MCX Breach Shows Stores Can't Be Trusted With Customer Data

According to MCX (Merchant Customer Exchange), the maker of the Apple Pay mobile wallet competitor CurrentC, email data of its beta testers was breached in the past 36 hours. This couldn't have been worse timing, considering some MCX members started banning all NFC payments in their stores to stop people from using Apple Pay, because they wanted them to use CurrentC exclusively (when it's launched next year).

This is the e-mail MCX has been sending to its users, according to TechCruch:

Thank you for your interest in CurrentC. You are receiving this message because you are either a participant in our pilot program or requested information about CurrentC. Within the last 36 hours, we learned that unauthorized third parties obtained the e-mail addresses of some of you. Based on investigations conducted by MCX security personnel, only these e-mail addresses were involved and no other information.In an abundance of caution, we wanted to make you aware of this incident and urge you not to open links or attachments from unknown third parties. Also know that neither CurrentC nor Merchant Customer Exchange (MCX) will ever send you emails asking for your financial account, social security number or other personally identifiable information. So if you are ever asked for this information in an email, you can be confident it is not from us and you should not respond.MCX is continuing to investigate this situation and will provide updates as necessary. We take the security of your information extremely seriously, apologize for any inconvenience and thank you for your support of CurrentC.

Unlike Apple, which keeps no user data -- even the credit card number is stored locally in Secure Element, while giving merchants only unique tokens when the purchase is made -- MCX intends to collect much more data from its users including e-mail, bank account numbers, location and more.

What Target, Staples and Home Depot breaches have shown us is that not only can most of these stores not be trusted to hold such valuable information about their customers, but even if the stores' "clouds" are as secure as they can be, the potential for extreme damage (such as having hundreds of millions of users' account data leaked) is too high to be an acceptable way of doing business.

The malicious hackers, be they individuals, organized groups, or rival states only need to hack these databases once to get that data. Even if the data is properly encrypted, that only helps as far as the users' passwords were strong and unique enough. Unfortunately, it's common knowledge by now that most people either use predictable passwords or passwords that are easy enough to bruteforce. Apple's own iCloud easily fell prey to the same type of attack earlier this year.

Apple Pay may not be completely impenetrable either (nothing really is), but so far it's using a rather solid security design that stores the credit card data locally in hardware, with very little exposure to the OS or anything else. Even if that system is breached, the potential to have hundreds of millions of credit cards leaked through it is much smaller. If there's a serious vulnerability, hackers can only attack or infect one phone at a time, minimizing the total damage of such a hack.

We should be demanding that more systems that involve collecting valuable data from us, whether it's credit card numbers, fingerprints or facial recognition data, should store this data locally and securely in hardware. That data should also not be accessed directly, but through "virtual layers" on top of it, such as the unique tokens Apple Pay generates for purchases. This way, if a breach happens, the attackers will only get access to worthless "virtual" data.

Follow us @tomshardware, on Facebook and on Google+.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • glasssplinter
    We get, you're all over crapple pay and think it's the best system ever. No matter how secure you think it is because crapple told you the banks still have your credit card number. So instead of going after the merchant the hackers will now just hack the banks. Nothing is secure so get used to it. Suck it up and start using cash.
  • ammaross
    If you add your card via "take a photo", that photo gets transmitted to Apple for OCR. Is it kept? Likely not, but would be nice to stick some middleware in that stream....

    Also, in order to correctly bill you for a transaction, someone somewhere needs to know your account information. You generate a token for your card, someone has to be able to map that token to an account. Apple certainly isn't going to query your Secure Element to ask what credit card a token is associated with. Therefore, either your token is kept in an Apple database along side a "token" or account number identifying you with your card carrier (remember, they have access to credit card processors to process your transaction), or they simply have your account info (similar to adding a card to your iTunes account). As anonymous as their marketing wants to sound, you can't be anonymous from the company that does the associating of you and your money.
  • striptaway
    More Apple trash talk and in this case it's about CurrentC preliminary trail run of software that is far from it being in its final form.
    Apple had numerous problems with its recent wide release version of iOS 8 and OS X Yosemite.
  • Kary K
    They should keep the information some place safe, like the White House. ;-)
  • scolaner
    Tomshardware is so bought off by Apple it isn't even funny anymore. The reputation of this site is going down hard!

