The Universal Card

retro128 writes "Wired News is carrying a story about a new product from Chameleon Network that's supposed to replace all of your credit/debit/customer cards. It can read the information off of the magnetic strips of credit/debit cards, scan the barcode off of customer loyalty cards, and even memorize the RFID signals of devices like the Mobil SpeedPass. All of this information is stored in a device called the Pocket Vault, and is unlocked with the user's fingerprint. If you wish to use a magnetic strip card, you select the card from the touch screen and put a Chameleon card, which looks like and can be run in standard readers like a credit card, in the Pocket Vault. The Chameleon card will then assume the identity of the card you selected, but only for 10 minutes. In this way, if the card is lost or stolen, nobody can use it. In the case of RFID, you just hold the Pocket Vault up to the RFID scanner for a reading. For barcode-based cards, the barcode will appear on the screen and can be scanned by a standard barcode reader. Chameleon Network says this technology will be available in early 2005 and is expected to cost under $200."

Pros and Cons

[Anonymous Coward]

While it would be great to have everything on one card... there is a lot more inconvenience to be expected if it is lost. However, the security features may trump that.

At college, I have a meal card and a key card, and as long as I only lose one at a time, I can always either eat or get into my room. If one card served both functions, I would lose food and shelter when I lost it. On the other hand, maybe it would be simpler to only have to keep track of one card and I therefore would not lose it. Who knows.

Re:You want me to pay for that?

[Turgon33]

yeah, just what i need. one single device that can decide to call 'home' with all of my purchasing habits on it.

Big Ouch at the ATM

[breakinbearx]

One has to wonder... what happens if the ATM eats your card? Then again, if the ATM is likely to eat your card, you probably don't have the cash for this gadget anyways.

Re:Great idea....for thieves!

[mauthbaux]

Well, since it supposedly only works for 10 minutes at a shot.... I don't think that using it for illegal means would be that easy. However, the problem is that from the sounds of it, the needed input signal (fingerprint that is then translated into a digital activation signal) is already stored on the card itself. I'm sure that it wouldn't take too long even without the owners fingerprint to crack whatever signal they're using, and make stealing cards a very very proffitable business. Makes Identity theft all the easier....

Stacks of Credit Cards?

[wideBlueSkies]

I don't know about other folks, but I've got 3 credit cards, a NYC Metro Card(transit fares), an Employee IS and a drivers license in my wallet.

I wouldn't call that a stack and it's manageable. Never even though of this as being a problem before reading the article.

If someone were to use this gadget, they'd have the 'stack' of cards, AND the gadget to worry about. Right?

Sounds like a waste to me.... Nothing to see here, move along please.

wbs.

Did you read the parent post?

[Anonymous Coward]

He wasn't saying it would be easy for thieves to steal the universal cards themselves; it would be easy to actually store stolen cards (be it credit cards, debit cards... whatever) into memory very easily and efficiently! He makes an excellent point and I think it's rather scary. A thief would only need the card for a second, and they would have card in their little database.

Re:OMG you are a genious.

[John Courtland]

You can remagnetize a carelessly discarded card. ALWAYS cut your discarded credit cards. Use it at a shop that is lax on security (why do you think some clerks ask for photo ID and are supposed to type in the last 4 digits of the CC #?). However, this wouldn't even need that. It comes with a "chameleon" card that can change its number. Use that and you're set.

What about replacements?

[sydbarrett74]

What if my Chameleon Card is lost or stolen? With conventional plastic, I can call the issuer, report the card lost/stolen, and have a replacement sent within a couple of days for free (be wary of those companies that would charge you for this service). What is my recourse with Chameleon? Ponying up another $200? Also, what if I destroyed my original cards when transferring their data to the Chameleon device? Is there an online backup somewhere? Or am I shit out of luck?

Re:Gimmie your wallet!

[Anonymous Coward]

You joke but it seems to me that just by handling this thing you've foiled the security on it because you've left the "password" (your thumb-print) all over it. If you drop it, everything a thief needs is right there. I seem to remember a Japanese professor creating gum-drop fingerprints by lifting prints off handled items.

Re:OMG you are a genious.

[Anonymous Coward]

Having to post anonymously, due to a previous life of crime that my present life must not acknowledge.

The criminal element factor was my first reaction to this. Back in the day, I worked as a bartender in a restaurant. I also knew a few people who were 'connected', as it were. These nefarious people had access to a magnetic card writer. I had access to a great many credit cards. I'm sure you can make the connection.

I was paid a non-trivial sum for every credit card number I delivered to them, and more for American Express Platinum cards. I was also paid another amount for pilfering credit cards from the office safe -- you'd be surprised how many people leave their cards behind at a bar and never reclaim them. We would always get at least 5-10 a night, and there was a stack of 100's that people had never claimed.

