Chronicles of Mario

The Musings of a G[r]eek

Wordpress Themes
Home » Technology » Cybersecurity » Coin: 10 Reasons It’s Not a Nightmare

Coin: 10 Reasons It’s Not a Nightmare

Posted by Mario Stylianou Categories: Cybersecurity, Technology

Tom’s Guide published a piece called 10 Reasons Coin Card Could Be a Security Nightmare that starts off with a great summary of what Coin is but then goes on to excessively magnify the risks of using Coin and their likelihood. This alarmist piece does not accurately portray real usage and real risks of Coin, doing a disservice to those who are uninformed about the product. Read on to see what Coin is as well as an accurate assessment of the security risks it does and does not have.

First off, the great intro:

Last week, thanks to a successful press campaign, San Francisco-based startup Coin raised $50,000 in 40 minutes from strangers willing to wait nearly a year for a digital wallet.

The Coin card, a credit-card sized black plastic rectangle with an LCD screen that will sell for $100, is due to hit the market in summer 2014. It will contain a programmable magnetic stripe that can be swiped through any standard card reader at a retail store, gas station, ATM or so on.

Up to eight credit, debit, ATM or loyalty cards— any card with a magnetic stripe — can be “saved” on the Coin card, giving users seven fewer cards to carry in wallets or purses.

What follows this are the ten “nightmarish” issues the article brings up. Responses are provided underneath each to show that, while the issues are perfectly valid to raise, in reality their magnitude and incidence rate is blown out of proportion.

alt

Coin is a connected device that can hold and behave like the cards you already carry. Coin works with your debit cards, credit cards, gift cards, loyalty cards and membership cards. Instead of carrying several cards you carry one Coin. Multiple accounts and information all in one place.

  1. Card issuers may not take kindly to customers skimming their own card data onto third-party devices.
    • This may be true but the jury’s still out on it. I don’t think Coin is a big enough player for them to care substantially and the Coin demographic is a young, affluent, technology savvy group that would cause significant bad publicity for card issuers if they hindered Coin’s roll out.
    • Coin is essentially like duplicating a physical key. It may look different but it works exactly the same way as the original. Neither the lock you insert a key in nor the POS/point of sale device you swipe your card through knows whether it’s the original or a duplicate; if it authenticates, you proceed. Similarly, card issuers aren’t able to tell if you used your originally issued card or Coin.
  2. Stores and other points of sale might not accept the Coin card — and there will be a downside if they do.
    • It’s imprudent to not carry a back up credit/debit card and just rely on one card — Coin or otherwise. I carry two credit cards in case I have a problem with one; it’s called being prepared. The same philosophy should apply with Coin.
    • The article says that Coin won’t be accepted by people tendering a transaction. In reality, the majority of the time most people swipe their card themselves and it’s never handed over. If some contentious cashier has an issue, bust out the back up card.
  3. Coin card users may only be able to use the devices for a short time.
    • It’s great that the US is getting the same EMV chip-based security technology that Europe has been using for a decade. And yes, Coin won’t work in Europe due to the lack of an EMV chip; that’s not a surprise and something that they mention upfront. However, I doubt EMV adoption will move so fast that Coin will be unusable. I give it a good 2 or 3 years before you really need a chip in order to use a card in the US. There’s  lot of people with a lot of cards floating around that would need to be upgraded and there will be legacy point-of-sale devices for a long time coming. Thus, “a short time” could last quite a while.
    • Next generation Coin is already being designed with EMV.
  4. Card thieves would love to steal data from the Coin card.
    • Sure, as long as they’re within 25 feet / 7.5 meters of you. Also, the article is wrong in that you can actually lock the card. It auto locks when you go out of range and can be set to lock to just the selected card when you hand it over to a cashier.
    • It’s unlikely that a cashier is going to skim all your cards while standing a few feet away from you when all your cards are available. If a restaurant server whisks your card away to run it and wants to skim it, he’ll get just the one card you selected — same as if you handed him that one card.
  5. Conversely, the Coin app card reader could let anyone become a card thief.
    • Card skimmers already exist. Does that mean no one should use credit cards? Or that a product with legitimate uses shouldn’t exist? I don’t know how Coin prevents you from importing cards that you don’t own. My guess is that the same name has to appear on all the cards. Credit card skimmers are also much less conspicuous than Coin’s smartphone card swiper.
  6. If you pair it with your smartphone, it’ll be useless if you lose your phone, or if your phone’s battery dies.
    • Again, everyone should have a backup card. For example, I have an AMEX and carry around a MasterCard because some places do not take AMEX. You might as well tell me I shouldn’t get an AMEX because I can’t use it everywhere I want to be (cue Visa ad).
  7. If you break the Coin card, lose it or leave it behind, you’re stuck with the cash you happen to have on hand.
    • Again, everyone should have a backup card. I’d never walk out the door with one credit card. I’d never walk out the door with just Coin.
  8. Bluetooth Low Energy (BLE) security is unproven.
    • If you’re afraid of BLE then you should never do commerce on WiFi, either. With WiFi, you can be 100 feet away and capture data being transmitted. With BLE, someone is going to have to be pretty close to capture your data during a transaction. It doesn’t seem like an efficient strategy for high-tech credit card thieves. Maybe if you setup a computer in a Silicon Valley Starbucks near the cashier you can capture a couple Coins over the course of a day assuming the patrons sit down after buying their drink so you have time to hack the card.
    • To be clear, the phone doesn’t do anything in the course of a transaction except tell Coin it’s close by so it’s okay to let it be charged. Quite a bit of hacking has to be done to actually break into either the phone or Coin.
  9. Hackers might be able to access credit-card data by hacking your smartphone.
    • If you’ve ever bought or logged into anything that has your credit card saved (e.g. Amazon) on your phone, you’re still at risk. Hackers can also get into corporations and merchant servers where they store credit card data.
    • The Coin app is a potential liability because it’s yet another place where your data can be stolen from, but the risk is small that they’re going to spend effort breaking into or creating malware targeted at an app used by such a small pool of people.
  10. Hackers might be able to steal your credit-card info by breaking into Coin’s servers.
    • Or hackers might be able to steal your information by breaking into Target, TJ Maxx, Sony, the University of Maryland server that has every student who graduated since 1998, and so on. It’s a more efficient (and profitable) use of a hacker’s time and effort to set his sights on a large corporation rather than skimming individual early-adopters or targeting a start-up’s small user base.

