The FUZE Card lets users store as many as 30 credit cards on one piece of plastic. But its claim to be secure might be giving users a false sense of security, a researcher claims.

Secure, affordable and convenient. That’s how the makers of the FUZE Card describe their creation, designed to act as a whole wallet in a single thin device. It can store up to 30 different credit cards and uses a lock to protect the data within. It was such a hit with consumers that it raised nearly $2.5 million in Indiegogo funding, with the original cost starting at $160.

But the claim that the card is secure might need reconsideration, after security researcher Mike Ryan told Forbes he came up with code that can easily bypass the FUZE Card’s lock to steal credit card data, as long as the hacker has access to the device. Ryan said he reported the vulnerability to BrilliantTS, the manufacturer behind FUZE, but the company had not yet released a fix at the time of publication. He published a video and a blog post describing the attack.

Ryan said his hack, consisting of just a small number of Linux commands, was “extremely simple” and claimed it could be incorporated into a basic smartphone app. “All the bad guy needs is physical access to the card (e.g., a waiter at a restaurant). They pair with the card and can steal up to 30 credit card numbers from it,” he told Forbes. It’s not just numbers that could be pilfered; Ryan said expiration dates and CVV numbers were open to theft too.

The attack relied on the fact that the FUZE Card allowed anyone with physical access to pair with it and didn’t carry out additional authentication checks, so it trusted any paired device. “To exploit this, I wrote some Linux code that emulates the smartphone app performing legitimate actions, such as unlocking the screen and downloading credit card data. The card is unable to distinguish between my malicious attack tools and a legitimate smartphone app, so from its perspective everything is normal and it will unlock the screen and send the card data,” Ryan added.

“Some ‘payments’ companies like BrilliantTS are not taking protecting their customers’ data seriously enough since they had no way for me to report a security bug and the tech support person I eventually reached didn’t seem to fully understand it… I think they’re providing a false sense of security.”

https://www.forbes.com/sites/thomasbrewster/2018/04/06/fuze-card-bluetooth-hack-exposes-credit-card-data/