719 comments

[ 1.7 ms ] story [ 358 ms ] thread
The same link has been submitted thrice with different accounts and upvoted to 3 points.
It appears the release was embargoed for 12PM EST, so it's not surprising that people submitted simultaneously.

It is surprising, however, that all of them received a significant amount of upvotes.

It's not uncommon in this sort of situation for them all to get upvoted. Firstly, different people will upvote different ones, so if there's a popular story then a large number of upvoters split by 3 is still a decent number on each. Then there are people who will upvote more than one, either because they think it's important enough to deserve multiple links, or because they think the links offer enough difference in content, or because they upvote the first one they see, then see there's a better one (e.g. "oh shit, I upvoted blogspam, better upvote the official one now")
(comment deleted)
(comment deleted)
Swipe something user-programmable through a merchant machine.

That might not end well. But I guess that has been an open security hole for a long time now, hopefully has been addressed.

Merchants are not going to accept this, it's the same as a CNP transaction.
It seems to me that the creators would have investigated this before building hardware?
This is a very cool gadget, but I think it's a strange name.
"Works like a debit card when you swipe it" - I'd probably get this if I wouldn't effectively be paying several hundreds of dollars per year for it in losses of credit card rewards.
You won't lose any rewards. It's cloning your credit card number and info and using it like it was your real card. Their FAQ's address this.
Ah, cool, my mistake. Thanks for the clarification!
Are the card issuers going to be happy about what amounts to card cloning, or am I missing something here?
Probably not. I imagine they'll also absolve themselves of liability if your card is ever misused or stolen.
Seems crazy that it only holds 8 cards. I'm not about to go through all this effort only to replace some of the cards in my wallet but not all of them.
Out of curiosity, how many do you have? I think 8 would cover all of the cards I use at least once every 4 months.
About 15. And sure, most I barely use. But sometimes I want to use them and they're in my bag and not in my wallet. This would be a great solution to that problem for me if it could hold all of them.
I have a money clip, and only carry my most pertinent cards - ID, ATM, and CCs. The remaining cards, like reward cards or library cards, are in a tin can in my car - which I drive to wherever I'm shopping, and just remove the card I need. I can't imagine carrying 15+ cards in my pocket, especially if it is in your back pocket.
I carry around the following: 1 Debit card 1 Credit card 1 Drivers license (usually I travel with public transport, but I'm required to carry an ID by Dutch law) 1 Ov chipknip (card for public transport in the Netherlands) 1 Health insurance card 2 Loyalty cards for competing grocery stores (I attend both of them on a regular basis)

Even though Coin doesn't solve this problem, especially since it doesn't have EMV which is required in Europe, I'd love to have all off them one card. I have another boatload of cards at home that are rarely / never used because I never have them on me when I could use them.

So basically: very cool idea, needs some more thought for the european market though.

I guess it depends on how many cards you have. I suspect it's also a limit of the first run costs, and could increase in future.

Personally I only have one card, so I don't really have that problem :D

The app holds infinite cards, as long as you carry your phone.
Yeah, pretty easy to just store all cards in the app and switch out the infrequently used cards for things like loyalty programs when you actually need them.
If you do that the battery runs down faster, and since you can't replace the battery or charge it, once that happens you are out $100.

I was really thinking of buying one but $100 every two years is too much for this.

Most of the cards in my wallet aren't credit/debit cards anyway. Drivers license, health insurance, etc. etc.

This wouldn't be able to replace my wallet, so I'd still be carrying two things around with me.

For some reason, all the cards I keep in my wallet get destroyed. I have a decent leather wallet but they still crack and chip and the paint rubs off. I don't know if I want that to happen to a $100 device.

Does this happen to anyone else? It has happened with the last two wallets I've owned.

This happens for me only with one bank card and not my others. I think it's partly the fault of cheap material used for the card.
My ATM card always seems to start splitting right around the time my bank sends me a new one. Hopefully this device is more durable.
Some of the cards in my wallet are 7 years old and are in the same shape aside from the faded colors.

