CurrentC, an upcoming mobile payments platform developed by a company called Merchant Customer Exchange (MCX), recently began telling partners such as Rite Aid and CVS to disable NFC terminals in an attempt to block use of Apple Pay. A closer look by iMore at how CurrentC works has revealed that the app wants to collect far more personal data than one would expect.
In contrast to Apple Pay, which uses NFC to process payments wirelessly, the CurrentC system uses a dedicated app and relies on QR code scanning to process a consumer’s payment. According to the source, on launch, the app immediately starts sending pings to https://my.currentc.com/mobile/pinggateway every two seconds or so. “No interesting data is sent in the requests and blocking them seems to have no impact on the app.” Next, a deviceState request goes out with your device type and a unique device identifier. The third and last request seen on launch is a call to Localytics, a mobile analytics company.
“After you’ve launched CurrentC you’re given two options: I Have An Invitation or I Need An Invitation. If you tap I Have An Invitation you’ll be asked for your email address and ZIP code. Entering an email that hasn’t been invited yet will kick you back to the first screen and give you a message saying they’ll let you know when CurrentC is available in your area. A concerning behavior I saw here is that regardless of what email you enter, CurrentC’s service will respond with a large dictionary of user data.
“Now, I have to stress here, I never got CurrentC to return me a real user’s data. However, the fact that these fields exist is a good indicator that CurrentC plans to collect this data, and also why on Earth would you ever return these fields without any sort of authentication first? I never hit on an email that appeared to be a valid account, but I was honestly too nervous to keep trying given the data it seemed eager to send back.”
The source concludes its analysis of the app by saying that CurrentC doesn’t look like a great app for consumers to trust with their information. “I have additional concerns about CurrentC, but am hoping to hear back from them before disclosing them.”