
10 Reasons Coin Card Could Be a Security Nightmare

Source: Tom's Guide US

The Coin card in a promotional photo. Credit: Coin, Inc.

Last week, thanks to a successful press campaign, San Francisco-based startup Coin raised $50,000 in 40 minutes from strangers willing to wait nearly a year for a digital wallet.

The Coin card, a credit-card sized black plastic rectangle with an LCD screen that will sell for $100, is due to hit the market in summer 2014. It will contain a programmable magnetic stripe that can be swiped through any standard card reader at a retail store, gas station, ATM or so on.

Up to eight credit, debit, ATM or loyalty cards — any card with a magnetic stripe — can be "saved" on the Coin card, giving users seven fewer cards to carry in wallets or purses.

It sounds terribly convenient. It also sounds like a security nightmare.

"Worst. Idea. Ever," Sophos security advisor Chester Wisniewski told Tom's Guide via email. "Convenient? Sure. Safe? Probably not."


Users will set up their Coin cards by swiping all their regular cards into a free Coin-supplied card reader attached to a compatible Android or iOS smartphone, taking a photo of each card for verification, and then "loading" the cards into the Coin card via a Bluetooth Low Energy (BLE) wireless connection.

(A similar digital wallet with a programmable card, the iCache Geode, failed to get off the ground last year despite a very successful crowdfunding campaign. The iCache company has apparently gone out of business.)

Each Coin card can be paired to an iOS or Android device, so that the Coin card stops working if the smartphone moves out of Bluetooth Low Energy range, which is about 150 feet. (The Coin card can also be set up as a stand-alone device that works without a nearby smartphone, but with less security as a result.)

The Coin website has a long FAQ, but its dedicated security section is vague on details. The FAQ states that "our servers, mobile apps and the Coin itself use 128-bit or 256-bit encryption," yet doesn't specify what the encryption algorithms are, or how they might be applied. (Requests for comment from Coin were not returned.)

Here are 10 reasons why you might want to put off getting that Coin card.

1. Card issuers may not take kindly to customers skimming their own card data onto third-party devices.

The Coin card reader and its card-duplicating system are essentially "cloning" credit cards and may violate industry standards, and possibly laws against forgery. The only caveat is that the user is duplicating his own cards instead of someone else's.

The Coin card is "almost guaranteed to be a breach of your cardholder agreement with your card issuer," Wisniewski said.

We've reached out to American Express, MasterCard, Visa and X9, the technical standards body for the financial industry, about whether Coin card will comply with their standards. American Express did not want to comment on another company's product; the others have not responded.

2. Stores and other points of sale might not accept the Coin card, and there will be a downside if they do.

The jet-black, featureless Coin card, which has no hologram, logo, signature or other visible verification, "trains people to ignore cards that 'don't look right,' making it far simpler for other thieves to pass off Marriott hotel cards as valid credit cards," Wisniewski said.

3. Coin card users may only be able to use the devices for a short time.

Coin cards, promised for mid-2014, probably won't be compatible with the new EMV "chip-and-PIN" credit, debit and ATM cards that U.S. customers will soon be using.

EMV (Eurocard, Mastercard and Visa) cards, already commonplace in Europe, contain a hard-wired security microchip that users insert into a special reader before typing in their personal identification numbers (PINs).

"Because of EMV," Wisniewski said, Coin card "will only work, at best, until October 2015, when Mastercard, Visa, American Express and Discover all implement a liability shift to merchants who are not using chip-and-PIN technology."

To force consumers and retailers into using and accepting EMV cards, the major payment processors are shifting certain types of fraud liability from card issuers to retailers on Oct. 1, 2015. Card issuers will no longer accept chargebacks from retailers defrauded by fake or stolen old-style magnetic-stripe cards, giving retailers plenty of incentive to install EMV terminals before that date.

Coin's website states that "future generations of the device will include EMV," but that goal may be difficult to achieve.

"That's not possible," said Robert Graham, chief executive officer of Errata Security in Atlanta. "By definition, [EMV] chips cannot be cloned. That's the entire reason for chips rather than magstripes."

4. Card thieves would love to steal data from the Coin card.

Credit cards can be "skimmed" by crooked restaurant workers, bartenders, cashiers or hotel clerks — even fast-food restaurant employees — who sell the stolen magnetic-stripe data to card cloners. If you hand your Coin card to one of these crooks, they'll be able to steal the data from ALL your cards, not just one. (The Coin FAQ says you can't lock your Coin card, "but you don't have to.")

