181 comments

[ 3.4 ms ] story [ 214 ms ] thread
Ships 2014, EMV liability shift 2015. So these are good for about a year or so.
What does that mean? EMV liability shift?
It means that as of 2015, merchants in the US who accept magstripe (as opposed to chip and pin) are responsible for any fraud that occurs when the payment was made with magstripe.

Even if US retailers were accepting magstripe and taking on the risk, I doubt they would accept a sketchy-looking unlabelled card.

It means merchants will be liable for counterfeit card fraud if the transaction mechanism used isn't EMV aka chip and pin, i.e. magnetic swipe cards are done.

Coin is betting the EMV deadline will be pushed out indefinitely or is using this gadget as a trojan horse for something bigger.

(comment deleted)
Maybe in the EU. The US is dragging its feet on the whole PIN/CHIP migration. I had to specifically request my Platinum Amex have a chip on it, and Amex still doesn't support pin and chip with it, only chip and signature (which means it still fails often enough for me in the EU to be a pain).
> Maybe in the EU.

*the remainder of the world.

> The US is dragging its feet on the whole PIN/CHIP migration.

Merchants are dragging their feet. The liability shift deadline is instituted by the card schemes themselves.

Okay, but I'm in the US and the US has ~300 million people (vs 500 million spread throughout the EU).

What happens in the EU doesn't always effect the US, and vice versa.

You mean the USA has non standard tech/standards and companies have to produce two SKU's one for export one for home - you fail production engineering 101.

The fiasco over not implementing GSM like the rest of the developed world did is a good example - less NIH might help.

It's not the entire world - for example, Square was able to bring their magstripe-only technology to Japan without much interference.
I will be hesitant to purchase without an incredibly transparent security policy.
I can't tell from the site if your card data is stored on your phone or not. If it is, then you're going to have to replace all of your cards if you lose your phone.

Also, shouldn't the merchants be checking the signature on the card?

They should but only 40-50% do, I write "Ask for ID" on the signature portion. The ones that read it, ask me for it. Better than a signature that a cashier won't question anyhow.
In Minnesota, I'm having more merchants threaten to take my card for just saying that. Visa seems to say you should write "See ID" and also sign it: http://usa.visa.com/merchants/risk_management/card_present.h...
I was curious about this and browsed through their operating regulations. It says something to the effect of "Visa considers a signature box that only says See ID to be blank".

So the pedantic response to your second sentence is that they consider the See ID irrelevant (and once there is a signature, it is apparently a violation of the merchant agreement to ask for ID, but I didn't look for that in the operating regulations).

I have had a debit VISA card for the last 8mo in SF with "SEE ID" in the signature part and I have been asked to show my ID probably 6 times so far.
This is the biggest downside in my opinion. Theoretically any merchant should deny any card without a signature, End of Story. In the merchant agreement they sign with Visa and MasterCard, they agree that any fraudulent charges where they did not check the signature are their responsibility.
How often are the cashiers checking the back of the card? Many of the card readers I see are on the customers' side of the counter, and I swipe it myself, often because I'll enter a pin. Also there are self-checkout kiosks with little or no supervision. I don't think that the lack of a signature line is the _biggest_ downside.
(comment deleted)
This product is overly restricting it's market, I feel, since in Europe EMV (or "chip and PIN" as it's known in the UK) is ubiquitous. Payments worldwide are moving over to this system from magnetic strip cards, so I fear that this (useful) product has been invented too late once the tech it relies on is already speedily in decline!

I imagine, due to how the cryptography works, it might not be as simple to create a product like this for chipped cards.

In the US the chip and pin is hardly used. None of mine or my wife's cards even have them. I can't say that I've even seen a card with a chip in it that wasn't in a commercial. The readers are nowhere near common here either, not even in major stores. We've still got a LONG ways to go on that front.
It appears that they plan to do EMV in the future. This is rather scary, since you're trusting their hardware, and probably your phone, with the private key in your chip card.
As far as I know, EMV has no way for the user (or bank's employees, for that matter) to get that private key out of the chip card; if it was possible then the whole concept would be pretty much useless and allow easy cloning of those cards just like the old magstripes.