Clearly you need a better wallet >_>

How will this work when CC companies finally migrate to cards with SIM chips?
"Q. Will my Coin work outside the U.S.? A. Not in all cases.

U.S.-based customers: Coin will work overseas, but we recommend that you bring a backup card when you travel.

Customers located outside of the U.S.: Coin does not support EMV yet. If the country you live it requires it we recommend holding off your purchase for now."

Found this in FAQ

I assume that the Chip-and-pin system isnt standard in the US like it is in the UK. Can a similar technology be applied to chips?
From the FAQ:

Q. Does Coin support chip and pin (EMV)?

A. Coin is currently designed for the U.S. market and does not support chip and pin (EMV), however, future generations of the device will include EMV.

How on earth is that going to work? Theoretically at least, you can't clone an EMV card. That's kind of the point.
Maybe they'll work with the banks to get the information needed to create the EMV card?
Why would a bank allow that? It creates all kinds of liability issues, hurts the issuing bank's branding, and there's no big source of fees to allow Coin to simply buy cooperation from them.

Heck, they're running a kickstarter for funding, while even dreaming about being a card issuer would require to start with posting multimillion security deposits.

Theoretically, you can put a large number of payment applications on a single EMV chip already, and a transaction will either use defaults or present you with a choice.

Unfortunately cross-bank and cross-scheme cooperation has never been there to the extent that this has been possible so far.

With my new card I always get a dialogue when I pay where I have to choose between something like "direct payment" or "pay in three installments". I suppose that's the kind of applications you're talking about? I didn't know this was possible before (and I don't remember my bank ever telling me about it, not that I really care, but it's a useless step slowing me down).

I see it on every terminal I use here in France, so it seems to somewhat work already here.

That's a weird one!

I've been out of the payments game a few years now (going back in on Monday though) but in EMV speak an 'application' is usually something like Visa, or Mastercard or something along those lines. Some cards I looked at in the past had a few on them for local schemes, for instance we had "Switch" cards here in the UK that were the equivalent of "Maestro" in Europe, but were different enough that a lot of UK debit cards had both applications on them.

If "pay in three installments" is a sort-of credit facility provided by your card issuer(?) then I suppose it could be coded as an on-card application. In fact if you wanted to give your customers that choice on every single transaction I can't think of a better way.

Would get damn annoying...

No, because chips, by design, can't be copied by the user. They are roughly small computers which encrypt messages with a secret key, but the key itself is never let out outside the chip.

You would need some cooperation from the card issuer to clone the card, or some sophisticated technical equipment to open up the chip and read it.

I was trying to look into this as well. Apparently the chips cannot be read from in the same way unless you authorize it. I don't know how that authorization process works, but I'm guessing it's possible. I'll be looking out for Coin in the future when they introduce EMV support.
You shouldn't be able to read EMV chips with any authorisation - it's supposed to be safe from bank employees who make the actual cards, so they can't clone your card before giving it to you.

In the EMV process the private key should be unique to the card (if you make a replacement card with the same number, it's a different key); the private key shouldn't exist anywhere outside the chip after the card is made; and there aren't supposed to be any ways to read the key. Well, cutting the chip and scanning with a electron microscope works, but it's impractical.

I'm not saying that there aren't any bugs in the implementation, but I'm quite sure that there are no known bugs that allow simply to get the key; even full control of the HSM which holds the bank's private key should allow you only to make/sign new fake cards, but not recreate an existing card.

Guess I have to stick to my shitty baby blue card then. Yes my bank IS Toys 'R' Us.
I'm not sure of the prevalence in the US, but does this support chip + pin transactions? They're the standard in the UK now, and I suspect it's a little harder to mess around with than the magnetic strip.
I understand chip+pin is still a novelty in the US.

Back in 2009, I was (apparently) the first person to use the chip+pin machine in one of the biggest bookstores in Toronto - the cashiers got excited and all gathered round to watch. It was a little bit bizarre.

