Why is the CurrentC app collecting your device information?

Over the last few days, CVS and Rite Aid have disabled NFC technology at their retail outlets to prevent customers from using Apple Pay. It's been reported that this is due to an existing deal in place with a system called CurrentC, which involves the use of an app, QR codes, your bank account, and their servers. Walmart recently explained MCX's — the consortium behind CurrentC — position to Business Insider as follows:

There are certainly a lot of compelling technologies being developed, which is great for the mobile-commerce industry as a whole. Ultimately, what matters is that consumers have a payment option that is widely accepted, secure and developed with their best interests in mind. MCX member merchants already collectively serve a majority of Americans every day. MCX's members believe merchants are in the best position to provide a mobile solution because of their deep insights into their customers' shopping and buying experiences.

It's also been suggested that CurrentC will help retailers avoid credit card transaction fees while also letting them mine personal data. With that in mind, here are some questions about MCX and the CurrentC app:

  1. Why do they want to retrieve your device's MAC address? (Don't worry, as of iOS 7, the OS returns a fake MAC address of 02:00:00:00:00:00 which is what CurrentC seems to be sending to their servers)
  2. Why do they want to log your device name, WiFi network name, and number of running processes?
  3. Why do they use a unique device ID that persists across multiple installs?
  4. Why do they send pings every 2 seconds?
See more

To their credit, CurrentC does employ SSL pinning to protect the application's traffic, but at this point it's hard to know if that's to protect their users, or their questionable data transmissions.

I haven't been able to test with a registered account yet, but at first glance what CurrentC is actually doing seems far more aligned with the vested self-interest of retailers than anything remotely connected to providing a great shopping experience for customers.

