Schneier on Security
A blog covering security and security technology.
February 18, 2011
Not an electronic wallet, a physical one:
Virtually indestructible, the dunhill Biometric Wallet will open only with touch of your fingerprint.
It can be linked via Bluetooth to the owner’s mobile phone sounding an alarm if the two are separated by more than 5 metres! This provides a brilliant warning if either the phone or wallet is stolen or misplaced. The exterior of the wallet is constructed from highly durable carbon fibre that will resist all but the most concerted effort to open it, while the interior features a luxurious leather credit card holder and a strong stainless steel money clip.
Only $825. News article.
I don't think I understand the threat model. If your wallet is stolen, you're going to replace all your ID cards and credit cards and you're not going to get your cash back -- whether it's a normal wallet or this wallet. I suppose this wallet makes it less likely that someone will use your stolen credit cards quickly, before you cancel them. But you're not going to be liable for that delay in any case.
Posted on February 18, 2011 at 1:45 PM
• 68 Comments
Don't understand the threat model? That's because this is just another form of security theater for rich, shortsighted purchasers.
When people use the phrase 'virtually indestructible', it just makes me want to get out the tools. If I only had $825 I didn't care about...
Sure you won't be liable during that delay, but it's more convenient to have no charges to contest. $825 more convenient? Doubt it.
I wonder if there's a way to turn off the alarm? Otherwise you may have to reconfigure where your phone and your wallet go at night. And make sure they go in the same bin at airport security. (Though I suppose a lot of the people buying this will be using private jets.)
I wonder how you tell if the battery for the alarm needs to be changed, other than trying to set it off?
Maybe helps keep family members / house guests from pilfering.
@ Tangerine Blue
"Maybe helps keep family members/house guests from pilfering."
Anyone who can afford a useless $825 wallet probably has plenty of easily sold knick knacks lying around the house...
I'm thinking carrying this in your back pocket won't work. Unless you never sit down.
> But you're not going to be liable for that delay
Depends on the country you live in. And depends what else you carry - RSA tokens? It's a small amount of money from an executive point of view; might justify the small outcome.
Considering that those swipe-style readers can be easily fooled by a fingerprint and some cellotape, and the smooth surface of the wallet is sure to have a few of your fingerprints on it, I would argue that this quite handily falls under "Security Theater".
@ Petréa Mitchell
"I wonder how you tell if the battery for the alarm needs to be changed, other than trying to set it off?"
I wouldn't worry so much about the power for the alarm; the juice for the biometric is what matters. If the wallet "fails secure" then your ID and all your cards are trapped inside an indestructible pocket safe!
"It can be linked via Bluetooth to the owner’s mobile phone sounding an alarm if the two are separated by more than 5 metres!"
I guess a side benefit would be if you are about to mistakenly leave your wallet on, say, a restaurant table or something, you would get a reminder to retrieve it before it was too late, but that's not worth $825.
Every time I read something on fingerprint security I think that I'd prefer thieves to break a password or a lock rather than breaking myself in order to get my possessions.
Although overpriced, one of the bits you didn't see is that it protects against RFID leak, which is quite good now we've got these stupid contactless cards.
If it's carbon fiber (and even if there is steel inside) you can cut it open in a couple of minutes with a $50 angle grinder.
Dunhill is for people with more money than sense.
Someone else pointed out that whether you're liable or not might depend on jurisdiction. And it's better not to have any charges to contest; it might even make a difference if you pay a bill or something through the card, and that gets declined during the period you're trying to cancel charges (AWS or Netflix or something).
My thinking, though, is that this incurs a risk of really pissing off an attacker. He gets your wallet, goes fifteen steps and your phone starts howling. He runs for you (best case: he wants you to open the wallet; worse: he wants to fuck you up for messing with him) and here you've got this convenient howling phone enabling him to track you down and beat you.
No, fighting it out for small crooks is never the right call, which is why banks just hand small amounts of counter cash to bank robbers to get rid of them, essentially for the asking. It's much better in the long run than pulling a gun on someone when a couple thousand dollars will send them on their way. Same thing with the wallet.
My plan is to make a decoy wallet with quite a bit of cash in it. I'm hoping the immediate effect of landing a good cash haul will prevent the thief from closely examining the fake ID and credit cards. To do that I need good fake cards, though: they don't seem to send those in junk mail anymore; at least, the kind without your name on it.
Oh, another thing: it's actually reasonably frequent--at least, more frequent than theft--that someone else needs legitimate access to your wallet. Even if it's just a spouse needing to retrieve some cash or getting your hotel key out when your hands are full, that kind of thing.