I was in the UK with my non-chip and pin card and there was a similar response. It took like 5 people at Tesco to figure it out.
Yeah, I can't remember the last time I saw someone sign for or swipe a credit card in the UK: it's all chip-and-pin now, all the time. This looks like cool technology but it just wouldn't work here.
Pro tip: if you're in the UK and think Chip+PIN is a really good way for the bank to shift liability to the cardholder and want to make your life miserable, ask the bank for a Chip+Signature card. That'll fuck things up for you on the regular.
Which will fuck things up? I can't tell if you're saying Chip+Signature will avoid the problems or make them worse.
Chip+Sig makes things worse in terms of day-to-day purchasing. Vastly worse. Your card no longer works in ATMs, retailers pitch a fit when they figure out your card is making their PDQ spit out a receipt to be signed (some even will try to refuse your card), and automated machines, like the ones found on the London Underground don't take Chip+Sig cards so you actually have to line up to see a human.

I eventually just gave up and got my cards reissued as Chip+PIN.

It depends where you are, I suppose. I live in an area with a lot of transient foreign nationals working in banks nearby, and they're used to dealing with non-chip cards at my local Tesco. The person in front swiped a Venezuelan Visa with no trouble the other day.
I had to use ye olde magnetic stripe and signature at a Morrison's a couple of weeks ago. The card reader was broken for some reason. Naturally the magnetic stripe on the first card I tried was also broken and wouldn't swipe...
It's totally standard in Canada now. Usually when a place doesn't take chips it's a US-owned chain.
For a view on another part of the world, just in 2012 in Japan it seemed like about nobody knew about these. Some stores didn't even know they had a pad for entering a PIN, and some didn't know what was the "enter secret code" instruction.

I only understood that after a week and maybe ten or so places had told me "your card doesn't work", when some hotel tenant called her daughter to translate things, and she knew about chip and pin and was excited to see how it worked.

I'm pretty sure all the other places just saw some message they didn't really understand, and just thought "the card doesn't work", when in fact they probably just had a pad somewhere that was waiting for my input.

Just before that, we had stayed in Taiwan and used the same card pretty much everywhere with absolutely no problem.

Japan is still highly cash based per transaction.
That's odd, how far out in the sticks were you? I've used my european chip card extensively in Japan for the past 3 years with no confusion whatsoever, and most places that take cards have a chip reader that they use immediately. Nobody has ever said my card doesn't work. There's actually way more confusion when I pull out a WAON card or something.

It's been more of a problem in places in Thailand and Singapore where they're not really equipped to hand over the card terminal and sometimes I have to go behind the desk or something.

The first place I had a problem was actually a Honda (I think?) car rental office in Shinjuku, not a place where I expected a problem (and not the easiest thing to pay in cash, though that's what we eventually did).

Then a few hotels and ryokans mostly around Nagano and Toyama. The 7/11 ATMs worked fine though (but the card didn't work to pay directly, it did at Lawson though, IIRC) so we just used cash everywhere, but I liked to keep trying to use the card, as I was really not sure what was happening.

It's in a small hotel in Obama that I finally understood what was happening, after the woman first asked me to "write my secret code" on a piece of paper (she didn't know the keypad was attached to a long cord and that she was supposed to let me enter the PIN myself, her daughter figured - or knew - that).

I don't really remember but I think we just didn't have many issues afterwards, once in the larger cities of the Kansai.

It was kind of a pain to have to use cash so much because my card had a rather low limit on cash withdrawal at foreign ATMs (of course, my other card had been mailed by mistake by my bank to my former place just before I left). I just didn't expect at all that it would be so difficult in Japan.

Swipe only? What is this, 1980?
NFC support would be pretty slick.
I think copying an NFC or smartcard is slightly more complicated :)
I think he meant that swipe-only cards are a dying breed(at least here in EU) and most places don't even take them anymore. If your card does not have a chip+pin system it won't be accepted anymore, even if it's a Visa or Mastercard card.
80% of this product already exists in Simple (https://www.simple.com/).
Simple looks like a completely different thing to me. It looks like a debit card connected to a fancy budget tool. It looks like a tool for people who have basic finances and need help to avoid overspending.

