Yesterday, Ed Oswald wrote a story about the retailer-backed payment network CurrentC, describing it as a threat to iPhone and Android users alike. In the article he spoke about the security of the system, saying "CurrentC is overly complicated, and just leaves too many opportunities for something to go wrong, or a hacker to make their way in".
He turns out to have been spot on, as today MCX admits its service has already been hacked, with email addresses of participants in the pilot program and other interested individuals being stolen. Hardly the most auspicious of starts. The following email was sent to those affected:
Thank you for your interest in CurrentC. You are receiving this message because you are either a participant in our pilot program or requested information about CurrentC. Within the last 36 hours, we learned that unauthorized third parties obtained the e-mail addresses of some of you. Based on investigations conducted by MCX security personnel, only these e-mail addresses were involved and no other information.
In an abundance of caution, we wanted to make you aware of this incident and urge you not to open links or attachments from unknown third parties. Also know that neither CurrentC nor Merchant Customer Exchange (MCX) will ever send you emails asking for your financial account, social security number or other personally identifiable information. So if you are ever asked for this information in an email, you can be confident it is not from us and you should not respond.
MCX is continuing to investigate this situation and will provide updates as necessary. We take the security of your information extremely seriously, apologize for any inconvenience and thank you for your support of CurrentC.
The CurrentC mobile app itself wasn’t breached, but a hack this early on hardly inspires confidence and will come as a major blow to the payment network's credibility. MCX's claim that it takes "the security of your information extremely seriously" seems laughable when made in a message admitting to having failed to secure the email addresses of supporters of the service.