SoylentNews is people

posted by azrael on Wednesday October 29 2014, @11:59PM
from the who'll-pay-for-this dept.

TechCrunch is reporting that MCX (Merchant Customer Exchange), the coalition of retailers including Walmart, Best Buy, Gap and others that is backing the mobile payments solution CurrentC, has been hacked. The data breach involves the theft of email addresses.

CurrentC are working hard to bring their own mobile payment solution to the market and recently made a number of retail chains turn off their contactless (NFC) card readers to prevent people paying with the competing Google Wallet and Apple Pay.

Are proprietary solutions becoming the new norm? Previously, all TVs could display all channels being broadcast, and either cash or standard, mainstream credit cards were universally accepted, but the new direction seems to be a plethora of incompatible technologies for the benefit of the vendor instead of the customer.

  • (Score: 0) by Anonymous Coward on Thursday October 30 2014, @12:13AM

    by Anonymous Coward on Thursday October 30 2014, @12:13AM (#111384)

    spooky halloween present for Apple

    • (Score: 0) by Anonymous Coward on Thursday October 30 2014, @01:41AM

      by Anonymous Coward on Thursday October 30 2014, @01:41AM (#111399)

      *from Apple.
      Fixed that for you

      • (Score: 2) by kaszz on Thursday October 30 2014, @01:58AM

        by kaszz (4211) on Thursday October 30 2014, @01:58AM (#111406) Journal

        If one eavesdrops on just about everything and has people to do the IRL stuff, it's a piece of cake to manufacture a "breach". Can't have people leave the iZombie brand.

  • (Score: 4, Insightful) by J053 on Thursday October 30 2014, @12:46AM

    by J053 (3532) <{dakine} {at} {shangri-la.cx}> on Thursday October 30 2014, @12:46AM (#111388) Homepage
    Couldn't happen to a nicer bunch of dicks. If by some chance I do ever patronize one of the companies in this "alliance", I'll be sure to pay with a standard credit card just to cost them the processing fees. Fuck 'em.
    • (Score: 5, Insightful) by frojack on Thursday October 30 2014, @12:50AM

      by frojack (1554) on Thursday October 30 2014, @12:50AM (#111389) Journal

      Agreed.

      These people have their terminal systems hacked almost weekly and now they want to play banker?

      I don't think so.

      --
      No, you are mistaken. I've always had this sig.
      • (Score: 5, Insightful) by dlb on Thursday October 30 2014, @01:30AM

        by dlb (4790) on Thursday October 30 2014, @01:30AM (#111395)

        These people have their terminal systems hacked almost weekly and now they want to play banker?

        That's the thing...they want to play banker with a direct link into my bank account. And if they or some hacker pretending to be them decide to drain my account, I could very well never see that money again.

        The scary part is that a few years from now we might all have currentC. It's not that far-fetched that it'll have replaced credit cards, or even cash itself. Laws are written by corporations, after all.

        • (Score: 2) by kaszz on Thursday October 30 2014, @02:02AM

          by kaszz (4211) on Thursday October 30 2014, @02:02AM (#111408) Journal

          What would make CurrentC fail in the market?

          • (Score: 1) by J053 on Thursday October 30 2014, @02:15AM

            by J053 (3532) <{dakine} {at} {shangri-la.cx}> on Thursday October 30 2014, @02:15AM (#111412) Homepage
            Maybe customers refusing to give a nebulous alliance of merchants their Social Security Number, Driver's Licence Number and bank routing/account numbers?
            • (Score: 1) by Wrong Turn Ahead on Thursday October 30 2014, @03:10AM

              by Wrong Turn Ahead (3650) on Thursday October 30 2014, @03:10AM (#111424)

              You're assuming that the masses are smart enough to care or disciplined enough to commit. Consumers seem to tolerate anything these days...

          • (Score: 1) by Whoever on Thursday October 30 2014, @03:17AM

            by Whoever (4524) on Thursday October 30 2014, @03:17AM (#111426) Journal

            Will Apple allow their app in the Apple store?

