Apple Pay competitor CurrentC hacked, alerts pilot program participants of security breach


Comments

  • Reply 181 of 232
    tbell wrote: »
    To be fair however the NFC systems are in place because of Google.

    They were actually in place because of PayPass. From Wikipedia entry on Google Wallet:
    The service works with the 300,000 plus MasterCard PayPass merchant locations, with Visa licensing their Visa payWave system to Google for use in Wallet as of September 20, 2011.
  • Reply 182 of 232
    MacPro Posts: 19,727 member
    coolfactor wrote: »

    I didn't clue into the name at first, but then I did. My first thought was "CurrentC = Current Customer", basically meaning they can get to know their customers really well through data mining. Then I realized that it sounded like "currency", so it made sense why they stuck with it. But I do believe that this program was never about helping customers... it is all about their own self-interests.

    #BoycottCurrentC

    Right, hence me suggesting the name was stupid, the play on pronunciation is far from the first thought for most I am sure. I'd love to have been a fly on the wall ...

    "Let's call it 'Currency'"
    "That's snappy and meaningful, I like it."
    "No, no ... how about 'Current .. C'? Isn't that clever, get it? It's like Currency but it isn't. The C is said after 'Current', get it?"
    "That's stupid and pointless?"
    "My dad is the CEO of Walmart"
    "Oh yes it's a brilliant name."
  • Reply 183 of 232

    I'm going to pull out and dust off my checkbook on any retailer that supports CurrentC and take my sweet time filling out my checks :) Let's make their lines long.

  • Reply 184 of 232
    coolfactor wrote: »
    The 'story' is wrong in so many ways? Or CurrentC?


    BTW Isn't that just an awful name ... CurrentC... was it supposed to be clever? It makes me think of electricity not money.


    I didn't clue into the name at first, but then I did. My first thought was "CurrentC = Current Customer", basically meaning they can get to know their customers really well through data mining. Then I realized that it sounded like "currency", so it made sense why they stuck with it. But I do believe that this program was never about helping customers... it is all about their own self-interests.

    #BoycottCurrentC

    PC Rules!
  • Reply 185 of 232
    Quote:

    Originally Posted by Blah64 View Post

     

     

    I doubt it was a matter of marketing.   Many of us (most?) have no interest in google watching our everyday financial transactions on top of everything else they watch and analyze.  


    Yep. That and Google's spotty customer service history in general. They already pushed Google Checkout, and it was a market failure.

     

    I had to use Google Checkout to purchase tickets to an event a few years ago. Clusterf*** all the way around. Convoluted registration process. Multiple failed attempts to process the transaction. And in the end, Google Checkout failed with the event organizer as well. They wound up having to cancel all of the Google transactions, and have everyone purchase tickets at the door using the cash register and credit card reader for the bar next door. Never used Google Checkout again, and don't plan on using Google Wallet either.

  • Reply 186 of 232
    blah64 Posts: 993 member

    I'm really, really happy that this is getting people's attention, and making people think about data security with their financial transactions, but I'm also a little concerned that choosing a better method of payment (Apple Pay) will make people feel like retailers will not be able to mine their purchases and personal data.

     

    Understand that when you use ANY credit/debit card, banks are part of that transaction, and they can and do give (sell?) your personal information back to the retailers.  They don't just get your name and card number, they get your mailing address and probably your phone number as well, though I never verified the phone number part.  That allows them, if they are so inclined, to marry it with Acxiom and other HIGHLY invasive data.

     

    Even when I used to use plastic for in-person purchases, I used it very carefully and infrequently, so I was able to track this down and several years ago I confronted my credit card issuing bank.  At first they denied the practice, but it was very, very clear to me what had happened, so I persisted, asking for the call center manager.  They too, continued insisting that the bank does not give information back to the retailers, so I dug my heels in and insisted on talking with this person's boss, and eventually was moved up the ladder.  Finally, when I confronted the 3rd person up the chain, they admitted that they do indeed give (sell?) customer information back to the retailers, and that they considered it a helpful benefit to the cardholders.  WTF?!  She offered me the opportunity to opt out, and of course I said: Yes Please!