If none of the above convinced you of how overboard the article has gone, the last paragraph really clinches it:

“It’s not a good idea to let ANY online company, from Amazon.com down to Pa Kettle’s Hi-Fi Repair, store your credit-card data. The consequences of a data breach, all too common these days, are just too high.”

If your level of risk tolerance of privacy/security is such that you are comfortable, like many people, with saving your credit card in your Amazon.com account, then Coin is fine for you as it presents an equivalent level of risk. If you are risk averse to storing your credit card in such a manner and find it to be a “nightmare” storing your information online, Coin isn’t going to be any better as it won’t offer you any more peace of mind. The rest of us can breathe easy. In short, are there liabilities? Of course, but the chance of experiencing them is miniscule.   Fear of an unlikely event (like getting struck by lightning) shouldn’t be a reason to prevent adoption of a useful tool (forgoing an umbrella during a rainstorm) — quite simply because, like with Coin, the benefits outweigh the costs.

I’ve happily ordered Coin and I’m looking forward to having it arrive shortly. Look for a full review soon once I’ve had a chance to use it.

coin_horizontal_brand

Get Coin prior to summer for $50 before the price jump to $100.

Mario Stylianou

One Response so far.

  1. The1Aljo says:

    Well written. From what I’ve read, coin is basically like keeping all your keys on one key chain. Similar risks, similar benefits.


 

  • RSS
  • Delicious
  • Digg
  • Facebook
  • Twitter
  • Linkedin
  • Youtube

Sponsors

Popular Posts

Coin: 10 Reasons It's Not a Nightmare

Tom's Guide published a piece called 10 Reasons Coin Card ...

Mario with Google Glass at NYC Glass Headquarters

Google Glass Explorers Invitations Avail

As most of you can tell, I've been beta testing +Google ...

iPhone 4S

iPhone 4S: Too little, Too late

I had big hopes for this little phone. A bigger ...

Facebook Smart Lists

Facebook Smart Lists

Way to be creative Facebook. Let's create auto-populating Smart Lists of ...

Netflix+Qwikster

Netflix: Scheming for a Sell-off? Nope.

After a series of uncharacteristically bad mistakes, I thought maybe, ...

Twitter updates

No public Twitter messages.