Less than two months have passed since the payments industry watched closely as ApplePay was unveiled with a heavy emphasis on data security and privacy. That made sense, as it’s well known that many consumers are wary about the security of mobile payments. Those security concerns were realized yesterday when the merchant consortium MCX, one of ApplePay’s competitors, disclosed that it had been hacked while piloting its own mobile wallet, called CurrentC.
[For more on ApplePay, check out: 5 Things Apple Got Right with ApplePay]
MCX said that the CurrentC app itself wasn’t affected, but email addresses belonging to participants in the pilot program had been compromised. Some of those emails were dummy accounts used for testing, according to MCX. But having an email address compromised is a serious issue, since they are so often used as usernames, John Zurawski, vice president at Authentify, noted via email in response to the hack.
“It’s difficult to minimize the compromise of an email address,” he said. “Armed with usernames and a brute force dictionary account, [hackers could] possibly gain access to an account. The premium LinkedIn account, a frequent flyer account and Amazon Prime accounts are all accounts for which ferreting out additional information could lead to the compromise of a credit card-backed account.”
Zurawksi advised that anyone whose email address could have been affected might want to change their email, and should be on the lookout for spear-phishing attacks.
The hack, along with all of the other data breaches that have occurred in the last year, will also confirm the concerns that many have regarding mobile payments security. “I do not think that the impact of this [hack] is limited to MCX. The continuous stream of breach announcements will have a cumulative effect on the late majority and the slow-to-adopt portions of the market. They will become even more wary and slower to pick up non-traditional forms of payment,” Zurawski predicted.
MCX said that it would continue to update CurrentC users as it further investigates the incident. Ironically, the company posted a blog yesterday clarifying its data security practices just hours before the breach was disclosed. Mobile payments ventures are clearly focused on earning consumers’ trust. That probably won’t happen as long as data breaches are more pervasive than mobile payments.
Jonathan Camhi has been an associate editor with Bank Systems & Technology since 2012. He previously worked as a freelance journalist in New York City covering politics, health and immigration, and has a master's degree from the City University of New York's Graduate School ... View Full Bio