Slashdot Mirror

← Back to Stories (view on slashdot.org)

Startup Touts All-in-One Digital Credit Card

Posted by timothy on from the fewer-pieces-to-steal dept.

First time accepted submitter NoImNotNineVolt writes "Coin, a Y Combinator-backed startup, has started accepting pre-orders for a device as slim as a standard piece of payment plastic that can hold eight credit, debit, and gift cards in its dynamic magnetic stripe. Paired with the Coin smartphone app via Bluetooth low energy, card details can easily be swapped in and out of the device. A minimalist user interface on the device itself allows the owner to toggle between the loaded cards and then swipe just as they would their ordinary card. All card details are encrypted (both on the device and in the smartphone app), and the device's on-board battery is expected to last for two years of typical usage. No support for chip&pin (EMV) yet, so this may have limited utility outside of the USA. They expect to start shipping in summer of 2014."

12 of 222 comments (clear)

  1. Great for CC scammers by hsmith · · Score: 4, Insightful

    Now an all in one solution to skim and use credit cards.

    But, I don't see this catching on. Tapping to pay with your device is "new" so people don't think much of it. Paying with an "all in one" credit card isn't something most will be used to. Plus, I'd expect pushback from Visa/AMEX on this.

    1. Re:Great for CC scammers by fuzzyfuzzyfungus · · Score: 3, Informative

      Is there any established precedent(either in law or in contract dickery that has come to light) about using cloned cards for transactions?

      Obviously, cloned cards can be a fraud tool, and fraud is illegal; and obviously most people have neither the tech nor the interest to clone mag stripe cards; but does Visa give a damn if I clone my card and swipe the clone, instead of the one they mailed me, at the point of sale? Do they claim some sort of 'despite all appearances to the contrary, card remains property of issuer, etc, etc, yadda, just shut up and swipe' clause? Have they ever been tried on that point?

      There has never been anything magic (aside from convenience, getting a full-color printed, shiny holograms, embossed characters, encoded mag stripe, card in quantity 1 costs a hell of a lot more than quantity 1 zillion) about the card itself, nor do mag-stripe cards have any secrets embedded (unlike chip-and-pin, which theoretically, like a SIM, contains values that should never leave the IC under any circumstances short of silicon-level attack), and a lot of transactions occur with nothing more than the card number, since they go over the web.

      I assume that if they do care, their easiest point of attack would just be to be enormous rules-lawyering dickheads about every last detail of PCI compliance, which would likely make the server/app side of things virtually impossible; but would the card-cloning itself, if not used for already illegal fraud of some kind, be an issue?

    2. Re:Great for CC scammers by cheater512 · · Score: 4, Insightful

      Quick little dive in to the code with a debugger and watch those limitations vanish in front of your eyes......

    3. Re:Great for CC scammers by wiredlogic · · Score: 4, Interesting

      Vendors are not supposed to accept card without a valid signature on them. That alone would place them in breach of contract with the credit issuers and card processors if they accepted a cloned card.

      --
      I am becoming gerund, destroyer of verbs.
    4. Re:Great for CC scammers by xaxa · · Score: 5, Informative

      This style of card is becoming more common in Europe right now, and a lot of automated terminals won't take a card that only has a magnetic stripe, apparently.

      It is almost universal in Europe (95% of terminals, 85% of cards, two years ago), and plenty of other countries. A card with a chip is almost essential if you travel to Europe -- I can't remember the last time I saw a ticket machine (or similar) accept a magstripe.

      http://www.creditcards.com/credit-card-news/american-travelers-guide-emv-chip-cards-1271.php is informative. I'm not convinced by '"In fact, as a late adopter of EMV, there's a great upside for the industry in the U.S. because we can avoid much of the cost and complexity involved in deploying older-generation chip cards, while still reaping all of the benefits of reduced counterfeit fraud,"' -- the US industry has had 10 extra years of fraud! (I have to phone my bank before using my card in the US, and give them the dates I will be travelling. Numbers are stolen in Europe, and used on fake cards in the US.)

    5. Re:Great for CC scammers by Amouth · · Score: 3, Insightful

      I don't think the issue is so much with having a skimmer. Right now if i show up with a card that doesn't look like an actual CC the person at the counter will think something is up. But if this gets going and has blessings of the CC makers, and looks official the teller will just say "hey he has that neat new card" and not care that you are no infact using a skimmer.

