
CurrentC Has Been Hacked, Testers’ Email Addresses Stolen - Jeremy1026
http://techcrunch.com/2014/10/29/retailer-backed-apple-pay-rival-currentc-has-been-hacked-testers-email-addresses-stolen/
======
steakejjs
This is a big problem I've noticed with startups. Stupid web vulns are
EVERYWHERE.

I've reported so many serious web vulnerabilities to startups it isn't even
funny (4-5 S14 YC batch alone). Account hijacks, XSS, SQLi. Everywhere.

If you are starting a startup (or writing any web software), PLEASE
read OWASP to at least get an idea of what types of issues can exist in Web
Applications. Their top 10 is a good place to start
([https://www.owasp.org/index.php/Top_10_2013-Top_10](https://www.owasp.org/index.php/Top_10_2013-Top_10))

~~~
potatolicious
Worse than the stupid web vulnerabilities of the sort you mention, many
startups don't even practice a modicum of best practices.

My coworkers recently tried a new New York-based food delivery startup and
found that their auth wasn't even HTTPS. Forget XSS or SQLI, this is basically
propping your front door wide open with a sign "please take whatever you
want".

Worst part is when we emailed them they tried defending the use of HTTP for
auth. Took a bit of convincing to get them to take us seriously.

There are a _lot_ of startups out there whose security practices aren't just
deficient, they're straight up amateur hour.

~~~
tcas
I think I know the food delivery service you're talking about (free delivery,
no tips). They use Stripe as their processing backend, and they said that
their connection to Stripe is over HTTPS, however, I gave up trying to explain
that if the initial transmission to their servers is unencrypted, it doesn't
matter.

I thought about reporting this to Stripe, but I don't know if that is an
appropriate thing to do.

I still gave them a try, but I generated a virtual card number to use.

~~~
kansface
If the form is POSTed directly to stripe (which is the recommended usage),
your info is never seen by a third party. The site in question would only
potentially store a token. Are you sure this wasn't the case?

~~~
__david__
If the form itself was delivered over http then it doesn't matter. An attacker
could easily change the POST address to something else. And how could you even
tell? Browsers don't display the URL that a submit button is going to POST
to...

~~~
dasil003
Of course if an attacker can MitM any HTTP web page on a site (i.e. if a site
is not all SSL) then it really doesn't matter if they serve the form over
HTTPS because the attacker can set up another form over HTTP and the victim
will be none the wiser.

And then there's the possibility of XSS in which case neither lack of MitM
access or use of HTTPS will be sufficient protection.

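The point made across the last few replies (a form served over plain HTTP cannot be trusted to post where it claims, even if the action is an HTTPS tokenization endpoint) is easy to check mechanically. The following is an added example written for this page, not code from any site or company in the thread: it parses a page's forms and flags any form whose page or resolved action is not HTTPS, escalating to "credential exposure" when the form carries a password field. The sample HTML, hostnames and URLs are constructed for the demonstration.

```python
"""Audit a page's forms for the cleartext-auth failure described in the thread.

Added example (not from the original thread). Sample page, URLs and host
names below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class FormCollector(HTMLParser):
    """Collect every <form> on a page and whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []       # each entry: {"action": str, "has_password": bool}
        self._current = None  # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "",
                             "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(page_url, html):
    """Return a list of human-readable findings for the forms on a page.

    Two rules, both taken from the thread's argument:
    1. If the page itself arrived over http://, every form on it is suspect,
       whatever its action says: a man in the middle could have rewritten it.
    2. A form whose resolved action is not https:// submits its fields in the
       clear.
    A form with a password field is reported as credential exposure; any other
    affected form as a cleartext form.
    """
    collector = FormCollector()
    collector.feed(html)
    page_scheme = urlparse(page_url).scheme
    findings = []
    for index, form in enumerate(collector.forms):
        # A missing action means "post back to the current page".
        action = urljoin(page_url, form["action"]) if form["action"] else page_url
        action_scheme = urlparse(action).scheme
        problems = []
        if page_scheme != "https":
            problems.append(f"page delivered over {page_scheme}, "
                            "form action cannot be trusted")
        if action_scheme != "https":
            problems.append(f"form posts over {action_scheme} ({action})")
        if problems:
            severity = ("credential exposure" if form["has_password"]
                        else "cleartext form")
            findings.append(f"form {index}: {severity}: " + "; ".join(problems))
    return findings


# Constructed sample: a login form posting back to the site, and a card form
# posting straight to a (fictional) tokenization endpoint over HTTPS.
SAMPLE_PAGE = """
<html><body>
<form action="/login" method="post">
  <input name="email"><input type="password" name="pw">
</form>
<form action="https://tokens.payments.example.test/v1/tokens" method="post">
  <input name="card_number"><input name="cvc">
</form>
</body></html>
"""
SAMPLE_URL_HTTP = "http://shop.example.test/login"
SAMPLE_URL_HTTPS = "https://shop.example.test/login"

if __name__ == "__main__":
    for url in (SAMPLE_URL_HTTP, SAMPLE_URL_HTTPS):
        print(url)
        for finding in audit_forms(url, SAMPLE_PAGE) or ["no findings"]:
            print("  " + finding)
```

Run against the HTTP URL, the card form is still flagged even though it posts to an HTTPS endpoint, which is exactly the objection raised above: the fix is to serve the page (and in practice the whole site) over HTTPS, not to point the action somewhere encrypted.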
------
jfb
Straight from the horse's mouth [1]:

"On the data security side, the technology choices we’ve made take consumers’
security into account at every aspect of their core functionality. We want to
assure you, MCX does not store sensitive customer information in the app.
_Users’ payment information is instead stored in our secure cloud-hosted
network_. Removing this sensitive information from the mobile device
significantly lowers the risk of it being inappropriately disclosed in a case
that the mobile device is hacked, stolen or otherwise compromised."

There are simply not enough faces to palm.

[1] [http://www.mcx.com/blog/answers-to-your-questions/](http://www.mcx.com/blog/answers-to-your-questions/)

~~~
higherpurpose
It's funny that they say that, considering that storing tens or hundreds of
millions of credit card information or e-mail addresses in the "cloud"
represents a _much_ higher risk than storing everything locally, in a secure
enclave in devices, with little to no exposure to the OS, the way Apple does
it, in terms of potential for total damage.

~~~
jonknee
The worst part is that they aren't even going to store credit card details
because they aren't launching with credit card support. They want to tie into
your checking account and do ACH! (This being the big pitch to the retailers,
not only can you track across stores but you can forget about credit card
fees). This is an instant fail company.

~~~
meepmorp
> This is an instant fail company.

This is a project largely driven by Walmart with some buy in from other
merchants. Walmart has recently announced it'll provide low cost checking
accounts to its customers[1]. Walmart's profits are basically driven by volume
and beating up their vendors for low prices so they can in turn sell to
customers at low prices - the margins are razor thin. Cutting out 2-3% from
credit card fees has got to look attractive.

I'd never touch this product, because it's got shitty implementation and
security written all over it, but I'm not so sure if it'll be instant fail or
not. If they offer a portion of what they save in credit card fees in flat
discounts to people, they might be able to make it work.

Of course, I don't really see what non-Walmart merchants are gonna get out of
this. Helping them improve their margins seems like it'd only make things
worse for places like Target or grocery stores.

[1] [http://www.nytimes.com/2014/09/24/business/finding-a-door-in...](http://www.nytimes.com/2014/09/24/business/finding-a-door-into-banking-walmart-to-offer-checking-accounts.html)

~~~
CamperBob2
So far, what I've heard about CurrentC reminds me of Circuit City's failed
attempt to push their proprietary pay-per-view DVD scam.

Like any number of similar schemes, up to and including Microsoft's attempt to
force-feed Metro to desktop users, it's all about what the company wants,
rather than what the consumer wants. That always works out _so_ well for the
company.

~~~
meepmorp
> it's all about what the company wants, rather than what the consumer wants.

This is definitely true, but I'm not sure how much it matters.

I, as a consumer, definitely prefer using credit cards because of the
protection it affords me, plus I get rewards for what I buy - I never use a
debit card to pay for things. I'm also a bit leery of the marketing
surveillance state that's cropped up in the US over the past few years, and a
scheme like this sets off alarm bells immediately. And I'm sufficiently well
off that I'm unlikely to be enticed to try it out just to get some discounts.

But I'm also not a typical consumer. I could see where - if properly and/or
luckily done - this might appeal to a not insignificant number of people. If
I'm getting a bank account at Walmart, it's likely because I have difficulty
getting one somewhere else. Those discounts might seem more attractive to me.
Maybe you could argue that's the type of consumer who's also less likely to
pay with their phone (or have a phone capable of handling the payments).
Dunno, but it seems like even though nobody particularly wants this, it could
work because there's a lot of folks who might not dislike it enough to make a
difference. DIVX failed because the idea of DVDs that are single use is just a
blatant cash grab. It's less obvious here, from the consumer's perspective.

My gut says clusterfuck, though.

EDIT: added a sentence.

~~~
jfb
I find it hard to believe that the consumer benefits of CurrentC (pretty much
just that it works on phones without NFC) outweigh the PITAness of the system.
A Walmart-issued card could be directly linked to a Walmart account and people
inside that closed ecosystem that bypassed the credit card companies (saving
Walmart that precious 2%) would be _easier_ and _safer_ using a Walmart card
than CurrentC, at least as currently described.

It looks to me like a very expensive way for some midlevel executive at
Walmart to collect huge bonuses for a few years and then get fired after
burning through billions with no appreciable change in the mix of payment
systems.

------
mikestew
MCX's privacy policy is a hoot, and worth a read if you like picking such
things apart:
[http://currentc.com/50D6A97C-4B72-44D6-9021-BE0884ED2F8D/pri...](http://currentc.com/50D6A97C-4B72-44D6-9021-BE0884ED2F8D/privacy-policy/)

Where you see "enhance services", read it as "mine the hell out of your data
and sell it". Amongst all of that "service enhancement", there's this gem: _We
do not respond to web browser “do not track” signals at this time._

They'll also track which pharmacy you go to, and the time and frequency of
when you get your prescriptions. And so on, and so on. Apple and the rest of
the NFC stakeholders could have a lot of fun with this. But I think they'll
wisely just sit back for now and watch the whole thing blow up on its own.

------
ilikemustard
The fact that they've already had a data breach within the first week or so of
launch is not exactly a strong argument for how secure their platform is.

~~~
untog
I'm sure this is directly connected to the outrage at NFC payments being
disabled in CVS, etc. - effectively, they've become a target.

That said, they're supposed to be a payments provider. They should be able to
cope with being a target.

~~~
strict9
Hacking as retribution for personal data mining? Not likely. Sounds like an
opportunity to get details from a financial transaction application while it's
still green.

~~~
serge2k
Hacking to discredit and disrupt seems plausible.

------
michaelt

      But then those retailers disabled NFC at their registers, 
      ending their unofficial support for Apple Pay. The 
      problem, apparently, stemmed from the fact that 
      retailers’ contracts with MCX states they’re not 
      supposed to accept rival mobile payment products.
    

Interesting example of applied public relations here - you want to do foo but
you don't want to be blamed for doing foo, so you create a scapegoat
organisation and have them take the blame.

~~~
otterley
The FAQ ([http://www.mcx.com/blog/answers-to-your-questions/](http://www.mcx.com/blog/answers-to-your-questions/)) has a very
evasive answer to the question "Does MCX Require its Merchants to Only Offer
CurrentC?":

"MCX merchants make their own decisions about what solutions they want to
bring to their customers; the choice is theirs. _When merchants choose to work
with MCX, they choose to do so exclusively_ and we’re proud of the long list
of merchants who have partnered with us. Importantly, if a merchant decides to
stop working with MCX, there are no fines." (emphasis mine)

The important part here, that they've clearly buried, is that yes, if you go
MCX, you have to go all the way. While merchants can choose whether to use MCX
or not, they _cannot_ choose to use MCX _and_ NFC. Any implication that they
can is absolutely false.

~~~
michaelt

      Any implication that they can is absolutely false.
    

This is the brilliance of this PR tactic - it seems just like that, doesn't
it? I mean, when you sign a cell phone contract you can't negotiate it; it's
offered to you take-it-or-leave-it, right?

But MCX is retailer owned - and even if it wasn't, there is nothing stopping
MCX from varying the contract at a retailer's request. If Wal-Mart came along
and said they would sign a contract, but only if the exclusivity language was
removed, do you think MCX would turn them down? Of course they wouldn't, they
can and they would change the contract.

The exclusivity clause is there because the retailers want it there.

~~~
otterley
> The exclusivity clause is there because the retailers want it there.

More accurately, I'd contend the exclusivity clause is there because _every
other_ retailer wants it there. You don't want it applied to yourself, but the
only way it would work is if it bound everyone.

------
kreek
CurrentC will not fail because of this, they will fail because they use QR
codes. An old lady could probably write a check faster than most people can
scan a QR code.

~~~
jonknee
To be fair it works the other way around--the retailer scans your phone with
the QR code on the screen. Like Starbucks' app. It's still clumsy, especially
compared to Apple Pay, but you don't have to use your camera for anything.

~~~
mikestew
I looked for the picture I saw somewhere on the MCX website, but can't find
it, so I'll have to go with the same pic but from the MacRumors site:
[http://www.macrumors.com/2014/10/27/currentc-mobile-payments...](http://www.macrumors.com/2014/10/27/currentc-mobile-payments/)

If I'm reading that diagram correctly, not only does the consumer have to scan
a code, but the vendor then scans another code. So not one, but two QR code
scans. The success is built in!

~~~
smackfu
The TechCrunch article that MacRumors gets their info from says: "When it's time
for a user to check out, they request to pay with CurrentC. The consumer then
unlocks their phone, opens the CurrentC app, opens the code scanner, and scans
the QR code shown on the cashier's screen. In some cases, the reverse may
happen where the consumer's CurrentC app displays a payment code and the
cashier scans it."

So sounds like one or the other.

~~~
mikestew
Hmm, okay, I guess it could be just one scan.

But unrelated, the steps you quote: gawd dahyum. I'd rather stand behind the
old lady writing a check, as mentioned by another commenter. Thing is,
retailers have mostly solved the check-writing problem (but they still can't
make Mr. OldSkool fill out everything but the amount _before_ he gets to the
front of the line). No more "I need check approval on aisle 3", no more 3
pieces of ID, just scan it and stick it in the drawer. It sounds like there's
a strong possibility that they're bringing us back to the time when those
behind get to roll their eyes and sigh as we all wait for the person at the
front because "oh, gawd, they're using _that_ thing".

~~~
jonknee
> It sounds like there's a strong possibility that they're bringing us back to
> the time when those behind get to roll their eyes and sigh as we all wait
> for the person at the front because "oh, gawd, they're using that thing".

Except I doubt you'll ever see anyone actually use CurrentC.

------
joeblau
Since CurrentC blocked NFC technology at the terminal, it would be funny if
Apple and Google blocked CurrentC from their app stores.

~~~
hk__2
Isn’t CurrentC a “physical-only” payment system, i.e. not supported for online
transactions?

~~~
joeblau
You're correct, but like Jeremy said, they have mobile apps in both the Apple
[1] and Google [2] Store. Funny enough, they both have over 2000 ratings at 1
star.

[1] -
[https://itunes.apple.com/us/app/currentc/id912922036?mt=8](https://itunes.apple.com/us/app/currentc/id912922036?mt=8)

[2] -
[https://play.google.com/store/apps/details?id=com.currentc](https://play.google.com/store/apps/details?id=com.currentc)

------
coldpie
You know what works every time, is accepted everywhere, has no processing
fees, and won't leak your personal data?

Cash.

~~~
smackfu
In reality, as a consumer, I average 3% back on credit cards. I probably
average 2% fees on cash, between ATM fees and driving to free ATMs.

~~~
LandoCalrissian
Plus if you lose your wallet, or something horrible happens when you have cash,
it's gone. There is a bit of a hassle replacing cards, but you don't just lose
your money.

------
nav1
They were hacked before even launching publicly. I suppose they're trying to
build trust in their service early on.

------
higherpurpose
We can only hope this uber-data mining [1] app has a swift death.

[1] -
[http://techcrunch.com/2014/10/25/currentc/](http://techcrunch.com/2014/10/25/currentc/)

------
iLoch
Good riddance. Leave the difficult problems to capable companies and let this
be a lesson.

------
coldcode
Perhaps it's a new feature where everyone can mine user's information.

~~~
astrodust
It's part of their new open data platform?

------
ufmace
Considering the already known issues with CurrentC, where the customer is
liable for any type of fraud and they want to connect directly to your bank
account, not to mention potential issues with health information, I was
already feeling roughly hell no on having anything to do with these guys.
Having a data breach in like the first week only makes it look more dangerous.

I know it's just email addresses - this time. Sounds like next time, the
hackers might be able to clear out the connected bank account, and you'll bear
full liability.

------
Pinn2
I have more trust in Apple Pay and hope that wins.

------
DigitalSea
Seems like CurrentC have a great product on their hands. Effectively they are
cutting out the middle man and tying in a rewards program, not groundbreaking,
but still a better deal than Apple's offering. If all else fails for them in
the payments space, they have a great name that would allow them to pivot into
the bottled juice market as well.

The fact this thing has not even launched fully just yet, worries me they have
already been hacked. Just wait until CurrentC is rolled out to more vendors
and adoption increases (if it happens), it will just make them a bigger
target. To some of those vendors supporting CurrentC, I bet Apple Payments is
looking more appealing right about now.

Pretty rookie error, lets hope they get their act together before a more
widespread launch.

~~~
kbar13
how is this a good product? It's essentially making the payment workflow even
more complicated for users. NFC or chip+pin is the way to go, as it's more
user-friendly.

~~~
calbear81
They expect CurrentC users to get discounts that you wouldn't get with using a
normal credit card.

~~~
kbar13
Based on the fact that it will save merchants the credit card processing fee.
They'll most likely pocket the difference instead of passing along the savings
to the consumer, especially since there's no risk that their competitors will
pass along the savings.

------
Sonicmouse
This is just the beginning.

Anyone who has account information stored in their care should pull it now.

~~~
tormeh
Not typically possible with such systems.

------
showsover
And then you read what they show with just email addresses:
[http://www.imore.com/depth-look-currentc-and-personal-data-t...](http://www.imore.com/depth-look-currentc-and-personal-data-they-want-collect)

------
jchmura
Well at least this system is open with saying that it exists for the retailers
to mine customer data. Looking at the technology, it seems it would just be
faster to pay with a card than rely on my phone's camera to make a payment.

------
abhishekmdb
However no personal data or payment card data was breached
[http://www.techworm.net/2014/10/currentc-hacked.html](http://www.techworm.net/2014/10/currentc-hacked.html)

------
NN88
Courtesy of Apple

------
MrDosu
The entire cellphone based NFC payment system is retarded. Money needs to be
free from electricity and endure the elements.

I don't get it why they are not using proven NFC payment card systems like in
Japan...

~~~
otterley
As far as I can tell, they work exactly the same way. I was able to use my
iPhone 6 at an NFC terminal (built for MasterCard PayPass/VISA PayWave) at
Dublin Airport where nobody had ever used it before in that fashion.

~~~
Glide
I suspect it's the same as well. I think CurrentC wanted to stop Apple Pay and
the rest were just collateral damage.

Which is stupid. Apple Pay is the most available way to pay for something that
is as secure as chip & pin in the USA.

~~~
otterley
I have a feeling the MCX participants and card issuers are going to come to an
impasse over their respective agreements. All the issuers have to do is
require that terminals capable of NFC (for the purpose of accepting
PayPass/PayWave) not have the functionality disabled. This will put the
merchants in a bind and force them either to replace the terminals altogether,
or re-enable NFC.

------
grandma876234
5.) Walmart is like a monopoly. Tax deals as well as real estate location.
CVS, Walgreen are like a monopoly. Especially in Florida where 1/3 of
population is older, retired or using Medicare.

6.)Identity theft is rising due to Affordable Health Care LAW, aka
'Obamacare.'

7.)Try to open an independent pharmacy in Florida and compete with the 24
hour, cut throat pricing of CVS, Walgreens. Like an EFFECTIVE monopoly.

8.)Your Grandma is NOT tech smart and lists her phone number in the phone book
EXPOSED. She uses her name in her e-mail address. I use mail redirectors like
33mail and others as well as 'changing configurations.'

9.)As a non-public USA Citizen, it is AMAZING how many ROBOT phone calls I get
on an unlisted phone number and how much spam and malware oriented stuff.

10.)why? The easiest and richest WHO OWN A HOUSE AND a BANK ACCOUNT that is
public record are the SAND STATES.

11.)why? why? the Sand States are fast growing and have retirees like Florida,
Carolinas, Arizona (think Senator John McCain). and even California.

Not a lot of folks who love to LIVE IN North Dakota Winter. Unless you are a
oil drilling FRACKER who is making 250 thousand a year and living in a
trailer.

18.) SUMMARY: Attitude - CurrentC hires security codes for 'close to minimum
wage' - SO THE QUALITY IS FAR ABOVE THAT OF GOOGLE???? note: alleged and even
stupidity can be relative in context. Top Management Stupidity - the top are
marketers of HIGH END Soda. CVS pharmacy competes head to head against Publix
Shopping Chain. The BIG FLASHING SIGN marquee says 'special deal on Coca Cola
Soda. If Target and Home Depot Top Management have Never heard of BSD OS or
even linux command [ lsof -i ], then there is little hope for the KEY PHARMACY
SUPPLY CHAINS of the USA, in my opinion. Add in the screens of the hospital
waiting rooms that SHOW WINDOWS XP or old version Windows NT which can cause
some of HN to laugh out loud.

New chaos + Monopoly + Attitude + Rise of Botnets + Testers= YOUR Grandma +
Old White Hair Consultant (think Captain Crunch) + Top Manager Stupidity ==
No Surprise

Do I expect the SWAT RAIDS on Grandma's house?... errr no rare that someone
would borrow her identity as a 'tester' and

where are you hiding 'the pills' grandma?

*all respect to Grandma, she is used as a generalization. 1st amendment. fiction, no specialized mention of YOUR GRANDMA's name and no animals were hurt in the making of this message.

------
azdle
Am I the only one that sees this as somewhat promising? They've become a
massive target because of all the recent news with apple pay and whatnot, so
it's not that surprising that there are people attacking them and all that was
stolen (so far) was email addresses, but no actual important data. This is a
pre-release system, it wouldn't be surprising to me if they just stole some
logs off an under-protected email server that is being used to testing or
something. Plus they're actually being open about it rather than just sweeping
it under the rug like so many try.

Yes, it's never good when any amount of personal info is stolen, but it's just
email addresses and if you're not already getting spam, you just haven't been
using that address long enough.

~~~
mason55
_They've become a massive target because of all the recent news with apple
pay and whatnot_

They're a payments platform, they should expect to ALWAYS be a HUGE target no
matter WHAT the news is. If it's not the Apple & Google fans it will be the
Chinese & Russians.

 _This is a pre-release system, it wouldn't be surprising to me if they just
stole some logs off an under-protected email server that is being used to
testing or something_

Why would a pre-prod system even be accessible to the outside world? It shows
a lack of judgement and experience in security that they either made a known
insecure pre-production system accessible by the outside world OR they were
not competent enough to secure the server properly. They are either ignorant
or incompetent, neither of which are good when talking about a payment
processor.

~~~
jboy55
They're not just a payments platform that contains 16 digit CC#s, they also
contain SSIDs, Drivers Licenses, Checking/Routing #s and the PID that goes
along with that. My god, if you had that data, you could create all the 16
digits credit cards you would want, by forging those people's IDs. You could
even create bank accounts in their name, and probably get a Passport.

Not just a small target...

