Slashdot Mirror
Apple Pay Competitor CurrentC Breached
tranquilidad writes "As previously discussed on Slashdot, CurrentC is a consortium of merchants attempting to create a "more secure" payment system. Some controversy surrounds CurrentC's requirements regarding the personal information required, their purchase-tracking intentions and retail stores blocking NFC in apparent support of CurrentC. Now news breaks that CurrentC has already been breached. CurrentC has issued the standard response, "We take the security of our users' information extremely seriously."
It isn't alleged-- TFA states CurrenC sent out a notice saying email addresses were compromised.
Wait until the cops decide that "credit limit" equals "cash on hand".
"How much credit do you have on that there credit card, sir?"
"Um, $28,839.54"
"I have reasonable suspicion that you used your credit to purchase cocaine, online child pornography and uninspected beef steaks. Please hand it over."
The world's burning. Moped Jesus spotted on I50. Details at 11.
In my time we used to wait for a full roll out to break a system. Kids today lack the common courtesy to wait for the big payoff, and now we see the real price. It gives these folks the time to put another band-aid on their hack of a system and try again. You kids should have the decency to wait until it is rolled out to enough places to make a big score. It saddens me to see what has happened to this once great country.
"CurrentC Allegedly Breached" would have been a more appropriate headline, that also doesn't necessarily expose anyone to a lawsuit if it turns out to be bullshit.
Did you read the fine article? MCX confirmed that "unauthorized third parties obtained the e-mail addresses of some of our CurrentC pilot program participants and individuals who had expressed interest in the app." They also sent emails notifying their users, No "allegedly" needed; it's not bullshit.
This is the problem with a new system like this. Especially one designed to make more money for the retailers, and give them more access to consumer data.
They simply haven't been at this long enough to be trustworthy or competent at it.
And, historically, many of the vendors involved in the creation of this system have been fairly inept at implementing security, and fairly moronic about reporting it when it happens. Or understanding the severity of it when it happens.
So, sorry guys, I'll trust my bank -- because I know they're operating under at least some laws, and I'll trust VISA more than I'll trust you (because they've been at this for a while) ... but I will never use this system if I have a choice.
This is a payment system which is designed to make them more money, and give them more information to consumer information at point of sale. Which means they've primarily focused on those things, and have proven themselves to have done a terrible job at security.
So, what's in it for us consumers? I'd say nothing at all which provides value to us, other than the shiny baubles and discounts they're offering in return for them getting higher profits, and a much more detailed look at how and where you spend your money -- which they don't currently have since the CC processors don't let them have it.
The people making this new system are interested in it for entirely different reasons. Which means everything they do is for their benefit, and not ours.
Lost at C:>. Found at C.
I was thinking along those same lines - they compared CurrentC to ApplePay. But, there is another player in field which meets the needs of Android users much as ApplePay for iOS does.
Both ApplePay and Google Wallet protect the consumer and keep them in mind such as by using the protections afforded in the use of a credit card. CurrentC is focused on the mercantile experience and puts all liability for fraudulent transactions squarely on the consumer. Using CurrentC, with its direct access to your checking and bank accounts as well as to your health information, you entire identity could be stolen along with your life savings. This breach highlights why they should not be trusted with your information even if no financial data was compromised this time around (they aren't live yet, right?).
Of course, Apple and Google can shut CurrentC down before they even get out of the starting gate - simply ban them from the app stores. This would prevent the software from being installed on anything iOS other than a jailbroken device. And, if Google choose not to allow it in the store, the only means to install it would be a side-install. Without an ability to have the consumer to install it, it will die pretty quick. Merchants would be forced to reconsider their strategy or face more competition from those merchants who demonstrate a willingness to protect the consumer and use one of the more anonymous systems such as ApplePay or Google Wallet.
As for merchants who say they won't accept credit cards - they do so at their own risk. To me, the smarter move would have been to work with Apple and Google and develop a system that meets merchant needs while protecting the consumer AND get it installed on the widest range of machines. Or, maybe, just rethink their business model.
And I imagine it'll suffer the same fate.
Sorry about the mess.
With the compromised emails floating around, who knows who REALLY sent out the notice. ;)
My God can beat up your God. Just kidding...don't take offense. I know there's no God.
For years, these MCX folks allowed NFC payments, meaning potentially Google Wallet payments. Apple Pay comes out with an EMV based solution, and instantly block all NFC, taking Apple Pay and Wallet down together. So, Google was never seen as a threat, or at least never passing the threshold of needing-to-ban, even after years of use, but Apple is seen as a potential threat from literally Day One.
I wonder why Apple is seen as a threat more? Their network of friends? Number of potential users can't be it - many more Android phones than iPhone 6s. Number of cards already in iTunes? Ease of use (i never even tried Google Wallet)? Did Google leak some of the info back to the retailers where Apple is balking at that info leak?
Just wondering.
We should demand similar protection against ALL electronic charges, whether or not credit was involved. Telephone slamming should be included too. Our bank accounts need protection too. The burden of proof should be on those who are responsible for the installing and maintaining the system. Not the little guys who are users of the system.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
I don't believe those two things can be reconciled.
The merchants want all of your data, and want to be able to operate with zero liability.
The consumers want security and privacy.
The people developing CurrenC are pretty much at odds with what consumers actually need. Which means this system can never be fixed or trusted, because it's not designed for that.
It's designed to make them more money, and get them more analytics. They don't give a rats ass about the consumer.
They want to be like PayPal ... act like a bank, with none of the liabilities of being a bank, and none of the responsibilities.
