A Consolidated Payment Card Sounds Convenient—But Is It Secure?
The Coin card, which acts as a digital wallet, already has generated a lot of buzz—and a lot of capital. The San Francisco-based startup began with a crowdfunding campaign to raise fifty thousand dollars to get the card manufactured, and it met that goal in only forty minutes. Interested techies are scrambling to buy cards for fifty dollars before the sale price doubles in December, even though the cards won’t ship until next summer.
Coin is supposed to be a replacement for all the plastic in your wallet. It’s the same size as a credit card, but it can store programmed information for up to eight credit, debit, or store loyalty cards. It has an LCD screen on the front that displays which of your saved cards you’ve selected to use, and when swiped, the magnetic stripe on the back will transmit that card’s data. That means you can use Coin to pay for gas with your debit card account, go to a department store and use Coin to pay with a gift card you have, then go to the ATM and use Coin to withdraw cash.
Sounds pretty convenient, right? However, experts warn that the card might not keep your information secure.
“Worst. Idea. Ever,” Sophos security adviser Chester Wisniewski told tech publication Tom's Guide via email. “Convenient? Sure. Safe? Probably not.”
On the Coin website’s FAQ page, the security section says its “servers, mobile apps and the Coin itself use 128-bit or 256-bit encryption for all storage and communication,” but it doesn’t say which algorithms or protocols are used, so the claim cannot be evaluated. The same page also warns that “Coin is no less susceptible than your current cards to other forms of skimming that capture data encoded in the magnetic stripe as the card is swiped.” In other words, Coin does nothing to stop a skimmer at a tampered reader, and because it can replay every card loaded onto it, someone who gets hold of your Coin holds the data for all of those cards, not just one.
In fact, “skimming,” reading a card’s magnetic stripe to capture its data, is essentially what Coin asks its own users to do: to load a card, the user swipes it through a reader and copies the stripe data onto Coin, which then replays it on demand. The bad news is that Coin has not secured approval from any of the major card issuers and networks it hopes to work with. Those companies may not appreciate their cards being duplicated onto a third-party device, and copying card data this way may also conflict with card-network rules or industry data-security standards.
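What one swipe actually hands over, parsed the way a card reader or a skimmer parses it, as an added example that is not part of the original article and not Coin’s own software. The track strings are constructed around the well-known test number 4111111111111111 and a fictitious cardholder; the field layout follows ISO/IEC 7813.

```python
"""Added example, not Coin's code: parse ISO/IEC 7813 magnetic-stripe track
data exactly as a card reader (or a skimmer) captures it in a single swipe.
The sample strings are constructed around a well-known test PAN."""
import re
from dataclasses import dataclass
from typing import Optional

# Track 1 (IATA): %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(
    r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^"
    r"(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)
# Track 2 (ABA): ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)

# Constructed sample swipes (test PAN 4111111111111111, fictitious holder).
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JANE^24121015432112345678?"
SAMPLE_TRACK2 = ";4111111111111111=24121015432112345678?"


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test, the first sanity filter a skimmer applies."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class TrackData:
    pan: str
    name: Optional[str]      # only present on track 1
    expiry: str              # YYMM as encoded on the stripe
    service_code: str
    discretionary: str       # issuer data, e.g. the stripe's own CVV1/CVC1

    @property
    def masked_pan(self) -> str:
        return self.pan[:6] + "*" * (len(self.pan) - 10) + self.pan[-4:]

    @property
    def chip_card(self) -> bool:
        """First service-code digit 2 or 6 means an IC (chip) is present, so a
        magstripe copy of this card is a fallback the issuer can decline."""
        return self.service_code[0] in ("2", "6")


def parse_track(raw: str) -> TrackData:
    """Parse one track string; raises ValueError on malformed data or bad PAN."""
    m = TRACK1_RE.match(raw) or TRACK2_RE.match(raw)
    if m is None:
        raise ValueError("not a well-formed track 1 or track 2 string")
    f = m.groupdict()
    if not luhn_ok(f["pan"]):
        raise ValueError("PAN fails the Luhn check")
    return TrackData(
        pan=f["pan"],
        name=f.get("name"),     # track 2 has no name field
        expiry=f["exp"],
        service_code=f["svc"],
        discretionary=f["disc"],
    )


def try_parse(raw: str) -> Optional[TrackData]:
    """Same as parse_track but returns None instead of raising."""
    try:
        return parse_track(raw)
    except ValueError:
        return None


def wallet_exposure(swipes: list) -> list:
    """What an attacker learns from every stripe a lost multi-card device can
    replay: one (masked PAN, expiry, chip?) tuple per distinct card."""
    seen = {}
    for raw in swipes:
        t = try_parse(raw)
        if t is not None and t.pan not in seen:
            seen[t.pan] = (t.masked_pan, t.expiry, t.chip_card)
    return list(seen.values())


if __name__ == "__main__":
    for raw in (SAMPLE_TRACK1, SAMPLE_TRACK2):
        t = parse_track(raw)
        print(t.masked_pan, t.name, t.expiry, t.service_code, t.chip_card)
```

Everything the parser recovers (PAN, expiry, service code and the issuer’s discretionary data) is what a skimmer at a tampered terminal gets from one swipe, and what a stolen Coin can replay for each card loaded onto it. The chip_card check reads the first digit of the service code: a 2 or 6 tells the terminal that the real card carries a chip, so a magstripe-only copy is a fallback transaction the issuer may refuse.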
Bluetooth Low Energy (BLE), the wireless link Coin uses to load card data from its phone app, is a relatively new standard whose security has not yet been proven in widely deployed products.
“Security-wise, there are a few issues,” Mike Davis, principal research scientist for security firm IOActive, told tech blog The Register. “While the BLE specification does include encryption, few, if any, devices have implemented it yet. Additionally, BLE has known issues when it comes to secure pairing, and the only secure method, ‘Out of Band,’ may not be a realistic option for a product like Coin.”