Feeds

Infosec bods scorn card-swiping Coin over security fears

Deprecated money-moving tech is still secure, insists biz

SANS - Survey on application security programs

All-in-one digital payments start-up Coin has issued a robust defence of its technology following criticism from an infosec firm.

Coin offers a single combined credit/debit/loyalty/store card that's paired with a user's mobile phone. The Coin app requires that you take a picture of the front and back of the card, type in your card details, and then swipe the card (using a reader it provides) to ensure the card’s encoded magnetic stripe data matches the card details provided.

It is not possible to complete these steps unless you are in physical possession of a card - see video below for an explanation of how the technology works.

However security researchers at IOActive fear the technology inadvertently creates new avenues for abuse, in particular the possibility of potentially opening the door to more potent skimming attacks.

Wim Remes, managing consultant for IOActive, explained: "Coin seems like an interesting idea, presented as a technology that simplifies how we use cards with magnetic stripes today. In essence, however, it also offers itself as a personal skimming device. From the information currently available about Coin, most of the security features that the inventors have implemented appear to be opt-in. Beyond a Bluetooth connection with a mobile phone it is to be assumed there are no further authentication features in the technology."

“At first glance there are an abundant possibilities for abuse. For example, a person that gets temporary access to your Coin device would be capable of recording magnetic stripe data from all the cards stored on it. Most cards currently get skimmed in retail environments and it is not too difficult to track down where a card got compromised. With Coin, however, a user could present a debit card that will get correctly charged while the credit card can be skimmed after the attacker has pushed the Coin button to select another card. You give an attacker your entire wallet, without any controls, instead of a single card," he added.

In response to El Reg's query, Coin acknowledged skimming was still an issue but maintained its technology was actually less at risk from skimming than conventional mag stripe cards.

"A Coin is less susceptible to some card skimming techniques that take a picture of the card as it is swiped since Coin does not display the full card details on the front or back of the device," said the company. "A Coin is no less susceptible than your current cards to other forms of skimming that capture data encoded in the magnetic stripe as the card is swiped. Also, you can only add cards that you own to your Coin."

Remes contended that any technology based on magnetic stripes was no longer suitable for credit or debit cards and that technology based on the harder-to-clone Chip and PIN technology was preferable.

"At best, the technology seems fit for low-value reward cards but definitely not for credit or debit cards. The fact of the matter is that in a world where card fraud is still running rampant, we should focus on the adoption of EMV [Europay, MasterCard and Visa] technology rather than making the use of magnetic stripe cards easier," he concluded.

For now at least, Coin only works with mag strip only cards. Chip and PIN (EMV smart cards) have been standard in Europe since 2005 but the technology has only just been introduced in the US and is not expected to be the de-facto standard for point of sale retail terminal transaction until October 2015. The technology was also recently introduced in the Asia-Pacific region.

This means that Coin is attempting to address a market for technology that's only really useful in the US, and perhaps only over a small time period at that; measurable in months rather than years.

Coin's card-swiping tech, which costs $100 and is only initially available in the US, will only ship in summer 2014.

In an FAQ, Coin said it plans to adapt its technology to support EMV smart cards.

Coin is currently designed for the U.S. market and does not support Chip and PIN (EMV), however, future generations of the device will include EMV.

Coin promo video

IOActive are far from the only security firm to raise a quizzical eyebrow at Coin, with other focusing on the digital certificate and cryptography used on its websites and other factors. Coin contends it has all these bases covered.

Maintaining the integrity of your Coin’s data is critical to your peace of mind. That’s why our servers, mobile apps and the Coin itself use 128-bit or 256-bit encryption for all storage and communication (http and bluetooth). Additionally Coin can alert you in the event that you leave it somewhere.

In the event that your Coin loses contact with your phone for a period of time that you configure in the Coin mobile app, it will automatically deactivate itself. Your Coin account is password protected and the mobile app requires that you type in your password before you can access sensitive card details.

Currently you cannot lock your Coin, but you don’t have to. Coin will automatically deactivate if it loses contact with your phone for a period of time that you configure in the Coin mobile app.

Mike Davis, principal research scientist for IOActive, has mixed feeling about Coin's use of radio connection technology.

"The use of BLE (Bluetooth Low Energy) is technologically the perfect choice for Coin, as the company can use super thin and flexible lithium polymer batteries, and eInk displays enabling users to get years of battery life out of a device," Davis explained. "And that’s even before breaching the subject of inductive charging."

"Security-wise there are a few issues,” Davis warned. “While the BLE specification does include encryption, few, if any devices have implemented it yet. Additionally, BLE has known issues when it comes to secure pairing and the only secure method ‘Out of Band’ may not be a realistic option for a product like Coin," he added.

Coin submitted its technology for certification under the PCI DSS payment industry regulatory standard. A device such as a Coin is seen as similar to a payment card in a consumer’s wallet so the PCI Security Standards Council's separate certification for payment applications (PA-DSS) is not applicable to Coin. ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.