Slashdot Mirror
The Universal Card
retro128 writes "Wired News is carrying a story about a new product from Chameleon Network that's supposed to replace all of your credit/debit/customer cards. It can read the information off of the magnetic strips of credit/debit cards, scan the barcode off of customer loyalty cards, and even memorize the RFID signals of devices like the Mobil SpeedPass. All of this information is stored in a device called the Pocket Vault, and is unlocked with the user's fingerprint. If you wish to use a magnetic strip card, you select the card from the touch screen and put a Chameleon card, which looks like and can be run in standard readers like a credit card, in the Pocket Vault. The Chameleon card will then assume the identity of the card you selected, but only for 10 minutes. In this way, if the card is lost or stolen, nobody can use it. In the case of RFID, you just hold the Pocket Vault up to the RFID scanner for a reading. For barcode-based cards, the barcode will appear on the screen and can be scanned by a standard barcode reader. Chameleon Network says this technology will be available in early 2005 and is expected to cost under $200."
Seriously, seems cumbersome and delicate. Can I sit on one of these? You don't want me sitting on your lap (for various reasons) but my credit cards can handle it.
200 bucks for you to know everything about me?
How about YOU pay ME.
I have been pwned because my
This just seems too complicated. I enjoy the simplicity of looking in my wallet, and having only a glance of the card I want, pull it out and use it, no need to select any menus or buttons on it, just pull it out, insert, replace.
Help Brendan pay off his student loans
Any company that has a hyperlink marked "Investor Information" above-the-fold (shown without a need to scroll down on a typical 800x600 setup) is automatically a bit suspect.
I fear that Slashdot's logo is now going to get added to their brag-about-press-coverage page. For the record, the "Boston's WB in the Morning" program they brag about was canceled in 2002.
I'm not suggesting that this company's technology doesn't exist, but their product is pure vaporware and they have lists of good reasons why a merchant, bank, or large company should partner with them, but they can't name any merchant, bank, or large companies who have agreed to partner with them. At least they have a patent appilcation pending.
So I can grab any card I get my hands on for even a second (as a waiter or working at a gas station for example), run it through this toy and it saves the mag strip info to its internal memory. After getting several hundred (or when I max out the devices memory) I and my friends can then go on a HUGE shopping spree using stolen credit cards. Conveniently, as soon as I think the credit card companies might realize the first number is being used by an unauthorized person, I just switch to the next one. Sign me up! *sigh*
This sounded cool to me for a few seconds until I thought, what happens when the cashier at the quick-n-go tries to verify your credit card against your license? Stephen
and your thumb!
It's not quite clear if Visa or Mastercard will allow its member stores to accept Chameleon Cards in place of real plastic cards. Afterall, that card won't be able to mimic the Visa or MS holigram, the color-printed signature strip with code number on it, or the physical impression of the card numbers.
Accepting non-original cards opens up the risk of accepting any card with a magnetic stripe as being a stand-in for the real credit card. It would effectively turn all in-person credit card transaction to being as insecure as a web transaction. There's a reason why web merchants have to pay more for their credit card services, and it's that insecurity.
So, it's near certian that Visa and Mastercard accepting stores will be ordered by the card networks not to accept Chameleon Cards from customers. Game over for this technology... it works in the lab but won't work in the real world.
or verify a signature?
not too good..
every day http://en.wikipedia.org/wiki/Special:Random
One has to wonder... what happens if the ATM eats your card? Then again, if the ATM is likely to eat your card, you probably don't have the cash for this gadget anyways.
Skill is successfully walking a tightrope over Niagara Falls. Intelligence is not trying. -- Anonymous
I don't know about you, but I'd much rather have it use a password. I think most people would happily give a sufficiently threatening criminal their 4 digit PIN number (or any style of password) without too much of a fuss, but I'd rather avoid giving anyone any incentive whatsoever to leave me short one digit. It would be a very small consolation to cancel my credit cards after such an incident.
That's right, this is the card that Ford Prefect swipes from his new Editor so he can hack into the basement computers with the help of his pet robot and....
