CoinCorner just announced The Bolt Card, great looking NFC cards that you can use to tap to pay using lightning.
I really like this concept because it means that you can pay exactly in the same way that you would pay with a credit card, but only using Bitcoin. There's no legacy financial institution in between you and the goods and services you're paying for. And if you get paid in Bitcoin then you would be living completely in a Bitcoin standard!
Now, in theory they made this card to be used with their CoinCorner exchange (and they provide free lightning deposits and withdrawals so the service is basically free), but you don't have to because it's simply a NFC card that stores a LNURL.
Here's what you'll need to pay with this card without using a CoinCorner account:
  • One of these awesome Bolt Cards (a blank NFC card works as well but it's not as cool)
  • A phone with NFC (Tried this in Android but iPhone should work as well)
  • Either your own lightning node or an external service like ln.cash
  • An app to write NFC like NFC Tools. This one is free and works great. There should be similar ones for iPhone as well.
Now, the idea is that basically you setup access to your Bitcoin through LNURL, in particular you create a LNURL-Widthdraw link. You can do this with your own lightning node, or simply using a third party service like ln.cash. Once you have that link, you simply write that as a lightning url in the NFC card. Here's a video that shows how to set up a card with ln.cash.
And that's pretty much it!, you can now use the card to pay with lightning with a simple tap.
This card works great with BTCPayServer so any store that has that should accept it. You just need to click on "Pay by NFC & LNURL-Widthdraw" in the checkout and then it's ready to receive the tap of the card. Here's a video of that in action
With this card and BTCPayServer you basically can connect two people exchanging goods and services directly through lightning with just a tap of a card, no need for credit card companies and their fees!
I don't know enough about LNURL to understand how this is secure.
  • Are there limits as to how much is paid, and if so is that configurable? e.g., can I set a limit of N sats per tap, and N taps per hour?
  • Another scenario: The terminal shows 5,000 sats. I tap. Later, I find 100,000 sats deducted. The merchant was dishonest. My "tap" authorized it though.
  • There is protection against a replay attack (single use token), but not against someone stealing my card (or finding it after I dropped it) and draining funds either at other merchants, or the thief manually sucking everything out.
reply
I read a bit more about LNURL-Widthraw and it is indeed possible to configure it to have limits.
With LNURL withdraw, you have the ability to give someone the right to spend a range, once or multiple times
In the case of dishonest merchants, you'll have to trust them, because by tapping with the card you can't see how much you're approving(they could create an app with a fake amount displayed while sending a larger invoice). That's basically the same as tapping with a credit card though(you could have a chargeback eventually though).
And yes, card stealing will mean you lost your money. Also similar to having a fiat card stolen and having the person tap away your money.
reply
You have full control of it really because you can make it connect to your own node.
Most probably there's going to be a few issues, so I wouldn't put too many sats in that node, but this is just the first iteration of the technology. I'm sure it will get only better over time. Here are the lightning specifications that this is built upon: https://github.com/fiatjaf/lnurl-rfc
Under services you can see that ln.cash for example uses LUD-01: Base LNURL encoding and decoding and LUD-03: withdrawRequest base spec. You can read those to see how the transaction is actually performed under the hood.
Under self hosted there's some projects that use the same LUDs, like these ones for example:
reply
Here is how you can make your own self-sovereign payment card with replay protection using NXP SUN authentication.
reply
an update - there are now..
  • numerous documents
  • open source bolt card server code
  • an open source android app to program the cards
  • a support group
reply
This is proper man, I love it, glad that it can be interoperable with different services like btcpay server, I ordered a few for myself, can't wait to get them and test them out
reply
Very, very cool!
How would someone get a Bolt card without an a CoinCorner account? And is this possible anywhere or just in the UK?
reply
You can probably just get any other NFC card, e.g. https://nfctagify.com .
reply
You don't need a coincorner account to purchase them. I believe they ship worldwide.
reply
Oh. Awesome
reply
It's better than that.
It's specifically using the "NXP NTAG 424 DNA"
This gives you the ability to use it's cryptographic features to add a deterministic but unique hash on every LNURL which your server will be able to verify with a secret key.
With this, you can prevent replay attacks, so it's safer to use our in the public.
You can buy these cards elsewhere, but you'd have to buy them in bulk to get a good price.
reply
That's actually great to hear, I had no idea about that. It makes these cards much better than any random NFC card, and not just by the design but because of the features it has in the NFC chip. Thanks for pointing it out!
reply
If you want to see an example of what could be done with it, check out the following apps:
The first app can read and write tags and show if and how any of the advanced features were written and modify them. But it won't let you write to the secure area afaik.
The second app write to the secure storage (where you keep a secret key) but is very limited in configuration.
Sorry if this is a dumb question: what is the advantage if everyone has a phone in their pockets anyway?
reply
  • Cards don't require battery (or signal)
  • Many privacy conscious consumers prefer dumb phones
  • Can be faster to use a card than to unlock a phone (and find the relevant app)
  • Harder to steal a card from your hand (and less impact) than a phone
  • I would lend someone my card to make a payment but not so convenient to lend a phone
  • Cards are cheaper than phones
reply
I am glad to read this because I was shocked by the amount of personal information you have to give away to CoinCorner before using the cards. It's like setting up a new bank account, and I bet it also introduces counterparty risk, i.e., you lose custody of your sats.
It doesn't feel right that people try to build legacy systems on top of Bitcoin. It's like trying to fit a square peg in a round hole.
reply
Great guide! Have my sats. Also works really nice with LNbits.
reply