There's a new product that's been making the rounds called Coin that promises to reduce the number of credit and debit cards you need to carry around to just one. It has a great video by Sandwich Video, and I was almost swayed. There were just two things standing in my way. One is the price—even the $55 (with shipping) pre-order price is a tad too rich for me right now. It is perfectly reasonable, however, for the product. The second issue is that I don't use enough cards to make it worthwhile: a debit card, and occasional credit card. Both of them fit in my minimalist wallet with room to spare.
However, after a conversation with Patrick Rhone on App.Net, I've lost all interest in the Coin project. Patrick raised a very good question:
Is it just me who looks at this and immediately thinks, “Great, just what we need. One company to get hacked for all of my card numbers and data.”?
If, as implied in the FAQ, Coin stores all their card data on a server, even encrypted, a hack attempt could pull every card a user owns and the contents of the magnetic strip, making it trivial to clone the card. 1 Even worse, as Patrick asks, “What if Coin is served with a FISA order to provide all of your card and purchase data to a government agency?” If a hacker pulls a pile of encrypted data without the encryption code, there's still a challenge to pull real data out of the mess. If there's a government order to get the data, Coin could be under the onus to decrypt it for them. Naturally, the FAQ doesn't cover these issues.
Ben Brooks disagrees, saying that Coin doesn't seem “more risky than storing, or using, a credit card with any other company on the web.” It's true, Coin has some great security features, including automatically deactivating if it's away from your phone for too long by using Bluetooth 4.0. I'm not sure what the range of that is, but if you don't store your wallet near your phone at home, you may have to re-activate your Coin before going out. There's also some sort of safeguard to prevent adding cards you don't own, but details are scant on how that aspect works.
In the App.Net conversation around Ben's piece, user @evs notes that Coin “would remove any safety for the seller to prevent fraudulent chargebacks.”, and that “many of the newer card readers have mechanisms to reject duplicated/cloned cards, which Coin is essentially doing.” Elsewhere, @gross points out the method Coin uses to switch cards may keep it from PCI-DSS ceritifcation. All of these add up to a lot more risk than many ordinary people should be taking with their financial data.
There's some awesome technology inside of Coin. From an industrial engineering standpoint, it's a pretty impressive first generation product. It also solves a problem that is real for enough people that Coin should be able to turn their business into an ongoing concern—if they can overcome the very real risks and technical implementation issues. If Coin doesn't provide some more details on implementation: if they store card data on a server, in what form, the strength of the encryption, and if they'll fight FISA requests, the risks outweigh the benefits by a large margin.
Fundamentally, the technology behind Coin is similar to a card skimmer and recorder in one. When you set Coin to use the data from your debit card, it simply records the magnetic strip data onto its own strip. If they can do it, a malicious actor can too. ↩