If my answers frighten you, stop asking scary questions.
Tm
Support TBI Research: http://www.raisinhope.org
I don't know about other folks, but I've got 3 credit cards, a NYC Metro Card(transit fares), an Employee IS and a drivers license in my wallet.
I wouldn't call that a stack and it's manageable. Never even though of this as being a problem before reading the article.
If someone were to use this gadget, they'd have the 'stack' of cards, AND the gadget to worry about. Right?
Sounds like a waste to me.... Nothing to see here, move along please.
wbs.
Huh?
How am I going to stick that thing into an ATM?
It wasn't insanely exciting to look at. It was rather dull in fact. It was smaller and a little thicker than a credit card and semi-transparent. If you held it up to the light you could see a lot of holographically encoded information and images buried pseudo-inches deep beneath its surface.
It was an Ident-i-Eeze, and was a very naughty and silly thing for Harl to have lying around in his wallet, though it was perfectly understandable. There were so many different ways in which you were required to provide absolute proof of your identity these days that life could easily become extremely tiresome just from that factor alone, never mind the deeper existential problems of trying to function as a coherent consciousness in an epistemologically ambiguous physical universe. Just look at cash point machines, for instance. Queues of people standing around waiting to have their fingerprints read, their retinas scanned, bits of skin scraped from the nape of the neck and undergoing instant (or nearly instant-a good six or seven seconds in tedious reality) genetic analysis, then having to answer trick questions about members of their family they didn't even remember they had, and about their recorded preferences for tablecloth colours. And that was just to get a bit of spare cash for the weekend. If you were trying to raise a loan for a jetcar, sign a missile treaty or pay an entire restaurant bill things could get really trying.
Hence the Ident-i-Eeze. This encoded every single piece of information about you, your body and your life into one all-purpose machine-readable card that you could then carry around in your wallet, and therefore represented technology's greatest triumph to date over both itself and plain common sense.
Ford pocketed it.
DRM 'manages access' in the same way that a prison 'manages freedom'
Instead of stealing one or two cards (since I don't carry all my credit cards with me at one time)
A thief can now just steal my vault and get access to not only my credit cards, but get discounts at my grocery store!
I gotta go with the last line... It sounds cool, but it's just more hassle to actually use come purchase time.
"Honey, this was a lovely dinner of sushi, are you sure this isn't too expensive"
"No problem, I'm just going to pay with my pocket vault... and...uh"
"What's wrong?"
"I've got soy sauce on the fingerprint scanner and now it won't authenticate me and give me my credit card!"
"Don't you have cash?"
"I don't use cash because I have the pocket vault! AUUGGGHH THE BATTERY WENT DEAD!"
He wasn't saying it would be easy for thieves to steal the universal cards themselves; it would be easy to actually store stolen cards (be it credit cards, debit cards... whatever) into memory very easily and efficiently! He makes an excellent point and I think it's rather scary. A thief would only need the card for a second, and they would have card in their little database.
Let me list the reasons why
1) Cumbersome
2) Breakable
3) All eggs in one basket
4) A lost/stolen card is replaced by the credit card company. Who replaces that lost/stolen $200 computer?
5) What do you do when the batteries run out
6) What happens when the OS crashes and the information is wiped out?
So many reasons...
This is without a doubt the best thieves's tool!
... ) card, and pasting it on a cardboard card, and write your name and number up on the front. And then TRY to use it in any shop. I am sure they'll just ask for some other card.
The only thing that could be done to prevent this is to make it hold only a small number of each type of card. Like only 10 Credit Cards. Still, its pretty much simplyfies the "printing" of stolen cards.
OTOH, i wonder if this will ever work. CC companies must back this up to work, i mean try taking the mag strip off your AmEx (or visa, or
Then how do you let a friend borrow your card?
That gives me lots of confidence in the security of Speedpass cards. I predict wonderful "learning experiences" as RFID reading/duplicating technology moves down to individuals. Of course, legal threats are already being used to try to keep that genie in the bottle. (Previous story on Slashdot about nasty letters to people who bought smartcard readers for legitimate reasons.) Sure, that'll work...