Coin looks like a device that replaces my existing cards, which is a problem I want help with. I don't want to close my business bank account or get rid of my credit cards, I just want a lighter wallet.

I'm a simple user but I don't see any % of this existing in my Simple account. If I've overlooked a glaringly awesome feature in Simple I'd be happy to find out.
(comment deleted)
How? Simple is a bank. This is a magnetic-stripe card consolidator.
How would you prevent mass credit card theft in this case? Couldn't an unscrupulous person, say a waiter at a restaurant, take your card, use his/her own Coin to make a copy of your card, add it to their own Coin, and then use that card at their leisure at a future date? I know, the same question was asked re: Square and the like, but the difference is that you need a Square account to steal other people's cards, and that's traceable, whereas here, you can use the stolen card easily and surreptiously with little notice. Except for the fact that using a Coin in itself is noticeable.
I see it as possibly the reverse opportunity.

I typically hand out a Google Voice # as a sort of DNS for phone calls so that I can change my device number at will.

Wouldn't this allow me to swap out credit cards in a pinch without having to carry new plastic? Or, as you suggest, if I lose my Coin do I have to get all new cards?

If you lose your coin, and someone else picks it up, then you've compromised not just one card, but multiple. Unless I'm missing some sort of authentication when using Coin? And if that authentication exists, how would the non-Coin holder use that card? Is there a timeout that requires the user to authenticate, select a card for presentment, and holds that card in the stripe until a timeout? if not, then there's problems here.
Credit card theft like you describe is already possible and already happens
This sure makes it easy tho, no?
(comment deleted)
You can buy a 20$ card reader and just copy someone's magnetic strip. It's already pretty easy!
But with Coin, they can potentially copy all your cards, instead of just one, by pressing the button multiple times.

It's not obvious how to prevent that without affecting the UX.

It affects the UX somewhat, but since it has to be in proximity (implying data contact) to your phone to operate, you could just move the "switch active card" feature to the mobile app, not the Coin itself, then you wouldn't have to worry about people in posession of the Coin (e.g., when you put use it to pay the bill in a restaurant) toggling through the other cards stored on it for nefarious purposes. Or, for less impact on UX, put a "lock active card" option on the mobile app, and still leave the actual card switching on the Coin.
Yes, card cloning devices have existed for decades, but this automates the process, allows you to carry a single (disguised) device that can store multiple cards. If one doesn't work, try another card, without eliciting suspicion, and simply replace / swap cards that are cancelled.

The old method requires use of credit card blanks, a duplicating device, and the card itself doesn't look like the card when presented in person. In this case, as someone mentioned, Coin doesn't display the card #s on the front, so it's like a Card Not Present (CNP) transaction, but needs to be treated as if it was.

This doesn't bring anything new to the card skimming operation, but it simplifies, optimizes, and can in some ways facilitate it. They need some sort of ideally biometric authentication and/or a server that identifies when two Coin devices carry the same cards on it to avoid this sort of fraudulent use.

This makes it less suspicious. Traditionally a lot of small-time (i.e. Vegas) skimmers write mag-stripes onto other cards ranging from hotel key-cards to expired credit cards, but in places where skimming is common gas attendants and cashiers are trained to watch out for warning signs including lots of expired cards, trying lots of cards, name on computer doesn't match name on card, and especially hotel keycards at gas stations.

This device defeats all these human security measures by letting me use a startup bling device to try up to 8 cards at once without looking suspicious at all. "Declined? shit, my newfangled e-bling card must have messed up - try it again!" (while silently changing cards using the button). "No name on the card? Card isn't signed? You want my ID? But this is the hottest new toy! Promise it's fine!"

