The Universal Card

retro128 writes "Wired News is carrying a story about a new product from Chameleon Network that's supposed to replace all of your credit/debit/customer cards. It can read the information off of the magnetic strips of credit/debit cards, scan the barcode off of customer loyalty cards, and even memorize the RFID signals of devices like the Mobil SpeedPass. All of this information is stored in a device called the Pocket Vault, and is unlocked with the user's fingerprint. If you wish to use a magnetic strip card, you select the card from the touch screen and put a Chameleon card, which looks like and can be run in standard readers like a credit card, in the Pocket Vault. The Chameleon card will then assume the identity of the card you selected, but only for 10 minutes. In this way, if the card is lost or stolen, nobody can use it. In the case of RFID, you just hold the Pocket Vault up to the RFID scanner for a reading. For barcode-based cards, the barcode will appear on the screen and can be scanned by a standard barcode reader. Chameleon Network says this technology will be available in early 2005 and is expected to cost under $200."

You want me to pay for that?

[ObviousGuy]

200 bucks for you to know everything about me?

How about YOU pay ME.

My vote: the current system

[DaHat]

This just seems too complicated. I enjoy the simplicity of looking in my wallet, and having only a glance of the card I want, pull it out and use it, no need to select any menus or buttons on it, just pull it out, insert, replace.

Warning: Vaporware Company Detected

[LostCluster]

Any company that has a hyperlink marked "Investor Information" above-the-fold (shown without a need to scroll down on a typical 800x600 setup) is automatically a bit suspect.

I fear that Slashdot's logo is now going to get added to their brag-about-press-coverage page [chameleonnetwork.com]. For the record, the "Boston's WB in the Morning" program they brag about was canceled in 2002.

I'm not suggesting that this company's technology doesn't exist, but their product is pure vaporware [chameleonnetwork.com] and they have lists of good reasons why a merchant, bank, or large company should partner with them, but they can't name any merchant, bank, or large companies who have agreed to partner with them. At least they have a patent appilcation pending [chameleonnetwork.com].

Great idea....for thieves!

[Damiano]

So I can grab any card I get my hands on for even a second (as a waiter or working at a gas station for example), run it through this toy and it saves the mag strip info to its internal memory. After getting several hundred (or when I max out the devices memory) I and my friends can then go on a HUGE shopping spree using stolen credit cards. Conveniently, as soon as I think the credit card companies might realize the first number is being used by an unauthorized person, I just switch to the next one. Sign me up! *sigh*

potentially inconvenient

[sjalex]

This sounded cool to me for a few seconds until I thought, what happens when the cashier at the quick-n-go tries to verify your credit card against your license? Stephen

A card is more than just a magnetic strip...

[LostCluster]

It's not quite clear if Visa or Mastercard will allow its member stores to accept Chameleon Cards in place of real plastic cards. Afterall, that card won't be able to mimic the Visa or MS holigram, the color-printed signature strip with code number on it, or the physical impression of the card numbers.

Accepting non-original cards opens up the risk of accepting any card with a magnetic stripe as being a stand-in for the real credit card. It would effectively turn all in-person credit card transaction to being as insecure as a web transaction. There's a reason why web merchants have to pay more for their credit card services, and it's that insecurity.

So, it's near certian that Visa and Mastercard accepting stores will be ordered by the card networks not to accept Chameleon Cards from customers. Game over for this technology... it works in the lab but won't work in the real world.

completely compatible?

[way2trivial]

what if you want to imprint the card?

or verify a signature?
not too good..

give up one digit or four?

[Daniel Quinlan]

and is unlocked with the user's fingerprint

I don't know about you, but I'd much rather have it use a password. I think most people would happily give a sufficiently threatening criminal their 4 digit PIN number (or any style of password) without too much of a fuss, but I'd rather avoid giving anyone any incentive whatsoever to leave me short one digit. It would be a very small consolation to cancel my credit cards after such an incident.

Been done (errr, thought of)

[irokitt]

That's right, this is the card that Ford Prefect swipes from his new Editor so he can hack into the basement computers with the help of his pet robot and....

This just in, new tool for ID Theft just released!