One line blog. I hear that they're called Twitters now.
The Chamelon Card system uses a fingerprint reader to secure the data vault. Fingerprint readers can be defeated using a simple hack involving common household items. I refer interested readers to the following article: http://www.schneier.com/crypto-gram-0205.html.
What if my Chameleon Card is lost or stolen? With conventional plastic, I can call the issuer, report the card lost/stolen, and have a replacement sent within a couple of days for free (be wary of those companies that would charge you for this service). What is my recourse with Chameleon? Ponying up another $200? Also, what if I destroyed my original cards when transferring their data to the Chameleon device? Is there an online backup somewhere? Or am I shit out of luck?
'He who has to break a thing to find out what it is, has left the path of wisdom.' -- Gandalf to Saruman
Right...
I think it would be much easier to start with a simpler problem: digital cash. I would love to have a card that can hold up to about $100 that is anonymous and which I could use for bus fare, parking meters, road tolls, or small purchases like meals. This would be a natural for on-line purchases of paid content (iTunes, archived news stories).
By being anonymous, my privacy would be protected (at least in theory). It would also be completely unconnected to my credit cards and bank accounts, so it could never be used to steal more than $100 from me.
This is not a trivial problem -- it has some of the same problems as voting (anonymity & non-repudiation).
I think this is already being done in Europe. If only the US would catch up.
Hey, slick, it can memorize a SpeedPass code. Gee, what could posiably go wrong with this?
Now we gotta wrap our speed pass in tin foil too!
I'm an American. I love this country and the freedoms that we used to have.
One Card to rule them all, one Card to find them
One Card to bring them all and in the darkness bind them
In the Land of Cameleon Network where the Shadows lie.
-Valen
Yeah, what did you mean by "suspect?" Are EMC or IBM guilty of producing vaporware? Is NewsCorp not far-reaching enough for you? Granted, not all of these are the most ethical companies in the world... but just an example.
From about a year ago: this article says France has a system like what I want. It's not clear from thaat article whether you can use it for all of the purchases I mentioned, but it's a start.
That's $200 you're whipping out in front of everyone. So easy to lose, and so tempting to steal (even if they can't get the data in it).
Here's what would make more sense: All credit/debit cards require the reader to verify and register the purchase. Instead you open up a meta-account with a debit card that you register ALL your cards and bank accounts with, and then use just that card, allowing the meta-account to distribute your money for maximum savings or returns. Since interest is compounded daily, paying/investing daily could save/make you a fair chunk of change. Hell, just make it a free government service and make it your driver's license or id, so you don't have to carry anything extra.
Oh, and if you lose it you're not out $200.
---If you can't trust a nerd, who can you trust?
- It's expensive. Too expensive for a trinket that might be lost/damaged in everyday life. Credit card lost? No biggie - you just cancel it, request new one. At worst you pay few bucks fee for replacement card.
:) - logos and all. And if you expect chameleon cards to be allowed to display those logos, think again. Not to mention that a chameleon card would either have to display gazillion different logos (fishy, wouldn't pass in most stores without tons of education and approval of credit card companies), or you'd need a custom card for every card you have - in which case the whole toy is useless.
- Lose this trinket, and you just gave *every damn card/id thingy ya had* to a thief. Yeah yeah its fingerprint keyed. So what? The data is inside and everything is ultimately hackable.
- It can obiviously be used to swipe magnetic strip data off other people's cards you may be able to handle. As a bonus if it can 'dupe' smartcards, Visa & co wont be happy - they just spent gazillions in moving every (insecure) magnetic card to ones with chip inside. I think their timetable is something like by end of 2005 every Visa card is a smartcard. I'd expect credit card companies to sue the pants off this company for unauthorized reverse engineering of their security features against duplication in the cards. DMCA will be used to pwn these guys. (And if it does *not* dupe smartcards, it will be useless in couple of years when every card becomes one)
- Big credit card companies will just tell to the retailers not to accept anything except Genunie Visa(r) Card(tm)
- Huge hassles with most clerks refusing the cards 'swiped on' with this trinket even without guidance from credit card companies - "that's not a visa card, are you trying to fool me with some thieves tool with copied card data?". The education required to train every damn minimum wage clerk in the world to identify and accept this thingy in place of a real card would be astronomical - EVEN if the card companies would go along with it.
