Coin wants to combine all of your cards into one, but how well will it work?

The Internet has been buzzing about Coin, a credit card replacement announced last Thursday. Currently taking pre-orders, and planning to launch Summer 2014, Coin is a credit card-sized device which is capable of storing and behaving as pretty much any card with a magnetic strip: credit cards, gift cards, membership cards, etc. Coin allows you to select which card you want to use, and when you or a merchant swipe your credit card, the information for the appropriate card can be read from Coin. Replacing every card in your wallet with a single, card-sized device is exciting to think about, but obviously a product like this raises a lot of questions.

How secure is Coin?

When you're putting a considerable amount of your payment information into a device, you want to know how well your information will be protected. Coin has answered many questions in their FAQ including several about security, but they leave some questions unanswered.

Coin states that their servers, mobile apps, and card use "128-bit or 256-bit encryption for all storage and communication (http and bluetooth)." This sounds nice, but doesn't mean a whole lot. The effectiveness of encryption depends greatly on its implementation. It doesn't matter how strong your encryption is if your implementation is flawed – a locked gate isn't very secure if somebody can easily climb over or walk around it. This is not to say that I think Coin's implementation is flawed – I have absolutely no clue what their implementation looks like because they haven't shared those details – I only mean to point out that Coin's answer doesn't tell us much.

How much does this matter? Not as much as you might think. It would certainly be preferable to see Coin use a rock-solid, peer-reviewed, highly-secure implementation, but it's important to remember that credit cards are pretty insecure to begin with. Not only are credit cards not encrypted, nearly all of the information necessary to make a clone of your credit card is printed visibly on the card itself. Even if Coin totally botches the encryption (and I'm not trying to imply in any way that I think they will), if a criminal acquired a Coin with several of your credit cards on it, and for some reason you didn't have it set to deactivate (a security feature offered by Coin when your card is away from your phone for too long), they would be in possession of the same payment information as if you had lost your wallet with several of your credit cards in it. Coin does offer several security advantages over actual credit cards (alerting you when you leave your card behind and automatic deactivation), but even if those fail, the information you stand to lose is the same. In fact, considerably less information is available from the physical appearance of Coin than the information printed on your credit cards.

The only possibility I see for greater exposure to fraud with Coin would be a scenario where a merchant has the ability to swipe your Coin outside of your presence, such as at a restaurant when a waiter or waitress takes your card. If they were taking cards in the back to run through a skimmer in order to grab all of your credit card info for fraud later, with a Coin they could copy the information for all cards on your Coin, whereas using a normal credit card they would only have access to a single card's information. This sort of fraud does happen, albeit to a relatively small percentage of card holders, so people will have to evaluate for themselves how much of a concern this specific type of scenario is. In cases like this, consumers in the U.S. are usually covered by fraud protection which only leaves them responsible for a maximum of $50 per card, and in some cases, none at all.

What's the fraud liability with Coin?

This raises an interesting question: who is responsible for fraud committed when Coin is involved? U.S. consumers are protected from credit card fraud by the Fair Credit Billing Act (FCBA). According to the FTC, consumer liability for a stolen credit card is limited to $50 per card. If somebody uses your credit card number for fraud, but the card was never lost or stolen, you're not liable for any unauthorized use. This is noteworthy because it's unclear how Coin will be seen in the eyes of merchants, credit card companies, and the law. If you lost your wallet, you could be on the hook for $50 for every stolen card used for fraud. If you lost your Coin... well, you never technically lost the actual card, so the argument could be made that you shouldn't be liable for anything. But this is where things get a little hazy: is Coin a credit card or not?

While consumer liability for fraud is limited, somebody has to pay when fraud is committed. The brunt of this responsibility falls on the merchant who processed the fraudulent purchase and the financial institution who issued the credit card. Merchants who process credit cards have merchant agreements with credit card companies that establish rules and guidelines between the two parties. The specifics will vary between merchants and financial institutions, but generally speaking if a merchant follows guidelines set forth in their agreement for taking payment, their liability for any chargebacks made as a result of fraud will be limited. However, if the merchant does not follow the guidelines and does not perform their due-diligence to ensure a purchase is not fraudulent, they may be the one liable for fraud.

Some of the most fundamental mechanisms for fraud prevention are the security features present on all credit cards. All credit cards include visible features to help verify the authenticity of a card such as the credit card company's logo, holograms, embossed security characters, and tamper-evident signature panels. Merchants have to be cautious about accepting suspicious looking cards because if they do, they could be held liable if it's a fraudulent purchase. While a Coin card may hold the credit card information necessary to make a purchase, it looks nothing like existing credit cards that merchants have been trained to accept. It doesn't include security features that all major credit cards companies specifically instruct their merchants to verify. Discover even offers a handy reference to help merchants identify valid cards. Many merchants may have no problem accepting Coin, but they also have no obligation to and may not for fear of being held liable for fraud.

Unanswered questions about Coin

We have a few more questions that we're waiting to hear back from Coin on that seem worth mentioning here. We previously discussed the security of the Coin card itself and how it stacks up to losing a wallet, but what about information stored on Coin servers? The Coin FAQ states that your Coin is tied to your account, not your specific device. This means if you ever lose your phone, you can simply pair your Coin with a new phone using their app. Since the Coin card loads your credit card information from the app, this means syncing to a new phone would either require you to re-enter all of your cards and re-sync data to your Coin, or your Coin account holds all of your credit card information and can sync to the app once you sign in. The latter is obviously the more convenient route, but would require Coin to store all of your credit card information on their servers. We have yet to get confirmation that this is the case, but if it is, it obviously poses some security concerns. You're not just trusting Coin to securely store your credit card information on your Coin card and in their app, but on their servers. That's entrusting a lot of financial information into a single location in the cloud. And we're not just talking credit card numbers, but full track data. It's everything necessary to create an exact copy of your credit cards.

For their part, Coin has stated in their FAQ that they are currently in the process of getting PCI DSS (Payment Card Industry Data Security Standard) certified. PCI DSS is a payment industry standard for any organizations that handle cardholder information. PCI DSS is good in that it establishes a security baseline for organizations to follow who will be processing credit card information. It's bad in that it's pretty much limited to what most would consider common sense. PCI DSS requirements offer sage advice such as "Do not use vendor-supplied defaults for system passwords and other security parameters" and "Use and regularly update anti-virus software on all systems commonly affected by malware". The effectiveness of PCI DSS is certainly up for debate, but there's no harm in Coin getting certified – it at least shows a desire to meet industry standards.

That said, it's unclear if Coin will be able to obtain PCI DSS certification. One of the pieces of information that Coin stores for each card is the CVV. The CVV is the three-digit number on the back of the card and is usually required for "card not present" purchases, like online shopping or placing an order over the phone. The purpose of CVV is to prove that the consumer is in possession of the actual credit card. In order to ensure its effectiveness, PCI DSS requires that no organization that stores, processes, or transmits credit card information saves the CVV (or full track data for that matter). Coin doesn't (and can't, in order for its product to work) meet these requirements. However, PCI DSS does offer exemptions for "issuers and companies that support issuing services" if there is a business justification and the data is stored securely. Once again Coin falls into a bit of a gray area. They're not a card issuer, but do they qualify as a company that supports an issuer? We've reached out to Coin asking about these requirements and look forward to getting clarification from them – we'll update this post when we do.
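An added example, not from the original article or from Coin: a scanner a defender could run over stored records or logs to find and redact full Track 2 magnetic-stripe data, the content the paragraph above says PCI DSS does not allow to be retained. It assumes the ISO/IEC 7813 Track 2 layout; the sample records, function names and the 4111... test number are constructed for illustration.

```python
import re

# ISO/IEC 7813 Track 2: ';' PAN '=' YYMM service-code discretionary-data '?'
TRACK2_RE = re.compile(r";(\d{12,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")


def luhn_ok(pan):
    """Luhn checksum: filters out digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def _is_track2(m):
    """A regex hit counts only if the month is valid and the PAN passes Luhn."""
    return 1 <= int(m.group(3)) <= 12 and luhn_ok(m.group(1))


def find_track2(text):
    """Return one finding per plausible Track 2 string in `text`."""
    findings = []
    for m in TRACK2_RE.finditer(text):
        if not _is_track2(m):
            continue
        pan, yy, mm, service, disc = m.groups()
        findings.append({
            "masked_pan": mask_pan(pan),
            "expiry": "20%s-%s" % (yy, mm),
            "service_code": service,
            # Report only the size of the issuer-defined field, never its value.
            "discretionary_len": len(disc),
        })
    return findings


def redact_track2(text):
    """Replace each plausible Track 2 string with a masked placeholder."""
    def _sub(m):
        if _is_track2(m):
            return "[TRACK2 %s REDACTED]" % mask_pan(m.group(1))
        return m.group(0)       # leave look-alikes untouched
    return TRACK2_RE.sub(_sub, text)


# Constructed sample records (not real card data).
SAMPLE_RECORDS = [
    "card_sync user=1001 payload=;4111111111111111=2512101" + "0" * 13 + "?",
    "order id=;1234567890123456=25121010000? status=ok",   # fails Luhn
    "note: customer called about card ending 1111",
]


def scan(records):
    """Return (record_index, finding) pairs for every record with track data."""
    return [(i, f) for i, rec in enumerate(records) for f in find_track2(rec)]


if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_RECORDS):
        print("record", idx, finding)
    for rec in SAMPLE_RECORDS:
        print(redact_track2(rec))
```
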

Can Coin gain acceptance?

Technical questions aside, Coin has generated a lot of buzz, and the real question is: does it have what it takes to gain the traction needed to stick around? Square has been wildly successful at shaking up the payment industry, but there are two key differences between Square's approach and Coin's. First of all, Square established relationships with major credit card companies before rolling out. Square's situation was a little different than Coin's because Coin won't actually be processing payments, but being backed by credit card companies gave Square immediate trustworthiness with merchants and consumers. Square also targeted merchants first. Offering benefits over traditional card processing companies meant merchants had incentive to use Square. For many merchants, Square meant being able to accept credit cards for the first time. Consumers were on board because it meant being able to pay with credit cards in more places, and it had no negative impact on their ability to pay. Coin is targeting consumers first. In fact, Coin's CEO told CNN Money that they have no intention to talk with merchants:

"We don't plan to go out of our way to educate the merchant world about it, because we're focused on the consumer side, and anyone who works on the merchant side is also a consumer anyway."

Of course, in many cases merchants won't have a say. Anywhere that a customer can swipe their own card, merchant concerns essentially become a non-issue. Though Coin users may want to carry a backup card for any instances where a non-compliant cashier is the one who has to swipe.

In the long run, Coin would stand to benefit by getting merchants to recognize and willingly accept Coin. Credit card companies will need to openly support the product with clear policies for consumers and businesses. Once card companies state that merchants accepting Coin cards won't be liable for fraud, merchants will need to be educated on accepting Coin. Having a single Coin card to store all of my credit cards offers some convenience, but not nearly as much convenience as handing over a credit card to pay without having to explain my latest gadget to the cashier, or wait for the establishment to call the credit card company for authorization. Some credit card companies even have policies stating that if a merchant suspects a card to be fraudulent, they should keep it if possible. Tech-savvy gadget-lovers are intrigued by the idea of Coin, but some merchants might just be left confused as hell.

Coin isn't set to be available until Summer 2014, which gives them a lot of time to iron out any wrinkles and talk with credit card companies if they so desire. Should card companies choose to stay silent, it would likely have a minimal impact on Coin. Consumers have already shown a great deal of interest, with Coin hitting its $50,000 fundraising goal in only 40 minutes. The backing of a major credit card company could be what takes Coin from a niche product to gaining widespread public adoption – regardless, consumers are already showing significant interest.

Nick Arnott

Security editor, breaker of things, and caffeine savant. QA at Double Encore. Writes on neglectedpotential.com about QA & security, and as @noir on Twitter about nothing in particular.


Reader comments


Don't forget to mention this is pretty useless in countries with Chip and Pin. That is most places outside the US. Also.. US is planning to start implementing it in 2015.

You are correct: Coin does not currently support Chip and Pin, though they say they intend to add it in a future version of the product.

I'm skeptical they'll be able to. They say they intend to, but how? You can't copy the chip by reading it. They may know something about chip and pin that I don't, but if they're able to copy its functionality, that renders the security provided by chip and pin useless as it's not supposed to be copyable.

I travel outside the US about once a year, sometimes more. If I'm going to pay $50-100 for Coin it needs to have Chip & PIN capabilities otherwise it's not worth the investment.

NFC is soooo 2012 already? ....oh please, I want to carry around another piece of hardware. *facepalm*

I wouldn't trust my data or $ to anyone other than the Banks or Credit Card companies...no thanks

Prefer this concept to using my phone. It disables if away from phone over 10 minutes. Wish my current cards did that! While I love the idea, I want to see it adjustable/configurable by me, amount of time, hours, days, etc. Also, a card is nice because I don't want to be handing my phone to some waiter in the future.. and if wife/kid needs it, I want the option of not having to fork over my phone, which I use to communicate with.

A card is simple and will not be going away any time soon... Having your phone do EVERYTHING has major drawbacks once you realize you're without it for any amount of time. Lose your phone, it breaks, dies.. Not only can you not pay for anything but you can't call anyone to get help! DOH!

That last point is why I want to see some more advanced security options. Chip/Pin, for example. I also want to see the ability to enable the card away from my phone.. for the exact reason I named above. I've learned the hard way, don't rely too much on any one given device.. or you'll be screwed at some point.

Too bad it doesn't truly have a holographic interface...
This is interesting. It's a refreshing take on payment solutions. I like the idea of what it offers, yet I don't see myself being an early adopter of this tech... I have to say, though, I'd still rather be able to use my phone to conduct purchases, in fact, I'd dare say that I'd like to [securely] have legal forms of tender and identification available on my phone - then I wouldn't have to carry a wallet & a phone. ... Now I just have to find a way to replace that pesky, heavy key ring.

I barely trust my bank to handle money let alone a piece of hardware that "has too many questions". Good concept but more security is needed.

Sent from the iMore App

My cards work fine as well, however between my bank card, credit card, and loyalty cards, it makes my wallet thicker. Coin's premise appears to physically consolidate all those cards into one 'multipass' card instead of having to carry one of each. I like the concept of tethering to your phone for security reasons. Lots of security concerns are present, but this is some seriously cool futuristic stuff if they can prove it's secure enough. I'm intrigued.

Sent from the iMore App

Yeah, but if you have more than one or two credit cards, you're basically "doing it wrong" and all the loyalty cards can be consolidated on the phone already, either through Passbook, or through simply keeping a list of your numbers.

It says you can also load loyalty and gift cards in it, which I think that's what I'd use it for the most.

My question is what if you swiped a Coin card in a Square reader? Would it create some technological mobile payment paradox?

Sent from the iMore App

I don't think this is a good idea, most people have too many credit cards and are over extended on credit. Why do we want to give them a way to carry even more credit cards than they already have now?

Not all of us are financially irresponsible. I don't think that having to carry an extra card will make the difference between someone living within their means and spending themselves into massive debt. That's kinda silly.

Sent from the iMore App

I like the concept and chances are I will get one... But I will wait until the chip and pin cards becomes available.

Sent from the iMore App

Thanks for looking into much of this and asking more questions than most of us have thought of. I preordered one and have been wondering if I made a mistake. Hopefully we see more information as summer 2014 approaches.

Sent from the iMore App

Another concern is the cost - $100 every other year? The cost after pre-order is $100 and the non-replaceable battery lasts 2 years.

I'm wary of products that store my financial information. It took me a lot of convincing that ordering stuff online was safe and secure. I love the convenience of this product but need to find out about the security before I can be on board. But it looks like an awesome product if it's 100% safe.

Sent from the iMore App

So if I have a coin, how much info from someone else's card do I need to clone their card? In other words, when I hand my regular card to a server and they have a coin can they clone my card?

Yep, just like they can skim your current card. The only difference being with Coin they can skim all your cards instead, not just the one you gave to the merchant.

I'm not actually sure that's correct. Adding a card may require more info than what's on the card itself (for example they could require a zip code to confirm against the billing address kept at the credit card company.)

While clearly they could get a skimmer to clone a card, this actually short circuits a number of steps. For example, a skimmer collects the info but doesn't make the cards. They have to take the collected info and put it on cards. With Coin they may be able to store the card info and go and use it immediately. As soon as one card stops working just flip the Coin to another card without having to carry a whole bunch of cards with them (which looks suspicious.) Improperly implemented Coin could make it faster to clone and easier to use cloned cards.

From the FAQ: "The Coin app requires that you take a picture of the front and back of the card, type in card details, and then swipe the card (using a reader we provide) to ensure the card’s encoded magnetic stripe data matches the card details provided. It is not possible to complete these steps unless you are in physical possession of a card. As an additional safeguard, the Coin app will only allow you to add cards you own."

Very interesting, detailed and timely essay on the pros and cons of Coin. Several important questions have been raised.

As a gadget–freak, I've already preordered mine. Upon reading this piece, I have my doubts now. Since I carry only two cards - a debit and a credit, I'm seriously thinking of canceling my preorder and wait until Coin becomes more mainstream.

If you want to use card A, you hit the button until it shows up on the screen and give it to the server. What's to stop the server from accidentally hitting that button, charging card B inadvertently?

Though we won't know the effectiveness until Coin can actually be tried out, they address that question in their FAQ with this: "We’ve designed the button to toggle cards in a way that makes it difficult to trigger a "press" unintentionally. Dropping a Coin, holding a Coin, sitting on a Coin, or putting the Coin in a check presenter at a restaurant will not inadvertently toggle the card that is selected."

The author of this article lost me with:

"[blah blah blah]...would be a scenario where a merchant has the ability to swipe your Coin outside of your presence, such as at a restaurant when a waiter or waitress takes your card. If they were taking cards in the back to run through a skimmer in order to grab all of your credit card info for fraud later...[blah blah blah]"

That would've best been edited out completely after 'outside of your presence'. The blog article turned useless with that sentence, unless it's 'insult and belittle your worst-liked profession' day ;-)

No insult intended, it's simply the first example that came to mind, and I wrote in what level of detail I felt was needed to properly illustrate the point.

No explanation is really needed -- it digresses from explanatory to commentary -- if someone has the ability to read, little idea balloons will form above their heads when they read that sentence as they think of different situations where someone might step away to swipe their credit card.

Ooh, finally, I already preordered mine after I saw Michaluk post about it on G+. Love the idea, love everything about it, can't wait for mine to be delivered.

Sent from the iMore App

Maybe after all the wrinkles are out and the price is free I will be down with it. How are they making their money aside from the initial 50.00? If that is the only way coin makes money then I guess it will never be free and it will be a no for me.

Sent from the iMore App

This looks pretty cool. If I actually had enough cards for this to be useful I would try it! Depending on the $$$$

Sent from the iMore App

The thing that intrigues me is the ability to put multiple gift cards and reward cards on coin. I only have one debit card as of now and I only intend to get one credit card, so that's not that much of a hassle. But the gift cards can be a bit cumbersome especially when you forget to lug one around with you and you're eligible for 20 or more percent off. I would love to see how coin develops and if it can be truly secure. Because lord only knows that I need that 20 percent off

Sent from the iMore App

It's a cool concept but is it truly thought through? All the comments and concerns are the same valid concerns I have, but that being said, great idea, as my cards are constantly damaged from use. If I had the extra 50 bucks I'd give it a shot.

Sent from the iMore App

I agree there are a lot of questions that need to be answered, but I for one am rooting for this. I would absolutely purchase and use this exclusively. I have three personal bank accounts, three credit cards, and a business corporate card. To be able to just carry one would be awesome. Hopefully this isn't just a pipe dream

Sent from the iMore App

This seems like one of those great ideas of a future that will never be.

Seems clever and cool, but if we are all going to carry around a digital device that stores all of our credit cards... It's going to be our phone.

Sent from the iMore App

This might have been useful 20 years ago when people used to carry 20 or so credit cards from various stores and gas stations. I don't think many people do that anymore, maybe a debit card and 2 credit cards at most. Doesn't seem worth the extra hassle.

Great overview of Coin. I don't see it catching on due to the fear of consumers trusting it. Also, having to pay $100 every two years after the battery dies is a little costly for this type of convenience.

Sent from the iMore App

I agree. I don't think it will catch on. Pretty slick little ad, but I hate to think that this is as good as it gets. After decades of swiping and carrying around cards, someone finally makes another card where you have to swipe all your cards into it so you can carry around one card and swipe that. How genius. Did I mention it has a battery, costs $100 and dies after 2 years? No thanks.

There is little, to no, real "inventing" going on today. Why do I still carry all this crap? Car keys are finally becoming blocks instead of metal shaped objects and even those don't work right. I started another model (same brand) with a different model's key the other day. Can't believe more of this stuff is not controlled by voice and biometric data. After all, I am still signing a legal agreement to promise to pay a company back for some money they lent me for a pack of gum. Signatures, keys, cards, and receipts are something I want to be rid of.

This is a game changer. I've been wanting this for a long time. I would pay a lot to be able to use this .

Sent from the iMore App

I'd rather pay $100 for the next generation device with the RFID instead of paying $50 plus interest to wait 8+ months for to receive their first-gen product.

Sent from the iMore App

Seems like a very interesting concept. I'm interested to see how it is accepted by merchants and consumers alike.

Sent from the iMore App

I guess it's pretty interesting to see how it will turn out in general. It's one of those things that can either make huge waves in the field or totally flop. For me, I don't think I'll partake with this Coin business.

Sent from the iMore App

A good read, and well written article covering many aspects of usage of credit card. Good job, looking forward for more from you.

I am an early adopter in coin. That being said I haven't received my preorder yet. (Obviously) but I will be reporting on this as soon as possible. I'm honestly excited about this but only time will tell.

Sent from the iMore App

This sounds like an amazing idea. I hate having a bulky wallet so the more cards I can get rid of the better. However many of the questions raised will probably keep me from being an early adopter. Having to buy one every 2 years or sooner also sucks. I'd like it for reward cards but I already have an app for that so it's not worth the cost.

I'll be interested to see how this is adopted by the public and merchants. If stores will accept it and they prove secure, I'll probably snag one in a year or so. Kudos to Coin for bringing out a cool new use of technology and giving it a go. I hope it takes off.

Sent from the iMore App

I agree that the obvious flaw in this card is the fact that the US is actually behind the rest of the world in this area and has already switched to chip and pin which would be essentially impossible to integrate into a system of this kind. I haven't swiped a credit card for at least five years or more.

Another possible flaw came up when watching the video though is that they show the guy selecting which card he wants used with a simple button on the back that appears to have no lock or security. I would be constantly worried that the waiter had inadvertently touched this button on the way to the kitchen and thus altered which card is being used for the transaction.

It seems like a very faulty implementation at best and with the one card, you can't actually see what card was used or how much was taken off. I would rather have the cards implemented right in the app, (much like how Apple's Passbook is supposedly going to work one day) and use the phone to pay for things. It would be way more secure, the card being used would be crystal clear and there would be no way for the waiter or a third party server to get in the middle of the transaction either inadvertently or on purpose.

This is clearly a technology that will be obsolete before it's even ready to ship and anyone investing in it is probably a bit of a fool.

Add Chip and NFC and I'm sold.

Sounds like a good idea. I have way too many cards in my wallet. Almost need a second.

I can see the practicality of such product, and I think there's certainly a need for it.

$50 is a fair price, but let's put it through its paces after launch and see how far it goes. Security is essential, so I need to see some tests, and watch how reliable the companies can be with a third party product, If you will

Sent from the iMore App

Pretty cool, especially if you have access to someone else's credit card for a minute. Clone it, then give it back to them. You can wait a while and then go on a shopping spree. They won't know how it happened because they still have their card. I think this will be a big hit with thieves!

Sent from the iMore App

Agree it is a great concept but too many unknowns for me to want to use it right now. My biggest concern is the what happens if it is lost or stolen. As Nick points out, there is no guarantee credit card companies and banks will view a lost-stolen Coin in the same way they are legally bound to view a lost-stolen credit card.