This is interesting. You can just buy blank magstripe PVC cards in bulk for very cheap on Amazon. You can buy an ID printer for a couple grand. Why the need to repurpose old cards?
I'm not actually experienced with street-level card skimming beyond anecdotally, so I'm not sure. But my initial speculation is this:

- Centralized location / evidence. A stash of blank cards and an ID printer have to go somewhere, and look suspicious to start with. The gear to skim cards and write them onto existing magstripe cards can be stored in a small space or on one's person and thrown away quickly; there's no centralized location. I believe hotel keycards are used because of their availiability. There was a sensationalized national news piece a few years ago about pimps giving women hotel keycards with credit cards written on them to buy gas with.

- Start-up cost. A couple thousand $$ in an ID printer is more than $0; that's what would divide street-level carders from professionals who probably wouldn't be passing overwritten cards at retail anyway.

From the FAQ: "As an additional safeguard, the Coin app will only allow you to add cards you own."

So it sounds like if the name doesn't match, it won't work (you have to take a picture of the front).

And how exactly is this verified? I don't think there's OCR there to verify that it's your card you just snapped a photo of.
The magstripe data has all the name information in it.
Swiping a card passes along the name on the card.
But a waiter doesn't ask for ID when taking your card... so even if the Coin identifies you as John Smith when you pay your check, the fact that you are Steve Jackson who presented the card doesn't mean anything. And you can have multiple cards with multiple names in your Coin.
I believe the coin app will only put cards on the Coin that match the name that is on your account.
Please look at the context of my comment.
Card.io will scan cards and OCR them. Maybe they do something like this to ensure the name matches the registered name on the account? https://www.card.io

Edit: And it's on the magnetic data, too.

Couldn't you technically bypass the OCR by taping a piece of paper with a different name or number over it? Does the magnetic data store the name?
I go by my middle name, but some places have forced me to use my first name, so my cards are a mix of my first+last and middle+last name. So then I would look like two different people to this coin wallet?
Except that names aren't required to match on credit cards. For instance, my wife is an authorized user on my card. Her signature is on the back, my name is on the front. Similar situations abound for business use cards.
That's strange. My girlfriend is an authorized user on my card in Canada and it has her name on the front and she has her own PIN that I don't know.
We seem to have stronger laws about this sort of thing in place at the moment. In the US, it seems, just swiping the magnetic stripe is still the way it's done. How quaint!
If you're an authorized user on a credit card, you're issued a card in your own name. I'm not sure what you're doing is compliant.
The company card I used had my name on it, as for all other cardholders; and cards with wrong gender are treated in shops as unacceptable if they notice, though in 90% cases they don't, unless if it's a large purchase and they want ID.
Match? How? With OCR and image processing?

Currently, one assumes you can take a picture of any card and store it for visual purposes. There's zero explanation of how they authenticate a physical card (photo) with the swipe data.

You can already steal credit cards really easily. When you hand your card to the waiter, there are machines that will save that number and you can write it to a blank card easily. They can also jot down your security number. This might make it marginally easier, but it is on one service and tracked.
Yeah, and even without that machine you can just look at the number on the card
Yea but most places require you to swipe the card or have it physically there.

Online they make you provide information that is not written on it. With this you could easily copy a card and buy anything later on that day.

This thing should be outlawed

You can write the magnetic strip information to the a new (blank magnetic strip) card, which could look authentic enough to fool most merchants.
I have a question - why is the guy in the video giving the card to waiter? What he is gonna do with it, he doesn't know the PIN number to charge it. Or in USA you can charge without PIN? Besides if he can just charge without PIN he also can just push button on the card to charge whatever account he wants, doesn't he?
Yes, in the U.S you can charge credit cards without a PIN for whatever amount you want. Yes, it's silly.
Really strange. Here in Lithuania we had similar systems in some places several years ago, but everyone quickly changed to always require PIN. Even in restaurants they come with wireless card reader and you don't even let your card out of your eye sight.
That is exactly the entire problem with credit card payments, online or elsewhere. Too often it relies on just the number, just the mag strip, possibly with other information that is _right there on the card_ (like that stupud CVC). This is totally insecure, and yet everybody keeps using it.

