Startup Touts All-in-One Digital Credit Card

First time accepted submitter NoImNotNineVolt writes "Coin, a Y Combinator-backed startup, has started accepting pre-orders for a device as slim as a standard piece of payment plastic that can hold eight credit, debit, and gift cards in its dynamic magnetic stripe. Paired with the Coin smartphone app via Bluetooth low energy, card details can easily be swapped in and out of the device. A minimalist user interface on the device itself allows the owner to toggle between the loaded cards and then swipe just as they would their ordinary card. All card details are encrypted (both on the device and in the smartphone app), and the device's on-board battery is expected to last for two years of typical usage. No support for chip&pin (EMV) yet, so this may have limited utility outside of the USA. They expect to start shipping in summer of 2014."

Great for CC scammers

[hsmith]

Now an all in one solution to skim and use credit cards.

But, I don't see this catching on. Tapping to pay with your device is "new" so people don't think much of it. Paying with an "all in one" credit card isn't something most will be used to. Plus, I'd expect pushback from Visa/AMEX on this.

Re:Great for CC scammers

[NoImNotNineVolt]

Can't skim cards [easily] with this. Apparently to "load" a new card, you've gotta snap some pictures of it and swipe it through the [included] card reader. And the card has to be in your name.

I suppose you can create an account in the name of the victim, then snap pictures of their card, then swipe it... But that's not exactly the best skimming solution I've heard of.

Re:Great for CC scammers

[fuzzyfuzzyfungus]

Is there any established precedent(either in law or in contract dickery that has come to light) about using cloned cards for transactions?

Obviously, cloned cards can be a fraud tool, and fraud is illegal; and obviously most people have neither the tech nor the interest to clone mag stripe cards; but does Visa give a damn if I clone my card and swipe the clone, instead of the one they mailed me, at the point of sale? Do they claim some sort of 'despite all appearances to the contrary, card remains property of issuer, etc, etc, yadda, just shut up and swipe' clause? Have they ever been tried on that point?

There has never been anything magic (aside from convenience, getting a full-color printed, shiny holograms, embossed characters, encoded mag stripe, card in quantity 1 costs a hell of a lot more than quantity 1 zillion) about the card itself, nor do mag-stripe cards have any secrets embedded (unlike chip-and-pin, which theoretically, like a SIM, contains values that should never leave the IC under any circumstances short of silicon-level attack), and a lot of transactions occur with nothing more than the card number, since they go over the web.

I assume that if they do care, their easiest point of attack would just be to be enormous rules-lawyering dickheads about every last detail of PCI compliance, which would likely make the server/app side of things virtually impossible; but would the card-cloning itself, if not used for already illegal fraud of some kind, be an issue?

Re:Great for CC scammers

[cheater512]

Quick little dive in to the code with a debugger and watch those limitations vanish in front of your eyes......

Re:Great for CC scammers

[fuzzyfuzzyfungus]

What I don't know, and a secondary question to what I was asking about the history of non-fraud card cloning, would be "Will Visa/AMEX see this thing as a threat, or an ally?"

They likely have the power to seriously derail it(at least the software side); but if they are more worried about non-CC-based competitors cutting in on their action, with phone-based payments, or paypal QR code scanning, or some such nonsense, a different variant seems to pop up about once a week, they might actually welcome somebody stepping up to make mag-stripe cards more pleasant and convenient at no cost or risk to them.

If they are in a purely defensive/reactionary mode, for its own sake, or suspect that this is just step 1 to the creation of some alternate payment scheme that cuts them out of the equation but is backwards compatible with mag stripe hardware, they might decide to play hardball, and if they do, the PCI compliance guy for this company had better stock up on vodka and valium now; because he'll need them. If not, though, these guys aren't obviously more dangerous, just more sophisticated, than leather companies that produce wallets with lots of little card pockets.

Re:Great for CC scammers

[wiredlogic]

Vendors are not supposed to accept card without a valid signature on them. That alone would place them in breach of contract with the credit issuers and card processors if they accepted a cloned card.

Re:Great for CC scammers

[viperidaenz]

If Visa find out you cloned your card and someone uses that clone to defraud you, you'll can bet your ass Visa will make you liable for their fraudulent charges.

Re:Great for CC scammers

[khellendros1984]

The cards have a smart-chip in them. The data on the chip is encrypted, which makes it much more difficult to counterfeit with a credit card skimmer. As a second authentication factor, the cardholder punches in a PIN. This style of card is becoming more common in Europe right now, and a lot of automated terminals won't take a card that only has a magnetic stripe, apparently.