This is sort of like trusting the mob to be your financial advisors ... there's pretty much no win for the consumers here.
Lost at C:>. Found at C.
After all, you can bet Google and Apple will try to resell ads and intelligence to the highest bidders, whoever those bidders might be, based purely on the data of the purchase history inside those stores.
No, you can bet Google will, and Apple will not.
This is a company that requires your social security number and full bank info for an account. Any bit of nerves about that is bad. Even just emails, it's bad. That and spear-phishing (shudder, I hate that term) emails are gonna cause more chaos. Also, maybe the emails is all we know about? If i hacked a payment processor, with the potential of getting payment info, SS numbers, and bank account numbers, Id keep that under my hat as I slowly drain things, no need to call the press on that. This is bad bad bad.
ApplePay allows you to give a credit card, which already has fraud protection on it. A couple orders of magnitude of peace of mind. Which would you pick?
My understanding is that even on NFC-equipped Android phones, Google never had a proper deployment strategy; they only partnered with a few card issuers, they didn't really work with any merchants to get them on board, Verizon blocked their app on their phones, it was only limited to the US, etc.
Over that first weekend, we know now that ApplePay adoption was in the millions, and in those first few days CVS probably saw this deluge of NFC transactions and were like, the jig is up, the train is leaving the station, and if we continue to allow NFC transactions through the 2014 Christmas season the Payments War will be over and CurrenC won't have even been a contender.
Don't blame me, I voted for Baltar.
No, see, that's where you're wrong.
The entire CurrenC system is designed to give merchants more access to your data. This is from TFA:
And if you really trust a merchant created system to respect your wishes and not track you, you're hopelessly naive.
Wait, what?
So which is it? They don't want my data? Or they want my data so they can sell it and make even more money?
Lost at C:>. Found at C.
That'd probably raise some anti-trust issues, though.
Given CurrentC's complete tone-deafness about what consumers actually want in a mobile payment system (easy, secure, private, pick none?), the best strategy Apple and Google could choose is to keep pushing their respective solutions and ignore CurrentC entirely.
Log in or piss off.
why is parent not modded funny?
Because people who actually pay attention have noticed that Apple has been making privacy protection an important, heavily promoted, feature to help distinguish their products in the market. People who actually pay attention have noticed Apple's description of the lengths to which Apple Pay goes to be secure, and to provide NO tracking information. But go ahead and bash away if it somehow makes your day a little more tolerable ;-)
Because Google Wallet and Apple Pay work in opposite ways.
For a retailer to support Google Wallet, they need to work with Google and their merchant processor to support Google Wallet. Because what really happens is the transaction details are forwarded to Google who then charges your payment method (credit card, debit, Paypal, bank account, etc). This is why Google knows everything about your transaction whenever you use Google Wallet. (Basically Google gets to know everything about what you're buying).
Apple Pay is nothing more than EMV so it's just an electronic credit card. Once you register your card through Apple Pay, Apple is no longer in the transaction. As long as the retailer takes credit cards, and has an NFC reader, Apple Pay will work. Most of the retailers listed by Tim Cook? They did diddly squat to support it. They just had working readers and probably someone came over and tried it and was successful.
Because to support Apple Pay means you need an EMV compatible terminal (swipe, chip+pin, NFC) and processor, and because of October 2015 legislation, people are supporting it by default since practically all new terminals have it. So all a retailer needs to do to get Apple Pay support is make sure their hardware (terminals) is upgraded (which they're doing anyways over the next year) and their processor supports EMV (which if they're doing chip+pin, they're going to have support for).
However, for Apple Pay to work, Apple needs to work with banks to ensure when a user scans a credit card,, they can get a token assigned in its place (the token is private between the user and the bank, and is basically just an index so the bank can determine who to bill).
So Google Wallet requires no effort by banks, etc., and effort by retailers to support. Apple Pay only requires hardware updates they're doing anyways which is minor, but effort by the banks to support EMV.
That's why Google Wallet's penetration has been low - there are probably more retailers that support Bitcoin than Google Wallet just because. (Though if your processor is adding support for Bitcoin, they probably have Google Wallet support as well).
For Apple Pay, because for retailers it "comes for free", which means its market penetration is far higher than what Tim Cook had in his presentation. Because retailers who already have NFC terminals practically already support EMV and that makes them Apple Pay compatible with zero effort.
So retailers may be inadvertently supporting Apple Pay when they don't want to because Apple Pay just shows up as a credit card.
CurrentC is Walmart. It is not Google nor Apple.
The sooner we figure out a way to cut out credit card processors from the purchase experience the better.
I really like the fraud protection my credit card offers me. Totally worth the effective 2% tax on the price of goods. Debit cards aren't the same. I haven't been impressed with PayPal, and have no reason to try the Apple/Google/MS/Startup offerings - CCs work fine.
Socialism: a lie told by totalitarians and believed by fools.
That'd probably raise some anti-trust issues, though.
Whats good for the goose is good for the gander. CurrentC stores in the CurrentC consortium (thats what it is, regardless of what they call it) are actively blocking NFC cards, one of which allowed it to occur for a period of time and then when a competitor hit the market before them, they actively worked to disable the ability to use the service.
Any sort of anti-trust issue that arises from Google and Apple banning their apps is the same as CurrentC users banning the use of NFC. They lost this battle when they took active steps to stop a working system. They might have had an argument about 'not upgrading to equipment with NFC' for various reasons, but thats not what they did. CVS has NFC capable equipment and WAS accepting it, then turned it off.
They (CurrentC) loses
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager