
What the MCX Hack Means for Mobile Payments

Just what mobile payments needed: a data breach.

Less than two months have passed since the payments industry watched closely as ApplePay was unveiled with a heavy emphasis on data security and privacy. That made sense, as it’s well known that many consumers are wary about the security of mobile payments. Those security concerns were realized yesterday when the merchant consortium MCX, one of ApplePay’s competitors, disclosed that it had been hacked while piloting its own mobile wallet, called CurrentC.


MCX said that the CurrentC app itself wasn’t affected, but email addresses belonging to participants in the pilot program had been compromised. Some of those emails were dummy accounts used for testing, according to MCX. But having an email address compromised is a serious issue, since email addresses are so often used as usernames, John Zurawski, vice president at Authentify, noted via email in response to the hack.

“It’s difficult to minimize the compromise of an email address,” he said. “Armed with usernames and a brute force dictionary account, [hackers could] possibly gain access to an account. The premium LinkedIn account, a frequent flyer account and Amazon Prime accounts are all accounts for which ferreting out additional information could lead to the compromise of a credit card-backed account.”

Zurawski advised that anyone whose email address could have been affected might want to change their email, and should be on the lookout for spear-phishing attacks.

The hack, along with all of the other data breaches that have occurred in the last year, will also confirm the concerns that many have regarding mobile payments security. “I do not think that the impact of this [hack] is limited to MCX. The continuous stream of breach announcements will have a cumulative effect on the late majority and the slow-to-adopt portions of the market. They will become even more wary and slower to pick up non-traditional forms of payment,” Zurawski predicted.

MCX said that it would continue to update CurrentC users as it further investigates the incident. Ironically, the company posted a blog yesterday clarifying its data security practices just hours before the breach was disclosed. Mobile payments ventures are clearly focused on earning consumers’ trust. That probably won’t happen as long as data breaches are more pervasive than mobile payments.

Jonathan Camhi has been an associate editor with Bank Systems & Technology since 2012. He previously worked as a freelance journalist in New York City covering politics, health and immigration, and has a master's degree from the City University of New York's Graduate School ...

Comments
Becca L,
User Rank: Author
10/30/2014 | 3:47:22 PM
Compromised emails
Too many stories like this in the early days of ApplePay could have a big impact on mobile payment adoption. As someone who is very excited by the idea, I hope this is the end of it for a while.

On another note, Zurawski advised anyone whose email was compromised to change it. Excuse me? Change your email? Eek, changing your phone number and alerting all your contacts is difficult enough, changing an e-mail is a serious ordeal - just thinking of all the sites and services subscribed to with my main address causes me to cringe.

Jonathan_Camhi,
User Rank: Author
10/30/2014 | 3:56:48 PM
Re: Compromised emails
Yeah, he definitely mentioned that most people would hate to change their email. But there are so many fraud avenues opened up by having your email compromised. Spear-phishing attacks have become so much more sophisticated now, and if your email is compromised then you can probably expect to start getting some of those.
Becca L,
User Rank: Author
10/30/2014 | 3:59:39 PM
Re: Compromised emails
I guess this all comes back to the need for next-level multi-factor authentication, so that even an email and dictionary isn't quite enough.
Jonathan_Camhi,
User Rank: Author
10/30/2014 | 4:04:55 PM
Re: Compromised emails
Yeah, everyone is touting multi-factor authentication right now. The issue is actually getting customers to use it. Gmail has offered multi-factor authentication for a long time. But no one I know uses it. And companies are hesitant to force customers to use it because they're afraid of the impact on customer experience.
Becca L,
User Rank: Author
10/30/2014 | 4:10:15 PM
Re: Compromised emails
What's going on here with emails and usernames feels more like a personal attack than if my credit card was stolen. The latter is much less annoying from a customer point of view because the banks and issuers have a system for handling it all for you, but changing an email address is a frustrating and time consuming ordeal for the consumer. Maybe fear of having to go through the motions of changing email will be enough to convince consumers multi-factor authentication is worth the hassle.
Jonathan_Camhi,
User Rank: Author
10/30/2014 | 4:14:47 PM
Re: Compromised emails
The most annoying thing though by far (and annoying is a serious understatement) would be having your identity stolen. That would make changing your email address seem like a walk in the park.
Kelly22,
User Rank: Author
10/30/2014 | 4:13:23 PM
Re: Compromised emails
I only know one person who uses Gmail's multi-factor authentication and while it's a bit of a hassle, it has been very effective. Changing your email really is like changing your phone number these days - I had to do it after my account got spammed a couple of years ago and it took forever to get everything back to normal. 
Becca L,
User Rank: Author
10/30/2014 | 4:20:08 PM
Re: Compromised emails
I can't imagine. Whenever my credit card number gets updated I always forget about a few things that are autopaid with it until I start getting all the missed payment alerts - sigh. At this point I don't think I'd ever tie up all the loose ends from email.

What's the Gmail multi factor anyway, a text?
Byurcan,
User Rank: Author
10/30/2014 | 4:31:06 PM
Re: Compromised emails
Yes, a text. I do it, mainly because I attended a Google cloud symposium 3 years ago, and the guy speaking from Google said he advises everyone who has gmail to do multi-factor auth. But to the earlier comments about how most people don't bother, he also said that whenever a person's gmail acct is compromised and they're ironing it all out with a Google rep, they are always advised to do multi-factor auth to avoid this in the future. And he said that 95% of people, whose emails have already been hacked mind you, never do it.
Becca L,
User Rank: Author
10/30/2014 | 4:33:06 PM
Re: Compromised emails
95% still don't do it? Wow.

Fool me once...
Becca L,
User Rank: Author
10/30/2014 | 4:33:54 PM
Re: Compromised emails
****Hack me once...
Kelly22,
User Rank: Author
10/30/2014 | 4:48:36 PM
Re: Compromised emails
Wow, 95% still don't try it? I guess it is bothersome, but I would think that more would at least give it a shot after their account has already been hacked. 
Byurcan,
User Rank: Author
10/30/2014 | 4:50:22 PM
Re: Compromised emails
People are lazy.
Nathan Golia,
User Rank: Author
10/31/2014 | 3:21:44 PM
Re: Compromised emails
My wife always makes fun of me when I log into Google and look for my buzzing phone. Of course, access to that account is basically a golden key to everything else, so I'm happy to take the derision in stride.
jzurawski600,
User Rank: Apprentice
10/31/2014 | 4:13:05 PM
Re: Compromised emails
Hi Becca,

As onerous as it sounds, think about it for a moment - where is your email address also the username? For sure Amazon Prime, LinkedIn, Facebook... and a couple of dozen other places many people frequent. THIS publication/Web site - UBM uses an email for password reset. If I can get to your email from ANY browser and any Internet connection and change your password. That's a huge attack surface. Plus these aren't attacks being launched by people sitting at their computers. They're being launched by computer programs written specifically to hunt vulnerabilities and they hunt 24 hours a day every day.

Add an ability to use "big data" techniques to match information from the millions of records stolen and stored online to new bits of information hacked from a new source and the cybercriminal's ability to profile you and your accounts increases.

An option is to be sure and patronize online properties that offer two-step verification, or out-of-band two-factor authentication that reaches you via phone call or message when changes are being made to your accounts. It's still the most effective way to stop someone else armed with all of your information.

John Zurawski/Authentify
