Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
The Almighty Buck Security

Apple Pay Competitor CurrentC Breached 265

tranquilidad writes "As previously discussed on Slashdot, CurrentC is a consortium of merchants attempting to create a "more secure" payment system. Some controversy surrounds CurrentC's requirements regarding the personal information required, their purchase-tracking intentions and retail stores blocking NFC in apparent support of CurrentC. Now news breaks that CurrentC has already been breached. CurrentC has issued the standard response, "We take the security of our users' information extremely seriously."
This discussion has been archived. No new comments can be posted.

Apple Pay Competitor CurrentC Breached

Comments Filter:
  • by Anonymous Coward on Wednesday October 29, 2014 @01:04PM (#48262775)
    In my time we used to wait for a full roll out to break a system. Kids today lack the common courtesy to wait for the big payoff, and now we see the real price. It gives these folks the time to put another band-aid on their hack of a system and try again. You kids should have the decency to wait until it is rolled out to enough places to make a big score. It saddens me to see what has happened to this once great country.
    • by DarkOx ( 621550 )

      Deepends on if they thing they got more where this came from or not. CurrentC looks pretty hackney so my guess is there will be more breaches more vulns in the future.

      Think about the Snowden disclosures. Would it have been more damaging have published it all at once, or was it more entertaining to drop something watch them react and then force them to backpedal and temporize in the face a subsequent releases?

  • "We take the security of our users' information extremely seriously, but in this particular case, you're all screwed!"
  • Yeah, good luck ... (Score:5, Interesting)

    by gstoddart ( 321705 ) on Wednesday October 29, 2014 @01:11PM (#48262865) Homepage

    This is the problem with a new system like this. Especially one designed to make more money for the retailers, and give them more access to consumer data.

    They simply haven't been at this long enough to be trustworthy or competent at it.

    And, historically, many of the vendors involved in the creation of this system have been fairly inept at implementing security, and fairly moronic about reporting it when it happens. Or understanding the severity of it when it happens.

    So, sorry guys, I'll trust my bank -- because I know they're operating under at least some laws, and I'll trust VISA more than I'll trust you (because they've been at this for a while) ... but I will never use this system if I have a choice.

    This is a payment system which is designed to make them more money, and give them more information to consumer information at point of sale. Which means they've primarily focused on those things, and have proven themselves to have done a terrible job at security.

    So, what's in it for us consumers? I'd say nothing at all which provides value to us, other than the shiny baubles and discounts they're offering in return for them getting higher profits, and a much more detailed look at how and where you spend your money -- which they don't currently have since the CC processors don't let them have it.

    The people making this new system are interested in it for entirely different reasons. Which means everything they do is for their benefit, and not ours.

    • by taustin ( 171655 ) on Wednesday October 29, 2014 @01:31PM (#48263059) Homepage Journal

      I'll trust Visa more not because they've been at it a while, but because the law gives me a good deal of protection against fraud. CurrentC does not use credit cards, it requires direct access to your checking account. That means none of the legal protections against fraud that apply to credit cards. It also means that if their servers get breached, and that bank account information is stolen, the thieves aren't stealing money from the bank, and the bank responsible for getting it back, but rather, they're stealing my money from my bank account, and it's up to me to get it back. And my bank isn't responsible, and the merchant probably isn't either, according to their terms of service, and the people behind CurrentC are likely a shell corporation with nothing to sue them for.

      CurrentC looks, to me, like the biggest bucket of bad ideas in the history of electronic payment.

      • by gstoddart ( 321705 ) on Wednesday October 29, 2014 @01:40PM (#48263133) Homepage

        And, don't forget the part where (in addition to everything you said), the system is also designed to give merchants access to more information about your purchases and buying history.

        So, it's a badly written system, designed to tap directly into your account, with no liability on their behalf, coupled with an added amount of access to your information to violate your privacy.

