Feeds

back to article Infosec bods scorn card-swiping Coin over security fears

All-in-one digital payments start-up Coin has issued a robust defence of its technology following criticism from an infosec firm. Coin offers a single combined credit/debit/loyalty/store card that's paired with a user's mobile phone. The Coin app requires that you take a picture of the front and back of the card, type in your …

COMMENTS

This topic is closed for new posts.
Gold badge
FAIL

Another firm that wants to turn you *into* the product?

Thanks but no thanks.

Should be popular with the ignoranti.

0
0
Anonymous Coward

Err, really?

So many problems, where to begin?

If you take a picture of the front and back of the card, then swipe it any malware on the device which is used can obtain a full copy of your card, the CVV2 and the magstripe.

I can't imagine a single bank being in any way supportive of a technology used to copy the magstripe in any way, let alone with a commodity device such as a mobile phone.

The card maintains a bluetooth connection with the phone, presumably as well as to keep the phone in the proximity of the card, but also to upload/modify data stored on the card. This is a blatant point with which to attack the card.

There will never be a chip and pin version of this device. I don't care what they say, banks aren't going to want to deal with companies who copy the magstripe, let alone allow those companies to have access to chip and pin keys, etc.

0
0
Silver badge

Re: Err, really?

That's assuming Chip-and-PIN gets accepted. You have to ask why magstripe has stayed in the US for so long, and perhaps one reason is that people have trouble with PINs (which are already used for bank cards). What happens when too many people cry out, "I want my magstripe back!"?

0
0
Anonymous Coward

Re: Err, really?

The reason that magstripe has existed in the US for so long is because the banks make the merchants pay for the equipment, so the merchants want to keep hold of equipment as long as possible and seriously push back on the banks if they try to mandate updates. Couple that with banks not really being bothered about card security to the same extent as the UK/EU. That said, EMV are forcing the issue and are making the banks in the US roll out chip and pin, it's only a matter of time now.

I don't doubt there will be a few people who think chip and pin is some sort of conspiracy - there are in the UK, so I've no doubt that there will be groups in the USA who think it is as well. Overall I think that the EMV have seen for a whole and even the banks in the USA are starting to see that it's a national embarrassment that their country is the target for the vast majority of international card fraud because of their hanging on to cheques.

0
0
Anonymous Coward

Re: Err, really?

Storing the magstripe content or the CVV is explicitly prohibited by PCI-DSS (v3.0: requirements 3.2.1 and 3.2.2).

So getting compliance will be difficult, and banks might have their day pushing all liability back to the customers who use it.

0
0

Re: Err, really?

Does a consumer have to be PCI DSS compliant?

0
0
Silver badge

Dead stupid, but might still be adopted

Having sat in on some audits over the years, the banks and credit card companies do not care a bit that the thing is 'secure' per se. As long as they have a profit model, they are in.

The card companies were warned in spades about fraud decades ago. Their response was to find a way to make the consumer pay for it. That is why card rates are so outrageous, why there are so many 'gotchas' and why the theft of ridiculous amounts of the value of some prepaid cards continues to this day.

For at least some of the card companies credit card fraud is at worst a wash and possibly a profit center.

As long as they can make a buck on it, they will do it. What we need to do is shift responsibility on to the card companies and/or the banks. Do that and it will essentially fix itself.

0
0
Silver badge

Re: Dead stupid, but might still be adopted

No, do that and they'll balk because fixing it for them costs money. And note that the banks can influence Congress.

Also, if consumers don't like the EMV, they could do the ultimate protest and back out. Like I said, some peole are VERY bad with numbers.

As for hidebound belief, a sizable contingent of Americans were polled as saying the world is flat (and honestly believing it, too). So you know what, the cynic in me tells me to expect the worst now, as too many people are too stupid or apathetic to give two shakes of a dead dog's...you know.

0
0
Silver badge

Re: Dead stupid, but might still be adopted

@Charles 9:

Re:"No, do that and they'll balk ... [they] can influence Congress."

True. Given the state of things, you should assume when I say something like 'pass legislation' it is implied that you find some way to do that. That part sure won't be easy, I agree.

0
0
Silver badge

Re: Dead stupid, but might still be adopted

Easy? I daresay the only way you'll get something like that through is by CRISIS. And given the type of crisis that'll take, I shudder as the collateral damage.

0
0

This post has been deleted by a moderator

This topic is closed for new posts.