Infosec bods scorn card-swiping Coin over security fears

Deprecated money-moving tech is still secure, insists biz

Protecting against web application threats using SSL

All-in-one digital payments start-up Coin has issued a robust defence of its technology following criticism from an infosec firm.

Coin offers a single combined credit/debit/loyalty/store card that's paired with a user's mobile phone. The Coin app requires that you take a picture of the front and back of the card, type in your card details, and then swipe the card (using a reader it provides) to ensure the card’s encoded magnetic stripe data matches the card details provided.

It is not possible to complete these steps unless you are in physical possession of a card - see video below for an explanation of how the technology works.

However security researchers at IOActive fear the technology inadvertently creates new avenues for abuse, in particular the possibility of potentially opening the door to more potent skimming attacks.

Wim Remes, managing consultant for IOActive, explained: "Coin seems like an interesting idea, presented as a technology that simplifies how we use cards with magnetic stripes today. In essence, however, it also offers itself as a personal skimming device. From the information currently available about Coin, most of the security features that the inventors have implemented appear to be opt-in. Beyond a Bluetooth connection with a mobile phone it is to be assumed there are no further authentication features in the technology."

“At first glance there are an abundant possibilities for abuse. For example, a person that gets temporary access to your Coin device would be capable of recording magnetic stripe data from all the cards stored on it. Most cards currently get skimmed in retail environments and it is not too difficult to track down where a card got compromised. With Coin, however, a user could present a debit card that will get correctly charged while the credit card can be skimmed after the attacker has pushed the Coin button to select another card. You give an attacker your entire wallet, without any controls, instead of a single card," he added.

In response to El Reg's query, Coin acknowledged skimming was still an issue but maintained its technology was actually less at risk from skimming than conventional mag stripe cards.

"A Coin is less susceptible to some card skimming techniques that take a picture of the card as it is swiped since Coin does not display the full card details on the front or back of the device," said the company. "A Coin is no less susceptible than your current cards to other forms of skimming that capture data encoded in the magnetic stripe as the card is swiped. Also, you can only add cards that you own to your Coin."

Remes contended that any technology based on magnetic stripes was no longer suitable for credit or debit cards and that technology based on the harder-to-clone Chip and PIN technology was preferable.

"At best, the technology seems fit for low-value reward cards but definitely not for credit or debit cards. The fact of the matter is that in a world where card fraud is still running rampant, we should focus on the adoption of EMV [Europay, MasterCard and Visa] technology rather than making the use of magnetic stripe cards easier," he concluded.

For now at least, Coin only works with mag strip only cards. Chip and PIN (EMV smart cards) have been standard in Europe since 2005 but the technology has only just been introduced in the US and is not expected to be the de-facto standard for point of sale retail terminal transaction until October 2015. The technology was also recently introduced in the Asia-Pacific region.

This means that Coin is attempting to address a market for technology that's only really useful in the US, and perhaps only over a small time period at that; measurable in months rather than years.

Coin's card-swiping tech, which costs $100 and is only initially available in the US, will only ship in summer 2014.

In an FAQ, Coin said it plans to adapt its technology to support EMV smart cards.

Coin is currently designed for the U.S. market and does not support Chip and PIN (EMV), however, future generations of the device will include EMV.

Coin promo video

IOActive are far from the only security firm to raise a quizzical eyebrow at Coin, with other focusing on the digital certificate and cryptography used on its websites and other factors. Coin contends it has all these bases covered.

Maintaining the integrity of your Coin’s data is critical to your peace of mind. That’s why our servers, mobile apps and the Coin itself use 128-bit or 256-bit encryption for all storage and communication (http and bluetooth). Additionally Coin can alert you in the event that you leave it somewhere.

In the event that your Coin loses contact with your phone for a period of time that you configure in the Coin mobile app, it will automatically deactivate itself. Your Coin account is password protected and the mobile app requires that you type in your password before you can access sensitive card details.

Currently you cannot lock your Coin, but you don’t have to. Coin will automatically deactivate if it loses contact with your phone for a period of time that you configure in the Coin mobile app.

Mike Davis, principal research scientist for IOActive, has mixed feeling about Coin's use of radio connection technology.

"The use of BLE (Bluetooth Low Energy) is technologically the perfect choice for Coin, as the company can use super thin and flexible lithium polymer batteries, and eInk displays enabling users to get years of battery life out of a device," Davis explained. "And that’s even before breaching the subject of inductive charging."

"Security-wise there are a few issues,” Davis warned. “While the BLE specification does include encryption, few, if any devices have implemented it yet. Additionally, BLE has known issues when it comes to secure pairing and the only secure method ‘Out of Band’ may not be a realistic option for a product like Coin," he added.

Coin submitted its technology for certification under the PCI DSS payment industry regulatory standard. A device such as a Coin is seen as similar to a payment card in a consumer’s wallet so the PCI Security Standards Council's separate certification for payment applications (PA-DSS) is not applicable to Coin. ®

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
prev story


Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.