
MCX: Hackers stole email addresses but never got anywhere near its mobile payment app

On Tuesday hackers managed to obtain email addresses of users beta testing MCX’s mobile payments app CurrentC, but the attack was directed at MCX’s email provider, not directly at the company’s own infrastructure, the big retail consortium revealed on Wednesday at what was perhaps one of the most stilted press conferences I’ve ever attended.

No credit card data or other financial information was compromised, and the CurrentC app was unaffected, MCX CEO Dekkers Davidson said during a press conference this afternoon. While some of the email addresses were for pilot testers and people who had signed up to participate in the pilot, many of them were placeholders for dummy accounts used for internal tests. Davidson wouldn’t reveal the name of MCX’s email provider or how the attack occurred, saying that MCX would accept full responsibility for the breach.

“I own it,” he said. “CurrentC owns it.” He added that while MCX’s retailers are notifying any customers affected, the attack didn’t reveal any kind of security flaw in its core smartphone apps cloud-based payment authorization system. “We’ll learn from this, but we won’t let it slow us down,” he said.

(Source: MCX)

MCX held the press conference to answer questions about the breach and the growing controversy surrounding its big retailer members refusing to accept Apple Pay and other competing mobile wallets. MCX is made up of some of the biggest big box stores, restaurant and pharmacy chains in the country, including Walmart, Best Buy and CVS, who plan to roll out CurrentC either as a standalone app or integrated into their own affinity apps in early 2015.

But the press conference took on a rather surreal tone as Davidson responded to questions about why MCX was excluding all other payment systems with answers about how the retail industry needs to have multiple competing mobile wallets. He said no MCX member would be fined or penalized for accepting Apple Pay (contrary to an earlier report in the New York Times), while reiterating that member merchants have all agreed to use CurrentC exclusively.

From what I gather based on numerous sidestepped questions asked at the press conference, Davidson feels that MCX retailers are free to do whatever they like as long as they quit the consortium, and that competition and third-party innovation are great as long as they’re done at some other retailer’s stores.

I’m not entirely unsympathetic to MCX. Its retail members are protecting their turf just like Apple and Softcard’s carrier members keep other mobile payments services off their phones, but we’re getting a lot of double-speak from MCX.

Big retailers can’t have it both ways. If MCX wants to keep Apple Pay out of its stores, fine (Apple Stores aren’t going to be accepting MCX payments any time soon is my guess). But it’s ridiculous for MCX to try to sell us on this idea it’s promoting competition and innovation in the mobile payments space. In fact, it’s plain cynical. Attempts in the past to restrict mobile payments are the main reasons why buying something beyond a cup of Starbucks coffee with a smartphone is almost impossible today.

One of Davidson’s final comments was perhaps the most telling. He said the goal of MCX was for retailers to establish much stronger bonds with their customers, the implication being that Apple, Google or the carriers stand in the way of establishing that bond. “Three’s a crowd,” he said.

7 Responses to “MCX: Hackers stole email addresses but never got anywhere near its mobile payment app”

  1. Nicholas Paredes

    As a consumer, I have had four replacement debit cards this year. One was a result of the Target data compromise. Apple Pay is perhaps a recognition that the credit card companies aren’t going away anytime soon. It focuses on data integrity and anonymity. This was the primary reason I find Apple’s service interesting. We choose who we trust in these financial decisions and transactions. I trust my small bank, who sadly has not enabled Apple Pay yet. MCX has zero trust at this juncture.

    To the point of competition, if I am correct Apple allows the MCX app in the app store. While it does not provide every possible payment mechanism in this store, that is beside the point. Paypal only in the last year has become more common on e-commerce sites. I used PP in several recent transactions due to privacy concerns. Apple Pay follows a very similar model. I find the excuse that these stores will have no data on my transaction false.

    MCX is about eliminating credit card transaction fees. Rewards programs are pervasive. E-commerce transactions still require my email and shipping address. No data? What else do these merchants want? This is why Apple’s policy of privacy is appealing. I have yet to get a catalog as a result of Apple selling my information to other merchants. MCX will fail. Except for Walmart banking customers without choice, most consumers will avoid insecure payment mechanisms. Yesterday’s compromise was IMHO fatal.

    • Apple Pay uploads all your credit card information for every card you add to a single database. With Apple Pay, one compromise puts ALL your accounts at risk… Unless you believe that the Apple Pay database is somehow immune to hacking which hit companies like Bank of America and JPMorgan Chase. Ask a few nude celebs about Apple’s bulletproof security ;)

      It seems like it should be more secure than a stolen wallet, but there again, a thief could snatch your phone out of your hands while you’re using it and run off. All they would need to do is set it to Airplane mode and disable screen lock. Now they can charge on all your accounts and it will be VERY hard to dispute with your card company.

      I’ll stick with my plain old credit cards, thanks. If they’re stolen, I can cancel them and get a new account number. Anomaly detection is amazing these days. I had one card cancelled and replaced automatically before I even knew it was cancelled. I literally had the new card in my mailbox before my old card was declined.

      I can really empathize with the merchants. They are getting 2-3% transaction fees on every single transaction. Visa/MC/Amex are making a cut and collecting all that valuable private transaction data. They’re double dipping.

      I can’t blame these merchants for trying to develop their own system. It will probably cost them less than the transaction fees while allowing them to keep their customer’s private transaction data out of the hands of some third party middle man.

      Apple Pay doesn’t solve this, it just adds Apple as yet another middleman taking a cut of transactions.

  2. I’m old enough to remember when stores took MasterCard or Visa but not both; when Amex was fighting Diners Club for the restaurant business; when Sears turned its store card into Discover. Of course companies are going to fight over bonk to pay. Why is there no outrage that iTunes doesn’t have a pay with Google option? Sometimes it seems like standing in the path of Apple is worse than standing in the path of progress (by, say, claiming a patent on a rectangle with curved corners).

    • Kevin Fitchard

      I have to agree with you there, Hildy. I don’t necessarily think MCX is behaving in any noble manner here (and its claims of changing the status quo and fueling competition are ridiculous), but it’s behaving no worse than any of the other companies in the mobile payments space.