How would you prevent mass credit card theft in this case? Couldn't an unscrupulous person, say a waiter at a restaurant, take your card, use his/her own Coin to make a copy of your card, add it to their own Coin, and then use that card at their leisure at a future date? I know, the same question was asked re: Square and the like, but the difference is that you need a Square account to steal other people's cards, and that's traceable, whereas here, you can use the stolen card easily and surreptitiously with little notice. Except for the fact that using a Coin in itself is noticeable.
You can already steal credit cards really easily. When you hand your card to the waiter, there are machines that will save that number and you can write it to a blank card easily. They can also jot down your security number. This might make it marginally easier, but it is on one service and tracked.
I have a question - why is the guy in the video giving the card to the waiter? What is he gonna do with it? He doesn't know the PIN number to charge it. Or in the USA can you charge without a PIN? Besides, if he can just charge without a PIN, he can also just push the button on the card to charge whatever account he wants, can't he?
That is exactly the entire problem with credit card payments, online or elsewhere. Too often it relies on just the number, just the mag strip, possibly with other information that is _right there on the card_ (like that stupid CVC). This is totally insecure, and yet everybody keeps using it.
Dutch electronic payment (online or otherwise) always relies on "something you have" + "something you know" (which is secret and not shared with anyone ever). It's not airtight, but it's a lot safer than relying just on "something that can be stolen".
I'm still constantly appalled and amazed at US/international online payments relying on something as outdated and backwards as just a string of numbers and some other public information.
Really strange. Here in Lithuania we had similar systems in some places several years ago, but everyone quickly changed to always require a PIN. Even in restaurants they come with a wireless card reader and you don't even let your card out of your eyesight.
Except that names aren't required to match on credit cards. For instance, my wife is an authorized user on my card. Her signature is on the back, my name is on the front. Similar situations abound for business use cards.
We seem to have stronger laws about this sort of thing in place at the moment. In the US, it seems, just swiping the magnetic stripe is still the way it's done. How quaint!
The company card I used had my name on it, as for all other cardholders; and cards with the wrong gender are treated in shops as unacceptable if they notice, though in 90% of cases they don't, unless it's a large purchase and they want ID.
Card.io will scan cards and OCR them. Maybe they do something like this to ensure the name matches the registered name on the account? https://www.card.io
I go by my middle name, but some places have forced me to use my first name, so my cards are a mix of my first+last and middle+last name. So then I would look like two different people to this coin wallet?
But a waiter doesn't ask for ID when taking your card... so even if the Coin identifies you as John Smith when you pay your check, the fact that you are Steve Jackson who presented the card doesn't mean anything. And you can have multiple cards with multiple names in your Coin.
Currently, one assumes you can take a picture of any card and store it for visual purposes. There's zero explanation of how they authenticate a physical card (photo) with the swipe data.
Yes, card cloning devices have existed for decades, but this automates the process, allows you to carry a single (disguised) device that can store multiple cards. If one doesn't work, try another card, without eliciting suspicion, and simply replace / swap cards that are cancelled.
The old method requires use of credit card blanks, a duplicating device, and the card itself doesn't look like the card when presented in person. In this case, as someone mentioned, Coin doesn't display the card #s on the front, so it's like a Card Not Present (CNP) transaction, but needs to be treated as if it was.
This doesn't bring anything new to the card skimming operation, but it simplifies, optimizes, and can in some ways facilitate it. They need some sort of ideally biometric authentication and/or a server that identifies when two Coin devices carry the same cards on it to avoid this sort of fraudulent use.
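The server-side check suggested in the comment above (flagging when two Coin devices carry the same card), sketched as an added example that is not part of the thread and not Coin's code. The registry class, account and device names, and the HMAC key are hypothetical, and the card numbers are standard test numbers.

```python
import hashlib
import hmac
from collections import defaultdict

# Assumption: a server-held secret so the registry never stores raw card numbers.
SERVER_KEY = b"constructed-demo-key"


def card_fingerprint(pan: str) -> str:
    """Keyed hash of the card number, ignoring spaces and dashes."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return hmac.new(SERVER_KEY, digits.encode(), hashlib.sha256).hexdigest()


class EnrollmentRegistry:
    """Tracks which (account, device) pairs have enrolled each card."""

    def __init__(self):
        self._holders = defaultdict(set)  # fingerprint -> {(account, device)}

    def enroll(self, account: str, device: str, pan: str):
        """Record the enrollment and return prior holders on OTHER accounts.

        The same account on a second device (a replacement unit) is not
        flagged. A non-empty result is a review signal, not proof of fraud:
        a shared card, such as the authorized-user case raised in this
        thread, would also trigger it if both users enroll the same number.
        """
        fp = card_fingerprint(pan)
        conflicts = sorted(h for h in self._holders[fp] if h[0] != account)
        self._holders[fp].add((account, device))
        return conflicts


if __name__ == "__main__":
    reg = EnrollmentRegistry()
    # Constructed sample enrollments using well-known test card numbers.
    events = [
        ("alice", "coin-A", "4111 1111 1111 1111"),
        ("alice", "coin-B", "4111-1111-1111-1111"),
        ("mallory", "coin-M", "4111111111111111"),
        ("mallory", "coin-M", "5555 5555 5555 4444"),
    ]
    for account, device, pan in events:
        hits = reg.enroll(account, device, pan)
        status = f"REVIEW, already held by {hits}" if hits else "ok"
        print(f"{account}/{device}: {status}")
```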
This makes it less suspicious. Traditionally a lot of small-time (i.e. Vegas) skimmers write mag-stripes onto other cards ranging from hotel key-cards to expired credit cards, but in places where skimming is common gas attendants and cashiers are trained to watch out for warning signs including lots of expired cards, trying lots of cards, name on computer doesn't match name on card, and especially hotel keycards at gas stations.
This device defeats all these human security measures by letting me use a startup bling device to try up to 8 cards at once without looking suspicious at all. "Declined? shit, my newfangled e-bling card must have messed up - try it again!" (while silently changing cards using the button). "No name on the card? Card isn't signed? You want my ID? But this is the hottest new toy! Promise it's fine!"
This is interesting. You can just buy blank magstripe PVC cards in bulk for very cheap on Amazon. You can buy an ID printer for a couple grand. Why the need to repurpose old cards?
I'm not actually experienced with street-level card skimming beyond anecdotally, so I'm not sure. But my initial speculation is this:
- Centralized location / evidence. A stash of blank cards and an ID printer have to go somewhere, and look suspicious to start with. The gear to skim cards and write them onto existing magstripe cards can be stored in a small space or on one's person and thrown away quickly; there's no centralized location. I believe hotel keycards are used because of their availability. There was a sensationalized national news piece a few years ago about pimps giving women hotel keycards with credit cards written on them to buy gas with.
- Start-up cost. A couple thousand $$ in an ID printer is more than $0; that's what would divide street-level carders from professionals who probably wouldn't be passing overwritten cards at retail anyway.
It affects the UX somewhat, but since it has to be in proximity (implying data contact) to your phone to operate, you could just move the "switch active card" feature to the mobile app, not the Coin itself, then you wouldn't have to worry about people in possession of the Coin (e.g., when you use it to pay the bill in a restaurant) toggling through the other cards stored on it for nefarious purposes. Or, for less impact on UX, put a "lock active card" option on the mobile app, and still leave the actual card switching on the Coin.
I typically hand out a Google Voice # as a sort of DNS for phone calls so that I can change my device number at will.
Wouldn't this allow me to swap out credit cards in a pinch without having to carry new plastic? Or, as you suggest, if I lose my Coin do I have to get all new cards?
If you lose your Coin, and someone else picks it up, then you've compromised not just one card, but multiple. Unless I'm missing some sort of authentication when using Coin? And if that authentication exists, how would the non-Coin holder use that card? Is there a timeout that requires the user to authenticate, select a card for presentment, and holds that card in the stripe until a timeout? If not, then there are problems here.