Re:Great for CC scammers

[xaxa]

This style of card is becoming more common in Europe right now, and a lot of automated terminals won't take a card that only has a magnetic stripe, apparently.

It is almost universal in Europe (95% of terminals, 85% of cards, two years ago), and plenty of other countries. A card with a chip is almost essential if you travel to Europe -- I can't remember the last time I saw a ticket machine (or similar) accept a magstripe.

http://www.creditcards.com/credit-card-news/american-travelers-guide-emv-chip-cards-1271.php is informative. I'm not convinced by '"In fact, as a late adopter of EMV, there's a great upside for the industry in the U.S. because we can avoid much of the cost and complexity involved in deploying older-generation chip cards, while still reaping all of the benefits of reduced counterfeit fraud,"' -- the US industry has had 10 extra years of fraud! (I have to phone my bank before using my card in the US, and give them the dates I will be travelling. Numbers are stolen in Europe, and used on fake cards in the US.)

Re:Great for CC scammers

[tlhIngan]

I never understood the reasoning behind that. I have never signed any of the card I've ever had.

  If someone happens to gain possession of your card, do you also want to give them a template of your signature so they could practice their forgery?

  Good luck getting a chargeback when the charge receipt has your signature on it. Fuck that.

Technically, it's not a comparison template.

The signature on the card signifies you agree to the terms and conditions of your cardholder agreement. I.e., it's the acceptance of those terms between you and the issuer.

The signature on the slip signifies you agree to pay the amount shown on the slip. It's a contract between you and the issuer that you agree to pay the amount shown on the slip.

If one or the other isn't signed, the merchant bank could easily not pay, since the card was not valid at the time of transaction.

Of course, over time it got perverted to people thinking it was a comparison template.

Legally, if it doesn't have a signature, or if it has anything other than a valid signature, the merchant has a right to destroy the card as it's invalid.

And in theory, if your card wasn't signed, you could chargeback all the charges on it since it was invalid. But good luck finding a court who'll agree to it on technicality terms.

Re:Great for CC scammers

[Amouth]

I don't think the issue is so much with having a skimmer. Right now if i show up with a card that doesn't look like an actual CC the person at the counter will think something is up. But if this gets going and has blessings of the CC makers, and looks official the teller will just say "hey he has that neat new card" and not care that you are no infact using a skimmer.

Re:Great for CC scammers

A card with a chip is almost essential if you travel to Europe -- I can't remember the last time I saw a ticket machine (or similar) accept a magstripe.

Reality check about "almost essential" – I travel to Europe quite frequently. This year alone I've been to London, Brussels, Geneva, Zurich, Vienna, Brno, plus Bangalore and Tokyo. (Not bragging, just saying'. And yeah, I'm sure lots of people have been to even more places than I have.)

I've never (never, ever, ever) had an issue paying for things with my non-chip-and-pin American credit cards. Hotels, train tickets, cab rides, meals in restaurants, buying souvenirs, food in grocery stores, and withdrawing cash from ATMs. I don't know where people get this idea that you have to have a chip-and-pin CC to get by in Europe. It's just not true.

Re:Great for CC scammers

[xaxa]

I don't know where people get this idea that you have to have a chip-and-pin CC to get by in Europe. It's just not true.

I live in the UK, so examples of things you wouldn't be able to buy with a card include:
- train tickets (you'll need cash, or else a long queue if there's a human option)
- car parking (sometimes cash won't be an option, though that's rare)
- occasional smaller businesses (shops, restaurants) who will want cash instead due to the fraud risk
- any other ticket machine (e.g. cinema)

OK, it's more of an inconvenience than a necessity. It's ridiculous that the US has barely started to use the system though -- it's almost 10 years old.

(I don't think Brno is much to brag about...)

Re:Great for CC scammers

[Just+Some+Guy]

Your card is invalid. If and when some clerk refuses to accept your unsigned card, please understand that you're in the wrong and he's just doing his job.

Re:Great for CC scammers

[adolf]

Meh. It's his signature, and he can draw it any way he wants to.

Re:Great for CC scammers

[quacking+duck]

OK, it's more of an inconvenience than a necessity. It's ridiculous that the US has barely started to use the system though -- it's almost 10 years old.

The US hasn't switched to metric system or dollar coins yet. Partly due to cost, partly due to "things works fine the way they are," and I suspect partly because they must be "leaders" in everything and can't be seen as "following the rest of the world."

I predict that the US still won't have fully (or at least 99%) converted to chip&pin credit card terminals (even with magstripe fallback) by 2020.