The system doesn't allow to "trust other hardware", the card itself has to sign every transaction.

This is potentially useful for the US market as chip/pin is very new to us and only recently rolled out via major banks this year (I literally just got my new Visa card with a chip). I can see how Europe is far ahead of the curve.

My initial questions/concerns are as follows:

Will this be usable in ATMs? I can't visibly tell if it's too wide to fit.

Is there any planned security functionality to lock the card via your paired mobile device? I'd like to be able to supply a password to unlock for a short period of time for usage.

Based on Coin's FAQ:

1. Yes, it should be usable with ATMs without issue.

2. You cannot lock your coin with a password, but it will deactivate after it loses contact with a phone after a user-specified amount of time. In theory, I'd assume you can disable Bluetooth on your iPhone and it will effectively "lock" your Coin until it can pair with your device again.

Would be nice if there was a way to physically unlock it. I can imagine my phone dying – preventing me from making any kind of purchase.
I think one of the hardest things about having one would be convincing retailers you're not trying to somehow scam them. Especially in the case of loyalty cards. Sure I CAN load my card onto the Coin, but what is a merchant going to do when I pass them something strange that looks nothing like their card?
Often, a loyalty card is nothing but a piece of plastic with a number printed on it. For example, for airlines and hotels I just give them the number, they never need to see the card.

However, if you mean a gift card with pre-loaded money, things may be different, but then it'd probably be a similar reaction if you tried to use Coin instead of a proper debit/credit card?

I'm just thinking about the reaction I would get if I walked into my grocery store and handed them my Coin. I'm not sure they would take it. Debit and credit cards may be a problem too, although they're diverse enough that unfamiliarity is less of an issue. Plus, you can handle the card yourself in many transactions. Usually loyalty cards need to be given to the merchant.
I can actually see myself using this. There are times where certain stores have these promotions where I can buy a $30 gift card for $20, but I never bother doing it because I know that I will probably leave the gift card at home the time I come back. I also like the automatic locking feature as well when it loses the bluetooth connection with your phone.

Another benefit I see is that it doesn't actually have the credit/debit numbers printed on the card, so nobody could take a picture of your card and use it to fraudulently purchase things online.

This + Simple would be perfect.

There's been another company working on this for many years: http://www.dynamicsinc.com/ I've seen the working models, they are decent, but it's a surprisingly hard problem.
I would totally pick wallaby over coin if they would put a picture of a wallaby on the card.
well if that's all it takes :)
Wallaby is a passive/proxy card, routing to a BIN range controlled by them. Cheaper to produce (it's just dumb plastic), more expensive to run (since they're sitting in the middle of each transaction) -- but that's also where they can build value.
Their website hurts my eyes
A lot of places ID you when you use a card. I wonder how that would work. I don't see a name on it.
Requiring ID is against the rules of every major card network; so are things like adding surcharges, and having minimum transaction amounts. Think about it, anything that adds friction to using a card makes it more likely you might use cash, eating into the card network's revenues. Anything that does that is likely to be frowned upon or prohibited.

Report merchants that do that.

For Visa, call your card issuer.

For Amex, call them.

For MasterCard - http://www.mastercard.us/support/merchant-violations.html

OK, but what says merchants are required to accept this "coin" card as your Visa?

Even if they aren't allowed to check ID, they certainly are allowed to check signatures.

Since merchants are held at least partially responsible for fraud, I would be surprised if most merchants accept the "coin" card. It doesn't look like a normal credit card.

> OK, but what says merchants are required to accept this "coin" card as your Visa?

Nothing. Coin is not an authentic card. BTW that wasn't my point, it was that it's a merchant violation to demand ID when presented with an authentic signed card.

I believe that as of January 2013 you can now legally[1]:

1. Add a surcharge for credit card payments. 2. Have a minimum of up to $10 to use a credit card.

See: http://money.cnn.com/2013/01/27/pf/checkout-fee/

[1] Not that it was ever illegal, only against the CC company rules. But now the law explicitly forces CC companies to allow it.

None of that is true.