    It's hard to respond constructively to such an ignorant comment.

    I don't think you understand what you're alleging; if we took money from Apple (or any other company), we'd be in serious trouble. We'd all be fired and would probably never be able to work in the industry again.

    If I, as the News Director, thought any of my guys were being paid off, they'd be on the street in a heartbeat. But they're not.

    No one on Tom's Hardwarre has ever, or will ever, take money from a company for our opinion on anything, ever.

    As to your suggestion that our reputation has "gone down hard", you're entitled to your opinion, but I strongly disagree.
  • hitman40
    Wow so many Apple haters in here for the wrong reasons. This isn't even about Apple dumbasses. It's about MCX going against NFC form of payment, including Google wallet. Retailers did this because THEY don't want to pay a fee using CurrenC, and NFC involves paying a fee. This clearly shows they only care about themselves and not the customer.

    You anti-Apple fanboys are really starting to be a joke when something you think about Apple isn't.....
  • everygamer
    This is not correct, apple does have your email address on record, it is what ties your device to your account with them. As such, they could just as easily loose the same information that MCX did. Additionally, Apple does have your Name, Address along with that Email address so that they can contact you or bill you if they ever need too.
  • skit75
    I fundamentally disagree that anyone could be trusted with my data, other than me. And even then.... I am not sure I can be trusted with my data.
  • everygamer
    Wow so many Apple haters in here for the wrong reasons. This isn't even about Apple dumbasses. It's about MCX going against NFC form of payment, including Google wallet. Retailers did this because THEY don't want to pay a fee using CurrenC, and NFC involves paying a fee. This clearly shows they only care about themselves and not the customer.

    You anti-Apple fanboys are really starting to be a joke when something you think about Apple isn't.....

    Just so you understand, retailers already pay a 3% or 4% fee each time you swipe your credit card. NFC services like Google Wallet include those fee's but pass them to the consumer and discount the retailer, so a retailer would want to have customer use NFC, it would save them money. The reason why retailers are turning off NFC is that a number of them have a contract with MCX that up until now didn't have any major competition, or at least competition that was getting front page news about it. Google having NFC was not as disruptive as both Google and Apple having it, plus, as much as I don't like how Apple does business (one company to rule them all), they are amazing at marketing and bringing a large following into the market with new technology quickly because of the large number of people that replace their existing apple products annually or bi-annually (brand loyalty is worth its weight in gold).

    MCX lost email addresses, Apple lost nude photo's, there is no such thing as a perfectly secure network. Apple has your email address (registered to your device and apple account), name and address all from when you bought your phone and swiped your credit card to walk out of the store with it.

    It will be interesting to see how things play out with the payment systems over the next few years. The thing that I think is funny is how crazy everyone is about NFC, and how they act like Apple created the technology and got all the retailers to put NFC readers in the stores. The reality is the retailers were already doing it over the last 5 or 6 years and Android has been using it for about 2-3 fairly effectively. The smart thing that Apple did was wait until there was enough hardware to support NFC payments at the retail chains before adding it to their phone, they just didn't plan for MCX to have contracts in place to force retailers to turn it off.
  • NotProfit
    Regardless of if anyone is getting paid for anything, I'll have to agree that the amount of biased information is starting to disturb me... I've been a long time Toms Hardware reader / lurker regardless of the age of my account. The article on "Windows finally getting two factor authentication" the other day BLEW ME AWAY. The most uninformed hipster Microsoft hating I've ever seen on this website. It's a shame... but more importantly, it doesn't make sense for a website that, and I may be wrong on this, caters to mostly PC builders. I don't believe the bias should be directed the other way by any means, but I'd like to see some more research go into these articles, maybe people would be less accusing about your Apple paychecks... jk lol