These people would then re-encode the pilfered cards with the stolen numbers and go on a spending spree. In the event of a store with a last four numbers check, or if security was a concern, they just used another corrupt employee like me to type in the correct four digits. I even recieved a few of these cards as bonus payments myself.

Luckily for me, I got out of the business before it attracted too much attention on my part. However, to this day, I will not use a debit card in place of a credit card. At least with a credit card, you have protection. A debt card just comes right out of your bank account. I certainly tried to not give the criminals debt card numbers, but I'm sure a few slipped through the cracks, and I know that there were co-workers less scrupulous than me.

However, I also wonder if you'd be able to use this device in any store. With all the security in place today, I wonder who would accept this as a valid credit card. I can't even buy things without having the back signed half the time. Then again, it's not like the self-checkout lines at Wal-Mart ever physically inspect my card.

Re:Warning: Vaporware Company Detected

[FearTheFrail]

So does this mean I should scale back the work on my planned competing product, the "Carte Blanche?"

On a more serious note, how much of a far-fetched idea did universal remotes appear to be when they were first being developed? While they can be a little bit cumbersome when switching between multiple devices (for those of us who still rig our cable between the VCR, satellite dish, microwave, Bose wave radio, ham radio, heat pump and Tesla coil), it still seems to be generally less hassle than having to switch between remotes to find the appropriate one(s) to use.

Of course, the likelihood of needing multiple cards at one location would be rare, but could this be just the first shot at a product that's bound to come to us eventually, anyway?

Re:A card is more than just a magnetic strip...

[Anonymous Coward]

I am always _very_ surprised to hear, you american people, describe their credit card system.

It sounds like middle-age era to the europeans.

For more than ten years now, we have anbandonned the use of the magnetic tape (not to speak of imprinting...).

Every credit card is equipped with a chip, is protected by a password (a four-digit code) that has to be typed on the card-reader for _anything_ you buy. And if the price is higher than some limit (say $100), the system contacts your bank.
No signature is ever used.
If you want to steal a card, you have to ask for the code (still better than to be asked for your thumb, btw).

It is difficult to copy a card. You cannot simply read it and make a copy. There have been some breach in the past, they have been somewhat fixed afterwards. They have remained small in their extend, and the bank had to cover any subsequent loss themselves (by law). It would be possible to do something even better, but apparently, the costs of upgrading the system are higher than those induced by fraud.

I guess it is the same issue that makes you keep your aging system.

Seriously.

[cryptochrome]

That's $200 you're whipping out in front of everyone. So easy to lose, and so tempting to steal (even if they can't get the data in it).

Here's what would make more sense: All credit/debit cards require the reader to verify and register the purchase. Instead you open up a meta-account with a debit card that you register ALL your cards and bank accounts with, and then use just that card, allowing the meta-account to distribute your money for maximum savings or returns. Since interest is compounded daily, paying/investing daily could save/make you a fair chunk of change. Hell, just make it a free government service and make it your driver's license or id, so you don't have to carry anything extra.

Oh, and if you lose it you're not out $200.

Re:OMG you are a genious.

[Ironica]

However, to this day, I will not use a debit card in place of a credit card. At least with a credit card, you have protection. A debt card just comes right out of your bank account.

It comes down to bank policy. My credit cards, by law, have a cap of $50 of personal liability if they are stolen. But my debit card, by WFB policy, has a cap of $0. Which card will *I* use? Hm...

Re:Netherlands has chipknip.

[mtenhagen]

The netherlands has chipknip (free translation: chipwallet)

See this pdf for a nice english description about.
http://www.protonworld.com/downloads/pdfs/ netherla nds.pdf

It isnt such a succes as they planned. But it is used pretty much and most stores accept chip payments.

There where some rumors about security leaks do. Chipknip is integrated with your bankcard so not anonymous

Re:A card is more than just a magnetic strip...

[Jonah Hex]

I am always _very_ surprised to hear, you american people, describe their credit card system. It sounds like middle-age era to the europeans

I think it's probably due to the different economic and social pressures involved, the strongest being the fact that most US card producing companies are mostly of the large, monolithic type. I've been in an actual room where First Chicago - National Bank of Detroit produces CC's, and not only is the entire Haggerty Road Tech Center building under tight security but the CC creation room itself has several additional layers of security that would be more at home in a maximum security prison; all protecting it and all those rolls of magnetic tape, holograms, cars, and of course the weird "loom and stamp" machine that winds it all together. Speaking as a computer geek not as a security expert, I'd guess the security on the CC room was 10X greater than for their large mainframe computer area. I'd say that tells much about how the large financial institutions view CCs.