The card brands explicitly train merchants to check signatures against government-issued ID. [1] [2]

Card brands may not prohibit minimum charges per federal law. [3]

Visa and MasterCard agreed to allow credit surcharges in a settlement agreement for a long-standing class-action suit by retailers. [4]

1: http://usa.visa.com/merchants/risk_management/card_present.h...

2: http://www.mastercard.com/us/merchant/pdf/Unsigned_Credit_Ca...

3: http://en.wikipedia.org/wiki/Dodd%E2%80%93Frank_Wall_Street_...

4: http://usa.visa.com/personal/using_visa/checkout_fees/

No. You are wrong.

> The card brands explicitly train merchants to check signatures against government-issued ID.

When the card is unsigned. Every card I have is marked "NOT VALID UNLESS SIGNED". It absolutely is a merchant violation to demand government issued ID when presented with a valid signed card. A card signed "SEE ID" is clearly not valid.

As far as you're other points, the US is not the only legal jurisdiction or market in the world.

I'm not wrong.

It is a violation to make ID a condition of accepting Visa at all. It is not a violation to ask for ID from specific customers, regardless of whether the card is signed or not. It says this very clearly in the "Card Acceptance Guidelines for Visa Merchants" booklet. The closest they get to forbidding it is a recommendation that you don't make it part of your standard procedure as, and I quote, "it can slow down a sale and annoy the customer".

In the case of a suspicious transaction, the merchant is also supposed to call Visa for a "Code 10 Authorization". One of the things Visa may do is instruct you to check the customer's ID.

If a store asks you for your ID, calling up Visa to report a violation won't do you any good as they haven't violated anything. As far as your jurisdiction punt, we're talking about a product intended (and only really usable) for the US.

On all of my cards I have not signed them but written "REQUEST ID" instead. And yet I very, very rarely get asked for my ID when using them. So rarely, in fact, that I make a point to thank them when they do. Some even turn it over to look and then just move on.
This seems a great way to steal other people's credit cards. You can literally duplicate someone's card on your "coin".

Now there's a super easy way for someone working in a restaurant to get your credit card information and sell it.

Easier than pen and paper? Or the camera on their phone?
Its a bit hard to read the mag stripe by eye - unless your a mutant in which case call in Phil Coulson's team stat
The majority of credit cards still have actual numbers on them.
Except that the CVV from the magstripe is missing - wich means ypu can only use the printed CNP CVV, ie. only use the card data for internet transactions.
I assume it's easier in the sense that your waiter could add your card to his Coin, then immediately go buy a TV at the store with it. Not having to make a fake card or needing the address of the card holder to use it online.
As with some other people in cousins comments to your post, I think you may not realize that that attack is already perfectly feasible today. By "feasible" I mean real criminals already do this today, not merely that some academics hypothesize that it may be possible. It's all very off-the-shelf stuff. If you're worried about this attack, the solution isn't "don't use Coin someday in the future", it's "don't use anything with a magnetic strip, today".
Couldn't they just require the name/address to match for all cards? Including the one you used to pay for the device?
The FAQ says that they do indeed require the names to match.
Yes I really want to have a reprogrammable CC that I hand to a waiter NOT - Why not just have the fed mandate Chip and Pin after a certain date like Europe did.
Because it's not worth the cost. On the consumer side, chargebacks are easy. Credit card companies bear the brunt of the cost of fraud. They all have the incentive in the world to start rolling out chip and pin technology. The fact that they haven't probably demonstrates that the math doesn't work out.
> Because it's not worth the cost.

Neither are airbags in cars, yet the government stepped in and made them mandatory.

> [Credit card companies] all have the incentive in the world to start rolling out chip and pin technology.

No, their incentive is to make sure people keep using credit cards.

They've done the math and concluded that the amount of user confusion resulting from chip and pin technology resulting in less credit card use is less than the cost of fraud. The fact that chip and pin works in Europe, and also that credit card processors still exist in Europe proves that implementing chip and pin isn't going to drive Visa and Mastercard out of business.

>> because it's not worth the cost.

