Coin: Risk vs Reward

After completing a $50,000 kickstarter campaign in under 40 minutes, this small company’s mission is to shrink the size of your wallet by reducing the amount of plastic a person has to carry to a single card.

A small step in the transition from plastic to digital money management: there is a lot to like in the slick promo video for a card that can store debit cards, credit cards, and loyalty/gift cards on a single swipeable card. I love the idea, but will the execution be solid enough to stave off the security concerns around such a comprehensive identity-theft target?

The viral promo video has scored 8 million views; clearly there is demand for the product. While this product might be the thing that finally enables me to put away my wallet of yesteryear and adopt a hip money clip, I’m legitimately frightened of the security implications of such a device. Read on before you make your decision.

What Are The Security Features of Coin?

Coin has published a general FAQ that covers some security features. The card uses a Bluetooth Low Energy connection with your phone. As the video implies, you can configure the card to lock your card choice in so it is “unchangeable” when the card is a certain distance from your phone. This is to prevent someone farther away from unintentionally switching your card choice so that the wrong card gets swiped. You can also have the card disable itself if it has been out of range of your phone for a defined period of time. Many consumers and news outlets have already covered their concerns here.

What happens if my phone dies? The card is still swipeable, but only until the timeout. A short timeout is more secure, but then you need to carry a backup card in case your phone is low on juice. Your card can die too: Bluetooth uses power (even if it is Low Energy), and the card currently has only a two-year life span. After that, you have to buy a new card. At a retail price of $100, that isn’t a great price point.

Coin’s servers, mobile apps and the Coin itself use 128-bit or 256-bit encryption for all storage and communication (HTTP and Bluetooth). What if your phone and card get stolen together? Silly girls and their wristlets… The best way to prevent use of the Coin is to leverage the phone’s security features, such as the screen lock and wiping the phone after 10 invalid unlock attempts. If the thief gets through the lock screen, they still need your username and password to sign into the Coin app, which stores the credit card details.

Some card-skimming techniques are less effective on Coin, particularly the ones that take a picture of the card, because there are no numbers printed on the card itself. It is no less vulnerable to skimming attacks that read the mag stripe of the card.

Coin Vulnerabilities?

The Coin seems to center its security model on requiring a Bluetooth connection with your phone to ensure that the card is not usable by someone other than you. Many of the features that prevent swiping all of your cards or stealing your Coin revolve around this Bluetooth connection. The only problem is, last I checked, Bluetooth Low Energy has known security flaws that leave the technology susceptible to eavesdropping attacks.

The link points to a 2012 conference talk in which the speaker demonstrates that, using a $120 Bluetooth sniffing device called Ubertooth, you can execute a reliable attack that sniffs Bluetooth connections, even encrypted ones, and capture enough information to decipher the data by forcing your device to reconnect. That means if I am 30 feet from your Coin and phone with this thing, I can hijack the Bluetooth connection to your Coin.

It’s not that I can read your card details over Bluetooth. It’s that I can send a fabricated signal to your Coin when it asks, “Hey, owner’s phone, you still around?” and respond, “Oh sure, don’t worry!” even if the owner’s phone is long gone. I sit near you, I trick your Coin into thinking I’m your phone, and when I steal your Coin I now have access to up to 8 of your credit/debit cards.

Is This Realistic?

Look, I know the above attack sounds kind of far-fetched, but my view is that if I can buy the device and use it out of the box, that’s a problem. Bluetooth has acknowledged that a future version of BTLE will use anti-eavesdropping techniques, but the vulnerable devices are already here, right now. If Coin sells as many cards as their pre-orders suggest, then attacks like this may become common.
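To make the point about the presence check concrete, here is an added example written for this post; it is not Coin’s firmware or protocol. It models the lock and disable timers from the FAQ section and compares two ways a card could answer “is the owner’s phone still nearby?”: a naive check that accepts any “still here” reply, so a reply recorded earlier and re-sent later keeps the card unlocked (the scenario described above), and an authenticated check in which the card sends a fresh random nonce and accepts only an HMAC over that nonce under a key shared at pairing time. The timer values, the pairing key and the HMAC construction are all assumptions, not Coin’s published design.

```python
"""Toy model of a proximity-gated card, constructed for this post.

Not Coin's firmware or protocol. Compares a naive presence check (any
reply counts) with a challenge-response check (fresh nonce + HMAC under
an assumed pairing key) and shows how the lock/disable timers behave
under each once the real phone is gone.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

LOCK_AFTER = 5       # assumed: seconds without the phone before card choice locks
DISABLE_AFTER = 600  # assumed: seconds without the phone before the card disables


class Phone:
    """The owner's phone; shares a pairing key with the card (assumed)."""

    def __init__(self, key: bytes) -> None:
        self.key = key

    def answer(self, nonce: bytes) -> bytes:
        # Prove possession of the pairing key over the card's fresh nonce.
        return hmac.new(self.key, nonce, hashlib.sha256).digest()


class Coin:
    """The card. Tracks when it last confirmed the phone was present."""

    def __init__(self, key: bytes, authenticated: bool) -> None:
        self.key = key
        self.authenticated = authenticated
        self.last_seen = 0.0
        self.pending_nonce: Optional[bytes] = None

    def challenge(self) -> bytes:
        """Emit a fresh nonce; only a reply to this exact nonce is valid."""
        self.pending_nonce = secrets.token_bytes(16)
        return self.pending_nonce

    def hear(self, now: float, reply: Optional[bytes]) -> bool:
        """Process a presence reply; True if accepted as the owner's phone."""
        if reply is None:
            return False
        if not self.authenticated:
            self.last_seen = now          # naive: any reply at all counts
            return True
        if self.pending_nonce is None:    # no outstanding challenge
            return False
        expected = hmac.new(self.key, self.pending_nonce, hashlib.sha256).digest()
        self.pending_nonce = None         # one use per nonce
        if hmac.compare_digest(reply, expected):
            self.last_seen = now
            return True
        return False

    def status(self, now: float) -> str:
        away = now - self.last_seen
        if away >= DISABLE_AFTER:
            return "disabled"
        if away >= LOCK_AFTER:
            return "locked"
        return "unlocked"


def simulate(authenticated: bool, phone_leaves_at: int = 100, end: int = 800) -> Dict[int, str]:
    """Run a second-by-second scenario; return the card's status at each second.

    Until phone_leaves_at the real phone answers every challenge. After that
    the phone is gone and the card only hears the phone's last reply, re-sent
    every second (a recorded reply being replayed, as the post describes).
    """
    key = secrets.token_bytes(32)
    phone, coin = Phone(key), Coin(key, authenticated)
    recorded: Optional[bytes] = None
    timeline: Dict[int, str] = {}
    for t in range(end + 1):
        nonce = coin.challenge()
        if t < phone_leaves_at:
            recorded = phone.answer(nonce)
        reply = recorded
        coin.hear(float(t), reply)
        timeline[t] = coin.status(float(t))
    return timeline


if __name__ == "__main__":
    for mode in (False, True):
        tl = simulate(mode)
        print("authenticated" if mode else "naive", "->",
              {t: tl[t] for t in (99, 104, 300, 699, 800)})
```

With the naive check the card reports “unlocked” for the whole run, because the replayed reply keeps resetting its last-seen time; with the challenge-response check the replayed reply never matches the new nonce, so the card locks 5 seconds after the phone leaves and disables itself after 600. Shortening DISABLE_AFTER narrows the window a stolen card stays usable but brings back the dead-phone problem discussed above, and an authenticated check does nothing for the phone-and-card-stolen-together case, which still rests on the phone’s screen lock and the app login.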

Will I Use It?

I don’t know. There is the risk of having to cancel all of my cards (will banks insure against identity theft if your Coin is stolen?) weighed against whether the features of the Coin are “secure enough” to protect me from the average thief. I’m not exactly a high-net-worth target. I don’t actually think the average Joe is going to go out and buy that device and follow me around with a laptop to hack my digital credit card. Not at this level of proliferation, anyway. I strongly support the move from plastic to a digital financial system, but this implementation may not be the one. I look forward to reading more about it. What do you think? Let me know in the comments if you would use this card.

~PL

Posted in Finance, Hardware, Security, Software, Technology.