I also want to touch on the social aspect, as you can see by a few posts thru this topic many folks are very much against the idea of combining all their cards into an all-in-one, and I will bet that most of them are from the US as I am. We are all trained into considering our cards much the same way the banks do, as well as having the added social pressures of both: freedom from privacy violations by biz and government (real, imagined, or socially engineered by some faction), and the "group trends & fads/social network/urban legend" aspect which plays such a large part (along with advertising/entertainment) in how the American people live.

While I'm mildly aware of the one card situation over in the EU, and also both one card and replacing cards with cell phones over in Japan, it seems like there are probably the same factors at play in both those situations, only in altered ways due to CCs being introduced at different times and ways in the different areas. Often times being the first country to implement an idea or proccess is not necessarily the best way for innovation to occur, especially where a large amount of infrastructure and/or business processes are put into place to support the early versions. Countries that implement such ideas later have the luxury of buying into second, third or even higher generations of the tech, which may very well be an almost totally new system such as comparing the US's credit cards with the EU chip card and the Japan cellphone "card". However having such widely varied systems in place in geographically seperated areas will give future innovations in this industry a chance to select the best aspects from three real-world viable and operating systems. I'll take a stab in the dark here and say this also might help keep the "keepers of the cards" from becoming a monopoly.

Jonah Hex

Re:Great idea....for thieves!

[Genda]

I'm not as frightened about misuse with credit or debit cards (since those have a fair variety of built-in security.) I'm much more concerned with the ability to scan somebody's card key and enter virtually any building that uses an RFID card key system.

This is going to be the kind of tool that buglars stay up all night praying for!

Genda

its a strip and a chip

[DavidDeLux]

Well, Visa and Mastercard are moving over to smart credit cards - with the embedded ICC - so the Chameleon Card will not only have to produce the right magnetic strip, but also the right applications to the ICC... and you can't just stick a smart card into a reader and duplicate it. BTW, anybody else notice that the team members of Chameleon contain more than one Unpublished name... so if some of the people behind it don't want their name public, what faith can you put in their product.

Re:Yes but what about bluetooth?

[dnoyeb]

Also seems like BS. You are not going to read an encrypted speed pass. I am assuming its encrypted like other RFID tech I have worked with.

I this case you require the cooperation of the card producer. Just like HomeLink universal garage door opener has cooperated so we get UGDO. But car alarm companies and car manufacturers have not so we do not have universal keyFobs.

I am more confortable with distribution/decentralization of my money access tools. This is why I dont use .NET universal login feature. though admittidly I tend to use the same id and pwd in most places...I have a spreadsheet full of ids and pwds I keep on my linux box.

Is it just me.....

[L0rax23]

Or is this just an open invite for an even more high-tech form of identity theft.

Who do you want to be today?

o)

Re:Small Problem

[ilsa]

Don't forget his new wife: Jane Marie Average-Public, who is still trying to get her Social Security Card re-issued with her married name. Double the fun if she answers to her middle name, triple if people routinely mispell any part of her name (Jayne Mary?)

Card Reader

[severoon]

What do you think of this?

You get a single card that can store all your info, and a card reader at home. You slip the card in before you head out and unlock all the elements of it using the card reader and some kind of authentication thing like a public key (I like codes that thieves will not expect you to know off the top of your head, like a 4-digit PIN--that's dangerous...but can you see a crook saying, "Give me your Universal Card and your public key"?). You could say, unlock all my credit and debit until 8pm tonight, and leave the Visa and Mastercard unlocked until 10pm.

You have to choose a default credit account that stays on all the time, but if you make too many purchases with it while the rest of the card is locked, the credit card company calls you and lets you know. That's it. They don't shut it off, they don't even have to have a live person call you. They just call you and say, "Someone's charging on your locked card, is it you?"

Of course, if you prefer the credit company to be liable, then you have to allow them to shut it off if purchases don't match your typical buying profile whether it's locked or unlocked. If you want the freedom to never have your card shut off, then you agree to pay the charges.

I don't see the point of keeping things the way they are. I don't know about you guys, but I keep all my credit cards right next to each other, so if I ever get mugged, I'm going to lose them all anyway, along with my ID. So I say stick 'em all on the same piece of plastic so I only have to track one thing. And you have to admit, it's definitely more secure than cash any way you cut it. Someone gets your cash, and what recourse do you have?

sev

I hope you never travel

[grahamsz]

In the UK at least if you dont have a real signature on your signature strip then they will most likely refuse the transaction.

I know someone who on some occasions had the write the words "check id" to the upper right of her signature because people interpreted it as part of her sig.

Stores REALLY need to start reading the smart chips on cards. I've got 4 or 5 cards with those, but since moving to the USA they haven't been checked once.

well

[Anonymous Coward]

what do we do about all the cut off fingers that will be laying around?

What's to stop me from stealing our hand (ala Demolition Man) and uising your finger prints?