[Tmack]

To me this just screams Identity theft. All a clerk has to do is have one of these in their pockets and swipe customer's cards to get a copy of it. No more need to cash it out on the spot (as with carrying around a second whole credit card scanner), they can use it anywhere they want, and have it report their name on the peice of plastic. And by capturing rfid tags? Doesnt that beat the "security" Speedpass and others like it are supposed to have built in? This thing doesnt seem to check whos card its scanning in, just asks for a finger print. This is essentially a credit-card coppier thats pocket sized. Sure its a little secure against itself being stolen and used by ID theifs, but what about ID thiefs using it against other consumers?

Tm

Credit cards are free, why pay $200?

[eddie can read]

Let me list the reasons why

1) Cumbersome

2) Breakable

3) All eggs in one basket

4) A lost/stolen card is replaced by the credit card company. Who replaces that lost/stolen $200 computer?

5) What do you do when the batteries run out

6) What happens when the OS crashes and the information is wiped out?

So many reasons...

OMG you are a genious.

[Tensor]

This is without a doubt the best thieves's tool!

The only thing that could be done to prevent this is to make it hold only a small number of each type of card. Like only 10 Credit Cards. Still, its pretty much simplyfies the "printing" of stolen cards.

OTOH, i wonder if this will ever work. CC companies must back this up to work, i mean try taking the mag strip off your AmEx (or visa, or ... ) card, and pasting it on a cardboard card, and write your name and number up on the front. And then TRY to use it in any shop. I am sure they'll just ask for some other card.

If it goes by fingerprint...

[eurleif]

Then how do you let a friend borrow your card?

Re:Did you read the parent post?

[Tensor]

Not only that ... the stolen card database would be encrypted and protected by his own fingerprint should he ever be caught.

Making him decode the cards would be akin to making him testify against himself, hence making it unadmissible in court.

Plus he could always claim (farfetched, yes, but possible) that it was all some kind of equipment glitch or Chamaleon card mixup in a bar or something along these lines

Re:A card is more than just a magnetic strip...

[dj245]

Its been my experience that merchants give a crap what your card looks like as long as it scans the first or second time and doesn't create problems for them. My personal card has a hole drilled in it (to facilitate key-chaining), the hologram is worn off. The 3-digit security number on the back is also unreadable (memorized). A good chunk of the Mag stripe is worn to the bare plastic and its actually plastic-white. Merchants couldn't care less. They need it to scan, and little less.

If nothing else, credit cards are remarkably resiliant to damage.

And the difference is...

[algf2004]

So I should stop using my wallet because it is too big and instead use a handheld computer that is as big as my wallet?

Right...

Start simple -- digital cash

[code_rage]

I think it would be much easier to start with a simpler problem: digital cash. I would love to have a card that can hold up to about $100 that is anonymous and which I could use for bus fare, parking meters, road tolls, or small purchases like meals. This would be a natural for on-line purchases of paid content (iTunes, archived news stories).

By being anonymous, my privacy would be protected (at least in theory). It would also be completely unconnected to my credit cards and bank accounts, so it could never be used to steal more than $100 from me.

This is not a trivial problem -- it has some of the same problems as voting (anonymity & non-repudiation).

I think this is already being done in Europe. If only the US would catch up.

Re:Credit cards are free, why pay $200?

[pboulang]

1) Cumbersome

Picture shows that it fits in a wallet

2) Breakable

You can always use your real credit cards. What if a palm pilot breaks? You write things down on paper. . .

3) All eggs in one basket

Agree with this.. would rather not have everything linked in one breakable / trackable / hackable system.

4) A lost/stolen card is replaced by the credit card company. Who replaces that lost/stolen $200 computer?

You spill pasta sauce on your sweater, you buy a new one and are much more careful if it is expensive.

5) What do you do when the batteries run out

Considering the plethora or small handheld devices out there, why is this one so much harder to track charge for?

6) What happens when the OS crashes and the information is wiped out?

Well, you reload the data from either the credit cards again or the backup that was made

and even memorize RFID signals of SpeedPass

[frovingslosh]

and even memorize the RFID signals of devices like the Mobil SpeedPass.

Hey, slick, it can memorize a SpeedPass code. Gee, what could posiably go wrong with this?

Now we gotta wrap our speed pass in tin foil too!

Re:Warning: Vaporware Company Detected

[C10H14N2]

...it will not be implemented because it would be far to easy to use the little bugger as a swipe-and-steal device. Even if the things were ever actually manufactured and sold, I imagine 99.99999% of vendors would not honor them. I sure as hell wouldn't. Besides, they've been circulating this idea for YEARS and they have yet to get beyond the gee-whiz idea stage.