> Neither are airbags in cars, yet the government stepped in and made them mandatory.

that's simply untrue.

http://www.riskworld.com/news/97q1/nw7aa029.htm

this testimony is from 1997, and even with mostly first generation airbags in play at that time it's still wrong.

They are even more effective at saving lives now, and many of the problems with passenger side airbags have now been alleviated.

saved lives = saved money (unless you're looking at cost-to-state of an entire life rather than cost-to-state for medical/funeral costs, but that's outside the scope of this)

Dead customers can't be returning customers?
It's actually the end merchant (seller) that bears the cost of fraud. So credit card companies have little incentive to fix this, beyond customer support costs.

Say you sell a camera to someone using a stolen credit card.

The real owner of the card gets his money back after doing a chargeback. The thief keeps the camera. The merchant loses a camera, the money, and gets a ding in his credit card merchant reputation.

Seems like the legislative solution then would just be to shift (at least some of) the burden to the credit card processors then.
I agree. It's a tricky problem. Chargebacks are really easy for the consumer - too easy. There has to be a happy medium, but I can't quite think what it is.

Bitcoin, on the other hand, is sided on the other extreme. The merchant has almost all the power. However, the merchant still has a reputation, which might be sufficient incentive.

Doesn't the merchant bear the cost of the fraud ONLY if they'r e using obsolete equipment?
Merchants bear the brunt of the cost of fraud. Credit card companies and consumers bear none. And as the credit card company oligopoly currently* has no viable replacement, merchants are stuck bearing the cost of fraud.

* the replacement will be when folks like Square, PayPal, etc grow large enough that merchants can replace credit card systems with them for a decent % of customers

Why not just pay with Bitcoin? Really, after Bitcoin, using credit cards seems like an invitation to be robbed.
Because chargebacks are relatively easy with credit cards and the merchant bank bears the cost of fraud. With Bitcoin, if you steals your coins, there's no way to undo that.

On top of that, there's all the convenience issues that plastic brings when out in the real world. Using bitcoin requires a computing device of some sort that's significantly less robust than Coin, a chip & pin card, or a piece of plastic.

it takes too long to confirm a transaction with bitcoin. Also the risk of having your bitcoins stolen is high - the reason credit cards exist is because reversible transactions are preferred to using cash. The credit card company acts as an escrow system.

I could imagine someone making a credit card that was denominated in bitcoin, but that would be a whole different technology stack than using raw bitcoins.

Because Bitcoin as a replacement for credit cards is currently just a pipe dream since less than 0.01% of people even know what it is, let alone have it. That plus its insane volatility is why it's only accepted by a handful of online merchants, mostly only for virtual goods and mostly just for show.
that insane volatility should drop with increased adoption.
Only you are able to reprogram your Coin, it is paired with your phone. Two things which admittedly do get lost together, but still ..
Pretty sure a magstripe writer isn't really that hard to get.
Two notes:

1) This can already be done using a simple stripe reader.

2) Coin can identify, investigate and proactively block anyone who has more than the average number of cards, so Coin actually seems well positioned to reduce fraud. Also, Coin could identify that multiple Coin cards have the same credit/whatever cards on them and, the next day, prompt you to swipe your card again to confirm. [Provided that Coin uploads suitable data to its servers...] In fact, using a Coin card could be a signal to fraudsters not to commit fraud against your card.

And by using the location of your phone, and the timing of the swipes, Coin can learn a lot about your shopping habits.

Not as much as the credit card company (e.g. not the amount of the purchase), but still quite a lot.

Just because I am using coins hardware doesn't necessarily mean I need to use their software. And if it does catch on in the main stream, I doubt many people will check to see if it is your card if a check actually exists.
You have to take pictures of the cards. I assume it would work similarly to how I can take photos of checks to deposit them where, within some tolerance, you have the check/card inside of a "frame" allowing the check to be read. Maybe they can also sort of OCR the card name and make sure it matches your own.
Yes, credit card duplicators have been available for a long time, but the average minimum-wage worker doesn't know that. This changes the game -- kinda like how how the prevalence of high quality camera phones changed the game for sexting. You could do it before, but it happens a lot more now that it's so convenient and the technology is available to the masses.
It's so easy to steal someone's credit card that I can name at least 10 people off the top of my head who have had it done, and I'm not even trying. I myself have had it happen twice. The good news is, you just cancel it, there's a paper trail to track the people who did it, and you have fraud protection.