Dot.com boom coming back? This company is beyond loony to even attempt to develop something this stupid.
The netherlands has chipknip (free translation: chipwallet)
/ netherla nds.pdf
See this pdf for a nice english description about.
http://www.protonworld.com/downloads/pdfs
It isnt such a succes as they planned. But it is used pretty much and most stores accept chip payments.
There where some rumors about security leaks do. Chipknip is integrated with your bankcard so not anonymous
200GB/2TB $7.95 Coupon: SAVE90DOLLAR
Remember, /. people are intelligent, and intelligent people conceal identity whenever possible.
So Linus, RMS, that ESR guy... they're all dumbasses then?
There's a difference between concealing your identiity and making sure that your private data stays that way.
Well, Visa and Mastercard are moving over to smart credit cards - with the embedded ICC - so the Chameleon Card will not only have to produce the right magnetic strip, but also the right applications to the ICC... and you can't just stick a smart card into a reader and duplicate it. BTW, anybody else notice that the team members of Chameleon contain more than one Unpublished name... so if some of the people behind it don't want their name public, what faith can you put in their product.
This'll be great if it takes up less space in my wallet than a half dozen cards. Otherwise, I'll wait for a future, slimmer, version.
Seriously, though, this could be a great idea. Three credit cards, a driver's license, three insurance cards (dental, medical, and auto)... plus a bunch of other cards I don't carry because I rarely use them (voter's registration card, etc) and are therefore at perpetual risk of being lost; this thing has a lot of potential.
The owner is in control of the information on the device, and it appears actually safer than carrying regular credit cards since it can't be used by thieves (assuming it also proves to be secure). My only questions center around the RFID tag, but they could be easily satisfied.
Hell, just make it a free government service
Free? Free to who? There are no such thing as "free" government services. They cost tax $. My tax $. Maybe I don't want to pay for your personal convenience. Maybe the guy next door doesn't care to pay for it either.
"An unarmed man can only flee from evil, and evil is not overcome by fleeing from it." Col. Jeff Cooper
Plus, can I sit on it?
I do security
Or is this just an open invite for an even more high-tech form of identity theft.
Who do you want to be today?
o)
Credit card thieves dont physically steal the card anymore. Most often they have their own card reader like this device and they will swipe your card an extra time under the table and pretend it didnt go through the first time.
A week or two later they make a fake card with your magnetic stripe and usually go on a 5000 dollar (the usual single day limit on most cards) spending spree and then fence the goods. The consumer discovers 5000 dollars on his card, usually from stuff purchased when he was in another state, at work, on the international space station, etc and calls the bank up. They issue a new card and reimburse the money.
This happened to me, and not ONCE did my card leave my wallet.
The only real solution to credit card thievery is to have intelligent software that tracks the spending habits of the legitimate user and requires extra verification before allowing out-of-the-ordinary purchases. Like if someone normally buys nothing but gas and groceriers with a credit card and suddenly buys 3000 dollars worth of stereo equipment 200 miles from where they live.... red flag!
"Jonnie Public"
"Johnathan Public"
"J. Q. Public"
"Johnathan Quincy Public"
If all this should have a reason, we would be the last to know.
What do you think of this?
You get a single card that can store all your info, and a card reader at home. You slip the card in before you head out and unlock all the elements of it using the card reader and some kind of authentication thing like a public key (I like codes that thieves will not expect you to know off the top of your head, like a 4-digit PIN--that's dangerous...but can you see a crook saying, "Give me your Universal Card and your public key"?). You could say, unlock all my credit and debit until 8pm tonight, and leave the Visa and Mastercard unlocked until 10pm.