      --
      '...if only "Jumping to a Conclusion" was an event in the Olympics.'
    6. Re:Great for CC scammers by Just+Some+Guy · · Score: 3

      Your card is invalid. If and when some clerk refuses to accept your unsigned card, please understand that you're in the wrong and he's just doing his job.

      --
      Dewey, what part of this looks like authorities should be involved?
    7. Re:Great for CC scammers by adolf · · Score: 3, Insightful

      Meh. It's his signature, and he can draw it any way he wants to.

      --
      Kid-proof tablet..
  2. Cute; but why? by fuzzyfuzzyfungus · · Score: 4, Insightful

    Cramming a UI and the electromagnetics required to spoof a mag stripe into something small enough to make it through a card reader is pretty impressive; but I just don't see the point.

    I need another intermediary in my payment system like I need a hole in the head(and I certainly don't need any credit card details stashed in yet another OMGTOTALLY SECURE!!! server or app), and I'd need a hell of a lot of plastic infesting my wallet before a $100 piece of hardware, and BTLE-compatible smartphone become the lower-hassle alternative.

    Along with a card reader, it'd probably be great fun as a tool for duplicating low security cards(eg. copier stored value cards, which commonly actually store their value in the stripe, rather than just encoding an ID that gets looked up by the payment processor), and generally fucking around with mag stripe readers; but for actual real-world financial transactions? How many credit cards do you carry on a daily basis?

  3. To bad it's way less secure than chip and PIN by seifried · · Score: 3, Insightful

    To bad it's way less secure than chip and PIN. Mag stripes can be trivially copied and then used. In Canada a lot of the payment terminals are configured to not allow mag stripe usage if the card has a chip (I disabled the chip on one of my cards to see what happens, only place that would let me swipe is Home Depot, and even then the machine wouldn't accept it, they had to pull out an old physical ka-chunker machine and do it manually, haven't seen those in ages).

  4. No EMV, not going to be useful by 2015 by noc007 · · Score: 3, Informative

    I hear they're working on one that's EMV compatible, but there's no point in releasing sometime in 2014 what they've proposed now as Chip+PIN/EMV will be rolled out en-mass in the US. The networks (Visa, MC, AMEX, Discover) are starting a liability shift and most will go into effect in Oct 2015: http://en.wikipedia.org/wiki/EMV#United_States
    What this means is the liability of any card fraud that occurs after that date with be moved to the entity that hasn't implemented EMV. That includes the card issuing bank, the merchant acquirer (the entity that the merchant uses to process cards), and even the merchant itself if they refused to update their terminals or POS systems. If fraud does occur and everyone is up to date with EMV, the procedure is the same as it is today supposedly.

    I personally have my reservations about the system since there have been a string of compromised terminals in the past and the banks incorrectly blamed the card holder because the system was "fraud-proof" according to them. Hopefully those shenanigans don't happen in with US banks as this rolls out.

  5. Didn't work for iCache Geode... by irregular_hero · · Score: 4, Informative

    Been there done that. This was the same thing touted by the folks at "iCache" who released a few test units of the "Geode" -- an iPhone jacket and universal card combo that could do this as well as provide support for barcodes using an e-ink window on the back of the case.

    Unfortunately, the company -- after a successful Kickstarter and infusion of venture cash, crashed and burned. HARD.

    http://www.zdnet.com/icache-geodes-spectacular-crash-and-burn-7000014801/

    As it turns out, there were huge limitations on where this type of "cloned" card could be used -- no ATMs, no "pull through" swipers like at gas pumps... It all fell apart quite noisily with accusations of fraud and deceit on the part of the company's founders.

    The bottom line is this: Payment card providers require three things: 1) the card should be signed, 2) the card should be present so the merchant can verify the expiration and CVV (or pay a CNP fee), and 3) the card provider's logo must be visible on the card. Failure to comply with any of the three means a merchant may lose his ability to accept cards to the provider. The Geode could do ONE of those things; the same goes for this card, as technically interesting as it may be.

    And of course this goes out the window as NFC or chip-and-pin cards eventually come into fashion in the US (as chip-and-pin already is in Europe).