wertz 1 Gold badge

    Google's not Apple

    "Google would be well within their rights to do the same and block it."

    Except Google is not Apple and does not go around banning whole classes of apps.

    1. Handy Plough

      Re: Google's not Apple

      Yes Henry, because that's the bigger issue here.

    2. Anonymous Coward
      Anonymous Coward

      Re: Google's not Apple

      "Except Google is not Apple and does not go around banning whole classes of apps."

      no, you're absolutely right, Google has never attempted to protect their core business model by banning android apps...

      https://www.eff.org/deeplinks/2014/08/blocking-consumer-choice-googles-dangerous-ban-privacy-security-app

      https://www.eff.org/deeplinks/2013/03/google-censoring-android-apps

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019