You have to choose a default credit account that stays on all the time, but if you make too many purchases with it while the rest of the card is locked, the credit card company calls you and lets you know. That's it. They don't shut it off, they don't even have to have a live person call you. They just call you and say, "Someone's charging on your locked card, is it you?"
Of course, if you prefer the credit company to be liable, then you have to allow them to shut it off if purchases don't match your typical buying profile whether it's locked or unlocked. If you want the freedom to never have your card shut off, then you agree to pay the charges.
I don't see the point of keeping things the way they are. I don't know about you guys, but I keep all my credit cards right next to each other, so if I ever get mugged, I'm going to lose them all anyway, along with my ID. So I say stick 'em all on the same piece of plastic so I only have to track one thing. And you have to admit, it's definitely more secure than cash any way you cut it. Someone gets your cash, and what recourse do you have?
sev
but have you considered the following argument: shut up.
In the UK at least if you dont have a real signature on your signature strip then they will most likely refuse the transaction.
I know someone who on some occasions had the write the words "check id" to the upper right of her signature because people interpreted it as part of her sig.
Stores REALLY need to start reading the smart chips on cards. I've got 4 or 5 cards with those, but since moving to the USA they haven't been checked once.
I have to admit, even with the various concerns I have (and the ones listed here), I pre-ordered.
Why? Because I have thought of designing something like this for myself in the past. Even though I no longer carry half my cards anymore (BiMart, et all), I somehow still manage to have WAY too many... Obviously, i could not replace my drivers license (no Mr. Officer, really, this is valid)... looking through my wallet while replying to this, I found 12 cards that I could easily get rid of. Wierd thing is, I thought there would be more, but 1/2 my cards wouldn't work with this (I think), like Social Security Card, OMMP, etc -- because there is no barcode/smartChip/magStripe/RFID on them. IF it was able to simply show me the front and back of any of my cards, like a jpg or something, then I could easily double the number I could get rid of. Of course, at that point, it would probably be really useful for all those damned business cards that manage to get into my wallet too.
Malachi
http://www.google.com/profiles/malachid
Is it just me, or does it seem a little odd to other people that several of the principals listed on their web page (including the CTO) remain anonymous? Why the heck would anyone do that? Most companies at this stage splash the identities of their principals everywhere. These guys must have some pretty bad skeletons in their closet to hide like this.
Slashdot - News for Herds. Stuff that Splatters.
You have all posted very valid reasons why this new system would be unsecure, but don't you think Chameleon would have taken some measures to secure this?
I have no proof or way of knowing if this is what Chameleon does, but if they're smart, they've done something along these lines:
If someone stole your chameleon card, they wouldn't be able to use it without your fingerprint.
I assume Chameleon wouldn't let just anyone load any Chameleon card into their pocket vault. I'm sure they assign a single card to each pocket vault/user, and it won't accept cards that do not match the pocket vault's number.
So if someone stole your card (account #001) and tried to put it in their pocket vault (account #002), it would deny it because the card isn't account #002.
If someone stole your credit card and scanned it into their pocket vault, again I assume each pocket vault would have one user assigned and if it didn't match, it wouldn't accept. For those of you who say "What if a wife wants to use husband's card and vice-versa?", Chameleon probably lets you assign both the wife and the husband's name, so she can use his cards and he can use her cards.
Leeloo: Leeloo Dallas mul-ti-pass. ...
Korben: Yeah.
Leeloo: Mul-ti-pass.
Korben: Yeah, multipass, she knows it's a multipass. Leeloo Dallas. This is my wife.
Leeloo: Mul-ti-pass.
Korben: We're newlyweds. Just met. You know how it is. We bumped into each other, sparks happen
Leeloo: Mul-ti-pass.
Korben: Yeah, she knows it's a multipass. Anyway, we're in love.
I pay no charge to use my debit card, because I maintain a certain minimum balance in my account. I pay no charge to use my credit cards, because I pay off their balance each month, and use no-annual-fee cards.
A Universal card, properly secured, would be very attractive to me.
Don't underestimate the power of The Source