     

    That was a major turning point for me in understanding how much data collection and sharing happens, and in turn, my personal elimination of CC/debit card use for everyday purchases.

     

    Because of back-end data sharing, Apple Pay may not necessarily help on the data privacy front as much as people think, although if retailers have had to pay for this data in the past and are looking at CurrentC as a way to get it for free, it might possibly reduce the collection somewhat.

     

    This is why I asked in another thread if anyone has attempted to link pre-pay debit cards to their Apple Pay account.  That might finally allow anonymous electronic mobile transactions -- at least for a while (think biometrics).  I'd love to hear if any of the pre-pay cards work.  There are many different brands/issuers, so it's very possible that some might work while others do not.  If you can try it, post your results here!

  • Reply 187 of 232

    I guess revenge is a dish best served cold? CurrentC is one of the clunkiest programs to date. I wonder what VC is dumb enough to fund them!!

  • Reply 188 of 232
    Well damn. Oh well.
  • Reply 189 of 232
    In order for us, as consumers, to use CurrentC we must give them our bank account number. Now can you imagine what would happen when someone hacks through their system and gets that info?

    Not a chance is someone going to my bank account info stored in a hackable cloud somewhere. Don't want any checks bouncing.

    What is with their idea of blocking any NFC transactions such as Apple Pay? I guess they don't want to give us a payment choice or is it restraint of trade?

    I have stopped going to the CurrentC retailers such as Best Buy, Lowes, Target, Walmart, etc. It's the only way I can protest their actions.
  • Reply 190 of 232
    misa Posts: 827 member
    jbdragon wrote: »
    To be fair, Google Wallet spies on everything you do!!!  Pretty much what CurrentC does.   At least it still is using Tokens.  But Google Has your Credit Card Number, Google sees where you shop, what you're buying and how much you spent.  When you buy something using Google Wallet, You're in fact paying Google, and Google in turn pays the Merchant.  Google has set itself up as the Middle Man!!!  I do have a problem with that.   It's not nearly as bad as CurrentC with the whole Direct access to your bank account and zero fraud protection, or CurrentC App making a grab for your health info stored on your phone, but I'm not a fan of what Google is doing, even though it's all part of its business model.

    At least I have a choice to not use it.  I'm against CurrentC far more.   The more support for NFC, the better for everyone.  Fact is Google in all these years, what's it been, 4 years now built into Android and it's been dying a slow death here in the U.S. with zero promotion from Google!!!  For the few that think NFC came out because of Android, NO!!! It came out before Android and Google just made use of existing tech!!!   Part of MasterCard Pass and whatnot where you would use a Keyfob type thing to pay for things.  That never took off either.   Now I guess it'll be used for Chip & PIN which will be coming Next year.  I think it's LAW, everyone has to move over to it.    Which I'm confused on.  I hear these companies will only support CurrentC or Cash!   How would they get away with not having NFC or supporting Chip & PIN?

    In Canada, there are three kinds of POS terminals:
    1) Ones that are Chip+pin only (they have only a card slot/pin-pad), are used by vendors who only upgraded to the chip+pin, and won't replace their equipment until worn out.
    2) Ones that are Chip+pin + NFC (usually tapping the card to the screen). All the ones I see are usually issued by Chase.
    3) Ones that have separate pin-pads and NFC sensors. These are the old ones that were rolled out chip+pin between 2003 and 2010, and later added NFC. Chip cards have been issued in Canada since 2003 from some banks, but the requirements to go chip only have only been in place since 2010. Most places that had separate devices have been replaced with all-in-ones (eg McDonalds, Tim Hortons), as the separate NFC surfaces tend to fail a lot.
    jungmark wrote: »
    I don't think so. I think it was MasterCard that started the "tap to pay". Googs just piggybacked on that. (Not saying anything negative).
    This seems highly improbable. The rest of the world started using chip+pin, and the NFC devices are now built into the Chip+Pin POS systems, so what you're seeing are "nfc only" devices circa 2010 or later, as the US has yet to switch to EMV.

