Wednesday, March 21, 2012

Will Geode be Safe to Use?

Thanks to Twitter, I stumbled upon an innovative new approach to slimming down or replacing the wallet. You can read the details for yourself, but Geode basically copies your credit card information and regurgitates it onto its own reprogrammable card as you need it.
http://www.cultofmac.com/154808/geode-turns-iphone-into-universal-credit-card-rewriter/
Without more details about their security procedures, I'd assume this is a big liability in your pocket at this point. I'd urge iCache to use some of that Kickstarter surplus to get third-party validation of their security.
It's not that we can't be nice guys, but in the security world, we deem a product insecure until a third party has an opportunity to validate the robustness and validity of security claims.
There is a lot of room for abuse from where I sit. The software piece of Geode (an iPhone app) appears to be storing track data (which, according to the payment brands, should never be stored) and the CVV/CVC2 codes, which are never supposed to exist anywhere except on the physical card. That's the whole point of the security codes: they are supposed to prove you have physical possession of the card. I understand the product aims to "replace" your cards, but the payment brands (VISA, MC, DISC, AMEX, JCB) have the final say where that is concerned.
The FAQs on the website put a lot of emphasis on protecting your data from an attacker who tries to access the app directly. There is no mention of what an attacker could do with direct access to the phone's data, or with a forensic image of the iPhone. It also seems that the encryption key is the user's fingerprint.
At a minimum, this needs cryptographer, mobile device security expert and payment brand blessings before I'd be comfortable recommending it to friends or using it myself.
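The kind of check a reviewer would run against a forensic image of the app's data store, as an added example that is not part of the original post or of Geode's code: it scans a byte blob for ISO/IEC 7813 Track 1 and Track 2 layouts, applies a Luhn check to cut false positives, and reports only masked PANs. The sample blob and test PANs are constructed; the CVV2 has no distinctive layout, so its presence can only be confirmed by reading the app's data model, not by pattern matching.

```python
import re

# ISO/IEC 7813 magnetic-stripe layouts as they appear in memory or on disk.
# Track 1 (format code B): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})([^?]*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; filters digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the most PCI DSS allows to display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(blob: bytes) -> list:
    """Return masked findings for every Luhn-valid Track 1/2 record in blob."""
    text = blob.decode("latin-1")   # 1:1 byte-to-char mapping keeps offsets exact
    findings = []
    for track, pattern in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in pattern.finditer(text):
            pan = m.group(1)
            if not luhn_ok(pan):
                continue
            expiry = m.group(3) if track == 1 else m.group(2)
            findings.append({"track": track, "offset": m.start(),
                             "pan": mask_pan(pan), "expiry_yymm": expiry})
    return sorted(findings, key=lambda f: f["offset"])


# Constructed sample: an app preferences file holding two full track records
# plus a decoy whose PAN fails Luhn. Well-known test PANs, not real cards.
SAMPLE = (b"wallet\x00card0=%B5555555555554444^DOE/JANE^25121010000000000?\x00"
          b"card1=;4111111111111111=25121011234567890?\x00"
          b"decoy=;4111111111111112=25121010000?\x00")

if __name__ == "__main__":
    for f in find_track_data(SAMPLE):
        print(f"track {f['track']} at offset {f['offset']}: "
              f"PAN {f['pan']}, expiry {f['expiry_yymm']}")
```

Any hit at all is a finding: the payment brands forbid storing full track data after authorization regardless of how it is encrypted.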

3 comments:

  1. Another good use for this thing would be credit card skimming. Snag a bunch of credit cards, store them on one device and be whoever you want to be whenever you want.
  2. A very good point! There are cheaper skimmers out there, but it is a one-stop shop with this device. Steal the card and use it with the same product.
  3. Much like other services that involve a third-party provider, there is always doubt about saving our credential information.

    Sergio
    Palm Z22 Handheld