After Touting Security, Privacy Controls, MCX/CurrentC Hack Exposes Customer Email Addresses

It appears that all the hoopla surrounding Apple Pay and members of the Merchant Customer Exchange (MCX) is just getting started. Shortly after Apple Pay launched early last week, reports began to pour in that MCX merchants CVS and Rite Aid were disabling the NFC functionality on their registers to block Apple Pay customers (with Google Wallet customers being another victim of the ploy).
Walmart, the largest member of MCX, issued a statement touting the benefits of CurrentC over its new competition earlier this week that read in part:
  Ultimately, what matters is that consumers have a payment option that is widely accepted, secure, and developed with their best interests in mind. MCX member merchants already collectively serve a majority of Americans every day. MCX’s members believe merchants are in the best position to provide a mobile solution because of their deep insights into their customers’ shopping and buying experiences.  
Well, it looks as though MCX may have a bit of damage control on its hands now, as the “secure” part of its pilot program for CurrentC has come under fire. MCX issued a statement today indicating that the email addresses of participants in its pilot CurrentC program have been obtained by third parties.

The statement reads in full:
  Thank you for your interest in CurrentC. You are receiving this message because you are either a participant in our pilot program or requested information about CurrentC. Within the last 36 hours, we learned that unauthorized third parties obtained the e-mail addresses of some of you. Based on investigations conducted by MCX security personnel, only these e-mail addresses were involved and no other information.
In an abundance of caution, we wanted to make you aware of this incident and urge you not to open links or attachments from unknown third parties. Also know that neither CurrentC nor Merchant Customer Exchange (MCX) will ever send you emails asking for your financial account, social security number or other personally identifiable information. So if you are ever asked for this information in an email, you can be confident it is not from us and you should not respond.
MCX is continuing to investigate this situation and will provide updates as necessary. We take the security of your information extremely seriously, apologize for any inconvenience and thank you for your support of CurrentC.  
The timing of this hack is quite comical for two reasons. First, it comes just hours after MCX posted a FAQ to its website to dispel some of the myths that have been floating around regarding CurrentC and its security. “Consumers’ privacy and data security are our top priorities,” said MCX’s Dekkers Davidson. “CurrentC will empower consumers and merchants to make informed decisions regarding how information can be shared through our privacy dashboard.”
“On the data security side, the technology choices we’ve made take consumers’ security into account at every aspect of their core functionality.”
Secondly, the breach comes shortly after iOS and Android users banded together (yes, you just read that correctly) via Reddit to inundate the CurrentC Android/iOS apps with one-star reviews in retaliation for MCX merchants disabling NFC functionality on registers.

“Human sacrifice, iOS and Android users working together, mass hysteria.”

Could some of these same Redditors be responsible for the MCX/CurrentC security breach? If iOS and Android users can come together to fight a common enemy, then we guess anything is possible…