    chadbag wrote: »
    Actually, this is not true.  I work at an (unreleased) mobile payments place (not in competition with Apple Pay, Google Wallet, or CurrentC really) and we ask for the last 4 when you sign up, as part of regulatory compliance for AML (anti money laundering) laws, but we don't have anything at that point, and only collect the last 4, since the ID Verify things we have to use as part of "Know Your Customer" laws can get a good enough match off the last 4, that it suffices for what we need.   We don't want the whole SSN and only do the minimum that will allow us to be compliant with regulatory requirements.

    The fact is, someone has the full SSN somewhere in that ID verification chain, which is why I made mention of it. Outside of the US, you aren't allowed to use the taxpayer ID for anything but tax reporting purposes, so unless you have a tax relationship you can't ask for it. In Canada they typically ask for the Drivers License and any existing credit card to do a credit check. The reference I was making was AT&T Wireless's legacy (TDMA) system where it only showed the last 4 digits of the SSN to the CSR, but ANY CSR could view the entire thing by looking at the credit reporting information. In their GSM system pre-cingular, that full SSN information was not present, but most customers had a legacy account at that time anyway. Which is why outsourcing customer service is such a bad idea :)

    The point I'm making is that US-based companies are over-reliant on the SSN as a verification tool, and many use the SSN as part of their account search index, which makes it more than easy to harvest the numbers if there is a single bad actor (think third party contractor or disgruntled employee) with access to the system. Hence why all the paranoia about "I don't want CurrentC to have my bank account, SSN, DL, etc" is completely warranted, but the most valuable piece of data is not the ACH numbers themselves, but the ID information.

    Just to dig AT&T's grave a little bit deeper. In the TDMA era, when SMS's started taking off, someone had this brilliant idea that they could use their cell phones to pay for things, using SMS (you may have seen this a lot) but over time, the amount of scamming using SMS outstripped the legitimate charges, and there was no way to prevent children from using SMS to buy premium content. So the Customer Service reps were told never to credit back this stuff, it's all legitimate. This obviously would have been correct if it wasn't for the fact that many internet-based SMS premium message sites started popping up, and had no verification. Hence "cramming" charges.

    This is why I would call Softcard into question. While I think the NFC part of it may be just fine, I wouldn't trust the mobile carriers to ever refund fraudulent charges.

    This is the future of CurrentC. Children and adults who play dumb, will scam retailers, and then scam their banks because there is no verification at the device level that the person paying is the account owner. Unlike Apple Pay, which only the owner of the device, and the owner being present can pay. If someone is foolish enough to not have their device auto-lock so their kids can play with it, think about all the damage that can be done. We've already been over this with the "in app purchases".
  • Reply 191 of 232
    magman1979 Posts: 1,293 member
    BLOP... PLOP...

    You hear that? That is the sound of what happened at the collective CEO offices' of MCX, Wal-Mart, CVS, Rite-Aid, and the rest of their collective twits:













    [IMG ALT=""]http://forums.appleinsider.com/content/type/61/id/51619/width/500/height/1000[/IMG]

    :smokey:
  • Reply 192 of 232
    Quote:

    Originally Posted by wigby View Post

     



    I think this was more of a security lover/protector. Let's just hope that Apple Pay is as secure as they say and as it seems to be in theory.




    The nice thing about Apple's solution is that it's battle hardened.  Apple Pay is effectively built upon the same technology as signed apps, so the underlying stuff is solid.   This isn't new tech.  It's 10 year old tech that has gone through 3 major revisions.

     

    The beauty of PKI is that it works.  The hassle is to build an end to end solution with enough network value (Metcalfe's Law) to attract commerce.   Apple has built one.  Apple built the underpinnings of this for DRM for iTunes (thank you record labels for requiring this idiotic idea), extended it when they built the iPhone, improved it when they got the A7 secure enclave and touchID.   And the fact that Apple doesn't have to broker anything, (and therefore have to have 'keys in the middle'), makes them less of a target.