Database Backup

[osmodion]

According to the article, you can just restore from an online or local database, which has to be the stupidest feature of this gadget. If something goes wrong, being able to restore from database won't save you in the middle of a restaurant or at a mechanic in the middle of nowhere. Even with this carry-all, you would still need to carry at least one real credit card with you at all times.

Then there's the security for their online database, which just screams "hack me!"....

Re:Credit cards are free, why pay $200?

[LostCluster]

1) Cumbersome
Picture shows that it fits in a wallet
Picture is clearly photoshopped. The real consumer product has yet to ship.

2) Breakable
You can always use your real credit cards. What if a palm pilot breaks? You write things down on paper. . .
That's nice, but you're still out the $200 device.

3) All eggs in one basket
Agree with this.. would rather not have everything linked in one breakable / trackable / hackable system.
Good, so there's no risk of you wasting $200 on this.

4) A lost/stolen card is replaced by the credit card company. Who replaces that lost/stolen $200 computer?
You spill pasta sauce on your sweater, you buy a new one and are much more careful if it is expensive.
My solution is to not wear $200 shirts very often, and definitely not to eat pasta while doing so. A $200 device had better be durable if it's going to live in my pocket.

5) What do you do when the batteries run out
Considering the plethora or small handheld devices out there, why is this one so much harder to track charge for?
Because having my MP3 player stop playing music isn't as embarassing as not being able to buy what I just took to the checkout.

6) What happens when the OS crashes and the information is wiped out?
Well, you reload the data from either the credit cards again or the backup that was made
You're most likely to discover such a failure while shopping... again, the embarassment situation.

Re:Yes but what about bluetooth?

[sjwt]

no,
all your cards are belonging to others..

1) Steal/borrow wallet
2) Copy cards
3) ???
4) profit

but im sure theres a way to stop it reading
in someone else credit card details..

Re:A card is more than just a magnetic strip...

[LostCluster]

Yes, but when a physical transaction goes fraudlent, the store is to blame for being fooled, and therefore the store eats the loss. When a non-physical transaction goes frauduent, the credit card companies have to eat it.

Re:Warning: Vaporware Company Detected

[Kris_J]

It's also stupidware. I might have enough IR remotes for it to be worth me investing in a universal remote, but I do not have enough cards in my wallet to equal the bulk of a unit like this. And with a ten minute TTL, you've got to carry it everywhere.

Meanwhile, I've got a bunch of Swatch Access watches with contactless smartcards built-in. Why can't we upgrade to something like this instead?

This will never fly

[Jarnis]

- It's expensive. Too expensive for a trinket that might be lost/damaged in everyday life. Credit card lost? No biggie - you just cancel it, request new one. At worst you pay few bucks fee for replacement card.

- Lose this trinket, and you just gave *every damn card/id thingy ya had* to a thief. Yeah yeah its fingerprint keyed. So what? The data is inside and everything is ultimately hackable.

- It can obiviously be used to swipe magnetic strip data off other people's cards you may be able to handle. As a bonus if it can 'dupe' smartcards, Visa & co wont be happy - they just spent gazillions in moving every (insecure) magnetic card to ones with chip inside. I think their timetable is something like by end of 2005 every Visa card is a smartcard. I'd expect credit card companies to sue the pants off this company for unauthorized reverse engineering of their security features against duplication in the cards. DMCA will be used to pwn these guys. (And if it does *not* dupe smartcards, it will be useless in couple of years when every card becomes one)

- Big credit card companies will just tell to the retailers not to accept anything except Genunie Visa(r) Card(tm) :) - logos and all. And if you expect chameleon cards to be allowed to display those logos, think again. Not to mention that a chameleon card would either have to display gazillion different logos (fishy, wouldn't pass in most stores without tons of education and approval of credit card companies), or you'd need a custom card for every card you have - in which case the whole toy is useless.

- Huge hassles with most clerks refusing the cards 'swiped on' with this trinket even without guidance from credit card companies - "that's not a visa card, are you trying to fool me with some thieves tool with copied card data?". The education required to train every damn minimum wage clerk in the world to identify and accept this thingy in place of a real card would be astronomical - EVEN if the card companies would go along with it.

Dot.com boom coming back? This company is beyond loony to even attempt to develop something this stupid.