            • (Score: 2) by quacking duck on Thursday October 30 2014, @03:28PM

              by quacking duck (1395) on Thursday October 30 2014, @03:28PM (#111547)

              Will Apple allow their app in the Apple store?

              It's already *in* the app store. Has been since Oct 20. Some are demanding its removal, I've been arguing it should stay because to yank it would open Apple to unjustified (in this case) accusations that Apple Pay can't compete with it, and giving it undeserved "underdog" cred.

              Ironically, MCX (backed by the Walmart brand) forcing retailers to disable NFC makes Apple and Google the underdogs in this race.

              Instead, let it stay. Let the 1-star reviews remain. And let anyone really that curious to try it, see just how bad it, demanding info that's an identity thief's dream when (not if) it gets hacked, is, and what a hassle it is to use.

        • (Score: 3, Interesting) by frojack on Thursday October 30 2014, @03:11AM

          by frojack (1554) on Thursday October 30 2014, @03:11AM (#111425) Journal

          The scary part is that a few years from now we might all have currentC.

          Doubt it. People don't like paying credit card fees but they don't like turning their banking info over to some company that can't even manage their own business. Paying with a phone isn't THAT important to most shoppers.

          The credit card clearing companies aren't going to take this without a fight. Both Google and Apple worked WITH the credit card companies, CurrentC is trying to go around them.

          You have to wonder to whom we owe our thanks for this hacking.

          --
          No, you are mistaken. I've always had this sig.
        • (Score: 1) by Whoever on Thursday October 30 2014, @04:53AM

          by Whoever (4524) on Thursday October 30 2014, @04:53AM (#111442) Journal

          Don't forget that there are large corporations who also don't want CurrentC to work: all the companies and banks behind MasterCard, Visa and American Express.

        • (Score: 2) by DeathMonkey on Thursday October 30 2014, @06:14PM

          by DeathMonkey (1380) on Thursday October 30 2014, @06:14PM (#111618) Journal

          What is craziest to me is that these companies are so hated that everyone is defending the Credit Card companies!

          One of the things Obama really got right in my opinion was the Credit CARD Act of 2009. You never hear about it though....

          Probably one of the reasons people don't hate their CC company as much these days.

  • (Score: 0) by Anonymous Coward on Thursday October 30 2014, @01:42AM

    by Anonymous Coward on Thursday October 30 2014, @01:42AM (#111400)

    Something tells me that they weren't using OpenBSD!

    Please, people, if you're dealing with any sort of a computer system that needs any security, just use OpenBSD. It's the smartest thing to do, because OpenBSD is the securest operating system there is.

    • (Score: 2) by kaszz on Thursday October 30 2014, @01:51AM

      by kaszz (4211) on Thursday October 30 2014, @01:51AM (#111405) Journal

      Not using OpenBSD gives vulnerability karma that comes around to bite the operator ;-) no other BSD protects against the ev1lz forces?

    • (Score: 1, Informative) by Anonymous Coward on Thursday October 30 2014, @03:27AM

      by Anonymous Coward on Thursday October 30 2014, @03:27AM (#111431)

      If it were me, and I were given authority over what went in, I would go with Micrium's uC/OS. While it's not free software, it is supported, and the people who make it are quite open as to how it works.

      I feel one of the riskiest things to do is to use proprietary stuff protected by obscurity. I cite the latest round between FTDI and Microsoft versus the blokes who trusted them as evidence as to why that business model should not be trusted. It's like buying a bridge with a little hidden lever under it, which when pulled will collapse the bridge. Only business executives, with their personal fortunes tucked safely behind hold harmless clauses, would buy into such a thing.

      I am the designer, and I really feel uncomfortable designing anything into my stuff which has a back door in it. Especially ones I do not know about. The FTDI one caught me with my pants down. I did not do due diligence, I saw someone else's design in a trade magazine and designed it in from there. To me, it was just another low-level logic gate... not some remotely crashable device that just waits for a prankster to feed it a destruct code, with the resulting chaos at my expense. I will be red-faced over that one for some time now. I have stuff in the field with FTDI chips in it. I do not sleep well. I wish I had designed around an expendable download cable.

