10 Reasons Coin Card Could Be a Security Nightmare
The Coin card in a promotional photo. Credit: Coin, Inc.
Last week, thanks to a successful press campaign, San Francisco-based startup Coin raised $50,000 in 40 minutes from strangers willing to wait nearly a year for a digital wallet.
The Coin card, a credit-card sized black plastic rectangle with an LCD screen that will sell for $100, is due to hit the market in summer 2014. It will contain a programmable magnetic stripe that can be swiped through any standard card reader at a retail store, gas station, ATM or so on.
Up to eight credit, debit, ATM or loyalty cards— any card with a magnetic stripe — can be "saved" on the Coin card, giving users seven fewer cards to carry in wallets or purses.
It sounds terribly convenient. It also sounds like a security nightmare.
"Worst. Idea. Ever," Sophos security advisor Chester Wisniewski told Tom's Guide via email. "Convenient? Sure. Safe? Probably not."
Users will set up their Coin cards by swiping all their regular cards into a free Coin-supplied card reader attached to a compatible Android or iOS smartphone, taking a photo of each card for verification, and then "loading" the cards into the Coin card via a Bluetooth Low Energy (BLE) wireless connection.
(A similar digital wallet with a programmable card, the iCache Geode, failed to get off the ground last year despite a very successful crowdfunding campaign. The iCache company has apparently gone out of business.)
Each Coin card can be paired to the iOS or Android device, with the result that the Coin card will stop working if the smartphone gets out of Bluetooth Low Energy range, which is about 150 feet. (The Coin card can also be set up as a stand-alone device to work without a nearby smartphone, but with less security as a result.)
The Coin website has a long FAQ, but its dedicated security section is vague on details. The FAQ states that "our servers, mobile apps and the Coin itself use 128-bit or 256-bit encryption," yet doesn't specify what the encryption algorithms are, or how they might be applied. (Requests for comment from Coin were not returned.)
Here are 10 reasons why you might want to put off getting that Coin card.
— Card issuers may not take kindly to customers skimming their own card data onto third-party devices.
The Coin card reader and its card-duplicating system are essentially "cloning" credit cards and may violate industry standards, and possibly laws against forgery. The only caveat is that the user is duplicating his own cards instead of someone else's.
The Coin card is "almost guaranteed to be a breach of your cardholder agreement with your card issuer," Wisniewski said.
We've reached out to American Express, MasterCard, Visa and X9, the technical standards body for the financial industry, about whether Coin card will comply with their standards. American Express did not want to comment on another company's product; the others have not responded.
— Stores and other points of sale might not accept the Coin card — and there will be a downside if they do.
The jet-black, featureless Coin card, which has no hologram, logo, signature or other visible verification, "trains people to ignore cards that 'don't look right,' making it far simpler for other thieves to pass off Marriott hotel cards as valid credit cards," Wisniewski said.
— Coin card users may only be able to use the devices for a short time.
Coin cards, promised for mid-2014, probably won't be compatible with the new EMV "chip-and-PIN" credit, debit and ATM cards that U.S. customers will soon be using.
EMV (Eurocard, Mastercard and Visa) cards, already commonplace in Europe, contain a hard-wired security microchip that users insert into a special reader before typing in their personal identification numbers (PINs).
"Because of EMV," Wisniewski said, Coin card "will only work, at best, until October 2015, when Mastercard, Visa, American Express and Discover all implement a liability shift to merchants who are not using chip-and-PIN technology."
To force consumers and retailers into using and accepting EMV cards, the major payment processors are shifting certain types of fraud liability from card issuers to retailers on Oct. 1, 2015. Card issuers will no longer accept chargebacks from retailers defrauded by fake or stolen old-style magnetic-stripe cards, giving retailers plenty of incentive to install EMV terminals before that date.
Coin's website states that "future generations of the device will include EMV," but that goal may be difficult to achieve.
"That's not possible," said Robert Graham, chief executive officer of Errata Security in Atlanta. "By definition, [EMV] chips cannot be cloned. That's the entire reason for chips rather than magstripes."
— Card thieves would love to steal data from the Coin card.
Credit cards can be "skimmed" by crooked restaurant workers, bartenders, cashiers or hotel clerks — even fast-food restaurant employees — who sell the stolen magnetic-stripe data to card cloners. If you hand your Coin card to one of these crooks, they'll be able to steal the data from ALL your cards, not just one. (The Coin FAQ says you can't lock your Coin card, "but you don't have to.")
— Conversely, the Coin app card reader could let anyone become a card thief.
"It's a commercial skimmer!" Wisniewski said. "Install the app, swipe someone else's card through your phone, perhaps from the next table at the bar, and voilà!"
(The Coin FAQ says it's not possible for people to import data from cards they don't own, but the FAQ doesn't explain why not.)
— If you pair it with your smartphone, it'll be useless if you lose your phone, or if your phone's battery dies.
Imagine you go out for drinks after work. One bar leads to another, and before you know it, it's 3 a.m., you're out of cash and you're looking for a cab home.
You try to hit an ATM, but your smartphone's out of juice and, without a constant Bluetooth proximity connection, the Coin card has turned itself off. Without access to the worldwide electronic financial system, you're walking home.
— If you break the Coin card, lose it or leave it behind, you're stuck with the cash you happen to have on hand.
"It's a central point of failure in your wallet," said Steve Santorelli, director of global outreach with security firm Team Cymru in Lake Mary, Fla. "At least with the conventional batch of credit cards we all seem to lug around, if one stripe goes bad, you can default to manual entry, or use another one."
"I don't like the idea of all my eggs in one basket," said Sean Sullivan of Finnish security company F-Secure. "I frequently step out with just a debit card (with limited funds in its account) and my ID. Having all my bank cards in one is not actually desired from an 'opsec' [operational security] view, in my mind."
— Bluetooth Low Energy (BLE) security is unproven.
The BLE standard has barely begun to enter the market, and it's possible that it could be susceptible to old-style "sniffing" or "man-in-the-middle" attacks that worked against older Bluetooth protocols.
"While the BLE specification does include encryption, few, if any devices have implemented it yet," Mike Davis of Seattle security firm IOActive told the tech blog The Register. "Additionally, BLE has known issues when it comes to secure pairing."
— Hackers might be able to access credit-card data by hacking your smartphone.
"Consider the amount of overt malware out there for Android, and the occasional apps that are not quite what they seem in iOS," Santorelli said. "You are basically putting all your credit-card data in one place on a device that might not be secure itself. The potential for malware to sniff and ship the relevant files off your device is significant."
— Hackers might be able to steal your credit-card info by breaking into Coin's servers.
The Coin FAQ says that each Coin card will be "associated with your account and not that specific phone/device," and that the company is "in the process" of being certified for "PCI DSS standards for storing and transmitting card data."
That's a pretty strong hint that credit-card data will be stored on the Coin company's servers. But the Coin FAQ doesn't say how that data will be stored.
"Don't worry!" Wisniewski sarcastically said. "All of your card data is stored on Coin's servers."
It's not a good idea to let ANY online company, from Amazon.com down to Pa Kettle's Hi-Fi Repair, store your credit-card data. The consequences of a data breach, all too common these days, are just too high.