Wednesday, March 21, 2012

Will Geode be Safe to Use?


Thanks to Twitter, I stumbled upon an innovative new attempt at slimming down or replacing the wallet. You can read the details for yourself, but Geode basically copies the magnetic-stripe data from your credit cards and, when you need a particular card, rewrites that data onto its own reprogrammable card.
http://www.cultofmac.com/154808/geode-turns-iphone-into-universal-credit-card-rewriter/
Without more details about their security procedures, I'd assume this is a big liability in your pocket at this point. I'd urge iCache to use some of that Kickstarter surplus to get third-party validation of their security.
It's not that we can't be nice guys, but in the security world we deem a product insecure until an independent third party has had the opportunity to validate the robustness of the design and the truth of the security claims.
There is a lot of room for abuse from where I sit. The software piece of Geode (an iPhone app) appears to be storing full track data, which the payment brands' rules (PCI DSS) say must never be stored after authorization, along with the CVV2/CVC2 codes, which are never supposed to exist anywhere except printed on the physical card. That is the whole point of the security codes: they are supposed to prove you have physical possession of the card. I understand the product aims to "replace" your cards, but the payment brands (Visa, MasterCard, Discover, American Express, JCB) have the final say where that is concerned.
The FAQs on the website put a lot of emphasis on the safety of your data from the perspective of an attacker who tries to get at the app directly. There is no mention of what an attacker could do with direct access to the phone's storage, or with a forensic image of the iPhone's data, which is where stored track data and security codes would be found. It also seems that the encryption key is the user's fingerprint. If that is literally true, it is worrying: a fingerprint is neither secret (you leave copies of it on everything you touch, including the phone) nor stable enough to be used directly as a key, so in practice the real key has to be stored on the device and merely unlocked by the fingerprint match.
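To make the storage concern above concrete, here is the kind of check a forensic examiner would run over an image of an app's storage to see whether it holds stored magnetic-stripe data or security codes. This is an added example, not code from this post or from iCache, and it says nothing about what Geode actually stores; the sample blob is constructed here, the PAN in it is the industry test number 4111111111111111, and the track layouts are the standard Track 1 (`%B<PAN>^<NAME>^<YYMM><service code>...?`) and Track 2 (`;<PAN>=<YYMM><service code>...?`) formats. PAN candidates are Luhn-checked so that random digit runs do not produce false positives, and reported PANs are masked so the scanner itself does not become another place where card numbers are written down.

```python
import re

# Constructed sample "forensic image" fragment. Contains one Track 2 record, one
# Track 1 record, one stored CVV2 field, and one Track 2-shaped decoy whose PAN
# fails the Luhn check. The PAN 4111111111111111 is a well-known test number.
SAMPLE_BLOB = (
    b"<plist><dict><key>card0</key><string>"
    b";4111111111111111=25121011234567890?"
    b"</string><key>card0_t1</key><string>"
    b"%B4111111111111111^DOE/JOHN^2512101123456789?"
    b"</string><key>card0_cvv2</key><string>cvv2=123</string>"
    b"<key>noise</key><string>;1234567890123456=2512101?</string>"
    b"</dict></plist>"
)

# Track 2: start sentinel ';', 13-19 digit PAN, '=', YYMM, 3-digit service code,
# discretionary data, end sentinel '?'.
TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")
# Track 1: start sentinel '%', format code 'B', PAN, '^', name, '^', YYMM,
# service code, discretionary data, end sentinel '?'.
TRACK1 = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Field names under which card-verification codes are commonly stored.
CVV_FIELD = re.compile(rb"(cv[vc]2?|cid|csc)\s*[=:]\s*(\d{3,4})", re.IGNORECASE)


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check used for card PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep first six and last four digits (the PCI DSS display rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(blob: bytes) -> list:
    """Return Luhn-validated Track 1/Track 2 records found in blob, with masked PANs."""
    findings = []
    for m in TRACK2.finditer(blob):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            findings.append({"track": 2, "offset": m.start(), "pan": mask(pan),
                             "expiry": m.group(2).decode()})
    for m in TRACK1.finditer(blob):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            findings.append({"track": 1, "offset": m.start(), "pan": mask(pan),
                             "name": m.group(2).decode(),
                             "expiry": m.group(3).decode()})
    return findings


def find_cvv_fields(blob: bytes) -> list:
    """Return (field name, value) pairs that look like stored card-verification codes."""
    return [(m.group(1).decode().lower(), m.group(2).decode())
            for m in CVV_FIELD.finditer(blob)]


if __name__ == "__main__":
    for f in find_track_data(SAMPLE_BLOB):
        print("track data:", f)
    for name, value in find_cvv_fields(SAMPLE_BLOB):
        print("security code field:", name, "=", "*" * len(value))
```

Any hit from either function in an app's storage is, by itself, enough to fail the storage rules the post refers to; whether the data is encrypted is a separate question from whether it may be stored at all.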
At a minimum, this needs the blessing of a cryptographer, a mobile-device security expert and the payment brands before I'd be comfortable recommending it to friends or using it myself.