Re:Use fake telephone numbers

[FreeForm Response]

Remember, /. people are intelligent, and intelligent people conceal identity whenever possible.

So Linus, RMS, that ESR guy... they're all dumbasses then?

There's a difference between concealing your identiity and making sure that your private data stays that way.

Re:Seriously.

[Anonymous Coward]

The Benefit of this thing is essentially that, lacking your fingerprint(the value of biometrics can be discussed elsewhere), it cannot be used

But that's the complete opposite of the truth. It needs the fingerprint of whoever owns the vault, not whoever owns the original credit card. This scheme simply means that if I DO get access to your credit card briefly that I may also have a cheap consumer device, that I don't need to be coy about using, that allows me to easily copy your card. Instead of walking round with a pocket full of stolen cards I have a single vault that nobody else can access.

Any "security" features of the original card are rendered irrelevant because of course I do have a completely valid chameleon card.

Signature confirmation goes completely out because either there is no signature on the chameleon card or, again, it's the signature of whoever owns the chameleon card not whoever owns the original.

To try to spin this as giving added security to owners of genuine cards is absurd.

Re:Did you read the parent post?

[Kierthos]

Er, no. I mean, fingerprints are routinely used as evidence in court cases. Just because one is needed to decode these silly things does not mean that it would, all of a sudden, become inadmissable. And, you know, they do take your fingerprints when they arrest you.

Furthermore, even assuming you had some wierd judge who bought that claim, do you honestly think the company that makes these gadgets wouldn't have some back-door into their own system that would allow them to retrieve information if necessary?

And, odds are, they'd want to help the cops because any continued risk on stolen cards makes their little gizmo look bad.

Kierthos

Free?

[bryanp]

Hell, just make it a free government service

Free? Free to who? There are no such thing as "free" government services. They cost tax $. My tax $. Maybe I don't want to pay for your personal convenience. Maybe the guy next door doesn't care to pay for it either.

Re:Seriously.

[Zeinfeld]

But that's the complete opposite of the truth. It needs the fingerprint of whoever owns the vault, not whoever owns the original credit card.

This is the real problem. These guys sound like they have done a great job of protecting the consumer. In the process they have completely ignored the fact that they have created a method of forging credit cards that requires no expertise or special tools.

I think it will not be very long before the card associations tell their merchants that they must not accept these cards.

Re:This will never fly

[Jarnis]

USA is bit behind Europe in this regard, but they are coming - in five to ten years magnetic strips will be history. Who would invest in a technology that is known to become obsolete in a few years? Especially when the usability and value of the whole trinket is dubious at best. The company in question is TOAST.

Not to mention - here in europe mobile phones/SIM cards are rapidly trying to wrestle themselves into this position. At first they'll be used as coin replacements - you can already buy soda from a vending machine or a bus ticket using a phone in Finland. Next step is to allow you to pay your purchases using a phone in stores. Naturally this bit has much more resistance from the established credit/debit card companies as phone operators are dreaming of taking the cake from Visa and other heavyweights. I'd guess than when the dust settles, there will be something like 'MobileVISA' - basically allowing you to pay using your mobile phone and the purchase showing up in your credit card bill, with the phone operator getting teeny cut out of the action for providing the authentication and linking to the customer's credit card data. Yes, there are naturally security issues - mobile handset theft would become a lot more lucrative if you could pay with one - but give 'em time... sooner or later you have one thingy that you always carry around that functions as a phone and an 'electronic wallet'.

So what's the reason to have this trinket then? There isn't one...

This is bad and misunderstands cc theft

[BeerSlurpy]

Credit card thieves dont physically steal the card anymore. Most often they have their own card reader like this device and they will swipe your card an extra time under the table and pretend it didnt go through the first time.

A week or two later they make a fake card with your magnetic stripe and usually go on a 5000 dollar (the usual single day limit on most cards) spending spree and then fence the goods. The consumer discovers 5000 dollars on his card, usually from stuff purchased when he was in another state, at work, on the international space station, etc and calls the bank up. They issue a new card and reimburse the money.

This happened to me, and not ONCE did my card leave my wallet.

The only real solution to credit card thievery is to have intelligent software that tracks the spending habits of the legitimate user and requires extra verification before allowing out-of-the-ordinary purchases. Like if someone normally buys nothing but gas and groceriers with a credit card and suddenly buys 3000 dollars worth of stereo equipment 200 miles from where they live.... red flag!

