Infosec bods scorn card-swiping Coin over security fears

Deprecated money-moving tech is still secure, insists biz


All-in-one digital payments start-up Coin has issued a robust defence of its technology following criticism from an infosec firm.

Coin offers a single combined credit/debit/loyalty/store card that's paired with a user's mobile phone. The Coin app requires that you take a picture of the front and back of the card, type in your card details, and then swipe the card (using a reader it provides) to ensure the card’s encoded magnetic stripe data matches the card details provided.

It is not possible to complete these steps unless you are in physical possession of a card - see video below for an explanation of how the technology works.
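As an added illustration of the ownership check that enrolment step performs (example code written for this article, not Coin's own), a hypothetical parser that reads the two ISO 7813 tracks from a swipe and compares them with the details the user typed in; the sample tracks use the well-known Visa test PAN and are constructed:

```python
import re
from dataclasses import dataclass

# ISO 7813 layouts (assumed for this example):
# Track 1: %B<PAN>^<SURNAME/GIVEN>^<YYMM><service code><discretionary data>?
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})\d{3}[^?]*\?$")
TRACK2_RE = re.compile(r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})\d{3}[^?]*\?$")

@dataclass
class Entered:
    pan: str        # digits as typed, spaces allowed
    expiry: str     # "MM/YY" as typed in the app
    first: str
    last: str

def luhn_ok(pan: str) -> bool:
    """Mod-10 check digit test: rejects typos and most malformed PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def verify_enrolment(track1: str, track2: str, entered: Entered) -> list[str]:
    """Return the mismatches between the swiped stripe and the typed card details.
    An empty list means the swipe corroborates what the user typed."""
    problems = []
    m1, m2 = TRACK1_RE.match(track1), TRACK2_RE.match(track2)
    if not (m1 and m2):
        return ["unreadable track data"]
    if m1["pan"] != m2["pan"] or m1["exp"] != m2["exp"]:
        problems.append("track 1 and track 2 disagree")
    if not luhn_ok(m1["pan"]):
        problems.append("PAN fails Luhn check")
    if re.sub(r"\D", "", entered.pan) != m1["pan"]:
        problems.append("PAN mismatch")
    mm, yy = entered.expiry.split("/")
    if yy + mm != m1["exp"]:                # the stripe stores YYMM, the app asks for MM/YY
        problems.append("expiry mismatch")
    surname, _, given = m1["name"].partition("/")
    first = (given.split() or [""])[0]
    if surname.strip().upper() != entered.last.upper() or first.upper() != entered.first.upper():
        problems.append("cardholder name mismatch")
    return problems

# Constructed sample swipe: Visa test PAN 4111 1111 1111 1111, cardholder DOE/JOHN, expiry 12/25.
SAMPLE_T1 = "%B4111111111111111^DOE/JOHN^25121010000000000?"
SAMPLE_T2 = ";4111111111111111=25121010000000000?"
```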

However, security researchers at IOActive fear the technology inadvertently creates new avenues for abuse, in particular by opening the door to more potent skimming attacks.

Wim Remes, managing consultant for IOActive, explained: "Coin seems like an interesting idea, presented as a technology that simplifies how we use cards with magnetic stripes today. In essence, however, it also offers itself as a personal skimming device. From the information currently available about Coin, most of the security features that the inventors have implemented appear to be opt-in. Beyond a Bluetooth connection with a mobile phone it is to be assumed there are no further authentication features in the technology."

"At first glance there are abundant possibilities for abuse. For example, a person that gets temporary access to your Coin device would be capable of recording magnetic stripe data from all the cards stored on it. Most cards currently get skimmed in retail environments and it is not too difficult to track down where a card got compromised. With Coin, however, a user could present a debit card that will get correctly charged while the credit card can be skimmed after the attacker has pushed the Coin button to select another card. You give an attacker your entire wallet, without any controls, instead of a single card," he added.

In response to El Reg's query, Coin acknowledged skimming was still an issue but maintained its technology was actually less at risk from skimming than conventional mag stripe cards.

"A Coin is less susceptible to some card skimming techniques that take a picture of the card as it is swiped since Coin does not display the full card details on the front or back of the device," said the company. "A Coin is no less susceptible than your current cards to other forms of skimming that capture data encoded in the magnetic stripe as the card is swiped. Also, you can only add cards that you own to your Coin."

Remes contended that any technology based on magnetic stripes was no longer suitable for credit or debit cards and that technology based on the harder-to-clone Chip and PIN technology was preferable.

"At best, the technology seems fit for low-value reward cards but definitely not for credit or debit cards. The fact of the matter is that in a world where card fraud is still running rampant, we should focus on the adoption of EMV [Europay, MasterCard and Visa] technology rather than making the use of magnetic stripe cards easier," he concluded.

For now at least, Coin only works with mag-stripe-only cards. Chip and PIN (EMV smart cards) has been standard in Europe since 2005, but the technology has only just been introduced in the US and is not expected to be the de facto standard for point-of-sale retail terminal transactions until October 2015. The technology was also recently introduced in the Asia-Pacific region.

This means that Coin is attempting to address a market for technology that's only really useful in the US, and perhaps only over a small time period at that; measurable in months rather than years.

Coin's card-swiping tech, which costs $100 and is only initially available in the US, will only ship in summer 2014.

In an FAQ, Coin said it plans to adapt its technology to support EMV smart cards.

Coin is currently designed for the U.S. market and does not support Chip and PIN (EMV), however, future generations of the device will include EMV.

Coin promo video

IOActive is far from the only security firm to raise a quizzical eyebrow at Coin, with others focusing on the digital certificate and cryptography used on its websites, among other factors. Coin contends it has all these bases covered.

Maintaining the integrity of your Coin’s data is critical to your peace of mind. That’s why our servers, mobile apps and the Coin itself use 128-bit or 256-bit encryption for all storage and communication (http and bluetooth). Additionally Coin can alert you in the event that you leave it somewhere.

In the event that your Coin loses contact with your phone for a period of time that you configure in the Coin mobile app, it will automatically deactivate itself. Your Coin account is password protected and the mobile app requires that you type in your password before you can access sensitive card details.

Currently you cannot lock your Coin, but you don’t have to. Coin will automatically deactivate if it loses contact with your phone for a period of time that you configure in the Coin mobile app.

Mike Davis, principal research scientist for IOActive, has mixed feelings about Coin's use of radio connection technology.

"The use of BLE (Bluetooth Low Energy) is technologically the perfect choice for Coin, as the company can use super thin and flexible lithium polymer batteries, and eInk displays enabling users to get years of battery life out of a device," Davis explained. "And that's even before breaching the subject of inductive charging."

"Security-wise there are a few issues," Davis warned. "While the BLE specification does include encryption, few, if any, devices have implemented it yet. Additionally, BLE has known issues when it comes to secure pairing and the only secure method, 'Out of Band', may not be a realistic option for a product like Coin," he added.

Coin submitted its technology for certification under the PCI DSS payment industry regulatory standard. A device such as a Coin is seen as similar to a payment card in a consumer’s wallet so the PCI Security Standards Council's separate certification for payment applications (PA-DSS) is not applicable to Coin. ®
