Slashdot Mirror
The Universal Card
retro128 writes "Wired News is carrying a story about a new product from Chameleon Network that's supposed to replace all of your credit/debit/customer cards. It can read the information off of the magnetic strips of credit/debit cards, scan the barcode off of customer loyalty cards, and even memorize the RFID signals of devices like the Mobil SpeedPass. All of this information is stored in a device called the Pocket Vault, and is unlocked with the user's fingerprint. If you wish to use a magnetic strip card, you select the card from the touch screen and put a Chameleon card, which looks like and can be run in standard readers like a credit card, in the Pocket Vault. The Chameleon card will then assume the identity of the card you selected, but only for 10 minutes. In this way, if the card is lost or stolen, nobody can use it. In the case of RFID, you just hold the Pocket Vault up to the RFID scanner for a reading. For barcode-based cards, the barcode will appear on the screen and can be scanned by a standard barcode reader. Chameleon Network says this technology will be available in early 2005 and is expected to cost under $200."
The Chamelon Card system uses a fingerprint reader to secure the data vault. Fingerprint readers can be defeated using a simple hack involving common household items. I refer interested readers to the following article: http://www.schneier.com/crypto-gram-0205.html.
RTFA - It stores all of the information locally. The only one that knows everything about you is you.
If the machine doesn't prompt for the attendant to veryify the physical presense of the orignal card, then the card transaction slips from a card-present transaction to a card-not-present transaction, and a higher fee is due to the credit card issuers or the store has to eat the higher risk of fraud.
A debit card transaction can get by with just the pin and no physical verification... but that also means an even higher merchant fee. This is why Wal-Mart is no longer accepting MasterCard debit cards as debit cards when the card is capable of supporting a credit card transaction, because that's what's cheaper for the store to do.
That's not about the fee, that's for two other reasons:
1: Stores get the money credited for debit transactions immediately. They have to wait for credit card payments. That float is meaningful.
2: A credit card transaction is a lot easier to reverse... simply complain to the credit card company. Even if the complaint is invalid, the store's payment for the transaction is held in escrow until that is declared. (Reversed-by-complaint credit card transactions also carry steep penalty fees on the merchant side... the card issuing bank has to eat all fraudulently presented card cases.)
So, for $3 transactions, the debit card is better than the credit card mode because the store is just willing to eat the loss if the transaction goes fraudulent. For $300 transactions, not so much. Trust me, there's a dollar value somewhere at which point the default behavior will spin around... and you as a consumer never will want to use a debit card so long as you have a credit card in your wallet somewhere that can take the hit without incuring intrest.
Making him decode the cards has nothing to do with him testifying against himself. If a judge sees probable cause to believe there is evidence stored on the device, he can issue a search warrant requiring the criminal to give access to the device. Its just like taking a breathalyzer or getting a blood test to determine if you have been drinking and driving, you aren't testifying against yourself, but rather being compelled to assist in providing evidence, even if the evidence is being used against you.
Is it just me, or does it seem a little odd to other people that several of the principals listed on their web page (including the CTO) remain anonymous? Why the heck would anyone do that? Most companies at this stage splash the identities of their principals everywhere. These guys must have some pretty bad skeletons in their closet to hide like this.
Slashdot - News for Herds. Stuff that Splatters.
I contacted them with some questions. Here is their replies:
*****
Dear Malachi,
Three-digit credit card security codes will appear on the Pocket Vault screen when you press the "card details" icon. For any card that is currently "issued" or active on the Chameleon Card, the Pocket Vault will then display the security pin and available credit and card balance at the last time the device was updated.
Todd O. Burger
President & CEO
Chameleon Network Inc.
30 Monument Square, Suite 300
Concord, MA 01742
TBurger@ChameleonNetwork.com
W (978) 287-0703
F (978) 369-4661
H (781) 863-1196
M (781) 820-2521
*****
Dear Malachi,
Credit and debit cards can only be loaded to a person's Pocket Vault while the Pocket Vault is docked to a PC or Mac and the legitimate owner of the Pocket Vault has established a secure Internet session.
(The computer and the Pocket Vault actually establish dual secure sessions in parallel on a standard dial-up or better Internet connection with the Pocket Vault website or the website of an authorized Pocket Vault dealer (for example, a major credit card issuing bank). The security and simplicity of our loading process are two of the elements that impressed card industry executives. The complexity is not visible to the consumer and the number of steps the consumer actually takes are few.
The Chameleon Card does have a conventional signature block on its back. Most security experts would acknowledge that the usefulness of the signature is no better than the skill of the average retail clerk who must perform on the spot handwriting analysis by "confirming" that the signature on the card matches the signature on the receipt or the signature entered on the pad at the cash register. Despite the limited value of such verification, we do not alter this verification element. Of course, we think the other security elements that essentially verify that you are the legitimate owner and user of the Pocket Vault represent the real substantive security, and that retailers will eventually come to a similar conclusion, tending to ignore the signature block on Chameleon Cards.
There are two types of places that take imprints: Those that do it as another security tool on top of magnetic-swipe capture of the account number, and those that are completely off-line (e.g., a taxi or flea market merchant.) Those that do it for additional security will no longer need to do this with chameleon Cards. For truly off-line merchants, (about 2% of total credit card transactions or less), the merchant will record the card number by looking at the screen of the Pocket Vault and writing this by hand on the slip. Since worn cards often leave illegible imprints that require the retailer to re-write the number anyway, there is not a great deal of difference here.
The Pocket Vault can store a license type photo (and family and pet photos as well) and associate that photo with any photo ID. The photo displays on the Pocket Vault screen while a photo ID type card is issued.
Please feel free to post this information. You are one of many that has asked such questions, and we are unable to answer all of them. We hope the flood of orders we are seeing (and hope to continue to see) convince card industry executives that we have something here of broad interest to consumers, which could accelerate our efforts.
Thank you for your interest in our product and services.
Todd O. Burger
President & CEO
Chameleon Network Inc.
30 Monument Square, Suite 300
Concord, MA 01742
TBurger@ChameleonNetwork.com
W (978) 287-0703
F (978) 369-4661
H (781) 863-1196
http://www.google.com/profiles/malachid