Slashdot Mirror
Startup Touts All-in-One Digital Credit Card
First time accepted submitter NoImNotNineVolt writes "Coin, a Y Combinator-backed startup, has started accepting pre-orders for a device as slim as a standard piece of payment plastic that can hold eight credit, debit, and gift cards in its dynamic magnetic stripe. Paired with the Coin smartphone app via Bluetooth low energy, card details can easily be swapped in and out of the device. A minimalist user interface on the device itself allows the owner to toggle between the loaded cards and then swipe just as they would their ordinary card. All card details are encrypted (both on the device and in the smartphone app), and the device's on-board battery is expected to last for two years of typical usage. No support for chip&pin (EMV) yet, so this may have limited utility outside of the USA. They expect to start shipping in summer of 2014."
One thing to steal to be someone else!
Thats awesome.
Now an all in one solution to skim and use credit cards.
But, I don't see this catching on. Tapping to pay with your device is "new" so people don't think much of it. Paying with an "all in one" credit card isn't something most will be used to. Plus, I'd expect pushback from Visa/AMEX on this.
To rule them all.
Finally - a "smart wallet" that would actually be more convenient to use (or at least no less convenient) than the credit cards I already have in my wallet.
Cramming a UI and the electromagnetics required to spoof a mag stripe into something small enough to make it through a card reader is pretty impressive; but I just don't see the point.
I need another intermediary in my payment system like I need a hole in the head(and I certainly don't need any credit card details stashed in yet another OMGTOTALLY SECURE!!! server or app), and I'd need a hell of a lot of plastic infesting my wallet before a $100 piece of hardware, and BTLE-compatible smartphone become the lower-hassle alternative.
Along with a card reader, it'd probably be great fun as a tool for duplicating low security cards(eg. copier stored value cards, which commonly actually store their value in the stripe, rather than just encoding an ID that gets looked up by the payment processor), and generally fucking around with mag stripe readers; but for actual real-world financial transactions? How many credit cards do you carry on a daily basis?
Just use one card. Who needs 8?
I've read the articles, watched the video on their site, and read the FAQ. It is unclear whether the app actually sends your card information to their servers. As I posted over on Hacker News:
No, Coin, I'm not going to store all of my credit and debit cards in a single spot on the Internet.
Your app has to work without Internet, or it's a security risk.
To bad it's way less secure than chip and PIN. Mag stripes can be trivially copied and then used. In Canada a lot of the payment terminals are configured to not allow mag stripe usage if the card has a chip (I disabled the chip on one of my cards to see what happens, only place that would let me swipe is Home Depot, and even then the machine wouldn't accept it, they had to pull out an old physical ka-chunker machine and do it manually, haven't seen those in ages).
imagine idiots using this contraption trying to show themselves off and changing out credit cards at the register or setting their phone up to pay
My wallet.
. . .when your credit is declined and the clerk whips out the scissors.
If you load all that stuff into your card via the phone, why not just use NFC in the phone to pay? Oh wait, because people won't do that either.
I want to delete my account but Slashdot doesn't allow it.
I hear they're working on one that's EMV compatible, but there's no point in releasing sometime in 2014 what they've proposed now as Chip+PIN/EMV will be rolled out en-mass in the US. The networks (Visa, MC, AMEX, Discover) are starting a liability shift and most will go into effect in Oct 2015: http://en.wikipedia.org/wiki/EMV#United_States
What this means is the liability of any card fraud that occurs after that date with be moved to the entity that hasn't implemented EMV. That includes the card issuing bank, the merchant acquirer (the entity that the merchant uses to process cards), and even the merchant itself if they refused to update their terminals or POS systems. If fraud does occur and everyone is up to date with EMV, the procedure is the same as it is today supposedly.
I personally have my reservations about the system since there have been a string of compromised terminals in the past and the banks incorrectly blamed the card holder because the system was "fraud-proof" according to them. Hopefully those shenanigans don't happen in with US banks as this rolls out.
No support for chip&pin (EMV) yet, so this may have limited utility outside of the USA. They expect to start shipping in summer of 2014."