Nick Arnott
  • no ones actually and this is how we can punish them http://goo.gl/rXyuNM Sent from the iMore App
  • Yes. Let me click that mysterious link, random internet person. Or. I can just not use CurrentC. Sent from the iMore App
  • Adding a "+" to the end of a Goo.gl link will show the long URL but anyways, his link points here: https://www.yahoo.com/tech/why-some-stores-wont-take-apple-pay-and-how-t...
  • lol ... that link ... IT'S DANGEROUSSSS! Sent from the iMore App
  • It is weird to obfuscate a link from Yahoo and then ask strangers to click on it.
  • I laughed when I saw that especially with that name which also looks a bit suspect. Unfortunately, this is why spam and other nefarious schemes amazingly enough still work. Funny after all this time.
  • I look forward to the companion article, "Whose Interest is Apple Pay Really Serving?" I won't be holding my breath until it's published though.
  • It doesn't take an article on this. It serves Apple's interest by creating tie-in to their products, it serves banks interest by reducing fraud, and it serves the customers interest by being so easy to use that almost anyone can use it. The only people's interest it doesn't really serve that well is the retailer, as they can't collect personal data using it. Although, there may be something up Apple's sleeve for helping out with this. Or, are you just being cynical and think that ApplePay is really equal to this?
  • I don't think it's being cynical at all to wonder about Apple Pay. You can't really tell me that Apple would implement this system without reaping benefits from it, can you? Also, can you tell me today, with 100 percent certainty, that Apple Pay will never be subjected to hacking or fraud? Because in this day and age that's a preposterous claim. I'm not here to champion CurrentC either - just so we're clear. I have no intention of using either of them, as I'm perfectly satisfied with the fraud protection my bank and credit cards have implemented on the off-hand chance I'm violated. And again, as mentioned in the posts of another column on iMore, it's worth noting that NFC was eviscerated on this blog and these forums when Apple wasn't on board with it. Now? It's the bees knees.
  • Apple's benefits are pretty clear. Primarily, Apple Pay is an additional offering that can help drive iPhone and Apple Watch sales. Users of Apple Pay become further invested in Apple's ecosystem and continue to buy their products and drive Apple revenue. On top of all that, Apple gets a cut of all payments that go through Apple Pay. There has been zero indication so far that Apple is doing any sort of data collection to sell to third parties or do targeted marketing, as it seems CurrentC likely intends to do. On top of that, what we see here are demonstrations of insecurity and carelessness on CurrentC's part. It's entirely fair to question Apple's intentions with Apple Pay, but I don't think it comes anywhere close to the picture we're seeing form of CurrentC.
  • You seem pretty opinionated and uninformed. A great combination. You don't lose any fraud protection from you CC company by using Apple Pay. It is a credit card charge, like any other. It is only the mechanics of the transaction that change. CurrentC is different, as the funds are withdrawn from you bank account. Details aren't totally clear yet, but I would think the transaction would be covered like an ATM card, which give the consumer far fewer protections, and less time to react, than a credit card. As far as people trashing NFC (I assume, in this context, you mean Google Wallet), get over it. You read fan boys from either side and you get plenty fan boy opinions. The facts are it simply didn't catch on. Will apple Pay? No one knows, yet. It does seem Apple put in far more work on the retailer side than Google ever did, so that may help. My opinion - If these retailers are going to block Apple Pay and Google Wallet, Apple and Google should not allow their apps in their stores. All these options should be available, and consumers can choose the ones they like.
  • I looked into the CurrentC transaction and it will be treated by banks as would a paper check. This is not going to go well for many consumers, as many banks charge fees now for a certain number of checks per month. Sent from the iMore App
  • I don't know where you bank, but typically if you give someone your checking account number and they clean you out, you MAY be able to get it back but its a looooooong drawn out process during which you have no money. IN other words, NOT covered like a credit card. If someone maxes out your CC, you may not have access to that CC for a few days, but your checking account is still in tact.
  • There was already an article on here that told the exact percentage of revenue Apple Pay garners for Apple.
  • It sounds like ApplePay is one of the most secure transaction methods out of all of them. It may not be perfect, but it may be the best. And, like many, I derided NFC, and still it is only a communication method. There would be other ways to accomplish the same goal.
  • Apple Pay serves Apple's interests, first and foremost. Like any big company, Apple is inherently amoral, and care about us only insofar as we pay them. In this particular case, Apple's interests agree with ours a lot more than CurrentC's do, which is all the more reason to support them - to encourage competitors that the interests informing Apple Pay (and, to a lesser extent Google Wallet) are important, and that they can capture more of our dollars by building products around those values.
  • CurrentC? No thanks -- the whole turning off of NFC thing actually motivated me to move the few recurring prescriptions I had over from Rite Aid to Walgreens. Previously, I viewed drugstores generically -- they're no longer 'all-the-same', I'd rather go to one now that offers the option of NFC payments. Previously, I'd used my NFC-equipped Chase Visa debit card at Rite Aid, that doesn't work either. Not a huge deal, but the perception is they've taken a convenient service for unwarranted reasons -- something I believe has already now backfired. PR firms probably have their bids ready for when the drugstore chains are looking for someway to reverse all the bad press their getting ;-)
  • It's all about controlling data. These big business are sick of paying large fees to MasterCard and visa for demographic information that MasterCard and visa collects with each swipe. What a bunch of hooey when they say they want to do what's in the best interest of the consumer.
  • I'll never use any service that links to my checking account. The fraud liability just isn't worth it. If I had bad credit, I'd get a zero-balance credit card and load that up before linking any payment system to my checking account.
  • "Their best interests in mind"...riiiiight Sent from the iMore App
  • I think the better question is why does Apple allow applications like this in their App Store? If a major app like this can get away with spyware, imagine how many others are doing it
  • *Of course* CurrentC is using SSL pinning to protect their users, not because they love us, but because that is a single clear case (safety of transmission) where their interests as a business coincide with ours as users. The rest of their interests seem to range between orthogonal and directly counter to user interests. In a charitable, mood, I might grant that points #1, #2, #3 and #4 here may only be valid during their invite-only beta period to help them troubleshoot bugs and refine the product, though the fact that they also ask to collect Health Data [ http://techcrunch.com/2014/10/25/currentc/ ] forfeits any benefit of the doubt.
  • When the people show their disdain for CurrenC buy not using it, then these retailers will tow the damned line.
  • Hey Apple Pay users, better stop using your debit cards too because THOSE are linked to your bank accounts! Just to be safe...why don't just cut them up and go into the bank every time you need cash. Oh...and make sure to cancel any autopay that debits from your checking account too because of all the inherent fraud. You all sound like a bunch of fraidy cats....geez. So...go ahead and continue to eat at McDonald's every day and do most of your shopping at Walgreens (since 9 in 10 merchants don't take Apple Pay-or Google Wallet). At least you'll be able to quickly and easily purchase Pepto Bismal to help digest all those Big Macs! It's so convenient!
  • It's common knowledge that you're safer to not use a debit card if you can help it. What's your point? The fact is, Apple Pay is more secure than using a CC, debit card, CurrentC or Google Wallet.
  • The point is...you can't use Apple Pay almost anywhere, whereas with a CC, debit card (or yes, CurrentC) is where most people shop. A small sampling of retailers joining CurrentC: 7-Eleven, Alon Brands, Banana Republic, Baskin Robbin's, Bed Bath and Beyond, Best Buy, Chili's, CVS Pharmacy; Darden Restaurants, Dick's Sporting Goods, Dillard's, Dunkin Donuts, Gap, Hobby Lobby, HMSHost, Hy-Vee, K-Mart, Koh'ls, Lowe’s Home Improvement, Meijier, Michael's, Old Navy, Publix Super Markets, Sam's Club, Sears, Shell Oil, Southwest, Sunoco, Target and Walmart, Wendy's, plus gas stations like Conco, Phillips 66, Shell, Exxon, Sunoco, 76. So, looks like Apple Pay lovers have a lot to boycott. Meanwhile, I'll continue shopping at my favorite places and using CurrentC or NOT. I'm not going to stand on some stupid principal that leaves me shopping just at Walgreens and McDonald's for food though.
  • I think the better phrasing is "Apple Pay is the more secure way of using a CC"
  • This tweet on Andy Ihnatko's feed says it best: "Awesome! @Ihnatko: Remaking a consumer experience in a form that only suits business is a rocket sled toward disaster http://breakingnews.suntimes.com/business/cvs-and-rite-aid-turned-off-ap... I hope so.
  • I'm taking my business elsewhere to Walgreens. I already know what happens when you trust merchants with your credit card information. No thanks. I was using CVS and Rite Aid a lot more since Apple Pay but not anymore.