Hello IcIc_,

We have built HeliosCard with as many anti-malware features as possible, but ultimately these are all best-effort solutions and trust in the phone is still required. 1) When the HeliosCard smartphone app first connects to the HeliosCard, a secure pairing key is generated which the app stores in secure private storage, and uses to authenticate later connections to the card. In order to switch phones/apps, a number from the back of the card must be re-entered. 2) When the HeliosCard application is in the foreground, it locks other applications out from using the NFC radio. 3) Given the relatively few apps that use NFC, as a user, you can be especially scrutinizing of installing applications that use NFC permissions (or even not install such apps altogether), thus preventing giving other apps permissions to use the NFC radio and potentially talk to the HeliosCard.
These are all best efforts, and trust in the phone will ultimately be needed. However, we believe benefits of HeliosCard, including 1) payment-industry standard physical resistance to attack 2) the wonderful user experience of simply tapping your HeliosCard to your phone and have your phone instantly becoming your new wallet 3) its relatively low price point at $20-$30 USD 4) Its extreme portability, requiring no battery and charging as a result of its having no display
Give HeliosCard truly compelling use cases as a cold storage or even day-to-day use. A user might use multiple HeliosCards to use as cold storage and at its current price point, that would be a great way to use it. Given that a user does not touch their cold storage solutions that often, putting a keyboard/display on such a device would increase the cost and make it less compelling.
We are also investigating the possibility of offering a stripped down, low-cost Android device for those users who are worried about malware. The user would use this low-cost phone only for talking to their HeliosCard, and not install other software on it.

--The HeliosCard Team

Hi Verse,

The secure chip we use is from NXP's P5CD family.

Skimming is not effective on a chip-based card such as HeliosCard.

Skimming does work on older magnetic stripe based technologies that credit cards like Visa and MasterCard have used in past years.  On those cards, credit card information is exposed right on the magstripe of the card.

On HeliosCard, as with modern day Visa and MasterCard chip cards, data from the chip cannot simply be cloned - the user inputs a PIN or password at which point the card performs the needed operations for signing.  Some NFC Visa/MasterCards will allow you to perform low-value transactions through NFC without the need for entering the PIN.  However, HeliosCard requires your password on every transaction and will NOT perform any action on your private key without having first verified the password.

The United States in particular has been very slow to adopt this technology, but it is the de facto standard in mostly every other part of the world, as a result credit card skimming for chip-only cards is essentially non-existent.

Here's an article describing the differences between magnetic cards versus chip cards:
http://www.npr.org/blogs/alltechconsidered/2013/12/19/255558139/outdated-magnetic-strips-how-u-s-credit-card-security-lags

We're also very happy to provide any more information we can about the benefits of chip technology!

At the moment the number of password attempts is not re-configurable, though that is a great suggestion and something we will consider!

--The HeliosCard Team

Hi ticoti,

The release date is mid October, and the price will be somewhere between $20 and $30 (USD) for one HeliosCard, with discounts for puchasing HeliosCards in greater numbers.  Of course, the Helioscard will also be appropriately priced in BTC at launch time.

--The HeliosCard Team

Hi Verse,

Thanks for the great question.  This is one area where HeliosCards really shines.

It is not possible to copy data from the HeliosCard - there is simply no command that the software running on the card will accept that will result in its giving you its underlying encrypted data.

Instead, the secure chip on the card is a full fledged cryptographic processor.  When you validate the password, the HeliosCard software is actually checking the password, and then performing the needed operations for signing a transaction, while keeping the data on the card.  If you type the password wrong too many times, the card securely wipes itself, so bruteforcing the card software directly is not possible

In order to get access to the raw underlying data storage of the HeliosCard, you would need to physically open the secure chip up and read the flash memory.  By design, the Common Criteria EAL5 certified secure chip used by HeliosCard makes it very difficult to physically attack the card in that manner.  This is why credit cards like Visa and Mastercard tend to use these sorts of chips - it is expensive and time consuming to physically attack these cards.  That's not to say it's not impossible, but HeliosCard aims to give the best (and payment industry standard) physical protection on the market today, allowing you to feel safer using a short password.

In addition, you are mostly certainly welcome to use a long password, and HeliosCard will in turn encrypt your data against that long password, providing you with both physical and logical protection.

Please let us know if you have any additional questions.

Hello,

We wanted to introduce the Bitcoin HeliosCard - http://www.helioscard.com.

HeliosCard is a Bitcoin Wallet in the form factor of a credit card, managed with a smartphone app. Built using the same secure chip as a MasterCard or Visa chip card, HeliosCard signs transactions entirely on the card, without your private key leaving the card.  The full fledged secure cryptographic processor on the HeliosCard is physically resistant to attacks.

HeliosCard communicates with your smartphone through your phone's NFC radio.

The HeliosCard makes a wonderful cold storage solution.  When tapping a HeliosCard to a smartphone, your smartphone instantly synchronizes the public addresses from the HeliosCard, but leaves your private keys on the card.  We believe it's a truly wonderful experience compared to a paper wallet and we invite you to watch the video posted at http://helioscard.com to see it in action.  When you want to send money, you simply enter your HeliosCard's password, tap the HeliosCard to the phone, at which point the HeliosCard will sign the transaction.

Although HeliosCard was written with several anti-malware measures, as the HeliosCard does not have a display or keyboard, trust is still needed in the phone.  HeliosCard is meant as a compromise between ease of use and portability (it retails for approximately $30 USD), physical resistance to attacks, as well as to be an effective and easy to use day-to-day or cold storage wallet solution offering a truly wonderful user experience.

The wallet app itself is a customized version of Andreas Schildbach's Bitcoin Wallet for Android, which itself is built on top of Mike Hearn's bitcoinj project (we have no affiliation with either project but wanted to give credit to these awesome projects).

If you have any questions or comments, we'd love to hear them!  Please feel free to respond in this thread or reach out directly to helioscard@helioscard.com.

--The HeliosCard Team