        There's really not a damned single thing about this which is in any way good for the consumer ... I'm sure they'll try very hard to get people to use it (and in some cases might actually try to make it mandatory).

        I agree, the entire premise of this system makes one go "WTF are you clowns thinking?" This is an insane amount of terrible ideas which have no net benefit to the consumer -- unless they create artificial benefits like their rewards program.

        But losing the security of your bank account to people who are too greedy and incompetent to implement security is a terrible idea.

      • by brunes69 ( 86786 ) <slashdot@nOSpam.keirstead.org> on Wednesday October 29, 2014 @03:02PM (#48264063)

        The other thing CurrentC seems to have goofed on is that there is no way in hell this system will ever see the light of day outside the USA.

        The USA may still live in the backwater side of banking where people still commonly pay for groceries by cheque, but in the rest of the world the idea of giving a third party your bank account information is quite foreign nowadays. There is absolutely no way in hell I would ever use this system, and if someone at Walmart asked me for my chequeing account information I would laugh in their face.

    • Especially one designed to make more money for the retailers, and give them more access to consumer data.

      Retailers are not making money from this service. In fairness, a retailer does not make more money from a credit card company either. The people making money from these services are in essence middlemen acting as the proverbial money changer and money lender.

      That's not to claim retailers get nothing from the arrangement. They don't have to carry cash every day to deposit in the bank, and "skimming" is much less of an issue. For a retailer, it's probably worth the few percent on every transaction to be p

  • by genghisjahn ( 1344927 ) on Wednesday October 29, 2014 @01:18PM (#48262927) Homepage
    And I imagine it'll suffer the same fate.
  • by cant_get_a_good_nick ( 172131 ) on Wednesday October 29, 2014 @01:25PM (#48262991)

    For years, these MCX folks allowed NFC payments, meaning potentially Google Wallet payments. Apple Pay comes out with an EMV based solution, and instantly block all NFC, taking Apple Pay and Wallet down together. So, Google was never seen as a threat, or at least never passing the threshold of needing-to-ban, even after years of use, but Apple is seen as a potential threat from literally Day One.

    I wonder why Apple is seen as a threat more? Their network of friends? Number of potential users can't be it - many more Android phones than iPhone 6s. Number of cards already in iTunes? Ease of use (i never even tried Google Wallet)? Did Google leak some of the info back to the retailers where Apple is balking at that info leak?

    Just wondering.

    • by iluvcapra ( 782887 ) on Wednesday October 29, 2014 @02:01PM (#48263387)

      I wonder why Apple is seen as a threat more? Their network of friends? Number of potential users can't be it - many more Android phones than iPhone 6s.

      My understanding is that even on NFC-equipped Android phones, Google never had a proper deployment strategy; they only partnered with a few card issuers, they didn't really work with any merchants to get them on board, Verizon blocked their app on their phones, it was only limited to the US, etc.

      Over that first weekend, we know now that ApplePay adoption was in the millions, and in those first few days CVS probably saw this deluge of NFC transactions and were like, the jig is up, the train is leaving the station, and if we continue to allow NFC transactions through the 2014 Christmas season the Payments War will be over and CurrenC won't have even been a contender.

    • by tlhIngan ( 30335 ) <slashdot&worf,net> on Wednesday October 29, 2014 @02:53PM (#48263949)

      For years, these MCX folks allowed NFC payments, meaning potentially Google Wallet payments. Apple Pay comes out with an EMV based solution, and instantly block all NFC, taking Apple Pay and Wallet down together. So, Google was never seen as a threat, or at least never passing the threshold of needing-to-ban, even after years of use, but Apple is seen as a potential threat from literally Day One.

      I wonder why Apple is seen as a threat more? Their network of friends? Number of potential users can't be it - many more Android phones than iPhone 6s. Number of cards already in iTunes? Ease of use (i never even tried Google Wallet)? Did Google leak some of the info back to the retailers where Apple is balking at that info leak?

