There are two parts to the thing. If they have the slightest clue (yet to be determined) the software on the fake-card part is in some odd uP like a PIC (from Microchip), which has a feature that lets you scramble the code on read-out - so you can't easily reverse engineer it - and that would make the battery last a heck of a lot longer since those are easily programmed to "sleep" and draw no power when not actively in use. It may not even be in flash, it might be in a real ROM (but that'd be a surprise, since it costs more) to make rewriting impossible - you'd have to change out the chip.
I did products in PICs for years for that reason - they were darned hard to copy or read anything but garbage out of (very little is actually impossible - but some things are so hard and expensive they're not worth it), so hard it was easier to look at what the thing did and then engineer your own. My product-dev customers loved that. Quite a few embedded-class uPs have that feature in some form, as well as a checksum that's hidden elsewhere and hard to change without some fairly expensive tools (and signing your name here and there kinda leaves a paper trail). If they used house-numbered chips, you can't tell which uP they used and then might have to buy a whole bunch of dev kits (~ a few hundred bucks each with compiler and dongle for burning) before hitting on even the right processor.
It's true their hardware (at least the proto) is small and slick - they might not be showing what it's really going to take to make a product - time will tell. The scanner side might mostly use the phone CPU to do the heavy lifting, can't tell yet, but it's a fairly common practice, one my firm used a lot. In any multi-CPU system (e.g. the product plus a PC in our case) we'd use the PC for all the real work we could, and the little guy as kind of a smart peripheral at most - just do the real-time stuff as simply as possible, dump the data raw, and let the PC do the heavy lifting numerically and storage-wise (which would map to the phone in this case). The reader need not be that small and slick though, at least not to be useful. Just portable enough to fit in a coat pocket (easy). If they can buy a tiny one, so can I. All it really is is a tape head with a few tracks, it's way not rocket science, and the margins for signal to noise are huge so the "real" readers almost always work, even when full of dirt and so on (think the readers in the stores). Anyone remember the old mag-tape days? A CC has a lot fewer bits/inch and is more primitive than even the oldest tape drives were. This is to allow for big mechanical clearances between the card and read head, and dirt and what not, so the result can work for not-real-skilled customers.
In other words, the card reader part may be nothing more than a multitrack tape head with some comparators to get to TTL-level signals, which simply sends the raw data to something more capable (the phone) to figure out what this bit pattern means, and to normalize it for the speed of the swipe.
It's what I would do if I had zero worries about security. Which seems fairly close to them - they don't seem to understand the implications here (or don't want to make that public).
The writer (e.g. the card itself) need be no more than an electromagnet (one per track, but full length) that pulses at a rate (with the bit level/timing format you'd see in a swipe), simulating a swipe over a tape head that is reading what it thinks is one point at a time. It need not be fancy or an array of little electromagnets, since it's not actually writing a magstripe, just pretending to *be* one during reading. In fact, that's probably the basis of their "invention" - figuring out that's all you need there.
And they have that software security feature of Bluetooth tethering, which is a total add-on over the basic function. Depending on how they did that, it might be no more than a cut trace or pull-up resistor to defeat it - the devil there is in the details. To get to proto stage they probably grabbed a bunch of already working small chipsets "off the shelf" since that's less NRE cost than a custom SoC, and lashed them up, which means wires you can intercept between the chips. But that's a guess.
Or it could be possible to pair the thing with more than one phone. That would be a pain for the hacker, as I'd guess even a brain-dead "security via obscurity" coder would at least make sure the owners' names match, but then again, you never know. Imagine a use case for a whole household, they'd probably want to handle that, and all the cards might not be in the same name, and who knows how they would implement that one? Not me, not yet. I'm sure the gory details will come out in something like Pwn2Own or some 'con soon enough.
FWIW, the tech-inclined have been able to do this for a few decades if my memory serves; in fact, the junk you need is now more or less obsolete as a developer sales item - all the readers we need are already in place, not many are designing new ones. It's a bit harder if you have to write an actual magstripe so you hand the merchant something that looks like a real card (and is, just with fake data). In fact, there are reports of that happening, just not on any large scale. The real danger here is they are encouraging merchants to take these fake-looking cards, so if they do, then anyone can make something look-alike and expect to get it accepted. That would hugely embiggen the market for all those stolen CC numbers (all of them?). Seems long lists are cheap to buy and, with all the leaks, they cover most of the CC numbers out there. They've been going cheap in cracker-land since it's hard to capitalize on those as things sat.
We now live in a society originally described by Harry Harrison, in the Stainless Steel Rat series (no, it's not that great as writing, but fun). His point was, with surveillance, digital money xfer tracking and so forth, that it's a lot harder to get away with being a big-time crook now. To "win" the money has to come to you. Electronic payment means there's a trail unless you are very fast in getting it back to something physical and skipping town (or buying merchandise, then fencing it), which is why the aforementioned capability to make fake cards - long existing - rarely makes the big-time news - it's just too hard to get away with very much, so all the crimes are relatively petty, and fairly rare - the perps tend to get off the street (and often into the greybar hotel) pretty quick unless they are very smart and very nimble.
Remember, you have to set up an account somewhere to accept the money, and your picture is definitely taken every time you go into a bank to do that. Since you have to do that a lot to be nimble, that means you leave a trail of your pix everywhere you do it. Sooner or later you get recognized as this guy who starts a lot of accounts, gets money into them, then closes them. A fairly easy-to-detect pattern for law enforcement, and one the banks report on as is (so my banker told me when filling me in on the secret parts of the Patriot Act, at her risk - nice to live in a small town).
I've seen reports of ignorant mules hired to do that, so they are the ones who get taken down, then they spill that they were just working for someone who hired them over the 'net to do it for a small cut of the take. So the law enforcement types have to trace back to the boss, which can make things a lot more difficult for them, since they tend not to be real good at digital forensics, outside the intelligence community.
Most all reasonably smart people make more money without (outright) theft - for example, these guys, "selling shovels in a gold rush" might qualify as indirect criminals or alternatively, as enablers of crime without having to do crime themselves.
Of course, in the proto they almost certainly re-used some off-the-shelf overpowered CPU for which things like a USB and Bluetooth software stack are already around, easy to prototype with and so on, without having to know how to write a protocol stack. I've been seeing a trend of using microprocessors that are insanely overpowered, running things like Linux or Android or even Win CE, to do really simple jobs - just because they save on NRE costs - you don't need a great set of programmers when the job is 9/10ths done for you. Not only does that cost the customer a bit more, the resulting code is crummier, since the manuf never hired the real top of the class, just some code monkey - a little drag here, a little drop there and you have a running thing that takes 100x the CPU to run, but almost no cost for the programming.
I have some examples around here of that design philosophy. I have a mass spectrometer head that runs Windows CE to create the other side of a DCOM ActiveX control, but which does exactly nothing else - the PC it's hooked to does all the math and sends the device every single parameter setting for this or that mass, tells it to read a current off the detector, and send it back to the PC.
So you have this big attack surface (DCOM is bad enough by itself) and an expensive and large board in the device when a tiny uP would have easily done the job and more - but would have required someone to know how to do tiny uP opsys, invent their own comm protocol and so on.
The manufacturer of this $40,000 thing didn't care about the customer's cost or attack surface, just the NRE it cost them on a fairly low volume (as you might imagine for that price) product.
My bet is all the smarts are on the phone itself, the rest is just interface parts for the phone. And we know phones are secure (not). So a hack on the phone side might be the main vector for someone, and those are not that hard to pull the guts out of in readable (for reverse engineering) form.
From 30k feet, that looks like the vector of choice here, for the coder-only sort of cracker, which includes nearly all of 'em.
Edit:
Note, I also have another mass spec that I bought surplus on the cheap. It only really took a Z80 at 4 MHz to both drive a CRT display and output the results in ASCII over a serial port. And even that Z80 is loafing to do the job, but the days when a low-level expert is hired to do this kind of thing seem to be over, perhaps due to a shortage or the high price of such talent. Even a $2 (in ones!) PIC would be several times more CPU than that has - and it's a mass spectrometer, not a tape-stripe emulator, which is a whole lot easier - the mass spec has to be real time, control a bunch of analog stuff (filament, voltages both DC and RF on the electrodes) and input the current signal for each ion e/m ratio in a sweep.
And yes, ID theft is still pretty easy to do. Usually just a little social engineering after some web searching. But it's still hard to fix once it happens, as you almost certainly know.
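As an added illustration of the reader-side step the post describes (take raw transition timings from the head, "figure out what this bit pattern means, and normalize it for the speed of the swipe"), here is example code that is not from the post or the product: an F2F (Aiken biphase) decoder that tracks the bit-cell period from the timings, plus Track 2 character parsing with the parity and LRC checks that make real readers reject a dirty or glitchy swipe instead of mis-reading it. The encoding follows ISO/IEC 7811; the signal generators exist only to build constructed test input.

```python
def char_bits(v):
    """4 data bits LSB first plus an odd-parity bit (ISO/IEC 7811 Track 2)."""
    data = [(v >> k) & 1 for k in range(4)]
    return "".join(str(b) for b in data + [1 - (sum(data) & 1)])

def track2_bits(text):
    """Constructed Track 2 stream: clocking zeros, ';' start, data, '?' end, LRC."""
    lrc, body = 0, []
    for ch in ";" + text + "?":
        v = ord(ch) - 0x30                 # '0'-'9', ';', '=', '?' map to 0x0-0xF
        lrc ^= v
        body.append(char_bits(v))
    return "0" * 8 + "".join(body) + char_bits(lrc) + "0" * 8

def f2f_intervals(bits, period=1.0, accel=0.0):
    """Constructed head output: time between flux transitions (F2F / Aiken biphase).
    A '1' cell carries a mid-cell transition; the period shrinks by `accel` per bit."""
    out = []
    for b in bits:
        out += [period / 2, period / 2] if b == "1" else [period]
        period *= 1 - accel
    return out

def f2f_decode(intervals, tol=0.3):
    """Recover bits while tracking the cell period, so swipe speed need not be constant."""
    bits, period, i = [], intervals[0], 0      # leading clocking zeros seed the period
    while i < len(intervals):
        d = intervals[i]
        if abs(d - period) <= tol * period:                        # full cell: '0'
            bits.append("0"); i += 1
        elif i + 1 < len(intervals) and abs(d - period / 2) <= tol * period / 2:
            d = intervals[i] + intervals[i + 1]                    # two half cells: '1'
            bits.append("1"); i += 2
        else:
            return None                                            # glitch: reject the swipe
        period = 0.7 * period + 0.3 * d                            # follow the speed change
    return "".join(bits)

def track2_decode(bits):
    """Parse 5-bit characters from the start sentinel; None if parity or LRC fails."""
    i, text, lrc = bits.find("11010"), "", 0                       # ';' = 0xB, parity 0
    while i >= 0 and i + 5 <= len(bits):
        group = bits[i:i + 5]; i += 5
        if group.count("1") % 2 == 0:
            return None                                            # odd parity failed
        v = int(group[3::-1], 2)                                   # data bits are LSB first
        if text.endswith("?"):
            return text if v == lrc else None                      # LRC character
        text += chr(0x30 + v); lrc ^= v
    return None
```

The period estimate is an exponential moving average, so a swipe that accelerates by a percent per bit still decodes; a single out-of-tolerance interval or a flipped bit makes the whole swipe fail closed, which is the behaviour you want from a reader rather than a best-effort guess.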