Only thing I can think of is a rich person (if you're paying $825 for a wallet, you're clearly rich) who wants to keep the contents of his/her wallet secret from his/her friends or, particularly, significant other. E.g., avoid the whole, "Who the hell is Shirley, why do you have her number, and why is there lipstick on the card?!?" scene.
Does that mean that the thief doesn't just steal my wallet, but now he also cuts off my finger to open it?
people who could routinely spend $825 USD for items like wallets probably don't buy wallets or use them for anything, except maybe designer fashion statements.
this is the same consumer model that allows "sharper image" and "brookstone" stores to exist in blue-collar shopping malls. selling the pipe dream of "wealth" or "high-technology" to people who can't afford it.
i stopped using a "wallet" long ago myself. nothing ever in mine anyway :-)
Attention robbers: if you see one of these fancy wallets, make sure to also rob them of their cell phone.
I think the security model makes sense when you consider both features together - the biometric lock makes sure the contents can not be stolen without stealing the whole wallet and stealing the whole wallet is prevented by the alarm.
The threat model is that you have too much cash and they don't have enough, so they're going to help both problems.
The threat model this wallet defends against is that you might sit at a bar without any really cool gadget to show off with.
I'm embarrassed to say it, but I want one. I don't know why, but I do. Do they have a $20 version? If you throw in the acid pack option I might go $50 even.
Agree with the comments on "indestructible". Planets aren't indestructible, so I find it difficult to believe a wallet is.
Slam a "carbon fiber body" car up against a wall and see how "indestructible" it is.
As for the alarm, this is as stupid as those motion detector car alarms we hear going off every time a bus passes one. What will happen is every day you'll put your wallet in your pants at home, take your phone somewhere else in the house to make a call - and the thing will start howling at you.
Utterly brain dead.
I suppose this wallet makes it less likely that someone will use your stolen credit cards quickly, before you cancel them. But you're not going to be liable for that delay in any case.
Maybe not in the US, but here in central Europe you're pretty much depending on the good-will of your bank for everything that happens with your credit/debit card until you report it missing.
Though with a usual daily limit of EUR 3-600 for ATM transactions that's not making all that much sense with that kind of price-tag.
Presumably, anyone willing to cut off your finger is willing to force you to open the wallet at gun/knifepoint, so things aren't quite that bad. The threat model for this (and alarms without a hard to open wallet) is presumably pickpockets, not muggers. Same applies to the "pissed off attacker"; if you're being mugged, you can just open the wallet, but pickpockets are unlikely to come back and attack. Worst case, it converts a pickpocket into a mugging.
That said, for most things this isn't really improving the situation for the consumer. And for really high value stuff, I'm skeptical that this is going to stop a determined criminal with physical control of the device.
Hmm...how strong a servo locking mechanism do you think a small wallet can have? I'm guessing that this thing pops open very easily with any kind of lever, be it a screw driver, pocket knife or what not. The only thing it is good for is that the damage incurred in crudely forcing it open likely makes it tamper evident, so you might be able to keep your kids or wife from swiping your cash or something. Otherwise it is utterly useless.
It is a Dunhill-branded version of the iWallet: http://www.iwalletusa.com
And the threat model is probably "don't allow the one night stand/prostitute to rifle through your cards and IDs while you're taking a shower". Although the company writes about "Teenagers that want to get hard cash from the father’s wallet while he’s sleeping; people that have a dedicated personal locker at the club and do not want the staff with the keys to it to go through their wallet." on the website :-)
There was an associate of, I think, Mitnick, who specialized in military systems. A part-time prostitute, she'd pick up guys in the officers' club and, while they were sleeping it off, go through their wallets for passwords.
That might be your threat vector. Bruce, don't you recommend people keep their passwords in their wallets?
@Fnord: "Worst case, it converts a pickpocket into a mugging."
This rarely happens in reality. Organized pickpockets work in small teams and even with a two-man crew one of them is there to prevent the mark from getting physical (as well as watch for cops) in case his partner runs into trouble.
And even an ad hoc solo operator knows that if things go bad, you make the mark see you throw his wallet in one direction while you run in the other direction.
So, it has bluetooth and a fingerprint scanner that controls the lock mechanism. Presumably there is a way of breaking the security on said electronics that some clever person has found or will find soon. Even just out of curiosity. They post it on their website and before you know it your fancy wallet is the target and you can pick up a replacement at a flea market for $200.
"If your wallet is stolen, you're going to replace all your ID cards and credit cards and you're not going to get your cash back -- whether it's a normal wallet or this wallet."