Considering that all US merchants have to be capable of using EMV[1] by October of 2015, perhaps that two year battery life is about right, because that's all the longer they will be useful. And most merchant services are pushing hard to have everyone capable of taking EMV by the middle of 2014.
Mag strip cards will be around for as long as the current ones out there last, but most new cards being issued now are EMV capable, and very soon, all of them will have to be. Without EMV support, this is, at best, a short term fad. And eventually, mag strip cards will just disappear, and merchants will have no reason to be able to take them.
[1]Technically, not required to stop taking mag strip only, but those who don't become 100% responsible for all fraud, automatically, regardless of the circumstances. As a carrot to go with the stick, those who get EMV up and going are not longer resopnsible for the sometimes pain-in-the-ass (and often expensive for small operations) requirements for PCI compliance.
And if you drive a lot, probably a kinked back from the fat wallet.
Q. How long does a Coin last? Do I recharge it? What happens when my Coin’s battery dies?
A. Coins are designed to last for 2 years under normal usage and do not need to be recharged. Once the battery dies you will need to replace your Coin.
For $100? I don't think so.
Cards are moving to chips and NFC.
If I swipe my credit card in a terminal with a chip reader, it rejects and tells me to insert the card.
A few years back, I remember a startup which had a card that was programmable with any magstripe ID, but instead of Bluetooth, it had a few small wires between the main handheld apparatus and the card itself.
It went over like a lead balloon, and I don't even remember the name of the contraption maker.
Intead, I'd much rather see the smartphone itself be the payment device using Bluetooth between it and the register [1]. The register sends a signed transaction, the device validates the signature and asks if you want to pay it, you tap a fingerprint or PIN code on your device, payment is confirmed, and one is on their merry way. Of course, there are still security loopholes (someone copies the app with the card repository, etc.) However, it isn't that much worse than an average piece of plastic with an easily forged magstrip.
[1]: Of course, the weakness would be the same as any CA based system... compromise the head CA, and all hell breaks loose, but it does get rid of skimmers as a potential attack, and those are far cheaper to make than hacking a SSL private key.
Pointless without EMV
Don't expect it soon. The whole point of EMV is to be IMPOSSIBLE to clone. To the credit card chip designers, this thing is exactly the same as a clone-and-spoof attack.
They put a little computer on the card and run encrypted protocols with the store terminal.
The details of the computer are closely held. (I was once asked to work on hardware for one, but it would have required a major security clearance investigation and a contract that, IMHO, would have made it difficult to work on anything else cryptographic afterward.)
They also do their best to avoid designing in things that might make its operation or storage subject to tapping or observation by electrical or mechanical means.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Wouldn't retailers be required to treat these transactions as "Card Not Present" transactions, meaning that far fewer would accept them?
I believe the liability is increased to the merchant if they just accept a CC number + expiration + CVV, to which accepting this would be functionally equivalent.
It's better to vote for what you want and not get it than to vote for what you don't want and get it.
- E. Debs
I believe that CC is dying so I really don't understand why create a new technology to solve a "problem" (ie have a couple of cards in your wallet) for something that seems it's not going to be in the market for much longer.
I think that only people who can't afford buying an smartphone will keep using CC in the near future, but at the same time these people usually hold only one CC...
Virtual currencies looks much prominent that this product imho.
How about unusable outside the USA? In many stores in Belgium the staff does not even know how swiping works. If it doesn't accept the chip and pin, the are lost and will not be able to complete the purchase. Or they just not accept swiping, because they do not trust it.
The whole world that uses the metric system also uses chip instead of the magnetic strip. Perhaps it is related?
Some pre-paid cards just have a chip and the numbers are not even embossed anymore or in the standard landscape form http://s1.djyimg.com/i6/1202131251562133.jpg
Don't fight for your country, if your country does not fight for you.
Can't remember the last time I swiped a credit card. It's been the chip and pin system for years or the RFID system where you just tap your card against the reader. Next thing you'll tell me that you have to sign your credit card transactions too!
