How much of a skimming risk is the Coin smart payment card?

  • Posted on: January 2, 2014
  • Posted in: Compliance & Regulations, Current News
  • Posted by: Trend Micro

Technological alternatives to cash and credit have entered the spotlight in 2013. New hardware and software solutions are designed to further computerize and streamline payments, and some of them have gone so far as to simulate currency.

For example, the cryptocurrency Bitcoin has risen to prominence among tech-savvy individuals attracted to its anonymous, tax-free nature. At the same time, these very features have raised concerns that Bitcoin, and analogous offerings such as the Coin payment card, could facilitate theft and other malicious activity both on the Internet and in the physical world.

Coin: A new consolidated payments device with many potential risks
Coin isn’t as radical a creation as Bitcoin, but it should prompt many of the same security questions associated with Bitcoin. Designed to replace individual physical payment cards, Coin is a smartcard, powered by a rechargeable battery, that can store information from credit, debit and rewards cards. Original card information is uploaded to a user’s smartphone and synced to Coin via Bluetooth.

The practical use case for Coin is straightforward: It consolidates many payment methods into a single gadget, letting buyers carry fewer things in their wallets and opt into greater convenience. However, from a security standpoint, Coin is problematic on multiple levels.

Fundamentally, linking so many payment accounts to a single device dramatically raises the stakes for securing both the endpoint and all of its communications. Rather than getting info on just one credit card, a successful attacker could potentially scrape details on a user’s entire financial background.

On a more technical level, there are concerns about the security of the new, mostly unproven Bluetooth Low Energy protocol that Coin uses to communicate with other devices. Coin's reliance on a smartphone and mobile apps means that securing it requires locking down several different fronts, and security professionals have found Coin's efforts in this regard lacking.

There’s also the matter of compliance. The payment card industry is highly regulated, and it isn’t clear if or how Coin enables compliant transactions – it’s possible that swiping a Coin card is tantamount to duplicating a credit or debit card, which would run afoul of forgery regulations. As with Bitcoin, Coin demonstrates the diligence that the security community must pursue in regard to any solution that involves monetary transfer.

Security community raises concern about malicious Coin use cases
When users set up Coin, they swipe their payment cards using a peripheral that plugs into a smartphone. After that, they must take a picture of the front and back of each card to complete the process, at which point the card data is stored on the phone, synced with a server and transmitted to Coin via Bluetooth Low Energy.

Coin and the paired smartphone must be kept within a certain proximity or the card will not function properly. Under normal conditions, users can take out Coin, scroll to the card they want to pay with and have the merchant swipe it as if it were a normal card. The card has a rechargeable battery that is estimated to last for up to two years.

To its credit, Coin utilizes a number of industry-standard security measures to protect users and their data. Communications involving the Coin app, device and associated servers are all protected with 128-bit and 256-bit encryption, and the company has kept an eye on fraud by implementing detection mechanisms for excessive numbers of swipes.

Still, some observers regard the Coin app as essentially a card skimmer that does some of the legwork for payment data thieves. On top of that, Coin may have insufficient authentication mechanisms – other than its Bluetooth pairing with a smartphone – to completely mitigate the risk of unauthorized access and misuse. Since Coin keeps data on multiple cards, gaining access to it would enable a rogue user to essentially have access to the victim’s entire wallet.

“[A] person that gets temporary access to your Coin device would be capable of recording magnetic stripe data from all the cards stored on it,” stated IOActive managing consultant Wim Remes, according to The Register. “Most cards currently get skimmed in retail environments and it is not too difficult to track down where a card got compromised. With Coin, however, a user could present a debit card that will get correctly charged while the credit card can be skimmed after the attacker has pushed the Coin button to select another card.”

Another IOActive researcher pointed to potential issues in Bluetooth Low Energy. Many devices do not utilize the technology's encryption, and the most secure pairing option – out-of-band – may be ill-suited for Coin.
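The two abuse patterns described in this section, an excessive number of swipes from one device and a second stored card being read at the same terminal moments after the first (the scenario Wim Remes describes), both lend themselves to server-side velocity checks. The following is an added illustration written for this page, not Coin's own fraud-detection code; the event format, thresholds and sample swipe log are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample swipe log: (ISO timestamp, device id, stored-card slot, merchant id).
# These are made-up values for illustration, not data from any real deployment.
SAMPLE_SWIPES = [
    ("2014-01-02T10:00:00", "coin-A", "debit-1", "m-100"),
    ("2014-01-02T10:00:12", "coin-A", "credit-1", "m-100"),   # second card, same terminal
    ("2014-01-02T10:00:20", "coin-A", "credit-2", "m-100"),   # third card, same terminal
    ("2014-01-02T12:30:00", "coin-B", "debit-1", "m-200"),
    ("2014-01-02T14:05:00", "coin-B", "credit-1", "m-300"),   # different terminals: benign
    ("2014-01-02T15:00:00", "coin-C", "debit-1", "m-400"),
    ("2014-01-02T15:01:00", "coin-C", "debit-1", "m-400"),
    ("2014-01-02T15:02:00", "coin-C", "debit-1", "m-400"),
    ("2014-01-02T15:03:00", "coin-C", "debit-1", "m-400"),
    ("2014-01-02T15:04:00", "coin-C", "debit-1", "m-400"),
    ("2014-01-02T15:05:00", "coin-C", "debit-1", "m-400"),   # sixth swipe in ten minutes
]


def parse_swipes(rows):
    """Convert raw tuples into (datetime, device, slot, merchant), sorted by time."""
    events = [(datetime.fromisoformat(ts), dev, slot, merch) for ts, dev, slot, merch in rows]
    return sorted(events, key=lambda e: e[0])


def excessive_swipes(events, max_swipes=5, window=timedelta(minutes=10)):
    """Flag any device that exceeds max_swipes inside a sliding time window (hypothetical threshold)."""
    recent = defaultdict(deque)   # device -> timestamps still inside the window
    flagged = set()
    for ts, dev, _slot, _merch in events:
        q = recent[dev]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > max_swipes:
            flagged.add(dev)
    return flagged


def multi_card_same_terminal(events, window=timedelta(seconds=60)):
    """Flag (device, merchant) pairs where more than one stored card is read within the window.

    A legitimate purchase uses one card per terminal visit; several distinct cards read at
    the same terminal within a minute matches the switch-and-skim pattern described above.
    """
    recent = defaultdict(deque)   # (device, merchant) -> (timestamp, slot) inside the window
    flagged = set()
    for ts, dev, slot, merch in events:
        q = recent[(dev, merch)]
        q.append((ts, slot))
        while q and ts - q[0][0] > window:
            q.popleft()
        if len({s for _, s in q}) > 1:
            flagged.add((dev, merch))
    return flagged


def review_log(rows):
    """Run both checks over a raw swipe log and return the flagged devices and terminals."""
    events = parse_swipes(rows)
    return {
        "excessive": sorted(excessive_swipes(events)),
        "multi_card": sorted(multi_card_same_terminal(events)),
    }


if __name__ == "__main__":
    print(review_log(SAMPLE_SWIPES))
```

Both checks operate on the issuer's or Coin's own server-side event stream, so they need no changes to the card or the terminal; the thresholds are deliberately conservative placeholders and would be tuned against real transaction volumes before alerting on them.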

Future of Coin uncertain as credit providers move to new technology
Coin can only store magnetic stripe data, which is gradually being replaced by the more secure Europay, MasterCard and Visa (EMV) technology. EMV cards contain extra security features such as a hardwired microchip and a user PIN. One of the main reasons for implementing EMV cards is that their chips cannot be skimmed, calling into question Coin's entire setup, which depends on data duplication and may encourage, even if accidentally, fraudulent activity.

While EMV cards have been popular in Europe for years, they are only now making inroads in the U.S. Payment processors are shifting fraud liability for magnetic stripe cards to retailers in order to force adoption of EMV technology. The introduction of Coin at a time when the payments industry is in transition puts the device and its users in an awkward position, which is exacerbated by Coin's terms of service, which free it from providing the protections that end users have come to expect from processors.

Coin won't launch until 2014, giving it only a small window before EMV enters the mainstream. Early adopters will need to be careful and remain aware of the risk that they take on when using Coin. While the company has made concerted efforts to keep user data secure, Coin relies on old magnetic stripe technology and unproven Bluetooth Low Energy, which in tandem may produce more risk than many users find acceptable. Cybersecurity professionals should continue to push for safer payment methods, including adoption of EMV technology, to ensure data security and compliance.