      Because Google Wallet and Apple Pay work in opposite ways.

      For a retailer to support Google Wallet, they need to work with Google and their merchant processor to support Google Wallet. Because what really happens is the transaction details are forwarded to Google who then charges your payment method (credit card, debit, Paypal, bank account, etc). This is why Google knows everything about your transaction whenever you use Google Wallet. (Basically Google gets to know everything about what you're buying).

      Apple Pay is nothing more than EMV so it's just an electronic credit card. Once you register your card through Apple Pay, Apple is no longer in the transaction. As long as the retailer takes credit cards, and has an NFC reader, Apple Pay will work. Most of the retailers listed by Tim Cook? They did diddly squat to support it. They just had working readers and probably someone came over and tried it and was successful.

      Because to support Apple Pay means you need an EMV compatible terminal (swipe, chip+pin, NFC) and processor, and because of October 2015 legislation, people are supporting it by default since practically all new terminals have it. So all a retailer needs to do to get Apple Pay support is make sure their hardware (terminals) is upgraded (which they're doing anyways over the next year) and their processor supports EMV (which if they're doing chip+pin, they're going to have support for).

      However, for Apple Pay to work, Apple needs to work with banks to ensure when a user scans a credit card,, they can get a token assigned in its place (the token is private between the user and the bank, and is basically just an index so the bank can determine who to bill).

      So Google Wallet requires no effort by banks, etc., and effort by retailers to support. Apple Pay only requires hardware updates they're doing anyways which is minor, but effort by the banks to support EMV.

      That's why Google Wallet's penetration has been low - there are probably more retailers that support Bitcoin than Google Wallet just because. (Though if your processor is adding support for Bitcoin, they probably have Google Wallet support as well).

      For Apple Pay, because for retailers it "comes for free", which means its market penetration is far higher than what Tim Cook had in his presentation. Because retailers who already have NFC terminals practically already support EMV and that makes them Apple Pay compatible with zero effort.

      So retailers may be inadvertently supporting Apple Pay when they don't want to because Apple Pay just shows up as a credit card.

  • by DumbSwede ( 521261 ) <slashdotbin@hotmail.com> on Wednesday October 29, 2014 @01:28PM (#48263025) Homepage Journal

    The vast majority of coverage on CurrentC is negative – now this. It will be interesting to see how long they keep this thing on life support before pulling the plug. Anything after this would seem like good money after bad.

    Everybody in the tech community was already worried about direct access to bank accounts and no fraud protection. How will the consortium behind CurrentC answer the already swirling security concerns when this happens so quickly after members give Apple Pay (and it's biometric locks) the boot?

  • by 140Mandak262Jamuna ( 970587 ) on Wednesday October 29, 2014 @01:30PM (#48263037) Journal
    Credit cards have a 50$ limit for liability for fraudulent transaction for the account holders. It is not due to any magnanimity or kindness of the credit card companies or the banks. Nor are market forces and competition forcing them to offer this. There are just two big players and they would collude rather than compete. It is the federal law. It protects the consumers when credit is extended electronically. When there is no credit involved there is no protection. As consumers we should demand the liability against fraudulent transactions to be part of any better system we transition to.

    We should demand similar protection against ALL electronic charges, whether or not credit was involved. Telephone slamming should be included too. Our bank accounts need protection too. The burden of proof should be on those who are responsible for the installing and maintaining the system. Not the little guys who are users of the system.

  • CurrentC is NOT aiming to create a "more secure" payment system. That is obvious!

  • CurrentC wants a link right into your checking account. Sounds real safe. What happens when there is an issue? How long does it take to fixed botched transactions? What liability is there? How happy are the banks going to be working with them?

    I'll stick to Apple and Google's model.

