Monday, December 22, 2014

WARNING: Do NOT Get MasterPass

Right now is the "Wild West" of electronic purchases. This is a time of great turmoil, massive insecurity, and as can be expected, a lot of snake oil salesmen. My bank debit card was part of the Home Depot hack, so I have a very strong interest in purchase security and mobile technology. So when I got a flyer from my credit union saying that I can sign up for MasterPass (and my constant questions about when they will support Apple Pay are constantly answered "no plans"), I was optimistically hopeful.

First, I called my credit union.  I asked them, it looks like MasterPass is only usable online, and not in stores, is that correct?  True.  So, that doesn't help me at all with my concerns - what I want is a solution where they have thought out the various ways in which people steal your payment information, and prevent them.  This is NOT it.

Then, I asked them the big one: when I make a purchase, does the merchant get my payment information (card number, expiration date, security code, and name)?  Or, do they get a unique transaction ID that can only be used once, and doesn't identify me?  They didn't know.  After about half an hour, going between on hold, and checking sources, he gave me the MasterPass Fraud number, 877-219-5053.

Interestingly enough, when I called them, even they didn't know the answers to these basic questions about how it works - they had to put me on hold, and find out.  That, to me, is an indication that I don't want to do business with them.  But, they did get me the answer.

Here's what MasterPass really is:
  • This is e-wallet software
  • It adds layers of security protocols, but no real security, on identifying who you are before you make the purchase.  But, that is not when identity theft occurs - it always occurs after you make the purchase.
  • Then, it transmits your card info to only online retailers.  So, it makes it easier to transmit your payment information - in fact, absolutely no different from how the Safari web browser does it.  But, after your payment information is entered into the retailer's system, it can be hacked, and it is copied in however many retailer systems you used.  This is totally non-secure.
  • Yes, they do have this "appearance of security" feature, where you get a text message when someone wants to make a purchase, and you have to verify it.  But, first of all, this is only happening when they make a purchase using MasterPass, and not just using the plain card info.  Second of all, SMS is an inherently insecure system, inherently hackable, and it is so easy to clone phones and have the text messages reach multiple devices simultaneously - your phone, and a clone that a criminal made.  So now, all they have to do is cross-reference your payment information with your cell phone IMEI number, and voila - they have a very simple means of circumventing the appearance of security there.

In this day and age, it is very simple to research before you sign up for any new service.  I am frankly dismayed that this non-value-add thing is made available to dupe the American public into believing that the banks and MasterCard are doing something.  Meanwhile, Apple Pay and the Federal law in October holding merchants liable for identity theft if they don't use EMV POS systems are the only things that are moving merchants and card issuers toward security.

2 comments:

  1. Hi Jay. Can you confirm if you have used the MasterPass wallet online, and in which country? Thanks

  2. Jiten, I definitely will not use MasterPass, I did not sign up for it.