Re:Great for CC scammers

Signing the back of the card is your presented legal acceptance of the terms and conditions of the card itself, as the cardholder. Without that, the business that charges your card may have no legal claim to the funds you promised, since in their eyes you did not clearly and visibly accept the terms of the card. Legalese is more precise than you'd think, can vary by country/state/county/city/district, and you're naive to believe otherwise. If you ever decide to pursue an American law education, in any capacity, you will quickly learn that proof of expressed agreement means a lot in a courtroom, and that's all that really matters for most transactional disputes.

Re:Great for CC scammers

[xaxa]

The UK has seen a 66% drop in retail (point of sale) fraud since C+P was introduced in 2004. Lost and stolen fraud is at the lowest level in 20 years. Is that a compelling reason? I have to telephone my bank in advance if I want to use my cards in the USA -- they're blocked by default there, as the systems are insecure. I can use my card in Poland, Romania etc with no problems.

The PIN transaction doesn't take longer. I put the card into the machine (it doesn't leave my possession), read the display to confirm the amount I'm being charged, type my PIN, press OK, wait 1-2s, remove card. That's about the same time as handing the card over, waiting for the transaction to complete, being handed the receipt, signing it, the cashier checking the signature, handing the card back.

Contactless payment is almost instant. Two years ago the terminals weren't very widespread, but I've seen lots of "we now accept contactless payments" in the last six months or so in places with low-value transactions (coffee shops, convenience stores, bars etc). Paying this way is faster than cash.

It should be called OneCard

[foma84]

To rule them all.

Cute; but why?

[fuzzyfuzzyfungus]

Cramming a UI and the electromagnetics required to spoof a mag stripe into something small enough to make it through a card reader is pretty impressive; but I just don't see the point.

I need another intermediary in my payment system like I need a hole in the head(and I certainly don't need any credit card details stashed in yet another OMGTOTALLY SECURE!!! server or app), and I'd need a hell of a lot of plastic infesting my wallet before a $100 piece of hardware, and BTLE-compatible smartphone become the lower-hassle alternative.

Along with a card reader, it'd probably be great fun as a tool for duplicating low security cards(eg. copier stored value cards, which commonly actually store their value in the stripe, rather than just encoding an ID that gets looked up by the payment processor), and generally fucking around with mag stripe readers; but for actual real-world financial transactions? How many credit cards do you carry on a daily basis?

Security

[Isomorphic]

I've read the articles, watched the video on their site, and read the FAQ. It is unclear whether the app actually sends your card information to their servers. As I posted over on Hacker News:

No, Coin, I'm not going to store all of my credit and debit cards in a single spot on the Internet.

Your app has to work without Internet, or it's a security risk.

Re:Security

[NoImNotNineVolt]

On the other hand, the CNET article states "On the security side, Coin uses 128-bit and 256-bit encryption on both its server and mobile app, as well as on the card itself."

Encryption... on its server... ehhhhh...

Well, that's what chargebacks are for, right?

To bad it's way less secure than chip and PIN

[seifried]

To bad it's way less secure than chip and PIN. Mag stripes can be trivially copied and then used. In Canada a lot of the payment terminals are configured to not allow mag stripe usage if the card has a chip (I disabled the chip on one of my cards to see what happens, only place that would let me swipe is Home Depot, and even then the machine wouldn't accept it, they had to pull out an old physical ka-chunker machine and do it manually, haven't seen those in ages).

Why not just use the app

[Gothmolly]

If you load all that stuff into your card via the phone, why not just use NFC in the phone to pay? Oh wait, because people won't do that either.

No EMV, not going to be useful by 2015

[noc007]

I hear they're working on one that's EMV compatible, but there's no point in releasing sometime in 2014 what they've proposed now as Chip+PIN/EMV will be rolled out en-mass in the US. The networks (Visa, MC, AMEX, Discover) are starting a liability shift and most will go into effect in Oct 2015: http://en.wikipedia.org/wiki/EMV#United_States
What this means is the liability of any card fraud that occurs after that date with be moved to the entity that hasn't implemented EMV. That includes the card issuing bank, the merchant acquirer (the entity that the merchant uses to process cards), and even the merchant itself if they refused to update their terminals or POS systems. If fraud does occur and everyone is up to date with EMV, the procedure is the same as it is today supposedly.

I personally have my reservations about the system since there have been a string of compromised terminals in the past and the banks incorrectly blamed the card holder because the system was "fraud-proof" according to them. Hopefully those shenanigans don't happen in with US banks as this rolls out.