Re:Yes but what about bluetooth?

[tambo]

all your cards are belong to us?

Yeah, that's the obvious problem. Who's to say that the information in the card database is for your credit card? Couldn't it be anyone's credit card?

Credit card companies have taken steps to link the physical card to the bearer - putting your photo on the credit card, printing on the card that merchants should request ID confirmation, etc. This completely sidesteps those mechanisms.

In short,this is the perfect tool for credit card theft. Work at a diner for a month, and scan every customer's credit card into your Chameleon. You can then take a great free vacation to another state and pay for every expense on a different credit card.

It took me about 14 seconds to realize this. And yet, some company spent $beeleeons developing it - probably relying on the old "we can paper over the problem with marketing hype" tactic/fallacy. Any chance the Chameleon is made by Diebold?

- David Stein

Re:Yes but what about bluetooth?

[The Only Druid]

One obvious solution (which admittedly isn't mentioned in the article, and thus shouldn't be assumed to be true) is that the device could/may refuse to hold cards for more than one name.

The average person (i.e. almost everyone) has precisely zero reason to carry someone else's credit card (and if they had them, many stores wouldn't accept one that wasn't yours since they're not supposed to do so). This device may simply make the valid assumption that all of your cards should have the same name (which is stored magnetically in the card, if I'm not mistaken).

This would, at least, prevent stealing more than one person's card.

Small Problem

[Rick the Red]

"John Q. Public"

"Jonnie Public"

"Johnathan Public"

"J. Q. Public"

"Johnathan Quincy Public"

Re:Yes but what about bluetooth?

[tambo]

One obvious solution (which admittedly isn't mentioned in the article, and thus shouldn't be assumed to be true) is that the device could/may refuse to hold cards for more than one name.

But everyone has to trust the device to enforce that restriction. A hack for this device, or a copycat device, would exploit that trust quite easily.

- David Stein

Re:Gimmie your wallet!

[Phurd Phlegm]

and your thumb!

I see the parent is modded as "funny," but this is actually a realistic threat. If someone steals my current batch of credit cards, all they need to do is forge my signature, or maybe not even that. No real inducement to harm me, and actually an inducement to keep me from even knowing a theft took place. Now there's a bonus for taking my thumb.

My suggestion: use your little finger. Then either you'll be able to convince them that they should take the less valuable digit, or if they're real Dr. Doom types, they'll mistrust you enough to just take both entire hands. D'oh!

Secondary suggestion: use a toe. This will also put a lid on those impulse buys that have been blowing your budget, since it takes more effort to take off your shoe during a purchase....

Re:Size DOES matter!

[malachid69]

I have to admit, even with the various concerns I have (and the ones listed here), I pre-ordered.

Why? Because I have thought of designing something like this for myself in the past. Even though I no longer carry half my cards anymore (BiMart, et all), I somehow still manage to have WAY too many... Obviously, i could not replace my drivers license (no Mr. Officer, really, this is valid)... looking through my wallet while replying to this, I found 12 cards that I could easily get rid of. Wierd thing is, I thought there would be more, but 1/2 my cards wouldn't work with this (I think), like Social Security Card, OMMP, etc -- because there is no barcode/smartChip/magStripe/RFID on them. IF it was able to simply show me the front and back of any of my cards, like a jpg or something, then I could easily double the number I could get rid of. Of course, at that point, it would probably be really useful for all those damned business cards that manage to get into my wallet too.

Malachi

May not be as insecure as you think

[TekMonkey]

You have all posted very valid reasons why this new system would be unsecure, but don't you think Chameleon would have taken some measures to secure this?

I have no proof or way of knowing if this is what Chameleon does, but if they're smart, they've done something along these lines:

If someone stole your chameleon card, they wouldn't be able to use it without your fingerprint.

I assume Chameleon wouldn't let just anyone load any Chameleon card into their pocket vault. I'm sure they assign a single card to each pocket vault/user, and it won't accept cards that do not match the pocket vault's number.

So if someone stole your card (account #001) and tried to put it in their pocket vault (account #002), it would deny it because the card isn't account #002.

If someone stole your credit card and scanned it into their pocket vault, again I assume each pocket vault would have one user assigned and if it didn't match, it wouldn't accept. For those of you who say "What if a wife wants to use husband's card and vice-versa?", Chameleon probably lets you assign both the wife and the husband's name, so she can use his cards and he can use her cards.