5. Conversely, the Coin app card reader could let anyone become a card thief.

"It's a commercial skimmer!" Wisniewski said. "Install the app, swipe someone else's card through your phone, perhaps from the next table at the bar, and voilà!"

(The Coin FAQ says it's not possible for people to import data from cards they don't own, but the FAQ doesn't explain why not.)

6. If you pair it with your smartphone, it'll be useless if you lose your phone, or if your phone's battery dies.

Imagine you go out for drinks after work. One bar leads to another, and before you know it, it's 3 a.m., you're out of cash and you're looking for a cab home.

You try to hit an ATM, but your smartphone's out of juice and, without a constant Bluetooth proximity connection, the Coin card has turned itself off. Without access to the worldwide electronic financial system, you're walking home.

7. If you break the Coin card, lose it or leave it behind, you're stuck with the cash you happen to have on hand.

"It's a central point of failure in your wallet," said Steve Santorelli, director of global outreach with security firm Team Cymru in Lake Mary, Fla. "At least with the conventional batch of credit cards we all seem to lug around, if one stripe goes bad, you can default to manual entry, or use another one."

"I don't like the idea of all my eggs in one basket," said Sean Sullivan of Finnish security company F-Secure. "I frequently step out with just a debit card (with limited funds in its account) and my ID. Having all my bank cards in one is not actually desired from an 'opsec' [operational security] view, in my mind."

8. Bluetooth Low Energy (BLE) security is unproven.

The BLE standard has barely begun to enter the market, and it may be susceptible to the same old-style "sniffing" or "man-in-the-middle" attacks that worked against older Bluetooth protocols.

"While the BLE specification does include encryption, few, if any devices have implemented it yet," Mike Davis of Seattle security firm IOActive told the tech blog The Register. "Additionally, BLE has known issues when it comes to secure pairing."

9. Hackers might be able to access credit-card data by hacking your smartphone.

"Consider the amount of overt malware out there for Android, and the occasional apps that are not quite what they seem in iOS," Santorelli said. "You are basically putting all your credit-card data in one place on a device that might not be secure itself. The potential for malware to sniff and ship the relevant files off your device is significant."

10. Hackers might be able to steal your credit-card info by breaking into Coin's servers.

The Coin FAQ says that each Coin card will be "associated with your account and not that specific phone/device," and that the company is "in the process" of being certified for "PCI DSS standards for storing and transmitting card data."

That's a pretty strong hint that credit-card data will be stored on the Coin company's servers. But the Coin FAQ doesn't say how that data will be stored.

"Don't worry!" Wisniewski sarcastically said. "All of your card data is stored on Coin's servers."

It's not a good idea to let ANY online company, from Amazon.com down to Pa Kettle's Hi-Fi Repair, store your credit-card data. The consequences of a data breach, all too common these days, are just too high.


Follow Paul Wagenseil at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.

  • 0
    ddpruitt , November 19, 2013 6:29 AM
    Quote:
    the major payment processors are shifting certain types of fraud liability from card issuers to retailers

    I have yet to see an instance where the issuer takes liability for fraud, it's always the retailer.

    Quote:
    our servers, mobile apps and the Coin itself use 128-bit or 256-bit encryption

    Quote:
    Coin is in the process of earning a PCI DSS certification

    These two statements alone should scare anyone away from one of these. Mag stripe devices were designed for convenience, not security. The fact that Coin really doesn't seem to have a solid understanding of the security involved means that it might be difficult for them to have the device approved and that their security is flimsy at best. Now instead of having a single card stolen, you can have up to eight stolen at the same time.
  • 0
    Darkk , November 19, 2013 7:43 AM
    Biggest issue I see with this card right now is lack of PIN. Been said that second generation cards will have it. Well, if security is paramount why didn't they include PIN in the first place?

    I am better off having an app on my smartphone to pay for stuff. At least with it, it can be secure.
  • 0
    velocityg4 , November 19, 2013 8:54 AM
    [The jet-black, featureless Coin card, which has no hologram, logo, signature or other visible verification, "trains people to ignore cards that 'don't look right,' making it far simpler for other thieves to pass off Marriott hotel cards as valid credit cards," Wisniewski said.]

    Although I do agree that this just sounds like a bad idea for far too many reasons to go into, I did find this amusing.