All of that can be done better though when you get off the credit card rail, which is what I'm working on. tommy@thecityswig.com if you wanna talk

> Coins are designed to last for 2 years under normal usage and do not need to be recharged.

Awesome!

> Once the battery dies you will need to replace your Coin.

Does the replacement cost money? If yes, I think I'll stick with my current situation. Awesome idea though.

.... and when the waiter accidentally presses that button and changes the card which your business lunch is being charged to?
Maybe the button only works when the card is near the phone?
That would be a pretty neat solution, but still has a window where it could be an issue.

Perhaps do the card selection from the app? Or at least an option to require confirmation in the app?

That's a neat solution to the security problem also.

You go to the app on your phone and select the card you want. The coin will now function as that card for the next 5 minutes only. Otherwise, the coin is nothing.

Now even if your wallet is stolen, without your phone (+ unlock code, etc.) they don't have any of your cards!

Looks pretty cool. Too bad the holograms are not included :)
Super cool idea! but, terrible name choice, no one is ever going to call it just "Coin" they're gonna call it their "coin card". "Coin" is already slang for money in general like, "dough" or "clams" and is also already a form of money.

    Do you have a coin?
    I lost my coin.
    Check out my coin.
    I paid for that with coin.
    Coin is so convenient.
    I got rid of all my credit cards, I just use coin.
All of those will be "coin card" if this catches on.

Similarly, I have an account at Simple. And while it's a product I absolutely love it's hard to explain to people what I mean by "I do my banking online at Simple" or "I like simple because they charge no fees" It seems like I'm just being grammatically incorrect and I honestly feel like it contributes negatively to peoples perception of the company. Also search is a bitch when you've got such a crappy name.

"BankSimple" was a better name, I think.
Agreed, they had to change it due to legally not being a bank.
Moving beyond all the security concerns and potential technology shifts in this space, I'd be concerned with durability. By the time my credit cards expire, I typically have had to replace them at least once due to wear.

I'm not charged an additional fee to get those cards, but this would cost me.

(comment deleted)
Sorry - I think the leather wallet and credit card are already going to be replaced by the cell phone itself, not an additional card accessory.
I love this idea, but I don't think it would solve one of the biggest reasons why I would want something like this:

Royalty Cards. I simply don't use them because that's way too many cards to have in your wallet. But say I'm at a restaurant, without coin, you give the waiter your credit card and your royalty card. With coin, do you make him run back twice so you can hit the button to switch from your credit card to your royalty card?

I guess you could get 2, one for credit / debit cards, another for royalty cards, but that seems to start defeating the purpose.

I will get one for loyalty cards only, will reduce major clutter. For credit/debit transactions, Canada has high penetration of chip/pin terminals and Coin will be useless here.
It doesn't seem to apply to inserting, and in Europe we don't really use swiping (also we have to type a PIN code).

Although as a US product only it seems surreally cool and practical. I wouldn't use that for my credit card, but for a membership card? I have way too much H&M card, Levis' card, Virgin Megastore card, Cinema Card...

Same for me. Canada also uses chip/Pin method. Membership cards is where I will use one.
Great technology solving what's a small, but real inconvenience with a great, simple UX and product. Just bought mine.

My only question was can I use for my ATMs too (which pull card in vs. being swiped)?

And the answer is yes, great FAQ by the way:

https://onlycoin.com/support/faq/

The answer is actually no

Q. Where can I use Coin? A. You can use a Coin everywhere cards are accepted including dip-style card readers and ATMs. Use a Coin just like you use your cards now at gas stations, restaurants, the mall, the gym, or other places you frequent.

Dip-style card readers do not pull the card into the machine.

"Q. Will my Coin work outside the U.S.? A. Not in all cases.

U.S.-based customers: Coin will work overseas, but we recommend that you bring a backup card when you travel.