Credit cards may not be the biggest problem, in comparison to cards that carry sensitive information. (In particular, one might question as to why Medicare cards advise the holder to "Carry your card with you when you are away from home," in spite of the fact that Medicare cards may include the holder's full Social Security number. The article "U.S. contradicts own ID theft advice" [http://www.msnbc.msn.com/id/25504302/] mentions this issue.)
(For that matter, some persons may consider certain information on their driver's license to be sensitive, even though they may be required to provide the information to other drivers (possibly total strangers) in the case of a vehicle accident.)
What's the backup if the fingerprint reader does not work for some reason? Don't try to convince me that it will work 100% of the time.
The threat model seems to involve the risk of having $825 burning a hole in your pocket.
This is the same piece of crap as the tungstenw wallet that got a bad review on Miami Herald by Bridget Carey.
How indestructible is it when broke open if you accidentally drop it?
Bluetooth alarm goes off for no reason
Looks like an ideal relation gift for when your company has been hbgaried and you want to influence key decision makers at customers and partners to stick around for a bit longer. And a nice gizmo at the Rotary Club for those members too stupid to operate the latest smartphones.
For those interested in the alarm function only, check out the BluAlert bracelet at ThinkGeek ( http://www.thinkgeek.com/electronics/cell-phone/... ) . 49.99$ only.
If you really wanted a cut resistant wallet, it should be made of Kevlar. That stuff is near impossible to cut. And a small part of your arse will be bullet resistant too.
I think it also has the same problem one would have when traveling with Samsonite, or something even more expensive: no one travels with $300 luggage with $5 worth of stuff inside it. So what would you expect to find in a wallet worth $825? I'd expect quite a bit worth of cash, and not just plastic.
If you have a cheap looking wallet, or cheap looking backpack, or handbag, it would be less likely to be stolen to start with. (saying that with years of public transport behind me in Brazil, nothing stolen while there)
But, but, but, if your wallet IS stolen, you're still screwed. Especially if your cash was in there too.
After having had my wallet stolen decades ago, I stopped carrying money in my wallets.
So now, if my wallet is gone, I still have money in my pockets. Or if my cash is gone, I'll still have my ID and my bank cards.
Besides, for all the money that wallet costs, you could get quite a few bottles of some really, really fine whiskey.
I still prefer the taser model. Not only does it give off an alarm when it is stolen, but it disables the thief as well! :-)
Of course, your wife may not appreciate it when she goes to "borrow" a few $$ to do some shopping...
"I guess a side benefit would be if you be if you are about to mistakenly leave your wallet on say a resturant table or something you would get a reminder to retrieve it before it was to late but thats not worth $825."
It is if your wallet cost $825.
Yeah, my thoughts too. If I had one of these, someone would be better off stealing the *wallet* and leaving all the cards and cash behind!
I think some moments alone with an angle grinder would render the phrase 'virtually indestructible' somewhat moot.
Looks like it would be bloody uncomfortable in your back pocket too.
Interesting how every one of you goes into the most extreme scenario, with the most brutal thief you can think of. Most pickpockets are cowardly and want to get out of the situation quickly; anything surprising would throw them off and give the owner of the wallet an edge. I find the security model working, though the price is too high.
I deal with the threat models this wallet is designed for in a much cheaper way: my sub-$10 wallet has a chain. (",)
We often complain about "security theatre", but many of the objections being raised here are "crime theatre".
* Pickpockets are not going to cut your thumb off, they are stealthy thieves who avoid confrontations. (And in parts of southern Europe where they are especially common, it would be a death sentence for the thief even if he has a gun; there is a very real likelihood the crowd will lynch him.)
* Sure the thief can lift the print from your wallet. But the objective is just to slow him down until your cards are cancelled. (Or in the case of a one night stand, until you get out of the shower--so don't waste her hot water!)
* Pickpockets do not carry around angle grinders. (And neither do muggers.) They might have one at home, but see above.
* Of course you can disable the Bluetooth alarm, just unpair it from your phone. (Or on a smartphone, there is a one-click on/off switch.) You can usually check the battery is still live in the same way.
* Yes, there is a backup if the thumbprint reader fails. It can also be controlled from a Bluetooth paired computer.
No, the real WTF is that apart from branding, this $825 wallet is identical to one available for $299. So you are paying $526 for a tobacco company logo.
Well, these guys have customers who already pay thousands of dollars a year to be slowly poisoned to death, so it isn't too surprising that they also buy $800 wallets and $8,000 pens.
