Banks generally hate anything that takes away their branding. Less sleek versions of this -- i.e. reprogrammable Visa cards -- have been around for a few years but banks never supported them, again because of branding.
• "Chip and PIN is Broken" (Murdoch/Drimer/Anderson/Bond, 2010) [PDF] http://www.cl.cam.ac.uk/~sjm217/papers/oakland10chipbroken.p...
• "Chip and PIN is Broken" (Murdoch, 27C3, 2010) [Video]: http://www.youtube.com/watch?v=Ks_w352BS-Q
• "Chip & PIN is definitely broken" (Barisani/Bianco/Laurie/Franken, 2011) [Video]: http://www.youtube.com/watch?v=JABJlvrZWbY ...and slides [PDF]: http://dev.inversepath.com/download/emv/emv_2011.pdf
Knowing the transaction amount is not possible from the "sender" portion of a magstripe. You're simply handing over a credit card number. The credit card amount is negotiated over the phone/internet between the bank & merchant.
This means that the Plastc card likely has one hardcoded number that switches payments serverside. Similar to the Wallaby card or Google Wallet card.
This works perfectly fine with chip & pin. The merchant charges the Plastc card, which in turn forwards the transaction to the correct bank.
They clone the magnetic stripe part of a chip and pin card and then have their own chip and pin layer that they put on top.
In the UK the only reason you can't use magnetic stripe is because no shops allow it (if they do then they are completely liable for the authenticity of that transaction) - if you could add a chip and pin layer on top of mag stripe data then this might work (would still require a lot of fiddling and as far as I can see transactions would have to go via Plastc, like Google Wallet).
They probably don't have to worry about fraud, since the barrier to entry is $155 and they charge your card immediately.
The only thing that might be tricky is whether they get the 'card present' rates or not.
"*Plastc card will be available to use across all participating locations and with all participating payments types following an over-the-air firmware update in 2015 to enable Chip and PIN and contactless payments."
Sounds like they are working on those partnerships.
If this is using the EMVCo tokenization stuff, which it is widely believed that Apple is using, I don't think they would have to partner with banks. They'd just have to register with a Token Service Provider.
Here's an interesting article on this: http://www.aviso.io/apple-pay-brings-new-problems-acquirers/
The chip contains an application for Plastc, this is (like Amex) always acquired by Plastc (and will probably then only be allowed at participating retailers). Part of the Issuer Private Data sent in the transaction is which one of your pre-registered accounts you wish to use. That account is then charged in the background. It would work a bit like a physical Paypal.
Because unless something major has changed, I can't see banks being keen to hand over private keys to third parties.
They may get the NFC component to work with all the providers which allow them to, just like you can currently use your phone to make NFC payments. :)
The interesting bit is how they're fitting the battery and getting anything remotely like reasonable life. Even down in the single digit micro-Amp consumption range (typical for low power microcontrollers plus some resistive touch), a battery small enough to fit inside a credit card will likely only have a few mAh, at best. This will lead to needing to recharge quite often if the bluetooth turns on or eInk screen updates more than once in a blue-moon.
It's like too little, too late.
I downloaded it and went frame-by-frame and you can see the card display contents move around with changing margins. It's all CGI.
Not that it's inherently wrong to do simulations, but this is notable because they don't include a "this is a simulation" disclaimer (AFAICS).
According to TNW "Plastc didn’t have a prototype for me to see during a meeting" and what they showed was a UI inside of a fake card.
http://thenextweb.com/apps/2014/10/07/plastc-one-payment-car...
Go look at the actual thinness of a credit card.
The battery would have to be 90% of the surface area even with e-ink.
This solution doesn't reduce the height or width of the encumbrance at all, and reduces the depth only by n*.76mm, where n is the number of cards that will be replaced. I don't get it.
This would let me get away with a much slimmer wallet and is therefore quite convenient. If it works.
And I don't really see why I should need or want more cards
For users, this must be some retro fad jumping the gun. Given the value of the transaction data going through this thing, it should be free at worst.
That being said, it's certainly attractive. If the 'bubble bursts' (whatever that means), I expect this is the kind of start up that will be first against the wall. Just remember frivolous != worthless.
With remote wipe, when I lose my card I just remote-wipe it and order a new one. Also, this card will warn me when I'm too far from it so I won't be as likely to leave it behind.
I do something similar already, where I never carry around the debit card associated with my primary checking account.
If you're a lady wearing jeans, this could make the difference in whether you need to bring a purse.
For me, it makes the difference re: whether I need to carry a wallet at all, or whether I replace it with a phone case that has a pocket for this and my driver's license.
It's going to be supported unless the merchant is happy eating fraudulent charges, which will make them a hotspot for people committing fraud. There are various dates for when that liability kicks in[1]. General trend is 2015 for PoS and 2017 for gas station pumps.
Not for any particular technical reason (although I'd be very interested to hear how they plan to make this work with Chip & PIN) but from a risk/liability perspective.
At the moment most banks that I'm aware of provide an online fraud guarantee and a credit card fraud guarantee, so as long as you keep your credentials secure, they'll pay back if you get defrauded (I know it's not quite as simple as that but for the purposes of this comment I think that'll do).
So the problem with this kind of product is that you're adding another company (Plastc) to the trusted list, and you're going to have to provide them with all the card details. So unless the banks agree to this not affecting your fraud guarantee, you'd be taking a real risk by using this solution.
For the banks to agree that there would need to be something in the deal for them, to compensate for the loss of branding on their cards and the additional fraud risk.
Loss of branding is a fair point, but I think this would reduce fraud risk. Automatically deactivating itself when lost or stolen more than makes up for the risk of trusting Plastc.
Plastc is $155 and you still have to:
1. pull something out of your wallet
2. select a virtual card
3. enter a PIN to unlock it
4. share your real card number with the merchant with all the fraud potential that carries
5. sign the receipt or enter your card's PIN (another PIN!)
Apple Watch is going to leapfrog all that so hard.
- it lives on your wrist
- it stays unlocked as long as it's on your body
- you just tap, no signing or card PINs
- it uses tokenization so you never have to worry about stolen card numbers
- it does craptons more stuff than payments too
One advantage Plastc has is it will work everywhere right away while Apple Pay needs NFC terminals. But those upgrades are happening thanks to chip-and-PIN.
2) I would like to know what target demographic, if any, that ad was not intended to irritate.
But realistically, I think mobile payment systems are much more likely to succeed. Plus, I already have my phone with me anyway, and it doesn't seem too far fetched that it could provide all the info on my driver's license. So with that and widespread adoption of ApplePay (or whatever ends up succeeding in that space) I'm down to just leaving the house with my phone and whatever cash I want to carry.
- Remote RF-based attacks on the card.
- Attacks on the phone app.
- Leaks at the point credentials are transferred into the card. It turns out that most chip and pin cards do not use a public key/private key pair, with the private key inside the card. Visa actually recommends against this. (http://usa.visa.com/download/merchants/bulletin-chip-recomme...) So getting the credentials off a chip and pin card is possible.
- Leaks from the servers at "Plastc".
- Customer liability beyond US law limits for bank credit and debit cards. (What if it's Plastc's fault? The bank blames Plastc, and Plastc dumps the liability on the customer, citing their "it's never our fault" EULA).
- The device is a great tool for "carders". Previously, "carders" using stolen credit card info had to make sure nobody saw them putting a white card in the ATM. Using a stolen credit card required access to convincing-looking blank cards and an embossing machine. Now, with Plastc, anybody with a list of stolen card numbers can easily create fake cards. At least if businesses are willing to accept Plastc cards.
All I'm seeing is an expensive ($155?!) solution to a non-existent problem.
(And you'll still want a backup card in case it fritzes.)
Having any credit card number which you've ever used only usable for one single purchase would make fraud have to change to adapt. But you could probably sell such a thing easily today with all the recent loss of credit card number news. Granted, the vendor of such a card has to partner with a bank to enable this feature set, and then only a small number of people will want such a card as it imposes a new workflow for paying for things.
My concept is basically just "mobile payments" but enabling it for locations where merchants don't have the infrastructure yet. The added benefit is every transaction has a different card number, so merchants who store card numbers and get hacked provide no benefit to the thieves. Granted, any of the mobile payments things should be doing this kind of security thru obscurity, but I have no idea if they are.
This is not novel.
One of the costs associated with fraudulent card use is turning a set of numbers into a physical object. Several retailers will avoid the "Just write the number onto an existing card" approach by verifying that the last four digits on the card match the number on the magstripe, which increases the cost per cloned card by a reasonable margin. Using Plastc instead would break that assumption. It'll be interesting to see how merchants react.
But, more problematically, this answer:
> What happens if one of the cards stored on my Plastc Card is declined?
> The acceptance of any transaction has nothing to do with your Plastc Card. In this event, we recommend you contact your bank.
seems like a problem if the auth failure that comes back is one that requests that the merchant retain the card…
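The last-four check described in the comment above (compare the digits on the card face with the PAN read from the stripe), as an added example that is not part of the original thread. The track 2 layout follows ISO/IEC 7813; the function names, result strings and sample swipes are assumptions constructed for illustration:

```python
import re

# ISO/IEC 7813 track 2: ;PAN=YYMM, 3-digit service code, discretionary data, ?
TRACK2 = re.compile(r"^;(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})\d*\?$")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: catches misreads and made-up numbers, not cloned ones."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def check_swipe(track2: str, keyed_last4: str) -> str:
    """Compare the stripe PAN with the last four digits the cashier keys in
    from the card face (hypothetical POS-side helper)."""
    m = TRACK2.match(track2.strip())
    if not m:
        return "reject: unreadable track 2"
    pan = m["pan"]
    if not luhn_ok(pan):
        return "reject: PAN fails Luhn check"
    if not (keyed_last4.isdigit() and len(keyed_last4) == 4):
        return "reject: cashier must key four digits"
    if pan[-4:] != keyed_last4:
        return "refer: card face differs from stripe"
    return "ok"


# Constructed sample swipe; 4111111111111111 is a widely used test PAN.
GOOD = ";4111111111111111=30121010000000000?"

if __name__ == "__main__":
    print(check_swipe(GOOD, "1111"))   # face and stripe agree
    print(check_swipe(GOOD, "4242"))   # stripe rewritten onto another card
```

The check only establishes that stripe and face agree; it says nothing about who issued the card, which is the assumption the comment says a reprogrammable card breaks.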
The only way I could imagine it would work is if you have the support of the bank that issued the card. However, I doubt any bank would agree to a scheme to allow a 3rd party to generate a clone of an EMV card.
At the end of https://www.plastc.com/wallet there's a list of participating banks, so I assume that's exactly how they do it.
There are brick and mortar businesses that don't even support credit cards. It could be a long time before all brick and mortar businesses support phone payments.
If 90-95% support this, and they will, very soon, that's plenty.
Do not give these people your money, nor the other tech companies that pull this kinda shit when so many real innovations are in the market.
I want to punch the designer in the face who ever thought this was a good idea.
Haha, no.
I turn my phone off at movie theaters and airplanes.
I rarely keep bluetooth on to save battery (I don't really use it save for once in a while) and I also quite often turn mobile data off unless I take my phone out to use it.
Sometimes it runs out of battery.
Quite often I keep my phone in a different room of my house than I am in, especially when it is charging.
Sometimes your phone breaks or malfunctions (hopefully not often).
Sometimes I just plain forget it.
It's easy to throw up a list of tech specs on a website, it's a lot harder to actually ship those features. I'm highly skeptical of their support for chip-and-pin. In my (uneducated on this matter) mind it seems like the ability to do this undermines a large security consideration with chip-and-pin. What's to stop a crook from swiping my card on his reader? Does this not just make it all the easier to clone cards?
Also the battery life is an annoyance. Not one that I couldn't live with (I look at my Pebble and Pulse battery levels every few days to determine if I need to plug it up at night) but Coin's approach to this problem seems cleaner. Coin was a reach for me, this is way out of what I would spend to "fix" this problem. Also as others have said, with Apple Pay entering the fray Coin is rapidly losing its appeal as neither Coin nor this card offer the consumer protection that Apple Pay does (like not giving them your real CC number).
My biggest concern would be pre-ordering anything like this for the time being. I was left pretty jaded with Coin promising for a year that they were running on time with shipping. Summer 2014 came and went and they finally admitted just two weeks after the previous update that they wouldn't be able to make it for at least another 6 months. Now this product is advertising a more advanced feature set to be released at around the same time. I wouldn't bet on it.
Another option is just proxying your card; their card has a valid chip & pin and credit card number, and when they process the charge, they pay for it by charging your actual card. If I recall correctly, the credit card companies don't particularly like this, but maybe things have changed recently.
You can't afford an expensive phone, but you can afford to spend $155 for the convenience of not carrying around 3-4 additional cards?
An Android phone with NFC is not as expensive as you think, and it will be cheaper by summer 2105. And by summer 2105, payments by phones/smart watches/wrist bands would be ready as well.
Situations: 1) someone steals your pin code (there are overlay devices for ATMs, could happen), after that they steal your card (they can't clone it since it does not have a magnetic stripe). They can't use it since it has locked itself (default state being locked, unlock before transactions).
2) Buy something online, specify that you buy with plastc, it guides you to a challenge response authentication page. Type the challenge in the card, type back the response to the page. They hack the site, get every credit card info and your money on your bank account remains safe.
(1) Durability was my biggest question -- how much flex and bend can this thing survive? How about being chewed on by a toddler, put through the washer and dryer (high heat), taken into a hot tub by mistake, dropped and stepped on with hard-sole shoes, etc.
(2) Ditto the other skeptical questions re: chip and pin.
(3) How big is the niche for this? I mean, I only have one debit card I use routinely and one credit card I use rarely. Carrying two plastic cards is not that big of a deal. I wouldn't pay $155 just to merge them into one card that can run out of battery power.
(4) Speaking of recharge... now there's another device I need to plug in or otherwise mate with some kind of charger? No thanks.
It seems like they are making an age-old start-up mistake. Swift death to the founders so they can move on to something far more interesting than a re-imagined credit card.
I have a sneaky feeling that Coin's long radio silence and pushed ship dates are them re-engineering to have chip & pin at launch.
I appreciate the point you're making in that stealing this one card is equivalent to stealing a whole wallet-full. But isn't it usually the case that you lose the whole wallet in one go?
It's security theater...
Will retailers at the mall accept these cards? Usually the bigger chains are picky about credit/debit cards.
I really can't see these things taking off.
No way you could make something as thin as a real credit card do all this in 2015 and have a battery, etc.
Maybe by 2020, but not yet.
How do they propose doing that?
Pickpockets aren't as common as they once were, at least in the U.S., but I never use my back pockets for anything. Even disregarding pickpockets, it's much easier to lose stuff that way, like when getting on and off a bus. So pocket space is at a premium for me, especially after I relented and bought a cell phone, which keep getting bigger and bigger. (And I would never keep my financial data on a cellphone, even if they promised it was safely embedded on a crypto chip... I just wouldn't trust them to have done it properly.)
Frankly, I think Plastc seems quite useful, at least superficially. The devil is in the details.
Apparently, according to Plastc, it is rechargeable, therefore once you buy it, you never have to buy another. Another interesting point was it's wirelessly rechargeable from the video, which is interesting.