Apple Pay Competitor CurrentC Breached
tranquilidad writes "As previously discussed on Slashdot, CurrentC is a consortium of merchants attempting to create a "more secure" payment system. Some controversy surrounds CurrentC's requirements regarding the personal information required, their purchase-tracking intentions and retail stores blocking NFC in apparent support of CurrentC. Now news breaks that CurrentC has already been breached. CurrentC has issued the standard response, "We take the security of our users' information extremely seriously."
I guess Google Wallet is not in this app space any longer?
Ironic that as we move towards a cashless society, cash remains the most secure form of payment.
If only we had a mobile payment system that does not require storage of personal information by merchants. Oh wait, we just blocked that one.
When these retailers started turning off NFC.
LOL, they
...do we get to see Jennifer Lawrence's "account balance"?
I hope it fails miserably. If they can't get credit cards right, why the heck would I give them my bank account?
They're blocking Apple Pay and Google Wallet. They aren't competing, they're assholes.
From the article it said email addresses were obtained. Not much of a breach is it?
This time.
In my time we used to wait for a full roll out to break a system. Kids today lack the common courtesy to wait for the big payoff, and now we see the real price. It gives these folks the time to put another band-aid on their hack of a system and try again. You kids should have the decency to wait until it is rolled out to enough places to make a big score. It saddens me to see what has happened to this once great country.
"We take the security of our users' information extremely seriously, but in this particular case, you're all screwed!"
How is that ironic? It would be ironic if the goal of going cashless was improved security, but that is not the goal. The goal is so that the system and the state can track all financial transactions by the masses. There is also a fake "goal" of improved convenience, but that is just lies and spin to garner support towards the real goal.
"We take the security of our users' information extremely seriously."
"We're just no good at it."
(random text here because a smiley on its own line after the above line was losing its newlines and being moved onto the same line as the previous text - i.e. how the page looks in the editor is not how the page looks when rendered, and that's why the smiley is still on this line now and not its own) :-)
This is the problem with a new system like this. Especially one designed to make more money for the retailers, and give them more access to consumer data.
They simply haven't been at this long enough to be trustworthy or competent at it.
And, historically, many of the vendors involved in the creation of this system have been fairly inept at implementing security, and fairly moronic about reporting it when it happens. Or understanding the severity of it when it happens.
So, sorry guys, I'll trust my bank -- because I know they're operating under at least some laws, and I'll trust VISA more than I'll trust you (because they've been at this for a while) ... but I will never use this system if I have a choice.
This is a payment system which is designed to make them more money, and give them more information to consumer information at point of sale. Which means they've primarily focused on those things, and have proven themselves to have done a terrible job at security.
So, what's in it for us consumers? I'd say nothing at all which provides value to us, other than the shiny baubles and discounts they're offering in return for them getting higher profits, and a much more detailed look at how and where you spend your money -- which they don't currently have since the CC processors don't let them have it.
The people making this new system are interested in it for entirely different reasons. Which means everything they do is for their benefit, and not ours.
Lost at C:>. Found at C.
"Security through angry projection"? It ain't workin'.
lost effort, close CurrentC down. this is like LoserMotors buying all the newscast ads on the day the big news is recall of all LoserMotors cars ever made as flimsy firetraps with 100% fatalities within the first 200 miles.
if this is supposed to be a new economy, how come they still want my old fashioned money?
And I imagine it'll suffer the same fate.
Sorry about the mess.
These types of payment systems and cloud computing are just ridiculously insecure. I trust NO ONE but my bank with my bank account details. I trust NO ONE with my data to store it online. I'll gladly pay cash until such time it is no longer legal to do so. I also like screwing the marketers with no tracking data as well. I'm the rude guy who refuses to provide ANY information at the till. You don't need it for cash to change hands.
In this case, I am waiting for CurrentC ;-)
For years, these MCX folks allowed NFC payments, meaning potentially Google Wallet payments. Apple Pay comes out with an EMV based solution, and instantly block all NFC, taking Apple Pay and Wallet down together. So, Google was never seen as a threat, or at least never passing the threshold of needing-to-ban, even after years of use, but Apple is seen as a potential threat from literally Day One.
I wonder why Apple is seen as a threat more? Their network of friends? Number of potential users can't be it - many more Android phones than iPhone 6s. Number of cards already in iTunes? Ease of use (I never even tried Google Wallet)? Did Google leak some of the info back to the retailers where Apple is balking at that info leak?
Just wondering.
The vast majority of coverage on CurrentC is negative – now this. It will be interesting to see how long they keep this thing on life support before pulling the plug. Anything after this would seem like good money after bad.
Everybody in the tech community was already worried about direct access to bank accounts and no fraud protection. How will the consortium behind CurrentC answer the already swirling security concerns when this happens so quickly after members give Apple Pay (and its biometric locks) the boot?
Letter To Iran
We should demand similar protection against ALL electronic charges, whether or not credit was involved. Telephone slamming should be included too. Our bank accounts need protection too. The burden of proof should be on those who are responsible for the installing and maintaining the system. Not the little guys who are users of the system.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
CurrentC is NOT aiming to create a "more secure" payment system. That is obvious!
CurrentC wants a link right into your checking account. Sounds real safe. What happens when there is an issue? How long does it take to fix botched transactions? What liability is there? How happy are the banks going to be working with them?
I'll stick to Apple and Google's model.
It hasn't been breached... they just got a hold of their email mailing list! This is the crappiest bad summary of all crappy bad summaries.
I believe for Google Wallet, it's just an NFC transaction with your credit card. Apple Pay encrypts and transmits the information directly to the banks, so retailers don't get any of that info.
cool frameworks and Languages too!
When are programmers going to wake up and smell the coffee!
You are screwing around with people's money. You cannot just slap the latest cool frameworks together, write 50 lines of connection code and call it a system.
I would be willing to bet that there is a single database credential that has rights to insert/update/delete/select on all the tables in the system and it is stored in some xml file that the web application has access to and if the web application has access to it so do all the people trying to break in.
I cannot begin to count just how many times I have seen the following:
select * from users where id=? and password=?
and that returns everything about the user. Every modern database supports either functions or procedures to do something like:
validate_user(uname,upass);
and it simply returns true or false, 1 or 0 nothing more, nothing less.
Far far too often I hear, let's use [ fill in the blank ] framework because that is what everyone else uses and besides look how much more productive we are! And so it is taken upon nothing more than faith and 90% of the time the people saying vehemently that that is the way to go, understand perhaps 10% of the framework code and don't investigate any further. When you are considering a framework that is 100's of thousands of lines of code that more than likely wouldn't pass the particular language's version of Lint or Bounds or any other validation tool you have already lost the security war.
The people who are actively trying to break into large systems do their homework! They spend weeks or months looking at your generated web code looking for patterns that reveal the underlying frameworks and then comb through that code looking for even the most subtle vulnerabilities and then they make a plan and execute it.
When you are building systems like this if you don't start with security as priority #1, for the entire stack you will lose, it is just a matter of time.
Hey KID! Yeah you, get the fuck off my lawn!
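The contrast drawn in the comment above (a `select *` login query behind one all-powerful database credential, versus a `validate_user` call that returns only true or false), as an added PostgreSQL example that is not part of the original thread. The schema, table and role names and the use of the pgcrypto extension are assumptions; the setup is meant to be run once by a database administrator.

```sql
-- Added example (PostgreSQL). All names here (auth, auth_owner, webapp,
-- users) are assumptions chosen for illustration.

-- Owner of the data: cannot log in, so there is no password to steal.
CREATE ROLE auth_owner NOLOGIN;

-- The only credential the web application ever holds (placeholder password).
CREATE ROLE webapp LOGIN PASSWORD 'placeholder-change-me';

CREATE SCHEMA auth AUTHORIZATION auth_owner;

-- pgcrypto supplies crypt() and gen_salt(); installing it into the auth
-- schema lets the function below refer to it by a fully qualified name.
CREATE EXTENSION pgcrypto SCHEMA auth;

CREATE TABLE auth.users (
    id        bigserial PRIMARY KEY,
    uname     text NOT NULL UNIQUE,
    pass_hash text NOT NULL,   -- bcrypt hash, never the password itself
    email     text NOT NULL
);
ALTER TABLE auth.users OWNER TO auth_owner;

-- The check runs with the owner's rights (SECURITY DEFINER) and hands back
-- a single boolean. An unknown user and a wrong password both give false,
-- so the caller learns nothing else about the row.
CREATE FUNCTION auth.validate_user(p_uname text, p_pass text)
RETURNS boolean
LANGUAGE sql
STABLE
SECURITY DEFINER
SET search_path = auth, pg_temp   -- pin name lookup inside the function
AS $$
    SELECT EXISTS (
        SELECT 1
        FROM auth.users AS u
        WHERE u.uname = p_uname
          AND u.pass_hash = auth.crypt(p_pass, u.pass_hash)
    );
$$;
ALTER FUNCTION auth.validate_user(text, text) OWNER TO auth_owner;

-- Functions are executable by PUBLIC by default; take that away and grant
-- the application role exactly one capability. It gets no table privileges.
REVOKE ALL ON FUNCTION auth.validate_user(text, text) FROM PUBLIC;
GRANT USAGE ON SCHEMA auth TO webapp;
GRANT EXECUTE ON FUNCTION auth.validate_user(text, text) TO webapp;

-- Constructed sample row, inserted by the administrator.
INSERT INTO auth.users (uname, pass_hash, email)
VALUES ('alice',
        auth.crypt('correct horse', auth.gen_salt('bf')),
        'alice@example.com');

-- What the application credential can do.
SET ROLE webapp;
SELECT auth.validate_user('alice', 'correct horse');
SELECT auth.validate_user('alice', 'wrong password');
SELECT auth.validate_user('nobody', 'anything');

-- webapp holds no SELECT privilege on auth.users, so the query pattern
-- from the comment is refused for this role.
SELECT * FROM auth.users WHERE uname = 'alice';
RESET ROLE;
```

With this layout, the credential stored in the web application's configuration file can ask whether a login is valid and nothing more; reading e-mail addresses or password hashes requires compromising a different role.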
Hmmm, if DivX is to Xvid, then CurrentC is CtnerruC? Doesn't have the same ring.
the 1990's DiVX pushed by circuit city with the play once DVD's you can rent
Just CHIP-IN-PIN and be done with it. Tech is amazing at making a mountain out of shit and calling it a better alternative.
Chip-in-pin works with basically every merchant systems, credit card processor, and Bank (or will sooner or later). The fees are dependent on the credit source.
- If the merchant accepts credit cards at all, the credit card fees are built into the cost of the product NO MATTER WHAT (unless they're defrauding the contract of the CC by offering discounts)
- If you pay with debit cards / cash, you pay for the CC fees and it's just more net profit for company
- Liability for CC's are on retailers, and at least recourse, buying limits, and some government insurance on checking accounts
- I'd like my bank / CC provider to send notifications on every purchase made either through email (login to actually view info) or SMS / application
All that's left is the new vacuum of change that is flooding into the credit market to fill their pockets during the current industry volatility caused by the death of magstrip / signature and the rise of internet based buying patterns (significantly increasing). Google/Apple/CurrentC/Amazon/PayPal/etc.. all want their hedge into the market so that they can make money from your purchases. They're not altruistic, and their sole benefit for SOME are convenience (but not for me. I like chip-in-pin).
I see room for existing technologies to evolve (mostly to fix the broken internet buying based security limitations) but I don't see myself using google, apple or anyone else in a retail setting besides a recognized merchant service/(credit card for insulation maybe)/bank because hell, the fees are already there and built in, so I may as well use what I'm being charged for anyways, plus I get the reassurance that I know it works (and has for a very long time).
Bye!
CurrentC Spokesman: Hello everyone, We're CurrentC. Screw Apple Pay and its 1 million users! We're gonna go head-to-head with a major technology company using our tried and true 40 year old technology. Sure, all of our members have had huge data breaches in the past year but we're serious about it now and we're doing it right, for you, our customer. Trust us!
Spectator: Umm, you dropped something there -points at ground-
CurrentC Spokesman: Awww, Mother Pussbucket #*@^% #$)!( , @*!))(!
Warning: Teh poster of this messaeg is lysdexic
They are exactly the same thing. As are the NFC transponders directly in many credit cards.
Those hackers could have been sitting on a gold mine if they could just keep it in their pants. ah well, better luck next time. hope you left some decent rootkits to get back in.
CurrentC: I'd suggest you format all machines and reload all modable firmware. curious, does it suck more this way? or if and when you have customers?
Apple: it's time to crush this insolence while the iron is hot, play up your security, i hear it's ironclad, better than android.
Visa: when the hell are those pin based cards coming?! don't you hear the horde of startups clamoring up your walls?
Was referring to DIVX, instead of DivX, how confusing.... http://en.wikipedia.org/wiki/D...
Sorry about the mess.
Right... the Apple Marketing machine is in overdrive.
Yes, that is what I was referring to... http://en.wikipedia.org/wiki/D...
Sorry about the mess.
My understanding is that even on NFC-equipped Android phones, Google never had a proper deployment strategy; they only partnered with a few card issuers, they didn't really work with any merchants to get them on board, Verizon blocked their app on their phones, it was only limited to the US, etc.
Over that first weekend, we know now that ApplePay adoption was in the millions, and in those first few days CVS probably saw this deluge of NFC transactions and were like, the jig is up, the train is leaving the station, and if we continue to allow NFC transactions through the 2014 Christmas season the Payments War will be over and CurrentC won't have even been a contender.
Don't blame me, I voted for Baltar.
The credit card companies don't allow stores to charge more for a cc transaction.
At least here in North Carolina, as well as in Virginia, and in Kansas, I've seen chains of gas stations that have a "cash price" (also the price that you get if you use the chain's own brand credit card) and a higher price (usually about 8 to 10 cents higher per gallon) if you use a major Credit Card. I don't see Visa doing anything to prevent this. In fact, the law was changed recently at the federal level to explicitly allow merchants to tack on a credit card processing fee, although many major merchants such as WalMart have said so far that they will not do that (although one has to suspect that the politicians who passed this were motivated to do so by someone with an interest in doing it).
I'm an American. I love this country and the freedoms that we used to have.
Yeah I have actually been asked why I was being an asshole about not providing my phone number every time I went to lowes. I turned that right around on them and asked why they were being an asshole and attempting to track my purchases.
Inconceivable!
That is all.
they just got a hold of their email mailing list
From registered email addresses, you can get things like home address/phone number, and lots more data that may be of interest.
Basically the breach got a bunch of primary keys they can use to get something more juicy later.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Would you consider home address, and phone number also to be a bit of a breach?
Because you can get those and a lot more with just the email address and a call to the CurrentC web service.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Ease of use.
Especially one designed to make more money for the retailers, and give them more access to consumer data.
Retailers are not making money from this service. In fairness, a retailer does not make more money from a credit card company either. The people making money from these services are in essence middlemen acting as the proverbial money changer and money lender.
That's not to claim retailers get nothing from the arrangement. They don't have to carry cash every day to deposit in the bank, and "skimming" is much less of an issue. For a retailer, it's probably worth the few percent on every transaction to be paid.
Retailers, for the most part don't care about the data aspects either. Sure, the mega stores do.. but.. they tend to creep people out already.
How this works with these secondary services is not the same arrangement, and as you claim "their benefit" is all that's considered. Making the issue more severe is the fact that these newer services lack the protections of the established services.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
Giving your personal info to someone in order to spend money is archaic. It is only necessary because these systems equate spending money with giving your password. Use bitcoin or some other cryptocurrency.
Because Google Wallet and Apple Pay work in opposite ways.
For a retailer to support Google Wallet, they need to work with Google and their merchant processor to support Google Wallet. Because what really happens is the transaction details are forwarded to Google who then charges your payment method (credit card, debit, Paypal, bank account, etc). This is why Google knows everything about your transaction whenever you use Google Wallet. (Basically Google gets to know everything about what you're buying).
Apple Pay is nothing more than EMV so it's just an electronic credit card. Once you register your card through Apple Pay, Apple is no longer in the transaction. As long as the retailer takes credit cards, and has an NFC reader, Apple Pay will work. Most of the retailers listed by Tim Cook? They did diddly squat to support it. They just had working readers and probably someone came over and tried it and was successful.
Because to support Apple Pay means you need an EMV compatible terminal (swipe, chip+pin, NFC) and processor, and because of October 2015 legislation, people are supporting it by default since practically all new terminals have it. So all a retailer needs to do to get Apple Pay support is make sure their hardware (terminals) is upgraded (which they're doing anyways over the next year) and their processor supports EMV (which if they're doing chip+pin, they're going to have support for).
However, for Apple Pay to work, Apple needs to work with banks to ensure when a user scans a credit card, they can get a token assigned in its place (the token is private between the user and the bank, and is basically just an index so the bank can determine who to bill).
So Google Wallet requires no effort by banks, etc., and effort by retailers to support. Apple Pay only requires hardware updates they're doing anyways which is minor, but effort by the banks to support EMV.
That's why Google Wallet's penetration has been low - there are probably more retailers that support Bitcoin than Google Wallet just because. (Though if your processor is adding support for Bitcoin, they probably have Google Wallet support as well).
For Apple Pay, because for retailers it "comes for free", which means its market penetration is far higher than what Tim Cook had in his presentation. Because retailers who already have NFC terminals practically already support EMV and that makes them Apple Pay compatible with zero effort.
So retailers may be inadvertently supporting Apple Pay when they don't want to because Apple Pay just shows up as a credit card.
>>It is not due to any magnanimity or kindness of the credit card companies or the banks
They have no problem limiting liability to the credit card owner, because the merchant retailers are the ones that bear the costs.
I agree that a better system is needed, but pushing more costs out to the merchants isn't a great solution on its own. If someone makes a fraudulent purchase with your card, and you report it, the money is taken from the merchant, then an additional "chargeback fee" is also taken from them, and of course...the merchandise is long gone. There is almost no financial impact to the credit card companies or banks, even though they are the only ones able to effect change.
Increased protection for consumers would be best implemented by rolling out some technology more sophisticated than a 16 digit number printed in plaintext.
What timely hack, makes one wonder.
"If any question why we died, Tell them because our fathers lied."
http://usa.visa.com/personal/get-help/checkout-fees.jsp
"Surcharging isn't allowed everywhere. Currently, there are laws limiting surcharging in: California, Colorado, Connecticut, Florida, Kansas, Maine, Massachusetts, Oklahoma, Texas and Utah."
"Visa's Operating Regulations also continue to prohibit surcharging outside the U.S. unless there is a local law or variance that requires merchants be permitted to engage in the practice."
There's also no easy way to be granular about it. Some credit cards (especially debit cards used as a credit card) present relatively low costs back to the retailer, others (like reward cards, Amex, etc) present much higher costs.
The other thing CurrentC seems to have goofed on is that there is no way in hell this system will ever see the light of day outside the USA.
The USA may still live in the backwater side of banking where people still commonly pay for groceries by cheque, but in the rest of the world the idea of giving a third party your bank account information is quite foreign nowadays. There is absolutely no way in hell I would ever use this system, and if someone at Walmart asked me for my chequeing account information I would laugh in their face.
DivX and DivX ;-) were a pun on CC's misguided DIVX.
I think it's an appropriate association and for people who think CurrentC or its future incarnations is a bad idea should associate it with DIVX.
"CurrentC, the DIVX of the 21st century."
Does anyone know where I can order some high-quality clown shoes, preferably with some amount of customization options?
I'd like to start mailing pairs of bright, ostentatious clown shoes to idiots who fuck up royally. Everything from shit like this to politicians who say stupid shit or get caught lying and cheating to Ubisoft and Microsoft dicking around with shitty parity clauses.
they only partnered with a few card issuers
They didn't partner with any card issuers; you can use any credit card with Google Wallet. The way it works is that you're actually paying with a Google-issued MasterCard debit card, then Google charges whatever credit card you gave them on the back end, so there are no restrictions.
they didn't really work with any merchants to get them on board
Untrue.
Verizon blocked their app on their phones
That was true for a while, but hasn't been true for about two years now.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Nobody uses Google Wallet. Number of users is definitely it. Just because some Android devices have NFC doesn't mean that many people use it. I have never seen someone use NFC from an Android phone for a purchase. Mine doesn't even have NFC. The Android ecosystem is too fragmented and isn't the status symbol that Apple is. I haven't seen Google Wallet marketed the way Apple has either. I see Apple pay in the news nonstop. I think it will take Apple to push NFC payments forward. Google wallet will benefit as a result.
And then there's this:
"Tim Cook revealed last night that iPhone owners added 1 million credit cards to Apple Pay in the first 72 hours after the service’s launch. The response has been unprecedented and Visa and MasterCard have announced that Apple Pay already accounts for more mobile wallets than every other option combined."
http://www.cultofmac.com/301040/war-apple-pay-explained/
"CtnerruC" suggests something of Cthulhu to me. That doesn't so much "ring" as "slither".
FYI, it's "Chip and PIN". I'm not even sure how they would put a chip in your Personal Identification Number.
I know it's not all cool and stuff like NFC and swiping your phone, but you can get a Wallet card that works like a prepaid debit card as well. It is extremely handy for being able to provide a distant someone money, as they can keep the card (which can only access the funds in your Wallet), and you can push money into the Wallet as necessary.
Plus, all the new rage is using Wallet to buy quasi-legal substances.
Not to defend CurrentC (I'm not), but I read that in order to be a part of the MCX consortium a retailer had to sign a three year contract not to use any other mobile pay system. I wouldn't be surprised if this played some part in turning off Apple Pay functionality.
Not to say that would also explain why Google Wallet was accepted up until Apple Pay went live...because it doesn't...
The NSA: The only part of the US government that actually listens.
But they don't. They have paid off the politicians and are legally looting from small players.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
It seems that the hoo-hah about CurrentC is local to the USA; I'd never heard of it until this week. Here in Australia most retailers have installed paywave terminals in the last 18 months - it's now almost ubiquitous alongside chip and pin terminals. In fact, it's so ubiquitous that it's becoming a minor annoyance when a retailer hasn't got it yet. I do think that it has reached the point of maximum convenience really - getting your card out and waving it at a terminal is probably about the minimum effort it's ever going to be. Even getting out your phone instead is slightly MORE effort, as it involves (in the case of the iPhone anyway) the extra step of authenticating using the fingerprint scanner. That additional step might be acceptable as it adds a layer of security that your card doesn't have.
However, from what I've read about CurrentC, there's no way that it's going to get any traction. It's nowhere near as convenient and it seems it's nowhere near as secure. It's also conflicted in that it's trying to be attractive to the retailer as well as the consumer - those things can't be easily reconciled. But the killer is that paywave is already here and people are already getting used to that degree of simple convenience - anything that goes backwards now is never going to be popular. The horse has bolted, CurrentC is trying to close the stable door. The fact that some retailers have been forced to turn off paywave because they signed up to support CurrentC betrays their thinking: we know paywave is far more convenient and we haven't got a hope in hell if people get used to it, so let's pretend it never happened.
If I had anything to do with CurrentC, I would be packing my things.
I do hope that this does happen. If my card all of a sudden was putting through a credit-maxing transaction it would send off all sorts of alarm bells at my CC company. If there is one entity that could shut this whole civil forfeiture sh**t down (Jesus Christ America, how is this even a thing) it would be the banks.
I don't think the cops could coerce you into getting your signature or PIN, but they could take your card. You would just have to dispute the $30,000 dollar transaction and let the bank have fun with the police department.
Using a software-only alternative with the consumers' own bank accounts instead of NFC hardware protections with credit card accounts.
CurrentC is DOA.
Someone mod up, GP doesn't know what he's talking about. And sorry to see GWallet floundering. After living with Paypal for over a decade, certainly we've learned something about having competition=good. The more the merrier.
Google failed at advertising the product. You could use any card with Google Wallet and any NFC reader. They didn't need to set up deals like Apple Pay did.
Unfortunately there are a LOT of phones out there which have been capable of mobile payments for years but people have no clue.
I don't think that is right.
Google Wallet was never supported in Australia, none the less you could jump through hoops (till they closed the hole) and get it working on compatible Android phones. Back when it was working it worked everywhere I could find an NFC reader from big merchants to small butchers. It literally worked everywhere I tried it.
NFC transponders in current CC still allow you to get names and full numbers similar to regular stripes. There is plenty of code for reading it online.
Custom electronics and digital signage for your business: www.evcircuits.com
I dunno, so why do you think the uptake on Google Wallet has been so poor? I think the other fella down there has a good point -- they never properly marketed the thing.
NB. Swillden is either an employee or has an "It's Complicated" relationship status with Google Inc.
Don't blame me, I voted for Baltar.
Is it still alive? There were rumors GOOG was going to turn off the project.
They are not the same thing. While similar and while both use NFC that's about where the similarities stop: http://arstechnica.com/gadgets...
I had Google Wallet on my last phone (Evo 4G LTE) and used it a couple times when I got my phone. I stopped using it because it wasn't any more convenient than grabbing a credit card out of my wallet. I had to unlock my phone, find the Wallet app, type in a PIN code, and then tap my phone to the reader. Sometimes it would work, sometimes it wouldn't, sometimes it'd crash.
I've heard rumors that the experience has gotten better, but I no longer have a phone that I can try it out with.
I dunno, so why do you think the uptake on Google Wallet has been so poor?
Because Google never advertised or promoted it to users.
Swillden is either an employee or has an "It's Complicated" relationship status with Google Inc.
If you look at my /. user page, you'll see I'm an employee. However, that really has nothing to do with my comments, except that since I worked on some of the Wallet supporting infrastructure I'm more familiar than most with how it works and how it evolved.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
To answer my own question, my best guess is Data.
Ever notice how sometimes they ask you what your zip code is AFTER your transaction goes through? What's the likelihood that your name (as read from your credit card, Track 1) is near unique in your area code (I think I'm unique in my state). So they can associate your purchases with you, those points cards notwithstanding. If Google Wallet uses a single credit card, then they can do much the same thing, just lose the name info but can still profile you.
But, now you have pseudo-random credit card numbers with EMV/ApplePay. They can't track you using credit card numbers.
So what is good for you (changing credit card with essentially one time credit card numbers, for security and privacy) becomes bad for the merchant (they can't track you across purchases).
On a side note, check out news about Acxiom. I had a friend work there, and I'm glad they're gone. They can tie a huge amount of info to you, a scary amount.
Is the below not believable?
Provide consumers with multiple ways to pay at their favorite merchants, including merchant gift cards, credit cards and debit accounts and personal checking accounts. MCX has plans to add additional forms of payment, including credit cards.
Well I would switch over when they have the creditcard option.