Dutch electronic payment (online or otherwise) always relies on "something you have" + "something you know" (which is secret and not shared with anyone ever). It's not airtight, but it's a lot safer than relying just on "something that can be stolen".

I'm still constantly appalled and amazed at US/international online payments relying on something as outdated and backwards as just a string of numbers and some other public information.

You wouldn't.

You actually increase the chances of fraud/loss/theft/errors with Coin.

It creates more problems than it solves (which is unfortunate, since it does have the "cool" factor going for it) That only goes so far.

So I have to turn this over to a bartender to keep behind the bar when I go out and drink? If I forget to grab it before I take a cab, now I'm out $100 and ALL of my credit cards. No thanks.
In theory, your phone will alert you that you forgot it. Also, you'll still have the original cards at home.
Is that system still popular? I've started lots of tabs in the last few years, and it's always been purely an oral conversation - they only get my card at the end when I'm settling up.
Still happens quite a bit here in Chicago, they'll take your card and sometimes your ID when starting a tab.
I find the lower quality the bar, the more stuff they want to keep you from skipping out on a tab.
Sure. If you are a regular they probably and some small bar they won't need anything, but if you head to a large nightclub with hundreds of people they'll want a card to keep behind the bar while you have your tab open.
So no holography technology like that in the video? I'm disappointed.
agh. i have preordered coin because of that feature...
How about an altcoin card with all my cryptos in it? Pick a coin, swipe and deduct from my account?

There is a huge window of opportunity in the altcoins market right now.

I'd really like the ability to add all my shopping cards, membership cards, and whatever else that constitutes 98% of my wallet. Replacing two credit cards/bank cards isn't that compelling.

And then really, while I'm dreaming....I just want my phone or an app on my phone to deal with paying because carrying around a card just feels so 2000s.

This is a slick implementation, though.

I'm also more worried about actual merchants refusing to take something like this.

This is innovative, really like this concept. Wish them Good Luck !
(comment deleted)
Dear downvoter , please tell me something innovative you did in life , other than throwing downvotes . What is happening to HN ? I work in a small start-up and I know what efforts it takes to build something instead of downvoting or discouraging.
What happens when the waiter accidentally clicks the button & charges your business card when it should have charged your personal card? I guess they can just peruse your cards, see what you've got, and pick which one to charge. :p
I thought the same thing. Must have some sort of double click or click pattern that only you know.
Presumably when the card is away from your phone (and BT connectivity), it would disable the button on the card. Or you could lock it into selecting that card via the phone.
Imagine you've dropped your phone somewhere (or had it picked out of your pocket) and tada, now your credit cards no longer work! As a result you're temporarily part of the nouveau poor and can't call anybody for help if you're out and about on your own.
maybe the card still works but you just can't select another card.
> Presumably when the card is away from your phone (and BT connectivity), it would disable the button

See the FAQ, It doesn't. It's designed to be standalone with only periodic checkins (once a day probably) with the phone to make sure you still have the card.

From the FAQ: Q. What if I lose my Coin or someone steals it? A. In the event that your Coin loses contact with your phone for a period of time that you configure in the Coin mobile app, it will automatically deactivate itself.
Perhaps when the card is away from the phone you can't push the button? Not sure, but this is definitely my top-of-mind question.
Needs TouchID just for that!
they have an FAQ item for that. But I would submit that the answer seems to be skirting around the issue of an actual (accidental or not) "finger" press.... Especially like when the cashier takes takes your coin out of the check presenter? Grab it by the edges, you say? Suure....

Q. Can someone accidentally change which card is selected on my Coin?

A. We’ve designed the button to toggle cards in a way that makes it difficult to trigger a "press" unintentionally. Dropping a Coin, holding a Coin, sitting on a Coin, or putting the Coin in a check presenter at a restaurant will not inadvertently toggle the card that is selected.

Obnoxious website
No kidding about the soufflés. Even walking by the oven at the wrong time can spell disaster.