  • WTF? (Score:3, Informative)

    by apcullen ( 2504324 ) on Wednesday October 29, 2014 @01:37PM (#48263099)
    It hasn't been breached... they just got a hold of their email mailing list! This is the crappiest bad summary of all crappy bad summaries.
  • by FlyingGuy ( 989135 ) <flyingguy@gm a i l .com> on Wednesday October 29, 2014 @01:46PM (#48263183)

    cool frameworks and Languages too!

    When are programmers going to wake up and smell the coffee!

    You are screwing around with peoples money. You cannot just slap the latest cool frameworks together, write 50 lines of connection code and call it a system.

    I would be willing to bet that there is a single database credential that has rights to insert/update/delete/select on all the tables in the system and its is stored in some xml file that the web application has access to and if the web application has access to it so do all the people trying to break in.

    I cannot begin to count just how many times I have seen the following:

    select * from users where id=? and password=?

    and that returns everything about the user. Every modern database supports either functions or procedures to do something like:

    validate_user(uname,upass);

    and it simply returns true or false, 1 or 0 nothing more, nothing less.

    Far far to often I hear, lets use [ fill in the blank ] framework because that is what everyone else uses and besides look how much more productive we are! And so it is taken upon nothing more than faith and 90% of the time the people saying vehemently that that is the way to go, understand perhaps 10% of the framework code and don't investigate any further. When you are considering a framework that is 100's of thousands of lines of code that more then likely wouldn't pass the particular languages version of Lint or Bounds or any other validation tool you have already lost the security war.

    The people who are actively trying to break into large systems do their homework! They spend weeks or months looking at your generated web code looking for patterns that reveal the underlying frameworks and then comb through that code looking for even the most subtle vulnerabilities and then they make a plan and execute it.

    When you are building systems like this if you don't start with security as priority #1, for the entire stack you will lose, it is just a matter of time.

  • Crap in/crap out (Score:2, Interesting)

    by ADRA ( 37398 )

    Just CHIP-IN-PIN and be done with it. Tech is amazing at making a mountain out of shit and calling it a better alternative.

    Chip-in-pin works with basically every merchant systems, credit card processor, and Bank (or will sooner or later). The fees are dependent on the credit source.
    - If the merchant accepts credit cards at all, the credit card fees are built into the cost of the product NO MATTER WHAT (unless they're defrauding the contract of the CC by offering discounts)

    • I wrote my PIN on the back of the chip-n-pin card. Chip-n-Sign forever!

      Remember when retailers wanted people to run debit, and nobody would do it? That was because retailers get charged for credit transactions, and don't want to pay that; while individuals have to enter their PIN for debit, and are too lazy for that. As we can't be strong-armed into using debit over credit, we'd just say, "Credit!" and swipe and sign.

      That was, uh, EVERYONE.

    • Re:Crap in/crap out (Score:4, Informative)

      by necro81 ( 917438 ) on Wednesday October 29, 2014 @02:22PM (#48263627) Journal

      Just CHIP-IN-PIN and be done with it

      Particularly when using CAPSLOCK, please be sure to use the correct term. Chip and Pin [wikipedia.org]. Most English speakers are lazy enough in their pronunciation that it comes out as a homophone. But even if you couldn't hear the difference between "in" and "and", you ought to be able to work it out from context: you've got a chip, and you've got a pin; the chip does not reside in the pin.

  • by ThomasBHardy ( 827616 ) on Wednesday October 29, 2014 @01:51PM (#48263243)

    CurrentC Spokesman: Hello everyone, We're CurrentC. Screw Apple Pay and it's 1 million users! We're gonna go head-to-head with a major technology company using our tried and true 40 year old technology. Sure, all of our members have had huge data breaches in the past year but we're serious about it now and we're doing it right, for you, our customer. Trust us!

    Spectator: Umm, you dropped something there -points at ground-

    CurrentC Spokesman: Awww, Mother Pussbucket #*@^% #$)!( , @*!))(!

"The whole problem with the world is that fools and fanatics are always so certain of themselves, but wiser people so full of doubts." -- Bertrand Russell

Working...