I’m like you guys out there. I’m excited about new stuff that comes out and I follow pages on Facebook like I Fucking Love Science, Science Alert, and Futurism. When one of them posts something neat, like some new piece of kit that we’re all going to be racing to the electronics stores to get our grubby little paws on, I like it, comment on it, maybe come up with a funny thing to say. This was the case recently when Futurism posted this:
It’s a neat concept. Token is a ring you activate when you put it on by tapping on a fingerprint reader, then use it to unlock doors, enter passwords for computers, make transactions, and likely many more uses for the NFC technology hidden within. The video makes the tech look pretty promising as well:
Except there’s one thing I found terrifying about this video. Look at how many things these people touch on a daily basis. Now imagine that you’re wearing an active credit card on that hand and everything you touch could be used to steal your money.
Token’s website claims that the ring features an EAL5+ certified element that stores your information. Your card numbers are never stored in the cloud, and the chip is heavily encrypted. Knowing what I know about encryption, I’m not concerned that someone is going to secretly rip your card number off the chip; that would take far longer than anyone has time for. Brute force attacks like that take quite a long time. But take a look at the video again. There was a fingerprint authentication to activate the device, then… nothing.
No fingerprint authentication to approve a transaction. You never have to tell the ring that you’re looking to make a purchase. This concerned me because I immediately thought of situations in which a thief tricks you into touching something– anything– with an NFC reader they placed inside. A briefcase, a backpack, the railing of a park bench. You put your ring anywhere near it and you’ve just made a purchase for who knows how much.
So I made mention of it in the comments. That’s when all hell broke loose.
You’re right, Brandon, I don’t know what security measures these guys have taken and yes, Emmanuel, I should go to the website to find out more. So I did.
This is all that is available on the security of the device. Does it adequately explain away that they’ve considered the very real possibility of outside NFC card readers being misused to steal money from people that use the rings? No, it doesn’t. I still have questions. How does a user know if their ring is interacting with something? Is there some sort of haptic feedback mechanism to alert users that their ring has detected and interacted with an NFC reader? Does the app that it’s connected to give you a time stamp or GPS location of when and where the interaction took place? Do you have to alert the ring that you’re ready to make a transaction, such as tapping on the reader or swiping your fingerprint?
The answers to these questions are missing. There’s no information about it, no screenshot of the app, nothing. So am I wrong for questioning whether or not the company has thought of these? I don’t believe I am. In fact, I’m going to go one further and say that if you assume that a company has thought of these security measures despite no available resources stating or even implying they did, then you are wrong. The company throws around terms like 2FA (Two-Factor Authentication, which is debatable for this product) and encryption, but those are primarily just buzzwords with this product. You need to ask questions.
I get the excitement, I do. I get that when someone like me comes along and starts poking holes in it, it’s frustrating. I am simply saying that unless the company states outright that they have implemented these procedures, you can’t assume they know and have known since before production. The Token ring is set for launch later this year. To have a date set like that, they must already be at the point where they are looking at distribution models, and that’s well past the development stage. It’s too late to turn around and say “let’s add more security in”.
For the record, I have contacted the company to get clarification on these questions. As soon as I hear back, I will update this post.
Stay safe out there.
UPDATE: I received an email from Steve Dunkel at Token. He essentially says that if something like this happens, your bank will refund you. Having worked at a bank myself, I can tell you that the bank will look for whatever reason they can to NOT reimburse you. Wearing a ring with an active credit card attached to it is certainly something that is going to raise some eyebrows with your bank. So instead of avoiding a potential headache for your customers, Token, you’re passing the buck to the bank. Nice.