Customers located outside of the U.S.: Coin does not support EMV yet. If the country you live it requires it we recommend holding off your purchase for now."

Found this in FAQ section.

I've got a few cards and travel somewhat regularly to Europe. I've specifically been asking various card vendors that I have for chip and pin/EMV based cards. For the most part, they seem to be rolling them out at the high end rather than making them available at the normal "consumer"/reward cards.
"Coin does not support EMV" is an interesting statement - I can't see how they could ever support EMV without explicit cooperation from every issuing bank, which they won't have.
With all the news about Bitcoin these days, why would they choose a confusing name like Coin?
I like the double meaning of coin:

1) Represents money 2) Creating a new phrase - or way to think about credit cards

I haven't seen a merchant where you swipe in ages. This seems really ancient and insecure.
Clearly you don't live in the U.S.
Hopefully you don't mean to imply that just because something has been around for more than 20 years (much more in this case) that it is inherently insecure.

Conversely, you hopefully don't mean to imply that technology that is newer is much more likely to be secure.

I am not making a judgment call one way or the other as to your intentions. I just think it is important to the discussion.

It seems easy to me, in modern cultures, to think that newer always equals better/faster/bigger/smarter and in all other ways superior. I think this is exacerbated by the fact that modern technology has made so many things possible that most people 200 years ago would never have dreamed of. From automobiles to computers to smartphones, the technology of today is very impressive. Because all of those things are "modern" it is easy to develop the mindset that anything over a certain age is likely to be inferior. However, we need to remember that all of those technologies were built upon things learned by people in the past. Also, often newer technologies make things cheaper, but manufacturers often chose to make those with poorer materials, and thus they don't last as long. In some cases, newer isn't better. Right now I'm wearing a sweatshirt that is over 20 years old. It was a high-quality product to begin with (and I recognized that when I bought it), and it has been worn very frequently. The silk-screened logo on it is still intact, and looks very good. The material has a few small tears here and there from abuse, but overall the shirt has held together very well. A lot of the clothing I've purchased recently (in the same cost-adjusted price range) has turned out to be junk that doesn't last. There are probably better examples of newer != better, so do what you will with that one.

There is also an inverse mindset which is equally as bad. That is the idea that anything older is bound to be better. Not surprisingly, the first mindset is often held by younger people, and the second by older people. As people get older, they often fall into thinking the "old school" way is always better. The important thing to realize is that, yeah, sometimes the old way is better (and probably more often than many young people realize). However, it is equally bad to assume that just because an item or an idea is older that it is better. I certainly don't want to get out of my car and turn the engine over by hand to get it started, and I'm glad I don't have to hitch up the horses to go into town (though, admittedly a lot of things about having horses would be cool).

The long and the short of it is this, we should evaluate thing on the basis of their own merit, not on their age. There are new treasures and old treasures, new junk and old junk. I realize that this is probably just common sense, but even so I still think it is worth talking about.

... I'd like to again point out that I'm not saying that Kiro was implying a direct newer=better/older=worse relationship -- I just wondered if he might be.

Oh, and yes, if you "haven't seen a merchant where you swipe in ages", then it is very unlikely that you live in the U. S. (at least, not in any part of it that I've been to recently).

This would not work in my country, since most places also ask for an ID to check you are the owner of the credit card. Maybe for debit cards ( because of the pin), but I can see it raising some fraud alerts ;)
One of the things I noticed about the chip and pin migration in Canada was that when merchants all upgraded their point-of-sale terminals to handle EMV, many new terminals also happened to handle contactless payments.

I've been on two internships in the valley, and despite the availability of Google Wallet, I couldn't find a merchant that would accept it (apart from McDonald's) because everyone was still using magstripe-only terminals. (There were even a few merchants at trade shows who were still using triplicate carbon-copy forms...!)

I think Coin is a product that makes sense for the US market right now as a transitionary product, and wouldn't be surprised if Google acquired them some time in the next year or so and rolled them into the Wallet product offering. When and if US merchants upgrade to chip-and-pin capable offerings, (almost) everyone who owns a Nexus device made in the last two or three years will be ready with unified wallet offerings that already exist.