As most of the world has moved to EMV smart cards to reduce fraud (the US still has to move), this is a "solution" to a problem that doesn't exist for most of us. Also, the EMV standard already supports multiple applications on a chip card.
I'm not sure how clerks will look when, instead of me showing a credit card; I whop out an electronic device that is my mode of payment and swipe it. Wouldn't they feel "hacked"?
First World Problems
Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
If it loses contact with your phone for a self-designated amount of time, Coin will deactivate itself.
So when you phone battery goes flat (and it will go flat quicker, with this app in the background waking up periodically and communicating with the card), you can't buy a new charger to charge it.
Some establishments actually do accept AMEX and DISC cards but swipe subtly attempt to dissuade customers from using them because of their higher swipe fees. With this device and the way most bill are handled, the cashier would probably need to swipe this generic card and now it's generally too late to go back to the customer to change negating this specific fee avoidance strategy***
***I suppose they could swipe the generic card charge, note that the charge was AMEX, reverse the charge, return the card back to the customer and have them switch the card to be VISA/MC and then reswipe, but I'm sure the POS terminals won't make that very easy for the overworked cashiers.
This would be a great thing for cloning all those obnoxious loyalty cards that clog your billfold, if it could clone those, but I'm guessing it is only for credit cards.
IMO, the right solution for credit cards is entirely different. What someone needs to do is work with Visa/MC/Amex to create a card that serves as a proxy card for multiple cards. It should have its own number, and each charge is treated as a preauthorization on your default card. Then, at any time before midnight on the day you make a purchase (possibly longer), you should be able to route the actual charge to the card of your choice.
Because the proxying would be handled by a real server with real compute power, you could even specify that, for example, all purchases made at a gas station during the months of May, June, and July should be routed to your Chase card (for example) because that's the bonus category for that period. You could automatically make Amazon purchases go to your Amazon card, make Amtrak purchases go to your Amtrak card, make air travel purchases go to your airline miles card, etc.
And because it would be a real card in its own right instead of a clone of an existing card, it could even have its own chip (or even chip and pin). You could assign an arbitrary billing ZIP code to make it far less likely for anyone to be able to use it to make significant purchases if it gets stolen. You could instantly cancel it from your mobile phone if it gets stolen without causing you to lose access to any actual credit. And so on.
Check out my sci-fi/humor trilogy at PatriotsBooks.
Can't skim cards [easily] with this. Apparently to "load" a new card, you've gotta snap some pictures of it and swipe it through the [included] card reader. And the card has to be in your name.
Why does it need a picture of the card? That seems strange. RTFA, but it doesn't have any more detail than your comment. I did like this nugget:
"If it loses contact with your phone for a self-designated amount of time, Coin will deactivate itself."
Nice security feature. Until my phone runs out of charge, and suddenly I can make a call and I can't use my credit cards.
I have the same thought from all the proposed smart phone-as-wallet apps. Great, let me put all my eggs in one easy to lose, easy to break basket. This one was interesting until they made it dependant on keeping a live phone near by.
Tout is such an annoying word.
But with an iPhone case for the card as well? Seems like they would own the patents to this...
Of what use is a credit card without Chip and PIN?
Marry this to Citibank's virtual credit card numbers (or similar offerings from other companies) and now you can use one-time credit card numbers for all transactions, bonus points if you can punch in a dollar amount too like citibank offers. Who *cares* if you card # is skimmed or not. At most one person will get the amount of money you wanted to pay. Otherwise, I would stay far away from the service.
"All in one"? ALL?
Those 'inventors' live in 80's or what? Unless you provide proper modern card functionality, you can't claim ALL. Heck, your card does not support anything mildly innovative, such as displaying your account balance.
This questionable invention seems to be limited to markets with no security (USA) which want to remain in Dark Ages, or to scammers who want to impersonate people from those countries.
This is even worse than UK card terminals that attempt offline PIN authorisation, yet another security risk.
