

Your Credit Cards Will Never Be the Same Again: Meet Card 2.0 - Garbage
http://mashable.com/2010/09/17/card-2-0-dynamics

======
Cushman
Bleh. I hate to see all this new tech trying to drag the credit card
infrastructure into the 21st century.

The way credit cards work is exactly wrong— to make a purchase, I have to hand
over every single piece of information the merchant needs to convince my bank
to give them money. Then they ask the bank for as much money as they want. My
bank will /maybe/, in extreme cases, double check with me if I actually want
to give it to them.

Now that smartphones are everywhere, we finally have the tech to implement
electronic payments the way they should be— where the merchant provides me
with /their/ id, and then /I/ tell my bank to make a payment.

But no, not today. "Card 2.0" makes my financial information more secure right
up until the moment I swipe it, at which point it's just as stupid and broken
as classic credit cards. Not intending any offense towards the founders, but I
hope the era of your tech is short-lived.

~~~
proexploit
That's true, there's still a security concern once you've swiped a payment,
but in terms of this secure card, the fact that you need the correct PIN to
even see what the credit card number is would make me feel a lot better about
losing my wallet.

I've got no data on this, but I'm personally more concerned about a
lost/stolen card being intentionally used by someone else rather than a
merchant screwing me over.

Is it world changing? No, probably not. Is it a significant improvement? In my
opinion, yes.

~~~
mikeknoop
Most (if not all?) credit card companies will not hold you liable in the event
your card is stolen. They also require you to get a new credit card number and
report the old as stolen in order for this protection to exist.

Now the question is, are you going to trust that just because you have this
security card you don't need to report the card as stolen / get a new card?

~~~
kjuhyghjk
Except of course with the new super secure card it can't be the banks fault
because it's secure - so any fraud must be your fault and so you are liable.

That's what they tried here with chip+pin cards

~~~
Qz
Actually I'm fairly sure it's only legal for them to hold you responsible to
~50 dollars in case of ID theft. Don't you think the CC companies would _want_
to make you liable? Of course they would.

~~~
jedbrown
In Switzerland, you get a 6-digit PIN, a chip in the card, and SecurID to log
into online banking, but _you_ are held responsible if unauthorized
transactions go through.

~~~
bananaandapple
Just if the transactions went through with your personal secret pin code. And
even then it's certainly a case by case basis.

------
jasonkester
Actually, I just wish that US banks would get up to speed with the Chip & PIN
thing Europe has been doing since the '90s.

Every time I buy groceries here in England, I get grief about my ancient relic
of a Visa card that doesn't even have a chip on it, and thus requires
_swiping_ through a reader like the cavemen used to do and then signing a
piece of paper.

About every 3rd visit, I get to have a manager called over and explain that I
come from a primitive country where the banks still do things the old way.

It's embarrassing.

~~~
poutine
Chip and PIN have one major drawback for you though: they shift the liability
from the merchant to the consumer. With conventional cards you can contest a
purchase and the merchant is out of pocket. With Chip and PIN it's like a
debit card and typically you the consumer is out.

~~~
henrikschroder
Yes, but the card never leaves my hand, and since it's a challenge-response
system, you can't skim the data off of it with a fake reader. This means that
for someone to buy stuff in my name, they would need to steal my card and peek
at my pin-code, and unless I'm a bumbling moron, I will notice if you steal my
credit card.

~~~
aristus
Chip and pin was broken pretty thoroughly early this year:
[http://www.lightbluetouchpaper.org/2010/02/11/chip-and-
pin-i...](http://www.lightbluetouchpaper.org/2010/02/11/chip-and-pin-is-
broken/)

------
sbierwagen
This is cool, but it solves the wrong problem.

The two biggest sources of credit card fraud are:

1.) Credit card numbers stolen from merchants with insecure systems.

2.) Credit card stripe information stolen by skimmers installed on legitimate
terminals.

To combat these, you either need an entirely new system, (which would require
every bank, everywhere, to buy into a new system, and thus will never happen)
or something that generates new credit card numbers on the fly.

Hey, that would actually make this workable.

Have your bank generate ten one time use credit card numbers. Upload them to
your smart credit card. Each time you swipe it, it uses up a CC#. After ten
swipes, it's an inert piece of plastic until you reauthorize it.