    Rarely does any clerk look at my card, ID or anything else. Most of the time the card reader is set out for the customer to use and the clerk doesn't even touch the card. Even on the rare occasion I hand a clerk the card, they don't look at the name on the card, my ID or anything else; they just swipe it and hand it back. Perhaps one in a hundred uses does a clerk look at the name on my card and ask to see my ID.

    Heck, more and more stores are putting in self checkout, with one clerk watching over 4, 8 or more lanes. There is no verifying identity with that system.
  • -1
    zeuss , November 19, 2013 10:19 AM
    I'm not saying the coin is perfect, the chip and pin is going to be a requirement sooner than later and I don't see how it's cloneable but...

    What do people think happens when a wallet gets stolen anyway? That's right... The thief has taken all of your cards anyway. No different than if they had stolen your coin.

    However all the cards in my wallet work once I've walked 200 feet away. A coin apparently won't.

    Everyone should understand that more often than not security is sacrificed for convenience.

    If you want to be super safe give up all your plastic cards, go to the bank and get to personally know all the tellers there so they remember your face, and only take out enough cash for each individual purchase you are going to make. Safe as can be... but doesn't sound convenient at all...
  • 0
    gm0n3y , November 19, 2013 11:00 AM
    The USA STILL doesn't have the chip in their debit/credit cards? In Canada we've been using them for the past ~3 years now.

    Some stores will allow you to swipe if the chip isn't being accepted for some reason (happens on rare occasions), but most will not. Regardless, this product seems super sketchy. I can't imagine a retailer that would allow someone to use a device that is designed to use skimmed cards (willingly or not). To anyone questioning the liability of retailers, a quick look at the EMV chip wikipedia page shows that retailers are going to have to accept liability when accepting swiped payments. I think whoever put money towards this is not going to get anything for it.
  • 0
    otacon , November 19, 2013 3:37 PM
    This will go nowhere. If I was a merchant I'd never accept this thing.
  • 0
    slayer10000 , November 19, 2013 5:03 PM
    Using this for personal cards I would say no way!!! But for gift cards, hell yes, then no more carrying around 20 of them and forgetting about them (who am I kidding, I would still forget, just less to carry around that's all)
  • 0
    Simon Anderson , November 19, 2013 5:46 PM
    It's only a useful product in the US, with its card technology behind the rest of the world :p  Most countries adopted "chip and pin" years ago. The very existence of this product is the main reason why you should adopt chip and pin...
  • 0
    goinggoing , November 20, 2013 5:15 AM
    $5 Promo Code: https://onlycoin.com/?referral=LlJ3oZJ4

    Why not?..
  • 0
    mynith , November 20, 2013 7:54 AM
    Dude. Chipcards have been around since the 90's in Europe.
  • 0
    _Cosmin_ , November 20, 2013 11:42 AM
    So far your phone app has less security than this device! A simple malware installed on the phone could intercept all the data it needs to clone your card from your app!
  • 0
    goinggoing , November 20, 2013 1:00 PM
    Promo code for $5 off: https://onlycoin.com/?referral=LlJ3oZJ4

    not bad.
  • 0
    beachminter , November 20, 2013 4:03 PM
    That's why I am more excited about the Wallaby card, a software solution that combines all your cards in the cloud. I'm sure it has problems too. https://walla.by/the-wallaby-card
  • 0
    jkbona , November 21, 2013 11:53 AM
    For $100 how long does the Coin Card actually function? There is no mention of this being a rechargeable device so I'll assume a primary battery is being used. Having to power a BLE, a display, a dynamic magstripe and the rest of its components seems to be a high bar for the primary batteries available for the card form factor.
  • 0
    swapniljain26 , November 24, 2013 8:12 AM
    Earlier I had a concern about skimming of data, but now apparently the app tells you how many times your card was read. So you would eventually know if it was used somewhere else! Moreover, now they are offering a morse code style pwd which you need to click after you select a card so that the waiter cannot cycle through other cards!

    Pre order one now!
    https://onlycoin.com/?referral=wX0z9AEU
  • 0
    Shebardigan , November 29, 2013 3:00 PM
    Fascinating. I wonder if the developers have licensed the patents taken out by Frank J. Gangi. I wrote some prototype firmware for exactly this device back in 1999. Warned him about these concerns and more.
  • 0
    RedundantInk , December 2, 2013 9:24 PM
    Single point of failure for your finances, mag stripe only and multiple obvious attack vectors. What could possibly go wrong?