What the MCX Hack Means for Mobile Payments

Just what mobile payments needed: a data breach.

Less than two months have passed since the payments industry watched closely as ApplePay was unveiled with a heavy emphasis on data security and privacy. That made sense, as it’s well known that many consumers are wary about the security of mobile payments. Those security concerns were realized yesterday when the merchant consortium MCX, one of ApplePay’s competitors, disclosed that it had been hacked while piloting its own mobile wallet, called CurrentC.

MCX said that the CurrentC app itself wasn’t affected, but email addresses belonging to participants in the pilot program had been compromised. Some of those emails were dummy accounts used for testing, according to MCX. But having an email address compromised is a serious issue, since email addresses are so often used as usernames, John Zurawski, vice president at Authentify, noted via email in response to the hack.

“It’s difficult to minimize the compromise of an email address,” he said. “Armed with usernames and a brute force dictionary account, [hackers could] possibly gain access to an account. The premium LinkedIn account, a frequent flyer account and Amazon Prime accounts are all accounts for which ferreting out additional information could lead to the compromise of a credit card-backed account.”

Zurawski advised that anyone whose email address could have been affected might want to change their email, and should be on the lookout for spear-phishing attacks.

The hack, along with all of the other data breaches that have occurred in the last year, will also confirm the concerns that many have regarding mobile payments security. “I do not think that the impact of this [hack] is limited to MCX. The continuous stream of breach announcements will have a cumulative effect on the late majority and the slow-to-adopt portions of the market. They will become even more wary and slower to pick up non-traditional forms of payment,” Zurawski predicted.

MCX said that it would continue to update CurrentC users as it further investigates the incident. Ironically, the company posted a blog yesterday clarifying its data security practices just hours before the breach was disclosed. Mobile payments ventures are clearly focused on earning consumers’ trust. That probably won’t happen as long as data breaches are more pervasive than mobile payments.

Jonathan Camhi has been an associate editor with Bank Systems & Technology since 2012. He previously worked as a freelance journalist in New York City covering politics, health and immigration, and has a master's degree from the City University of New York's Graduate School ...

Comments
jzurawski600
User Rank: Apprentice
10/31/2014 | 4:13:05 PM
Re: Compromised emails
Hi Becca,

As onerous as it sounds, think about it for a moment - where is your email address also the username?  For sure Amazon Prime, LinkedIn, Facebook... and a couple of dozen other places many people frequent.  THIS publication/Web site - UBM uses an email for password reset.  If I can get to your email from ANY browser and any Internet connection and change your password.  That's a huge attack surface.  Plus these aren't attacks being launched by people sitting at their computers.  They're being launched by computer programs written specifically to hunt vulnerabilities and they hunt 24 hours a day every day.

Add an ability to use "big data" techniques to match information from the millions of records stolen and stored online to new bits of information hacked from a new source and the cybercriminals' ability to profile you and your accounts increases.

An option is to be sure and patronize online properties that offer two-step verification, or out-of-band two-factor authentication that reaches you via phone call or message when changes are being made to your accounts.  It's still the most effective way to stop someone else armed with all of your information.

John Zurawski/Authentify

 
Nathan Golia
User Rank: Author
10/31/2014 | 3:21:44 PM
Re: Compromised emails
My wife always makes fun of me when I log into Google and look for my buzzing phone. Of course, access to that account is basically a golden key to everything else, so I'm happy to take the derision in stride.
Byurcan
User Rank: Author
10/30/2014 | 4:50:22 PM
Re: Compromised emails
People are lazy.
Kelly22
User Rank: Author
10/30/2014 | 4:48:36 PM
Re: Compromised emails
Wow, 95% still don't try it? I guess it is bothersome, but I would think that more would at least give it a shot after their account has already been hacked. 
Becca L
User Rank: Author
10/30/2014 | 4:33:54 PM
Re: Compromised emails
****Hack me once...
Becca L
User Rank: Author
10/30/2014 | 4:33:06 PM
Re: Compromised emails
95% still don't do it? Wow.

Fool me once...
Byurcan
User Rank: Author
10/30/2014 | 4:31:06 PM
Re: Compromised emails
Yes, a text. I do it, mainly because I attended a Google cloud symposium 3 years ago, and the guy speaking from Google said he advises everyone who has gmail to do multi-factor auth. But to the earlier comments about how most people don't bother, he also said that whenever a person's gmail acct is compromised and they're ironing it all out with a Google rep, they are always advised to do multi-factor auth to avoid this in the future. And he said that 95% of people, whose emails have already been hacked mind you, never do it.
Becca L
User Rank: Author
10/30/2014 | 4:20:08 PM
Re: Compromised emails
I can't imagine. Whenever my credit card number gets updated I always forget about a few things that are autopaid with it until I start getting all the missed payment alerts - sigh. At this point I don't think I'd ever tie up all the loose ends from email.

 

What's the Gmail multi factor anyway, a text?
Jonathan_Camhi
User Rank: Author
10/30/2014 | 4:14:47 PM
Re: Compromised emails
The most annoying thing though by far (and annoying is a serious understatement) would be having your identity stolen. That would make changing your email address seem like a walk in the park.
Kelly22
User Rank: Author
10/30/2014 | 4:13:23 PM
Re: Compromised emails
I only know one person who uses Gmail's multi-factor authentication and while it's a bit of a hassle, it has been very effective. Changing your email really is like changing your phone number these days - I had to do it after my account got spammed a couple of years ago and it took forever to get everything back to normal. 