I just pre-ordered a Coin. I live in Canada where 100% of my credit cards and debit cards are Chip & PIN so this is of zero use to me from that angle. The whole reason I am getting it is so I can ditch all the damn loyalty cards. Day to day, I only carry around 1 credit card and 1 debit card - I have no need for more. But I have currently in my wally 4 different loyalty cards AND a gift card that I need to use. If Coin can take 4 loyalty cards and turn them into 1, then it is worth $50 to me. And this whole security discussion is thus a non issue because I really don't care if someone decides to steal my Aeroplan card... more points for me!
Is what I use. I don't see why , at this point, we need another thing to carry.
The Kruger Dunning explains most post on
Pre-ordering is stupid enough as it is; but pre-ordering something that facilitates spending? Some people really need remedial home economics.
Been there done that. This was the same thing touted by the folks at "iCache" who released a few test units of the "Geode" -- an iPhone jacket and universal card combo that could do this as well as provide support for barcodes using an e-ink window on the back of the case.
Unfortunately, the company -- after a successful Kickstarter and infusion of venture cash, crashed and burned. HARD.
http://www.zdnet.com/icache-geodes-spectacular-crash-and-burn-7000014801/
As it turns out, there were huge limitations on where this type of "cloned" card could be used -- no ATMs, no "pull through" swipers like at gas pumps... It all fell apart quite noisily with accusations of fraud and deceit on the part of the company's founders.
The bottom line is this: Payment card providers require three things: 1) the card should be signed, 2) the card should be present so the merchant can verify the expiration and CVV (or pay a CNP fee), and 3) the card provider's logo must be visible on the card. Failure to comply with any of the three means a merchant may lose his ability to accept cards to the provider. The Geode could do ONE of those things; the same goes for this card, as technically interesting as it may be.
And of course this goes out the window as NFC or chip-and-pin cards eventually come into fashion in the US (as chip-and-pin already is in Europe).
... then either you're possessed of very poor financial skills or you're one of the Ten Percent that the other Ninety secretly wants to lynch (or be).
but CC really don't take that much space and most people only have two or three of them. Plus the redundancy is great if you need to temporary share the CC with the wife in case she lost her or similar situations.
I have 5 credit cards and I have never thought, gee, these take up too much room in my wallet.
I carry seven. One for each day of the week. That way if a charge is posted on the wrong day (after factoring in any potential delay), I can figure out if it was fraudulent. Of course, maybe I should just get 31 credit cards, one for each day of any given month. Then I will truly know if something goes wrong, unless the person who stole my card happened to use it on the right day.
The above is a joke. I have two cards. Originally one credit card, which I will only use twice a year now. I got annoyed when my card was being transitioned to a new service provider.
YET????
I wonder how they are planning on supporting it. Apparently chip-and-pin was created specifically to prevent cloning. Here in Canada chip and pin are everywhere, I think all of my cards are chipped now.I can't imaging USA being too far behind.
The project is stillborn
I don't know where people get this idea that you have to have a chip-and-pin CC to get by in Europe. It's just not true.
I live in the UK, so examples of things you wouldn't be able to buy with a card include:
In Switzerland you can still see machine that have a mag-stripe reader. But that is disabled in the firmware.
A few years ago, it was the last-resort fall-back mode when the chip couldn't be used.
Recently, allmost all shop refuse to swipe card and it's disabled on almost all firmware (swiping a card is either ignore, or triggers a screen asking to place the card into the chip reader instead).
Shops are currently slowly rolling out new generation of terminals, without any mag-stripe reader, but with a NFC/RFID antenna instead (Which opens a whole new can of worms as a problem - like relay attacks - as PIN confirmation isn't required for small amount contactless payment).
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
I was working on similar idea a year and a half ago (I'm in Canada)
This method relies on storing the contents of mag-stripe.
The obvious issue with this is that all credit cards, and now debit cards too, have migrated to PIN chip technology.
When you try to pay using the swipe method, it will ask you like 6 times to use the chip.
Naturally, I stopped the development as there was limited use for a tech like this.
I'm a non technical lurker but instead of NFC (or in addition to) why not something like Bump to pay?
Now you can lose all your Cards at once!