by abalone 3352 days ago
> everywhere that accepts cards

Given the shift to chip-and-PIN, which can't be emulated like this -- Plastc claimed they could but never demonstrated it (because it's impossible) -- they were way too late to market with this idea even 3 years ago.

And if merchants are going to roll out new POS hardware they might as well jump to NFC as it leapfrogs cards on convenience. And security, if your device implements tokenization and fingerprints-instead-of-PINs (like Apple Pay and others). Also it's built in to lots of phones and watches now.

6 comments

I don't know what was promised by Plastc exactly but I assume you need to register your card numbers somewhere (like with Apple Pay) and then when you use your Plastc card to pay (with chip and PIN or not), their back-end issues a payment transaction using the selected card. Am I wrong?

Over here in Europe we have Curve that does exactly that, without the fancy hardware: https://www.imaginecurve.com

Yes, that is not what Plastc was. Plastc was like copying the data from the front of your card and displaying it on a different one (mag-strip included).

Got it. EMV is clearly an issue then, I see the problem.
Curve has its own card number. The closest thing to Curve here was a card called Wallaby. It somehow redirected charges from one card to another... I think they were getting creative with the processing rules and got shot down. Not sure how Curve does it exactly but I'm skeptical of their long term viability. Either they're similarly creative or they are acting like a merchant and recharging every transaction and eating some interchange. Maybe they get away with that more in Europe where interchange is low but it's still a net loss.

Anyway Plastc was about trying to actually emulate a card. All this has been leapfrogged by Apple and Samsung Pay.

As far as I understand, Curve is viable due to the fact they issue corporate cards (you can see "for commercial use only" on their cards).

Europe has capped interchange fees to 0.2% and 0.3% for debit and credit cards respectively. However, three-party schemes (like Amex) and corporate cards are exempt and charge more. But you're right, I'm not sure how MasterCard is happy with that (since the product is clearly targeted at consumers).

I see, so they're charging merchants high corporate card interchange and then recharging the consumer card. Yeah, that's sketchy. I wonder if they're pocketing the difference.
> Given the shift to chip-and-PIN, which can't be emulated like this -- Plastc claimed they could but never demonstrated it (because it's impossible)

If they'd had a whole lot of market share already, maybe they could have persuaded issuers to provide private keys in some way that could be imported into the Plastc device (which might itself then have a tamper-resistant smartcard processor like the one in the individual chip cards).

Horrible security and wouldn't work for the most secure chip and PIN cards which never share their private key. Apple Pay's approach is better: issuer assigns a unique number to the device along with its own authentication scheme, rather than trying to emulate another.

Yeah, this always seemed doomed outside the US, which in general appears to be ahead of the US for card security. Especially in AU, I don't even really go to bars with cash any more, I just use contactless payment with my card literally everywhere. Coffee, lunch, bars, etc. - pretty much everywhere has paypass/paywave now and has for years.

Even three years ago, the writing was surely on the wall that they were exploiting weaknesses in old tech to pull off their product, so there was an obvious sunset on their ability to operate their core product. Why would they invest in something that already has an end date on it?

Even though I have a contactless card, I still prefer cash because it reminds me how much I'm spending. It's all too easy to tap away $40 several times a month and wonder where it all went.

I found the opposite was true. Having cash in my wallet meant I didn't know where it got spent (not specifically in bars though, just in general so maybe we're talking about different things).

With tap + debit, I can track all my individual transactions via services like Mint, plus my bank sends me an email on every transaction that happens to my accounts, so I have redundant logging of where all my money goes.

I find that both of you are right and this is why I'm always broke.

> Given the shift to chip-and-PIN, which can't be emulated like this

I don't know the tech behind it but this Dutch startup is doing exactly that: https://www.bunq.com/en/

From the looks of it, Bunq is a bank. I didn't see the product you are talking about but I suppose it may be like a payment processor forwarding orders to third parties. Plastc is a purely technical solution, it has a rewritable magnetic strip so you can copy any card to it, not just payment cards. You can't do it with chips because chips are designed to be impossible to copy. They have secret keys inside and I don't think card providers are willing to reveal them and weaken their security.

I think emulation could be possible with SDA cards. SDA is part of the EMV spec but I'm not sure how many cards these days support SDA applications.

What makes it impossible to emulate?

IIRC Chip and PIN uses a challenge-response type set up with public key crypto to authenticate your card with your bank. You cannot clone that, as processing is done on the card - not the reader, and the card never reveals its secrets.
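The difference between the two comments above (SDA can be emulated, a challenge-response card cannot) is easiest to see in code. The following is an added example written for this page, not code from the thread, from Plastc or from any EMV specification: it is a toy model of EMV offline card authentication that uses ECDSA on P-256 and SHA-256 in place of EMV's actual RSA certificate chain and data formats, and the type and function names (`Issuer`, `Card`, `CloneFromStripe`, `VerifySDA`, `VerifyDDA`), the PAN and the expiry date are all constructed for the illustration. Under SDA the terminal only checks the issuer's signature over static account data, so a device that copies everything readable passes. Under DDA the terminal sends a fresh unpredictable number and the card must sign it with a private key that never leaves the chip; a copy that has every readable byte but signs with its own key fails.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// StaticData is what a mag stripe or a plain chip read hands over: the
// account details plus, for SDA, the issuer's signature over them.
type StaticData struct {
	PAN, Expiry string
	IssuerSig   []byte
}

// Card models an EMV chip (names are this example's, not EMV's). privKey
// never leaves the struct; the only way to use it is Sign(), which is the
// interface the terminal talks to.
type Card struct {
	Static  StaticData
	PubKey  *ecdsa.PublicKey // readable by any terminal
	CertSig []byte           // issuer's signature over PubKey, also readable
	privKey *ecdsa.PrivateKey
}

// Issuer holds the bank's signing key; terminals trust its public half.
type Issuer struct{ key *ecdsa.PrivateKey }

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func NewIssuer() *Issuer                      { return &Issuer{key: mustKey()} }
func (iss *Issuer) PublicKey() *ecdsa.PublicKey { return &iss.key.PublicKey }

func hashStatic(s StaticData) []byte {
	h := sha256.Sum256([]byte(s.PAN + "|" + s.Expiry))
	return h[:]
}

func hashPub(p *ecdsa.PublicKey) []byte {
	h := sha256.Sum256(append(p.X.Bytes(), p.Y.Bytes()...))
	return h[:]
}

// IssueCard personalises a genuine card: the issuer signs the static data
// (enough for SDA) and certifies the card's own public key (needed for DDA).
func (iss *Issuer) IssueCard(pan, expiry string) *Card {
	k := mustKey()
	c := &Card{Static: StaticData{PAN: pan, Expiry: expiry}, PubKey: &k.PublicKey, privKey: k}
	c.Static.IssuerSig, _ = ecdsa.SignASN1(rand.Reader, iss.key, hashStatic(c.Static))
	c.CertSig, _ = ecdsa.SignASN1(rand.Reader, iss.key, hashPub(c.PubKey))
	return c
}

// Sign is the card's only operation on its secret: sign the terminal's
// challenge bound to the static data.
func (c *Card) Sign(challenge []byte) []byte {
	msg := sha256.Sum256(append(append([]byte{}, challenge...), hashStatic(c.Static)...))
	sig, _ := ecdsa.SignASN1(rand.Reader, c.privKey, msg[:])
	return sig
}

// CloneFromStripe is what a card-emulating device could do: copy everything
// readable (PAN, expiry, both signatures, the public key) and sign with a key
// of its own, because the genuine private key was never exposed to it.
func CloneFromStripe(genuine *Card) *Card {
	return &Card{Static: genuine.Static, PubKey: genuine.PubKey, CertSig: genuine.CertSig, privKey: mustKey()}
}

// VerifySDA checks only the issuer's signature over static data. Nothing
// here depends on the card holding a secret, so a copy passes.
func VerifySDA(c *Card, issuerPub *ecdsa.PublicKey) bool {
	return ecdsa.VerifyASN1(issuerPub, hashStatic(c.Static), c.Static.IssuerSig)
}

// VerifyDDA is the terminal side of the challenge-response: confirm the
// issuer certified the card's public key, then make the card prove it holds
// the matching private key by signing a fresh unpredictable number.
func VerifyDDA(c *Card, issuerPub *ecdsa.PublicKey) bool {
	if !ecdsa.VerifyASN1(issuerPub, hashPub(c.PubKey), c.CertSig) {
		return false
	}
	un := make([]byte, 8) // unpredictable number, fresh per transaction
	if _, err := rand.Read(un); err != nil {
		return false
	}
	sig := c.Sign(un)
	msg := sha256.Sum256(append(append([]byte{}, un...), hashStatic(c.Static)...))
	return ecdsa.VerifyASN1(c.PubKey, msg[:], sig)
}

func main() {
	iss := NewIssuer()
	card := iss.IssueCard("4111111111111111", "12/29") // constructed sample data
	clone := CloneFromStripe(card)
	fmt.Println("genuine SDA:", VerifySDA(card, iss.PublicKey()), "clone SDA:", VerifySDA(clone, iss.PublicKey()))
	fmt.Println("genuine DDA:", VerifyDDA(card, iss.PublicKey()), "clone DDA:", VerifyDDA(clone, iss.PublicKey()))
}
```

The clone passes `VerifySDA` and fails `VerifyDDA`, which is the whole argument: a device that can only replay what it read from a card (the Plastc model) is limited to SDA-era checks, and the real fix in EMV is that the terminal's per-transaction challenge must be answered by a key the card keeps to itself. Tampering with the copied static data (changing the expiry, say) fails even the SDA check, since the issuer's signature no longer matches.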
https://squareup.com/townsquare/why-are-chip-cards-more-secu...

"To rip it off, someone would have to get into the physical chip circuit and manipulate things to get your bank information. Not only is this level of data surgery really difficult, but it also requires a set of high-tech equipment that can cost north of $1 million."

That's presumably " … cost north of $1million in 2016, rumoured to have been done in 2017 by Bunny with $10 worth of decapping acid and a borrowed STEM revealing implementation details and flaws, then with a demonstrated contactless remote exploit working on a RaspberryPi with a $12 USB TV tuner and a hand-wound antenna at CCC or DefCon in 2018"...
So, not $10 if you needed a borrowed, expensive piece of equipment. It is not possible for most of us to jaunt out and borrow a fancy microscope. That only underscores the "expensive equipment required" argument. The contactless payment hack is much more practical, though. (Oh, you also need far beyond average hardware hacking knowledge and skill, which itself is generally more difficult to acquire and learn.)
They go for about $10k-$30k on EBay. But people have also DIY'd their own: http://makezine.com/2011/03/24/diy-scanning-electron-microsc...
Or free - if you're in the right place at the right time (and have the right reputation and friends...):

https://tinkerings.org/2015/11/15/in-which-i-acquire-a-scann...

Sure - but people _are_ doing this at home with stuff they buy off eBay right now: http://zacsblog.aperturelabs.com/2013/02/decapping-integrate...

And as for "far beyond average hardware hacking skill", I suspect if you got Bunny Huang, Michael Ossmann, and Travis Goodspeed together and curious - this might well be broken in a single weekend! ;-)

Your link just describes decapping and reading the state of mask programmable PROM. Reverse engineering a secure IC and coming up with an exploit is several orders (like 10) of magnitude more involved.
Great point. So for Plastc to work, all you'd have to do is mail in your card so they can treat it with acid and run it through a scanning transmission electron microscope, destroying it in the process.

I have no idea why they went under.