Coin, the card of cards, is back with a couple of updates: a “tap-to-unlock” feature, and a video demonstration of their latest prototype.
If you remember from our original review, we described Coin as a reasonable idea with one well-intentioned but fundamentally flawed feature: it disables itself when out of range of your smartphone. It makes sense they would confront concerns about the security of their device head-on, but what happens if the battery on your phone dies? Well, it seems they have a solution:
Depending on (1) the complexity of the passcode and (2) what protection they have against brute-force attacks (e.g. will it lock you out after repeated failures?), this change may completely undermine the value of the feature. Still, it means users won’t be completely screwed if their phone gets stolen, and Coin can still count it among their list of features.
There’s a new video demonstrating a Coin prototype cycling through several cards, then completing a purchase. It’s all very convincing. Unfortunately, you’ll have to take my word for that because the video is not publicly available.
That’s right. Rather than posting their demo to the main Coin page, they’ve hidden it on a separate password-protected backer’s club page. The security is pretty weak (I was able to get in if that’s any indication), so it’s less about protecting information than affecting an air of refined exclusivity. I mean, just look at this:
I appreciate good branding as much as the next guy, but this video is exactly the sort of thing I’d want to see before backing the project, not after.
I still have reservations about this product, but none of those reservations are technical. It seems they have a good chance of launching this product when they’ve promised to.
Consider this, however. Coin’s terms of service place all liability for stolen data and fraudulent use onto users, but users do not have access to the technical details of Coin’s implementation to make an informed assessment of the risk involved. The product could be airtight, or it could include obvious, fundamental design vulnerabilities. We simply don’t know.