
Technological alternatives to cash and credit have entered the spotlight in 2013. New hardware and software solutions are designed to further computerize and streamline payments, and some of them have gone so far as to simulate currency.
For example, the cryptocurrency Bitcoin has risen to prominence among tech-savvy individuals attracted to its anonymous, tax-free nature. At the same time, these very features have raised concerns about the contributions of Bitcoin, and analogous offerings such as the Coin payment card, to facilitating theft and other malicious activity both on the Internet and in the physical world.
Coin: A new consolidated payments device with many potential risks
Coin isn’t as radical a creation as Bitcoin, but it should prompt many of the same security questions associated with Bitcoin. Designed to replace individual physical payment cards, Coin is a smartcard, powered by a rechargeable battery, that can store information from credit, debit and rewards cards. Original card information is uploaded to a user’s smartphone and synced to Coin via Bluetooth.
The practical use case for Coin is straightforward: It consolidates many payment methods into a single gadget, letting buyers carry fewer things in their wallets and opt into greater convenience. However, from a security standpoint, Coin is problematic on multiple levels.
Fundamentally, linking so many payment accounts to a single device dramatically raises the stakes for securing both the endpoint and all of its communications. Rather than getting info on just one credit card, a successful attacker could potentially scrape details on a user’s entire financial background.
On a more technical level, there are concerns about the security of the new, mostly unproven Bluetooth Low-Energy protocol that Coin uses to communicate with other devices. Coin’s reliance on smartphone and mobile apps means that securing it requires locking down several different fronts, and security professionals have found Coin’s efforts in this regard lacking.
There’s also the matter of compliance. The payment card industry is highly regulated, and it isn’t clear if or how Coin enables compliant transactions – it’s possible that swiping a Coin card is tantamount to duplicating a credit or debit card, which would run afoul of forgery regulations. As with Bitcoin, Coin demonstrates the diligence that the security community must pursue in regard to any solution that involves monetary transfer.
Security community raises concern about malicious Coin use cases
When users set up Coin, they swipe their payment cards using a peripheral that plugs into a smartphone. After that, they must take a picture of the front and back of the cards to complete the process, at which point the card data is stored on the phone, synced with a server and transmitted to Coin via Bluetooth Low-Energy.
Coin and the paired smartphone must be kept within a certain proximity or the card will not function properly. Under normal conditions, users can take out Coin, scroll to the card they want to pay with and have the merchant swipe it as if it were a normal card. The card has a rechargeable battery that is estimated to last for up to two years.
To its credit, Coin utilizes a number of industry-standard security measures to protect users and their data. Communications involving the Coin app, device and associated servers are all protected with 128-bit and 256-bit encryption, and the company has kept an eye on fraud by implementing detection mechanisms for excessive numbers of swipes.
Still, some observers regard the Coin app as essentially a card skimmer that does some of the legwork for payment data thieves. On top of that, Coin may have insufficient authentication mechanisms – other than its Bluetooth pairing with a smartphone – to completely mitigate the risk of unauthorized access and misuse. Since Coin keeps data on multiple cards, gaining access to it would enable a rogue user to essentially have access to the victim’s entire wallet.
“[A] person that gets temporary access to your Coin device would be capable of recording magnetic stripe data from all the cards stored on it,” stated IOActive managing consultant Wim Remes, according to The Register. “Most cards currently get skimmed in retail environments and it is not too difficult to track down where a card got compromised. With Coin, however, a user could present a debit card that will get correctly charged while the credit card can be skimmed after the attacker has pushed the Coin button to select another card.”
Another IOActive researcher pointed to potential issues in Bluetooth Low-Energy. Many devices do not utilize the technology’s encryption, and the most secure transmission option – out-of-band – may be ill-suited for Coin.
Future of Coin uncertain as credit providers move to new technology
Moreover, Coin can only store magnetic stripe data, which is gradually being replaced by more secure Europay, MasterCard and Visa (EMV) technology. EMV cards contain extra security features such as a hardwired microchip and user PIN. One of the main reasons for implementing EMV cards is that their chips cannot be skimmed, calling into question Coin’s entire setup, which depends on data duplication and may encourage, even if accidentally, fraudulent activity.
While EMV cards have been popular in Europe for years, they are only now making inroads in the U.S. Payments processors are shifting fraud liability for magnetic stripe cards to retailers in order to force adoption of EMV technology. The introduction of Coin at a time when the payments industry is in transition puts the device and its users in an awkward position, which is exacerbated by Coin’s terms of service that free it from providing the protections that end users have come to expect from processors.
Coin won’t launch until 2014, giving it only a small window before EMV enters the mainstream. Early adopters will need to be careful and remain aware of the risk that they take on when using Coin. While the company has made concerted efforts to keep user data secure, Coin relies on old magnetic stripe technology and unproven Bluetooth Low-Energy, which in tandem may produce more risk than many users find acceptable. Cybersecurity professionals should continue to push for safer payment methods, including adoption of EMV technology, to ensure data security and compliance.