MCX Hacked In What Must Be the Worst Timing Ever

by Tim Sloane

CurrentC, the mobile payment application developed by MCX, has disclosed to pilot users that their email addresses may have been accessed by an unauthorized third party.

From TechCrunch:

“Within the last 36 hours, MCX says it learned that unauthorized third parties obtained the email addresses of some of its CurrentC pilot program participants and other individuals who had expressed interest in the app.

The group has now notified its merchant partners about the incident and is communicating directly with those individuals whose email addresses were involved, a company spokesperson tells us.”

The article also includes the full email CurrentC sent to its users:

“Thank you for your interest in CurrentC. You are receiving this message because you are either a participant in our pilot program or requested information about CurrentC. Within the last 36 hours, we learned that unauthorized third parties obtained the e-mail addresses of some of you. Based on investigations conducted by MCX security personnel, only these e-mail addresses were involved and no other information.

In an abundance of caution, we wanted to make you aware of this incident and urge you not to open links or attachments from unknown third parties. Also know that neither CurrentC nor Merchant Customer Exchange (MCX) will ever send you emails asking for your financial account, social security number or other personally identifiable information. So if you are ever asked for this information in an email, you can be confident it is not from us and you should not respond.

MCX is continuing to investigate this situation and will provide updates as necessary. We take the security of your information extremely seriously, apologize for any inconvenience and thank you for your support of CurrentC.”

MCX is stating that just the email addresses were accessed. It would be extremely troubling if participants’ bank routing numbers were also released. The worst possible scenario would be if hackers gained access to the customer’s checking account using bank routing information, because at least credit card data is protected by the banks with Zero Liability.

The hack will make it even harder for those merchants that were contractually forced by MCX to refuse Apple Pay to defend that decision if they are unable to prove their own system is more secure than Apple Pay, and if that new, more secure solution isn’t available on iOS in short order.

The timing of the hack is almost unbelievable, as MCX and some of its merchants have taken a stand against Apple Pay, disabling acceptance earlier this week. Naturally, we wonder who might be behind the hack. Since CurrentC is still in pilot, the app likely does not have data on many consumers. The motive could be just to make a statement rather than to reap financial gain. Here are three possible explanations for the intrusion.

  • A loose cannon within Apple, or within one of its partners, hacked MCX/CurrentC in retaliation for merchants deciding to block Apple Pay acceptance – this is hopefully not the case.
  • An overly exuberant Apple fan boy, frustrated by some merchants’ decision to not accept Apple Pay, hacked MCX out of spite.
  • An attacker, noticing that the CurrentC app requires users to provide bank account, driver’s license, and social security info to enroll a checking account, thought the hack would be worthwhile despite only having credentials for a few pilot customers.


Overview by Tim Sloane, VP of Payments Innovation for Mercator Advisory Group

Read full story in TechCrunch