A 2012 post on this blog discussed the renewed commercial interest in programmable magnetic-stripe (also known as “dynamic mag-stripe”) technology that allows a single plastic card to represent multiple credit/debit/loyalty/rewards cards by changing the information encoded on the fly. At the time, crowd-funded Coin was leading the charge. ArsTechnica recently reviewed other entrants in this increasingly crowded space including Wocket and Plastc, which have more advanced features including NFC. But the article still fails to answer a simple question: can these cards work with the upcoming shift to chip & PIN in the US? (More precisely, chip & signature initially: true to their conservative and cautious nature, US banks are planning to roll out EMV without changing the user experience, at least at first. The chip will participate in the transaction with the point-of-sale terminal, but card-holders do not have to authenticate by entering their PIN.)
Somewhat confusing matters is that at least Plastc is described as being EMV compatible. On the surface that would suggest one could take a chip-card, somehow “load” it on Plastc and use the Plastc device in place of the original card for EMV transactions going forward. But that can’t work short of a serious vulnerability in the design of the original card. While Plastc may possess all the necessary hardware and software required to participate in EMV transactions, emulating an existing EMV card requires access to the information provisioned on that card. Therein lies the problem: some of that information (card number and expiration date) is readily obtained, but some of it is designed to be very difficult to extract.
A plain magnetic-stripe card is trivially copied: readers can be bought for a few dollars, or even free thanks to Square handing them out to anyone who asks. Card-writers that can encode new information onto the magnetic stripe are more expensive but within reach; entire kits complete with blank cards can be purchased for a few hundred dollars off the shelf. “Cloning” such a card is as simple as reading the information on the magnetic stripe from the original card, and writing it into a new one. (A convincing replica for fraudulent purposes would also need to recreate the visual design features such as the embossed numbers, hologram and background image. Coin and similar programmable cards are deliberately designed to look distinctive; they are not attempting to pass for a perfect copy of the original card.)
EMV cards by design resist such cloning. Unlike the fixed information encoded on the magnetic stripe, the chips produce slightly different responses for every interaction with the point-of-sale terminal. These responses are generated using secret cryptographic keys stored inside the chip. The keys are deliberately difficult to extract: they are never output as part of the protocol and there is no “reader” to view the contents of internal storage. The card-holder cannot look them up on a web page or swipe the card through a gadget; that would defeat the point of keeping the keys secret. Absent vulnerabilities in the card software responsible for wielding those keys, only esoteric hardware-level attacks would successfully allow extracting them: monitoring RF output or power consumption with high precision, inducing calculated faults by aiming precisely timed laser pulses, peeling the circuitry layer-by-layer under high magnification. It’s a safe bet consumers will not be asked to repeat those procedures at home.
That rules out the type of do-it-yourself provisioning possible with magnetic stripes. While card-holders can easily “load” plain magnetic stripe cards into Coin without involvement from the issuer (whether issuers condone or object to that practice is another story), that same approach will not fly for chip cards. Succeeding with the EMV provisioning model requires buy-in from banks and card networks. Plastc could pursue agreements with issuers to provision card data directly on the Plastc hardware, or they could pursue the tokenization approach of creating a proxy card that forwards transactions to the original. But all of these require getting buy-in from banks, one risk-averse institution at a time. Apple took that route for Apple Pay, and despite its market power has not achieved 100% coverage among issuers. The odds look daunting for a start-up.
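
The difference between copying a static stripe and answering a per-transaction challenge, as described above, can be shown with a small model. This is an added example, not code from the original post or from any card vendor. Assumptions: HMAC-SHA256 stands in for the card's real cryptogram algorithm, the issuer and terminal are merged into one class, and the class names, card number and track data are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def cryptogram(key: bytes, pan: str, atc: int, amount: int, challenge: bytes) -> bytes:
    # HMAC-SHA256 is a stand-in for the card's real MAC algorithm (assumption).
    msg = pan.encode() + atc.to_bytes(2, "big") + amount.to_bytes(6, "big") + challenge
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class ChipCard:
    def __init__(self, pan: str, key: bytes):
        self.pan, self._key, self._atc = pan, key, 0  # no method ever returns the key
    def respond(self, amount: int, challenge: bytes):
        self._atc += 1  # transaction counter advances on every use
        return self._atc, cryptogram(self._key, self.pan, self._atc, amount, challenge)

class RecordedCopy:
    """Device holding only what one transaction exposed: PAN, counter, cryptogram."""
    def __init__(self, pan: str, atc: int, mac: bytes):
        self.pan, self._atc, self._mac = pan, atc, mac
    def respond(self, amount: int, challenge: bytes):
        return self._atc, self._mac  # without the key it cannot compute a fresh value

class Issuer:
    def __init__(self):
        self._keys, self._last_atc = {}, {}
    def issue(self, pan: str) -> ChipCard:
        self._keys[pan], self._last_atc[pan] = secrets.token_bytes(16), 0
        return ChipCard(pan, self._keys[pan])
    def authorize(self, card, amount: int) -> bool:
        challenge = secrets.token_bytes(4)  # fresh unpredictable number per transaction
        atc, mac = card.respond(amount, challenge)
        expected = cryptogram(self._keys[card.pan], card.pan, atc, amount, challenge)
        if atc <= self._last_atc[card.pan] or not hmac.compare_digest(mac, expected):
            return False
        self._last_atc[card.pan] = atc
        return True

def demo() -> dict:
    issuer = Issuer()
    stripe = b"%B4000000000000002^CONSTRUCTED/SAMPLE^30010000?"  # constructed track data
    chip = issuer.issue("4000000000000002")  # constructed card number
    observed = chip.respond(1250, secrets.token_bytes(4))  # one observed exchange
    copy = RecordedCopy(chip.pan, *observed)
    copy_ok = issuer.authorize(copy, 1250)     # stale cryptogram, new challenge
    genuine_ok = issuer.authorize(chip, 1250)  # real card computes a fresh one
    return {"stripe_copy_identical": bytes(stripe) == stripe,
            "copy_accepted": copy_ok, "genuine_accepted": genuine_ok}
```

The stripe copy is indistinguishable from the original because the stripe is the whole credential, while the recorded chip response is rejected because it was computed over a different challenge.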