      A soldered in bricked chip makes for a bricked board, and in my case, a bricked system.

      We have a poll of "greatest fear" here on Soylent. One of mine is that in the event of societal breakdown, the powers that be flood the internet with destruct codes so that a lot of non-military technologies are rendered useless. The public would be subject to a mass DOS attack using the powers claimed to be used for copyright infringement. If it's not our own Government issuing NSLs to do this, it will be foreign sovereigns intent on creating havoc. I simply do not believe anyone should have the power to collapse public infrastructure and property belonging to others only because he knows the code to bring it down.

      Neither Microsoft nor FTDI are trustworthy, as thus shown. Unfortunately, I do not trust anyone anymore.

      The only way both Microsoft and FTDI can save face in my book is to trot both the engineer who devised this, and the managers who approved it, out in the open, strip them of both job and all retirement benefits, and wash their hands of it... in public. Just as they would do to an employee if they caught him putting sugar in the gas tank of the company truck. But that's dreaming. When one gets that high in an organization, one seems to be immune from taking responsibility; someone else considers them too important. Sometimes, it seems the only answer is to ditch the entire execumanagement structure and restart the technology from the ground up with just the working class of engineers, technicians, and assemblers.

      • (Score: 1) by jmorris on Thursday October 30 2014, @05:04PM

        by jmorris (4844) on Thursday October 30 2014, @05:04PM (#111586)

        This is drifting seriously offtopic but dude! Blaming Microsoft for the FTDI fiasco and demanding they throw somebody under the bus? When the story broke it wasn't even a day before they pulled the update. Remember, they operate in the closed source world where they DO NOT get to see the source of things any more than their customers do. They just saw a routine driver update from an established vendor and rolled it out. This one is all on FTDI.

      • (Score: 2) by tibman on Thursday October 30 2014, @05:42PM

        by tibman (134) Subscriber Badge on Thursday October 30 2014, @05:42PM (#111606)

        I think you're misinformed on FTDI. If you have an actual FTDI chip then everything will work fine. If you had a counterfeit then everything would not work fine. Unless you are building devices with counterfeit chips then I think you'll be okay. If your chip sources are dodgy then you'll always have these issues. FTDI did publicly apologize. Apparently a lot of people were using fake chips.

        As far as Microsoft, I'm not sure how much they play into this. They just distributed the driver. I do not like MS but other than asking them to vet every driver, I don't think there is much they can do here. Especially in this case where checking the driver with authentic hardware would have passed all tests.

        Your Doomsday scenario will only affect devices and software that allows automatic external/upstream updates. Very little hardware and production machines run in this scenario. Patches are applied to test machines before a rollout. If it fails then you rollback or re-image and don't apply that patch to your production hardware/software. Some consumer hardware is managed by external companies, that would be the failure points. Things like cable-modems and cell-phones. But not things like computers, routers, traffic lights, and public infrastructure.

        --
        SN won't survive on lurkers alone. Write comments.
    • (Score: 2, Insightful) by dltaylor on Thursday October 30 2014, @03:47AM

      by dltaylor (4693) on Thursday October 30 2014, @03:47AM (#111432)

      A better than most (if not all) secure kernel is no protection against executives who should, but don't, go to jail when the systems are breached refusing to spend the money to secure the system, PHBs that don't have a clue about security anyway, or incompetent implementors who could not secure a web site if, literally, their lives depended on it. Of course there is the combination of the above that puts the air conditioning system on the same network as the point-of-sale system and gives out privileged credentials to the HVAC maintainers (Target).

  • (Score: 1) by jmorris on Thursday October 30 2014, @05:23AM

    by jmorris (4844) on Thursday October 30 2014, @05:23AM (#111445)

    Not seeing the point of all of this hating on CurrentC. Just look at who is behind them and the problem they are attempting to solve.

    Retailers HATE the credit card companies. HATE. Most big box retail (the backers) end up operating on single digit net profit margins and they are giving up a point or more to the bloodsucking credit card companies. Then Google came along a few years ago and offered a shiny new thing that still involved them surrendering up a fee, installing new stuff and empowering another 800lb gorilla that would eventually menace them. Any wonder that it never took off?