~~~
henrikschroder
I know there are banks here in Sweden where you can get one-time VISA numbers
for online purchases. You enter a maximum amount where you guess your purchase
will end up, you get a VISA number and expiry date and all that, and it's
valid for one purchase. If someone stores that number or tries to use it
again, they're shit out of luck because the thing isn't connected to your
account, you are not liable in any way.

However, those are only practical for occasional purchases, I'd assume you
would run through the numberspace pretty quickly if everyone had that by
default on their cards. But it's a neat idea. :-)

~~~
qeorge
Chase offers this, as well as PayPal. In addition, you can generate MasterCard
numbers that only work with a specific merchant, but can be used many times.

------
lockesh
The biggest source of credit card fraud is that there's no standard way of
proving that someone is in physical possession of the card.

Online transactions only require CC#/Exp/CV2 name/address etc which are stored
on merchant machines and then compromised and released to the while.

A much more secure option would be to have CCs with built-in RSA key gen.
Stealing the CC#s would no longer be enough to make a fraudulent transaction.

~~~
brazzy
The CVV2 is _not_ supposed to be stored in any merchant system, that's it's
entire point! A merchant who does store it is actually violating their
contract with the card issuer.

~~~
jedbrown
They are also violating the terms of their contract if they make fraudulent
transactions on your behalf (to put it mildly). Which is why we're not worried
about above-board merchants committing outright fraud, but we are worried
possibly internal security holes through which your credentials may leak. The
CVV2 is on their hardware while the transaction runs, which makes it
vulnerable to unauthorized internal snooping.

I don't know how merchants like Amazon handle fraud, but they don't use CVV2
because they don't bill you until items ship.

------
acgourley
Can someone explain the benefits to me? Thinner wallet, I guess? I don't know
if consumers have much to gain from the security, so is this targeted at banks
trying to reduce fraud?

It's funny I remember the square guys telling me you can get in a lot of
trouble for re-programming credit cards, surprised this technology isn't
violating some obscure laws.

~~~
dangrossman
Visa/MasterCard, which create those regulations, are basically owned by their
member banks. It's banks that issue credit cards. So if banks want to issue a
new kind of credit card with technology like this, they'll rewrite their own
regulations to allow it.

~~~
poutine
Visa and Mastercard are no longer owned by the banks, they both went public in
the past couple of years and are increasingly acting as independent
organizations.

------
evilhackerdude
I like the idea, but I’m putting my money on NFC integration into mobile
phones.

Yes, manufacturers and services providers alike have been trying for years.
Last time I checked there are huge issues with the security. This site seems
to have good information on the topic: <http://weblog.cenriqueortiz.com/touch-
nfc/>

Anyhow, I see much more potential when the ability to transfer money quickly
is paired with an all-powerful computer in your pocket.

So we need someone to both figure out a secure process and provide apps/APIs
to leverage that. Apple, anyone?

------
andreyf
Meh. Looks like more trouble that it's worth. With the new(ish) RFID chips, I
can "swipe" a credit card without taking it out of my wallet. If I wanted a
"secure PIN" feature, I could use my ATM card. Maybe I'll change my mind if my
credit card were ever stolen, but until this, this seems like an sounds-good-
but-is-actually-useless kind of feature.

~~~
melling
Banks seem to be backing away from the RFID cards. My new card came without
one. I called and asked them why and they said they were less secure.
Personally, I love the new cards. Unfortunately, NYC cabs and CVS are the only
place where you can find the readers.

------
ulf
Looks cool, anybody knows how the handle the energy issue?

------
sukuriant
I notice that the cards consume electricity. I wonder how long the battery
lasts, and how they're replaced. Furthermore, there's the whole pressing
against your card, and looking at the actual pressing action, it looks like
you have to press them pretty hard (or maybe he just was). How durable is the
card, really?

------
v4us
+1 I voite for thesi card + chip on the card. I really love it.

------
noelsusman
> the cards are as versatile as they are secure

I highly doubt that. History has proven to me that there's no such thing as
secure when it comes to technology.

~~~
hugh3
They never said that they're perfectly secure, they said that they're as
versatile as they are secure. As in "You're as smart as you are handsome".

------
adn37
'Consequences' will never be the same. (bring the down votes, or just enjoy)