Re:No EMV, not going to be useful by 2015

[rickb928]

EMV (Chip + PIN) should be EASIER than the kludge stripe simulation. EMV uses a standardized connector, is essentially just a processor and storage with that EMV firmware, and all they will need is membership and licensing in the EMV infrastructure organizations.

Of course that licensing will be the doom of this.

BTW, EMV's ultimate risk-shift is to the cardholder. If you claim fraudulent use, all the rest will claim you must have lost your card and not reported it (magically reappearing in your possession, gee, you are a liar too) and gave out your PIN. In the UK, stories abound of sweet older women being shoulder surfed at the ATM, card nicked, account emptied, and the bank telling them they must have written down their PIN or given it to someone, sorry, no recourse. I hear this is diminishing some, but expect this to be the early experience with EMV card fraud here.

Oh, and terminals have been shimmed and card scammed. Take it to offline mode, capture the crypto and re-write the transaction for whatever amount you like, faking the rest. Next time you try to use the card it is out of sync and you can't get an approval anyways. In the rest of the world, this scam relies on poor identity confirmation of the business, which in the US is less of a problem, but not zero.

EMV is supposedly the Holy Grail of card fraud prevention. I'm not at all sure of this, but the industry is going there. I can hardly wait for those problems to hit my queue. Fun times. I have a job for life.

Pointless without EMV

[taustin]

No support for chip&pin (EMV) yet, so this may have limited utility outside of the USA. They expect to start shipping in summer of 2014."

Considering that all US merchants have to be capable of using EMV[1] by October of 2015, perhaps that two year battery life is about right, because that's all the longer they will be useful. And most merchant services are pushing hard to have everyone capable of taking EMV by the middle of 2014.

Mag strip cards will be around for as long as the current ones out there last, but most new cards being issued now are EMV capable, and very soon, all of them will have to be. Without EMV support, this is, at best, a short term fad. And eventually, mag strip cards will just disappear, and merchants will have no reason to be able to take them.

[1]Technically, not required to stop taking mag strip only, but those who don't become 100% responsible for all fraud, automatically, regardless of the circumstances. As a carrot to go with the stick, those who get EMV up and going are not longer resopnsible for the sometimes pain-in-the-ass (and often expensive for small operations) requirements for PCI compliance.

Card Not Present

[TheSpoom]

Wouldn't retailers be required to treat these transactions as "Card Not Present" transactions, meaning that far fewer would accept them?

I believe the liability is increased to the merchant if they just accept a CC number + expiration + CVV, to which accepting this would be functionally equivalent.

Re:Card Not Present

[hurfy]

Can you do a real 'card-not-present' transaction with it?

So i loaded all my cards into this thing and i want to buy something online. It looks like it displays part of the CC # so can it scroll the whole number to enter? What about the CCV on the back of trhe card? Most online stuff won't process without it and it isn't stored or is it?

PS, OK slashdot I'll change systems or browsers already. God, this site runs slower than my XT. Actually feels like I am typing on a 300 baud modem with the display half a line behind. Need more memory but other forums aren't nearly as bad.

Didn't work for iCache Geode...

[irregular_hero]

Been there done that. This was the same thing touted by the folks at "iCache" who released a few test units of the "Geode" -- an iPhone jacket and universal card combo that could do this as well as provide support for barcodes using an e-ink window on the back of the case.

Unfortunately, the company -- after a successful Kickstarter and infusion of venture cash, crashed and burned. HARD.

http://www.zdnet.com/icache-geodes-spectacular-crash-and-burn-7000014801/

As it turns out, there were huge limitations on where this type of "cloned" card could be used -- no ATMs, no "pull through" swipers like at gas pumps... It all fell apart quite noisily with accusations of fraud and deceit on the part of the company's founders.

The bottom line is this: Payment card providers require three things: 1) the card should be signed, 2) the card should be present so the merchant can verify the expiration and CVV (or pay a CNP fee), and 3) the card provider's logo must be visible on the card. Failure to comply with any of the three means a merchant may lose his ability to accept cards to the provider. The Geode could do ONE of those things; the same goes for this card, as technically interesting as it may be.

And of course this goes out the window as NFC or chip-and-pin cards eventually come into fashion in the US (as chip-and-pin already is in Europe).

Re:AMEX and DISCOVER would probably love this

[rickb928]

"because of their higher swipe fees."

I dunno about Discover, but if you're a merchant, and you're thinking Amex is noticeably more expensive to accept, I dare you to challenge your processor or bank to break out all of your fees.

You will not be happy. The other cards have caught up.