    Now Apple thought that they could launch a new service.... in cahoots with the original HATED credit companies. Nope, Steve is dead and the Reality Distortion Field isn't operational anymore. Apple didn't offer merchants anything and are surprised they didn't have merchants lined up around the block like they were fanboys at a new iPhone launching. Nope, hype doesn't matter; they want a better bottom line.

    So the merchants are doing the sensible thing, make the phone into a smart checkbook instead of a credit card, process transactions across the checking network where the only fees are for optional services that spot fraud. But retailers are not tech outfits and are bungling the tech right out of the gate. In a sane world the BANKS would be turning phones into checkbooks but they are too wed to the credit card fees to do it.

    • (Score: 2) by keplr on Thursday October 30 2014, @07:18AM

      by keplr (2104) on Thursday October 30 2014, @07:18AM (#111459) Journal

      I'll stick with cash and debit. My credit union has never done me wrong, and I'm happy with the privacy I get from using mostly cash.

      --
      I don't respond to ACs.
    • (Score: 0) by Anonymous Coward on Thursday October 30 2014, @12:25PM

      by Anonymous Coward on Thursday October 30 2014, @12:25PM (#111490)

      You forgot the part where WalMart arrogates to itself the right to track all your purchases made with CurrentC.

      • (Score: 1) by jmorris on Thursday October 30 2014, @06:53PM

        by jmorris (4844) on Thursday October 30 2014, @06:53PM (#111637)

        They do that already and since CurrentC is basically an electronic checkbook that sends checks through the same network that would process a paper check, that problem can't be solved by the retailers, and as you note they aren't even interested in solving it.

        Which is why I said the banks themselves should be doing this. They are the ones with everyone's checkbook and the ones the merchants must end up depositing into so they could do it as safely and securely as they wanted or, more realistically, as much as regulators and customers forced them.

  • (Score: 2) by PizzaRollPlinkett on Thursday October 30 2014, @11:15AM

    by PizzaRollPlinkett (4512) on Thursday October 30 2014, @11:15AM (#111479)

    The first question I asked myself was: Who wrote this software? We're talking about a coalition led by do-it-cheap Wal-Mart to destroy the credit card business, so are they outsourcing the code to the lowest bidder? A lot of the transaction processing in the USA seems to be really old code, written by experienced professionals trying to get it right. This code probably goes back to the days before PCs. But this new stuff is being written for companies that are well-known for how cheap they are, and quality is simply not a priority. Are these new systems being written by body shop consulting firms?

    And doesn't the public have the right to know who wrote the code? We have building inspections. We have car inspections. We have food inspections. Why don't we have code inspections? Why doesn't the government mandate code quality for the financial infrastructure of the economy, if they mandate everything else? We're just as dependent on it as we are buildings and vehicles. How can Wal-Mart create a new financial infrastructure for the USA and not have any accountability as to whether it is robust enough to protect people's money?

    The problem with ACH is that it was never designed for what they're trying to use it for. This will get a whole lot worse before it gets better. FDIC protections on bank accounts, and fraud protections on credit cards and later debit cards, were slow to be implemented, and ACH is a B2B setup never designed for consumer transactions.

    --
    (E-mail me if you want a pizza roll!)
  • (Score: 3, Insightful) by elf on Thursday October 30 2014, @01:50PM

    by elf (64) on Thursday October 30 2014, @01:50PM (#111510)

    Here in the UK you can use contactless payment to pay with most credit/debit cards. They all use the same format and a lot of retailers support this form of payment. According to the wiki page on this the US seems to have a different system to the rest of the world, I guess there is more reason to have competition there? I think it just makes it more expensive for the retailers, maybe when the US has chip and pin it will be easier to adopt a worldwide standard.

  • (Score: 2) by zeigerpuppy on Thursday October 30 2014, @03:43PM

    by zeigerpuppy (1298) on Thursday October 30 2014, @03:43PM (#111554)

    It's become increasingly obvious that securing databases is nearly impossible, especially with so many state actors with cash to burn and markets to manipulate. Cryptocurrencies will displace these payment models in time.