Wait, did I type that right? Yep, $8,000 pens:
1. It could be argued that $299 is already pretty steep. Since it's about $100 for the Bluetooth alarm, and about $90 for a swipe-style thumbprint reader, it looks like you're paying $109 for the case. Hmm, steepish, but not totally outrageous, I guess. I was thinking that if you wanted a cheaper locking wallet, you could ditch the thumbprint scanner and just get a teensy little padlock, but on second thoughts, that would be a PITA. This is one application where a print scanner really is the right solution, but with current tech it is too expensive.
Buy now. Just 33 EASY payments of $25 each.
'Virtually indestructible' means that if you try to attack it with virtual tools, like a picture of a hammer, then it is indestructible. If you use real tools, then it's a little more destructible.
It sounds like the alarm might be a good feature, but for $825?
Yeah, I'm not interested in owning a wallet that's worth more than the cash I would ever want to carry in it.
Waiter: I'll take that when you're ready.
Wallet Owner: Oops! I can't open my wallet.
WO: I forgot to charge my wallet last night, and now the battery's died.
Waiter (signals to owner): Are you saying you can't pay your tab?
WO: Oh I have the money; it's just locked up in here.
Restaurateur: Is there a problem?
Waiter: He can't pay the bill.
WO: Yes I can. I just need to go out to my car first.
WO: So I can plug my wallet into the 12v charger.
R: Are you kidding?
WO: No! It's a really cool hi-tech wallet. It's even got a blue-tooth link to my phone to sound the alarm if they get separated too far.
R: It doesn't work very well then, does it?
WO: How do you mean?
R: If the battery's dead, then the phone should think the wallet is gone and sound the alarm, right?
WO: So that's what that noise was last night! (Pulls out cell phone.) My phone is dead too.
Where do most women keep their cell phones and wallets?
In their purse.
When a purse-snatcher strikes, both cell phone and wallet ride away happily together, never sounding the alarm.
I wonder how it copes with those areas where there's so much EM interference (mostly from other bluetooth users, but also all the zillion other devices in that unregulated part of the spectrum, in places like station concourses) that the two devices lose contact with each other.
I bet it copes BADLY.
Forget the wallet. If you just put your money in your *front* pants pocket, it can neither fall out (unless you're completely upside-down) nor be stolen without your knowledge. (I'm assuming you wear pants with reasonably deep front pockets -- I owned one pair once that had shallow ones, which wouldn't have worked so well. I've never owned, or even seen, a pair of pants with back pockets deep enough to create the same level of security. Ever. Why do people put valuable things in the back pocket? Stupid.
The alarm if it's separated too far from the phone is an interesting idea, but it seems absurdly impractical for a wallet. Perhaps that idea could be salvaged and applied to some other kind of device.
I don't want a bluetooth alarm in my wallet. For $825 I want GPS tracking in the wallet so I can track you and bring the police right to your door.
I can see this "countermeasure" making theft more damaging. The false sense of security will cause owners to depend on it for sensitive information they normally would not put in a wallet. Social Security Numbers, PINs, passwords to accounts, etc., just to name three obvious ones.
Does anyone think an $825 wallet is an item worth stealing in its own right?
"Does anyone think an $825 wallet is an item worth stealing in its own right?"
Exactly. It's an object of status, meant to invoke desire.
This just proves that security is now embedded into fashion.
The fashionistas do not care whether it functions or makes sense any more than they care that any of their other horseback-riding, basketball-playing, truck-driving, camel-milking gear works.
I guess I wrote about the opposite a long time ago (2005)
A girl convinced a judge that a security tag was not compatible with her sense of fashion.
Now she would pay extra for it.
Look how far we have come...
That's one way to make sure you lose your wallet AND your finger next time you get mugged.
The threat model, Bruce, is "people around me might not realize I'm a rich douchebag."
I'm not sure whether I'm puzzled or relieved that you didn't already know that. :-)
It is a good idea, but what do you do if you want to go somewhere without the mobile phone, or if you are at home and want to go outside for a little phone chat?
I have problems with my phone and Bluetooth headset. The headset shuts down many times a day because I go out for a few minutes.
Two words: Grenade Wallet.
I think that there is a much simpler threat model to justify this. It is clearly designed to stop my kids from taking the odd £20 note out of my wallet to put into their beer / petrol fund!
What? The alarm goes off on your cell phone? That doesn't make sense; why wouldn't the alarm go off on the wallet? If someone picks my pocket I want the alarm to show me where my WALLET is, not where my phone is...
If it had all that PLUS a GPS device, so I could find it USING my smartphone, I'd be all over it!