Hands On With Apple Pay Competitor CurrentC

November 3, 2015

The mobile payments market is the next great battleground of the tech industry, and it will shape the retail experience of the next decade. There are two main technologies in play: Near Field Communication (NFC) radio hardware and Quick Response (QR) 2D barcodes. NFC technology is used by Apple Pay, Android Pay (née Google Wallet) and others, while QR codes are used by CurrentC, Chase Pay (a variant of CurrentC), and Starbucks.

This post describes the CurrentC payment system, my firsthand experience using it, and a few technical details regarding the CurrentC app itself. CurrentC is available on iOS and Android; however, this post specifically discusses the iOS app.

NFC

NFC payments are a contactless system that uses short-range radio antennas to communicate with a payment terminal before the card information enters the credit card system. Because NFC requires new physical hardware at the point of sale, its adoption is fortuitously aligned with the switch to EMV credit cards on October 1, 2015. Although contactless payments don't require EMV, the two often go hand in hand because both require updated hardware at the store. EMV-enabled credit cards include an RFID chip that prevents most common types of card cloning, and this new chip needs its own radio in the payment terminal. Many merchants are choosing to install new POS equipment that supports both NFC and EMV credit cards, with a smaller minority upgrading to handheld scanners that can additionally read both 1D and 2D barcodes.

More secure payment systems like Apple Pay and Android Pay also employ tokenization to enhance user privacy and security throughout the payment process. This means that merchants are never given an actual credit card number; instead, they are given a one-time-use token that can be redeemed by a payment processor as if it were a valid card number. Besides the security benefits, these secure tokens can also be used to process payments entirely in software (like purchasing a product on the web or in a mobile app). In contrast, QR codes can't be used this way because they require a separate device to scan the code.

CurrentC's Payment Structure

The Merchant Customer Exchange (MCX) developed CurrentC as an alternative to NFC-based payment schemes because it doesn't require specialized hardware at the point of sale. Its payments are also routed from the retailer to the ACH system instead of the credit card system, which saves retailers from having to pay interchange fees (typically around 2% of the transaction amount). Because ACH skips the tokenization process used by credit card issuers, the retailers are given full access to the customer's payment information and other demographic data associated with the transaction, a boon for the retailer's data-driven efforts for product promotion. Customers are also not covered by the robust fraud protections provided by credit card companies, and the full amount of any fraudulent transaction is pulled directly from the customer's bank account.

Account Setup

Many of the privacy drawbacks of CurrentC are brought to the forefront by the sheer amount of information required to set up an account in the CurrentC app. As you can see below, it is basically an identity thief's wish list collected into a single database; the only piece of sensitive information not collected is your social security number. CurrentC requires these 15 pieces of information to create an account:

  • First & last name
  • Email
  • Mobile phone number
  • PIN to unlock the app
  • 3 security questions
  • Date of birth
  • Mailing address
  • Home phone number
  • Government ID type (e.g., driver's license)
  • Government ID state
  • Government ID number
  • Bank account routing number
  • Bank account number

Retailers are backing CurrentC in the market because they get access to all of this rich metadata about their customers, which can be trivially monetized via targeted advertising or coupon offers. The CurrentC privacy policy is pretty up front about these plans:

We share your information across our network of merchants and with our third party service providers.

MCX may share or disclose your information as follows:

  • To MCX Merchants based on your purchase of goods and services from that MCX Merchant, or participation in that MCX Merchant's loyalty/rewards program and/or merchant issued or controlled form of payment (e.g. private label credit card or merchant gift card);
  • ...
  • To third-party analytic providers and advertising partners to help us deliver, track and analyze the operations and effectiveness of our marketing campaigns, promotions or advertisements;
  • To third-party providers using your information on MCX's behalf in connection with opening a CurrentC™ account;

While I didn't try to use my newly created CurrentC account until a few days later, I did get an email the day after I created it informing me the account was ready to be used. I'm assuming that the information I provided was checked against the last bullet's "third-party providers" before any transactions would be allowed.

Screenshot of the account confirmation email

Now that my account has been added and approved for use, it's time to use it in the real world.

Making a Purchase

As of Fall 2015, CurrentC is only available for a limited public trial in Columbus, OH, a common retail test market. I happened to be in Columbus in early October and tested CurrentC at the Target Columbus NE location.

Unlike my experiences using Google Wallet in its infancy, the transaction itself was processed with no issues. My cashier didn't recognize CurrentC by name; however, once I explained it was a mobile payments system, he told me "Oh it's one of those, I think I just scan it" and gestured to what looked like a normal laser scan gun. After he pointed the gun at the QR code shown on my phone, the system beeped, and after about 2 seconds my phone vibrated and the POS started printing a receipt. The entire process was quick and painless.

A CurrentC QR code

The Target receipt

The pending charge appeared in my bank account immediately, but took over 5 days to settle into a final charge. Typical debit transactions seem to finalize in a day or two; however, this process may be a reflection on the merchant and not the payment system itself. It is also interesting that the charge is identified by my bank as an e-check:

Screenshot of the bank transaction

Technical Details

As a technical guy, I couldn't resist the urge to take a look at the CurrentC app and QR codes to see how they work under the hood. Starting the payment process on the app requires a network call that presumably asks a remote server for the data to use in the QR barcode. Once displayed, the QR code will be usable for a few minutes before the process is repeated again with a new value. Here is an example of the data from a CurrentC barcode:

MCX.132a02df-1a99-4996-ba84-9f790ba2d77d
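The sample payload can be taken apart offline to see what it does and does not carry. The following is an added example, not code from the CurrentC app or from MCX; the `MCX.<uuid>` layout is an assumption inferred from the single sample above, and `parse_currentc_payload` is a hypothetical helper name.

```python
import uuid

PREFIX = "MCX."  # literal prefix seen in the sample payload in the post


def parse_currentc_payload(payload: str) -> dict:
    """Split a scanned payload into prefix + UUID and describe the UUID.

    Assumes the "MCX.<uuid>" layout inferred from the one sample shown above.
    Raises ValueError for anything that does not match that shape.
    """
    if not payload.startswith(PREFIX):
        raise ValueError("missing MCX. prefix")
    body = payload[len(PREFIX):]
    token = uuid.UUID(body)  # ValueError on non-UUID input
    # uuid.UUID() also accepts braces, urn: prefixes and bare hex, so insist
    # on the canonical 8-4-4-4-12 form that the sample uses.
    if str(token) != body.lower():
        raise ValueError("token is not a canonical UUID string")

    rfc4122 = token.variant == uuid.RFC_4122
    info = {"token": token, "version": token.version, "rfc4122": rfc4122,
            "random_bits": None, "embedded_fields": None}
    if rfc4122 and token.version == 4:
        # Version 4: 6 bits are fixed (version + variant), 122 are random,
        # so the value is an opaque handle with no data packed inside it.
        info["random_bits"] = 122
    elif rfc4122 and token.version == 1:
        # Version 1 would expose a creation timestamp and node id to
        # anyone able to photograph the code.
        info["embedded_fields"] = {"time": token.time, "node": token.node}
    return info


if __name__ == "__main__":
    sample = "MCX.132a02df-1a99-4996-ba84-9f790ba2d77d"  # payload from the post
    print(parse_currentc_payload(sample))
```

For the sample above this reports a version 4 UUID, so the barcode is a random reference rather than an encoding of account or transaction data, which fits a design where the server resolves the token.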

To find out details about what other information is used to generate this code, I attempted to intercept the CurrentC app's network requests with Charles proxy but was unsuccessful. While unable to read the network traffic for this post, I was relieved to find that the app correctly implements SSL pinning to prevent this kind of man-in-the-middle attack.

The app also appears to use CoreBluetooth in an unknown capacity; however, the CurrentC website leads me to believe this is related to Bluetooth-enabled gas pumps. This error appears in the device log:

CurrentC[1261] : [CoreBluetooth] API MISUSE: can only accept this command while in the powered on state

Each time you return to the CurrentC app you are prompted to enter your PIN code, which appears to be checked against a remote server before allowing you to use the app. Presumably this code isn't stored on-device so that it could be used in the future at a dedicated PIN pad in a retail store.

iOS App Suggestions

There are a few issues that I'd like to see fixed in the next version of the CurrentC iOS app:

  • You are unable to paste into certain fields. I specifically noticed this when attempting to duplicate my mobile phone number into the home number field. The same issue also blocks users from using a password manager with the app.
  • It would be nice to have Touch ID support in lieu of the server-side PIN verification.
  • None of the network requests properly display the network activity indicator in the status bar.
  • Most navigation in the app results in fullscreen modal dialogs as the app loads something from the network. While these might be required because of the server-based logic of the payment system, the user should at least be able to cancel the request and go back to the previous screen.

Overall I was impressed with the technical execution of the iOS app.

The Final Verdict

I was pleasantly surprised at how easy it was to pay with CurrentC at Target; however, I'm not sure that I could recommend CurrentC over NFC-based systems like Apple Pay because of the fraud and privacy concerns. Ultimately the retail customer's money is on the line in the event of fraud, which is worrisome in light of the lackluster security record of many retailers (Target, 7-Eleven, and Michaels) in the MCX consortium.

@jszumski