     

    The interface points (the NFC for handsets, the HTTPS for webapps) and the back end may be risky (once an issuing bank gets the stuff and decrypts with their private key, who knows what sort of security they will have), but Apple's part looks pretty solid.

     

     

     

    As for MasterC and the hack...  all I could think of was "Ooouch... Thaat's gonna leave a mark!;-)

  • Reply 193 of 232
    Originally Posted by digitalclips View Post

    But to be fair, all 7 of you don't add up to a hill of beans

     


  • Reply 194 of 232
    mac_dog Posts: 1,069 member

    i just skipped the article and comments for yesterday's article:

    MCX defends CurrentC against Apple Pay controversy, says sensitive customer data is saved in the cloud

     

    and jumped to this one. popcorn is ready.

  • Reply 195 of 232
    paul94544 Posts: 1,027 member
    Of course they don't know yet if the currentC pilot customer's bank account numbers and Social Security numbers were hacked YET? IF they were oops. My money is on they got into everything. And if they if they are toast


    I can see the headline soon "CurrentC customer's bank accounts emptied"
  • Reply 196 of 232
    eightzero Posts: 3,063 member
    Quote:

    Originally Posted by macinthe408 View Post



    Okay, the Apple-lover who did this, please raise your hand!

    I'd like to fix your post: "Okay, the Apple-share option holder who did this, please raise your hand!"

     

    Honestly...I do wonder if that is the motivation hackers have. It is surely a way to leverage your skills.

  • Reply 197 of 232
    paul94544 Posts: 1,027 member
    Quote:
    Originally Posted by jungmark View Post



    This is a "feature". Everyone wants their email addresses to be filled with spam.


     


     



     

    Quote:

    Originally Posted by macinthe408 View Post



    Okay, the Apple-lover who did this, please raise your hand!

    Who said Apple is not innovative!

     

    Well done whoever broke into currentC from Apple

  • Reply 198 of 232
    paul94544 Posts: 1,027 member
    Quote:
    Originally Posted by brlawyer View Post

     



    That's just beautiful - a public hacking disclosure after "reiterating" that your cloud was "secure" - precious, really.


    I wouldn't like to be the head of security at currentC when the CEO orders me into his office and his first question is "Are you really sure the customer's bank account and SS# were not taken as well?" If they haven't checked the access logs to those files then they deserved to fail.

     

    err ... I hope so, lemme ask Bob in the back there I'll get back to you boss

     

     

    .

    but on the other hand my devious/conspiracy theory mind is thinking, perhaps they did this to themselves deliberately, look at the timing  ! Everyone knows about the App now! hmmm meh!

     

    btw. folks I manage a couple of systems that process CC transactions and have ACL set up to limit access to them and reports that generate logs of all access to those sensitive  files and we check them every day!  

    if the CEO fires or replaces the head of security or CTO you can be sure they don't have those protections in place.

    .

  • Reply 199 of 232

    If this does not derail CurrentC then they are just wasting time and money...

  • Reply 200 of 232
    elehcdn Posts: 388 member
    Quote:

    Originally Posted by AppleSince86 View Post



    If anything defines MCX as amateurs, this does. Walmart executives must now be wondering what they've committed to.

    I'll bet that Walmart didn't commit to anything ... they are the ones that are driving MCX forward. You have to take a look at the whole of WalMart's banking strategy - in the US, WalMart has had a tough time getting off the ground and have only had limited success with the Amex partnered BlueBird card and the upcoming GoBank offering, but globally, they already have established banks in Canada and Mexico. Guess who the payment network vendor for Mexico is? FIS Global based in Florida. 

     

    Walmart is desperately trying to get into banking to be able to reduce their operating costs and increase consumer data and are using MCX to drive this forward. It is just icing on the cake that they have managed to get other merchants on board to help out with costs and get better consumer penetration. Here is an article from a year and a half ago about MCX when it was starting up, http://www.droplabs.co/?p=662
