The Unfulfilled Promise of ‘Smart’ Credit Cards

Advertiser Disclosure

The editorial content on this page is not provided by any financial institution and has not been reviewed, approved or otherwise endorsed by any of these entities.

The idea seemed brilliant in its simplicity: Combine all the credit cards in your wallet into one slick, card-sized gadget with a chameleon-like magnetic stripe that could be swiped anywhere. All-in-one cards promised the end of bulging wallets forever.

Coin, the first well-funded entrant into the category, made a huge first impression thanks to a slick social media campaign and viral videos — one was seen 10.2 million times on YouTube. Imitators like Plastc and Swyp jumped in on the excitement and into the fray.

Frank Barbieri, a tech enthusiast and investor, was among the first to spot and share an ad for Coin.

“I was excited about the promise,” said Barbieri, who paid $50 on the spot to get in line to be among the first Coin customers.

The company said it wanted to raise $50,000 via pre-orders when it opened the doors on Nov. 13, 2013.  It reached that goal — theoretically, 1,000 orders — within 47 minutes.

But minutes have turned into hours, days, and years … and those early enthusiasts are still waiting for their one card to rule them all. Coin has come and gone. Its wearable payments technology was sold to Fitbit in May, and the company stopped producing its flagship product. What’s left of the category seems little more than Facebook pages where frustrated consumers beg for the status of their pre-orders.

Failure to Launch

 

Plastc, which was considered a close competitor to Coin when it launched in October 2014, is currently taking orders for its $155 product but has yet to ship a product. The company says it has 80,000 pre-orders and has raised $9 million in revenue since its launch. But it has repeatedly disappointed consumers with delays. Earlier this year, the ship date was bumped from April to August or September, according to a message attributed to CEO Ryan Marquis and posted on several online venues, including Reddit. The message offered consumers an opportunity to get a refund, but Marquis urged folks to be patient.

“I hope you stick around. Plastc Card is going to be an AWESOME product,” he wrote.

In July, the company announced another delay, blaming a typhoon that wreaked havoc with its parts suppliers in Asia. The release date was pushed into the fourth quarter of 2016.

When we reached out to Plastc, the firm said it was shipping orders “in late Q4 (Nov/Dec) of this year.”   But separately, CEO Ryan Marquis said on a Facebook video released in late September that only a small group of buyers would receive their cards this year, as part of a test group, and the rest wouldn’t be shipped until next year.

“Stop lying to your (way too) loyal customers about when this outdated product is going to ship,” wrote Steve Bierfeldt on the firm’s Facebook page. Bierfeldt, a 30-something who lives in the New York City area, told me he ordered the product more than a year ago. After this latest delay, he requested a refund.

Plastc CEO Ryan Marquis apologized for production delays during a Facebook Live chat on Sept. 29, 2016.

“They’ve missed 3 or 4 public deadlines, and there is nothing to indicate they have a working prototype, much less a finished product,” Bierfeldt said. “It certainly seems they are stringing along customers and hoping the bottom doesn’t drop out. I hope they can pull it together because the idea of the product is a good one.”

Plenty of Plastc consumers aren’t convinced the product will ever arrive, and aren’t shy about complaining. On Plastc’s Facebook page, the firm is currently offering a T-shirt giveaway, leading another buyer to write, “Want my card not a damn T-Shirt.”

Plastc did not answer additional questions about the consumers’ frustration.

Michigan-based Stratos card got a lot of attention when it launched and began shipping some all-in-one cards in May 2015, but in another sign of how tough the market is, the firm nearly went under less than a year later. At the 11th hour, Stratos sold to Ciright One, a Pennsylvania-based firm working on a similar product. Ciright’s “One” card will pitch a slightly different angle, promising to help consumers keep track of their gift card balances, while also allowing use of credit cards. The firm’s website says its One Card will ship in 2017.

Bad Timing and Mixed Results

Why are all-in-one cards, and their elegantly simple idea, such a dud? There are plenty of reasons.

The key technology involved, which predates Coin, is called “dynamic magnetic stripe.” Installed on a gadget like Coin, it would theoretically allow consumers to load multiple cards onto the same device.  Then it would change, chameleon-like, so it would look like the original bank-issued piece of plastic to any point of sale terminal. Fine so far.

But Coin and its ilk had bad timing. Barbieri was lucky enough to get an early version of Coin, but he found he could hardly use it anywhere. Just as Coin arrived, stores began abandoning the magnetic stripe in favor of EMV chip debit and credit cards. Coin had no way to deal with that.

“So it was a complete bust. [I] had to carry cards anyway,” Barbieri said.

But the chip issue is just the beginning of the problem faced by all-in-one card makers, says James Wester, a payments analyst at IDC Financial Insights. He’s not surprised that gadget makers shipwrecked while trying to change the way consumers spend money. Many tech firms have run aground before.

“Trying to participate in the payments space is very hard,” Wester says. “A lot of folks who try, find out the hard way.”

For starters, Coin and its imitators had to do the near-impossible: compete against a product that’s free and simple. Bank plastic doesn’t cost anything and works pretty much immediately. Cards like Coin cost money and have to be loaded and maintained.

“Is [carrying too many cards] a problem worth paying $50 to solve?” Wester asks. “When your largest competitor is a free product, that’s going to be really hard.”

As is clear from the continuing angst over conversion from magnetic stripes to chips — not to mention the fits and starts suffered by giant entrants Apple Pay and Google Wallet — old consumer payment habits die very hard. People don’t want to have to think about how they spend money; they just want it to work.

Coin, which had shipped two versions of its product, gave up earlier this year and sold its technology to Fitbit. A message sent to CEO Kanishk Parashar wasn’t returned.

Silver Linings

Swyp shipped its first batch of long-awaited cards this summer after prolonged delays. Users are already complaining about the card’s major flaw: it is not EMV chip-enabled.

Not that all all-in-ones are giving up. Swyp, which promises a similar product it calls the “smart wallet,” shipped a batch of cards this summer to consumers who pre-ordered them.  But these cards suffer from the same problem as Coin’s first batch: they only work as magnetic stripe cards, and can’t be used to complete EMV chip transactions.

Swyp is no longer taking pre-orders for them.  The firm says on its website that the cards will go on sale next year. It also says Swyp will support both EMV and NFC in the future, but doesn’t say when.

Wester, who comes across as very cynical of all-in-one cards, thinks that firms like Plastc might actually have a window of opportunity created by the current chaos in payments. Consumers are still frustrated by the clunky changeover to chip credit and debit cards, and the associated slowdowns at checkout. Adoption of mobile phone payment or other schemes using wireless Near Field Communication (NFC) tap-and-pay technology has been sluggish too.

NFC-enabled plastic allows “contactless credit cards,” which are popular in Europe, but are nearly unavailable in the U.S. And that could be an opening for a card like Plastc. (On its site, the firm says it will support NFC, but not chips, at launch.) Tap-and-pay NFC transactions can be nearly instantaneous, which might attract consumers and create a value proposition, Wester said. And if they are integrated into wearable devices, which is Fitbit’s master plan, they could give runners an easy way to grab a bottled water without slowing them down.

Still, Wester repeated many times, creating a brand new form of payment is among the most challenging areas of technology innovation. It’s so challenging that he offers his entrepreneurial friends this advice:

“If you have money to burn on a smart idea, don’t go into payments,” he said. And if you have money to burn on a product, consider spending it on something other than a pre-order for a payments gadget.

6 Things You Should Do Immediately If You Have a Yahoo Account

Yahoo says 500 million user accounts have been compromised, and they are telling users to change their passwords. That’s good advice, and below you’ll find better advice from security firm Sophos.

But first: For the next several days, or even weeks, beware emails that appear to come from Yahoo. Now will be a great time for phishers to trick users into following alleged “change your password” links that actually lead to hacker-controlled sites.

Now, onto the better advice:

  1. Change your Yahoo password immediately.
  2. Reset this password, if you’re reusing it on other online sites. Cybercriminals are now using tools that sniff out passwords reused on other, more valuable sites to make their work easier and to make the stolen passwords and other hacked data more lucrative on the dark web.
  3. Make all new passwords different and difficult to guess – yes, you need to create different passwords for every site you visit.
  4. Include upper and lower case letters, numbers and symbols to make passwords harder to crack – refer to the Sophos Password Quick Tips guide for creating stronger passwords.
  5. Don’t trust password strength meters – these are unreliable and inaccurate.
  6. In general, it’s always good practice to update your passwords, password manager and security questions if you hear of a potential data breach that might affect you. Even data breaches from several years ago could still impact you today.

I disagree about using a new password for every site. I mean, it’s a lovely idea, but it’s just not realistic.  Instead, I’m an advocate of having password families.

One simple password for throwaway accounts you don’t care about, like newsletters;  one medium-hard password for sites that require a registration, but don’t involve money; and then one really strong password for financial accounts that you change on a regular basis.

For that tough password, use something clever, like the first letter of every word in a sentence.  Like this: I Was Born on November 1 in North Dakota — IWBoN1iND (I wasn’t, by the way).  Change a number to a symbol and you are in good shape, like IWBoN!iND.

Now, as for how often you should change your password — I asked a bunch of experts that question not long ago and got some interesting answers.

Graham Cluley – Independent computer security analyst, formerly of Sophos and McAfee (more about him)

I only change my password if I’m worried a service has been hacked/compromised. I have different passwords for each site. In fact, I reckon I have over 750 unique passwords. I use password management software. I think requiring people to regularly change their password is a bad idea. It encourages poor password choices, (such as) … passwordjan, passwordfeb, etc.

Depends.

Mikko Hypponen – Chief Research Officer, F-Secure (more about him)

For your corporate network account? Several times a year. For an online newspaper that requires registration in order to read it? Never.  As always, it’s about threat modelling: Figure out which services are the important services FOR YOU. Then use a strong, unique password on those, and change it regularly. For non-important sites: who cares.

James Lyne, Global Head of Security Research at Sophos, speaking specifically about corporation passwords (More about him)

The requirement to change your passwords is a preventive measure that is designed to minimize the risk of your already stolen password being cracked and used. Over 2014 there have been a huge number of attacks which have led to the loss of password hashes (or other representations). These password ‘representations’ require time and effort for attackers to crack and reverse to their plain text form. Depending on the hashing scheme in use and the resources of the attacker this can take little, or a very long time. Changing your password regularly helps manage the risk of an attacker stealing your password hash from the provider (without you knowing) by increasing the probability you have changed it before they use it.

There is a real balance to be struck with password rotations. Some enterprises set painful rotation rules that require staff to regularly learn a new password and commit it to memory – ironically this can lead to staff producing poor passwords to meet the requirement which again ironically makes it much easier for the attacker to break. Providing the service provider does their part and secures your password with an appropriate storage mechanism often using a significantly longer, complex and hard to guess password is a much better defence. Good luck to the cybercriminal going after a 128 character password stored as a (moderately poor) SHA1 hash.

Password managers help you generate long and complex passwords that will be hard to crack even if lost, that said, if you go this far and implement a manager you may as well rotate your passwords once in a while as you don’t need to remember them and it helps minimize the risk of attackers using stolen credentials (particularly on sites that store your password poorly).  Most enterprises would do well to consider how to improve their password storage security and the strength of the original password over a 30 day rotation period.

Harri Hursti – independent security researcher, famous for “The Hursti Hack” of voting machines (more about him)

This is not (an easy question) … because also changing the password too often can become a security risk.

It greatly depends. Passwords I use more often, over the internet and are in sensitive sites are changed 2-3 times a year. Then there are very important passwords which are either used very seldom or are used in more secure environment and those I change once a year, or not even then.

Chester Wisniewski and Paul Ducklin, senior security advisors at Sophos. (More about Chester and Paul)

The answer, loosely, is this.

Change a password if any one of these is true:

  1. You suspect (or know) it has been compromised.
  2. You feel like changing it.
  3. You have been re-using passwords and have decided to mend your ways.

We explain better in the podcast “busting password myths,” I think.

The podcast is 15 minutes, however, the first two minutes address this very question and may be worth your time.

 

Banks Aren’t Losing Sleep Over Credit Card Fraud. Neither Should You.

Banks are willing to tolerate some credit fraud losses in order to maximize sales.

Mention fraud in any group of friends, and you are bound to hear someone tell a breathless story about their credit or debit card getting “hacked.” After all, the Justice Department says about 7 percent of U.S. adults are hit with ID theft – mostly card fraud – every year. That number might be even higher. A survey of MagnifyMoney readers found more than 22% had dealt with credit card fraud before.

Dealing with fraudulent charges can certainly be a hassle. Changing your account number at all the places where you use automated payments — from Netflix to Hulu to the electric company — can take some time, and you risk a late fee if you screw up.

Here’s the thing no one in the financial system likes to talk about when it comes to fraud: just how little banks—and even merchants—care about fraud.

“Banks don’t lose sleep over it, so neither should you,” says Gartner fraud analyst Avivah Litan.  “Sure, [getting hacked] is upsetting, but consumers should be very relaxed, because they’re almost always going to get all their money back.” To be sure, nearly 100% of our readers received full refunds after their credit cards were hacked.

Banks and merchants could dial up their security systems so tightly that fraud would be nearly eliminated. But they don’t, because that would only make it tougher for legitimate customers to spend money. When fraud security is too tight, legitimate consumers would inevitably get tangled up in the security checks. Merchants and banks would lose sales and irritate customers. In the end, they’d rather tolerate some losses in order to maximize sales.

That’s not to say banks and merchants do nothing to protect their customers. Most employ a variety of systems to sniff out potential fraud. If you are an online shopper and have ever tried to ship something to an address that differs from your card billing address, you’ve probably encountered these fraud checks. Many involve scores, not unlike credit scores, that work like this:

A transaction that involves an international credit card shipped to an unusual address for a small but valuable item would get a high fraud score;  an item purchased repeatedly by a customer and sent to their known address would get a low score. Companies make their own decisions about how much risk to take — how high a fraud score they allow — before stopping transactions.

It’s a tricky calculation, but Litan says some banks are willing to set the dials so low that they only detect 65 percent of fraud. “They’re not going to get in the way of their consumers,” she said. “That’s just the way they do it. It’s not like they don’t have fraud protection. They just aren’t going to tune it as tight as they can.”
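The scoring trade-off described above, as an added example that is not from the article or any bank's real model: it scores constructed transactions on the four signals the article names, then finds the loosest blocking threshold that meets a 65 percent detection target and a near-total 99 percent target. The signal weights and the 30 sample transactions are assumptions made up for illustration.

```python
from dataclasses import dataclass

# Assumed weights for the signals the article names (not a real scoring model).
WEIGHTS = {"international": 35, "unusual_address": 30,
           "small_valuable": 25, "repeat_purchase": -20}

@dataclass(frozen=True)
class Txn:
    international: bool
    unusual_address: bool
    small_valuable: bool
    repeat_purchase: bool
    is_fraud: bool  # ground truth, known only after the fact

def fraud_score(t: Txn) -> int:
    """Sum the weights of the signals present; never below zero."""
    return max(sum(w for name, w in WEIGHTS.items() if getattr(t, name)), 0)

def _make(bits: str, is_fraud: bool, count: int = 1):
    # bits = international, unusual_address, small_valuable, repeat_purchase
    return [Txn(*[c == "1" for c in bits], is_fraud)] * count

# Constructed sample: 10 fraudulent and 20 legitimate transactions.
TXNS = (
    _make("1110", True, 2) + _make("1100", True) + _make("1010", True)
    + _make("0110", True, 2) + _make("1000", True) + _make("0100", True)
    + _make("0010", True) + _make("0011", True)
    + _make("0001", False, 8) + _make("0011", False, 2) + _make("0101", False, 2)
    + _make("1001", False) + _make("0010", False, 2) + _make("0100", False, 2)
    + _make("1000", False) + _make("0110", False) + _make("1010", False)
)

def evaluate(threshold: int) -> dict:
    """Block every transaction scoring at or above the threshold."""
    fraud_total = sum(t.is_fraud for t in TXNS)
    caught = sum(1 for t in TXNS if t.is_fraud and fraud_score(t) >= threshold)
    declined = sum(1 for t in TXNS
                   if not t.is_fraud and fraud_score(t) >= threshold)
    return {"threshold": threshold,
            "detection": caught / fraud_total,
            "false_declines": declined / (len(TXNS) - fraud_total)}

def loosest_threshold(target_detection: float) -> dict:
    """Highest threshold that still catches the target share of fraud."""
    for th in sorted({fraud_score(t) for t in TXNS}, reverse=True):
        result = evaluate(th)
        if result["detection"] >= target_detection:
            return result
    return evaluate(0)

if __name__ == "__main__":
    for target in (0.65, 0.99):
        r = loosest_threshold(target)
        print(f"target {target:.0%}: block at score >= {r['threshold']}, "
              f"catches {r['detection']:.0%} of fraud, "
              f"declines {r['false_declines']:.0%} of legitimate customers")
```

On this sample, meeting the 65 percent target declines 15 percent of legitimate customers, while meeting the 99 percent target declines 60 percent of them.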

Here’s a recent example that shows just how laissez-faire banks can be about fraud.

Remember when the Target credit card hack began a wave of database thefts that led to hundreds of millions of credit card account numbers being compromised?

Many banks, knowing that criminals had these stolen numbers, didn’t even bother to cancel associated cards and issue new ones. Instead, it became common practice to put the accounts on a watch list, and only cancel them once actual fraud incidents arose.  That generally gave the criminals one or two bites at the apple before a hacked account was shut down.

That being said, more critical transactions, such as cash wire transfers, often come with tougher fraud standards, requiring up to 99 percent fraud detection.

The bottom line:

The next time you fret about fraud, or see an ad for a service trying to sell you fraud protection, remember that there’s no need to be hyper-vigilant. Your liability is capped in most cases at $50 as long as you report the theft quickly, and most banks waive that, too.

Take reasonable steps to avoid credit card fraud: Don’t use your credit card at a suspicious website.  Check your statements every month for fraudulent charges.  But don’t lose sleep over it, because banks aren’t.  Save your digital anxiety for far more serious hacking incidents like the theft of healthcare data or a ransomware attack against your hospital.  Those hacks involve far more valuable personally identifiable information, like Social Security numbers or health conditions, that you can’t simply cancel and reissue. Recovering from that kind of hack can be a lifelong ordeal, rather than a simple phone call. So, don’t sweat the small hacks.

What to do if you’ve been hit with credit card fraud:

MagnifyMoney has published a free Credit Monitoring and Identity Theft Guide. This guide can help you create a strategy to reduce the risk of identity theft happening, to identify fraud as soon as it does happen and to make it as easy as possible to resolve any fraud that does happen on your account.
