Slashdot Mirror


MasterCard Joining Push For Fingerprint ID Standard

schwit1 writes with this selection from a story at USA Today: "MasterCard is joining the FIDO Alliance, signaling that the payment network is getting interested in using fingerprints and other biometric data to identify people for online payments. MasterCard will be the first major payment network to join FIDO. The Alliance is developing an open industry standard for biometric data such as fingerprints to be used for identification online. The goal is to replace clunky passwords and take friction out of logging on and purchasing using mobile devices. FIDO is trying to standardize lots of different ways of identifying people online, not just through biometric methods."

29 of 138 comments

  1. Fingerprint != user authentication by AliasMarlowe · · Score: 5, Informative

    I'll just leave this here.

    --
    Those who can make you believe absurdities can make you commit atrocities. - Voltaire
    1. Re:Fingerprint != user authentication by phantomfive · · Score: 3, Insightful

      It's worth mentioning that fingerprints CAN be used for authentication IF you can verify that the person is right there, and you can see that it is actually his fingerprint.

      But that's not what's happening here. What's happening here is they are just creating a binary pattern. The binary pattern can be stolen and used by anyone. It's a lot harder to use someone else's actual finger.

      --
      "First they came for the slanderers and i said nothing."
    2. Re:Fingerprint != user authentication by Austrian+Anarchy · · Score: 3, Interesting

      I'll just leave this here.

      Exactly where I was going too. It is somewhat amazing that as soon as we find out that fingerprints are not truly unique, we have all of these tools to use them as bona fide ID. Granted, the odds of someone with the same fingerprint as you trying to log into your account are slim; there still should be some other secret associated with the print to allow access. It should be an enhancement to the password, not a replacement.

      On the other side of the coin, back in the early 1970s the US government had not one, but two fingerprint cards on a bank bomber I am researching right now. They did not make a match until they found his real name and pulled his existing fingerprint card to make a match to the prints he left all over his bombs and his notes to the press. That part took almost a full week. His 1972 and 1982 wanted posters had full fingerprint sets, even though he had never been arrested. They came from his US Army enlistment records from 1956, and an enlistment under an alias in 1971. He stayed on the loose until 1986, when he was identified by his picture.

      While there is some science associated with fingerprint identification, it is not quite the science that the authorities want us to believe.

      --
      Time Bomber the Book coming soon.
    3. Re:Fingerprint != user authentication by Austrian+Anarchy · · Score: 2

      While what you are saying is true, the trick with fingerprints back before the mid-90s was processing power. If you wanted to compare prints you had to pay one or more people to sit there and compare each print to a suspected print.

      Now you can compare hundreds of prints per second and only have to use people to verify the half a dozen potential matches. The problem with completely automated systems is that they only compare a dozen points of interest. To be truly useful you would need to vector map the entire print.

      In the 1930s, the FBI was claiming that their classification and search system took 3 minutes or less to match an unknown print with a known print: http://youtu.be/6xgPqc5ROHI?t=20s (skipped to 20 sec. in for the relevant content and skip the related promo. Contains video from the FBI on their fingerprint analysis system from the 1930s and after it became "digitized.") My primary objection is with how fingerprint analysis has been mis-characterized for over a century.

      --
      Time Bomber the Book coming soon.
    4. Re:Fingerprint != user authentication by SlippyToad · · Score: 2

      Exactly. Fingerprints are the worst password ever. You literally leave your password in plain sight RIGHT ON THE OBJECT you are supposed to be securing. How much less secure could you get?

      --
      One day I feel I'm ahead of the wheel / the next it's rolling over me / I can get back on / I can get back on
    5. Re:Fingerprint != user authentication by Jarik+C-Bol · · Score: 2

      This is why I think that POS terminals where you swipe your card, then sign your name should be replaced with a system where you swipe your card, then place your finger, which then attaches a high-res scan of your print to the sale.

      Also, while we're at it, can we standardize fsking customer-side POS systems finally? Every one of them you come to is different: button layout, number of screen prompts for cash back or purchase amount confirmation. Working customer service in a store has taught me that, despite their ubiquitousness, people are completely confused by credit card POS terminals, because they ALL work differently.

      --
      I've decided to Diversify my Holdings. I've divided my cash between my left and right pockets, instead of all in one.
  2. How about NO by AmiMoJo · · Score: 3, Interesting

    If Bastardcard think I'm giving them my fingerprints, or even a hash of my fingerprints, they are going to be sorely disappointed. Even if their own systems are secure, credit card related data is the number one target for thieves and crackers. Plus, they are Mastercard, and Mastercard are bastards, hence my childish name-calling.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    1. Re:How about NO by phantomfive · · Score: 5, Insightful

      The worst part is once your fingerprint is compromised, you can't change it easily. You can't ever use it again.

      At least if you have a bad password, you can change it.

      --
      "First they came for the slanderers and i said nothing."
    2. Re:How about NO by 0123456 · · Score: 3, Insightful

      What exactly can they do with your fingerprints that's dastardly and evil? I think I'm missing something.

      Break into your account on any other service that's retarded enough to think fingerprints are passwords?

      Hand them to the NSA so they can link your online activities to your fingerprints?

      Just two that come to mind in about ten seconds.

    3. Re:How about NO by Dark$ide · · Score: 2

      Please mod parent up.

      It's clearly ok as a username. Although who cares if a user name ends up stored in a cookie? But not for authentication, not even as a two factor option.

      --
      Sigs. We don't need no steenking sigs.

    4. Re:How about NO by Opportunist · · Score: 3, Insightful

      You think I can't do anything evil when I have access to your fingerprints?

      Need an email address to mail them to? A set of prints that ain't mine could be handy at times...

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    5. Re:How about NO by Nidi62 · · Score: 4, Funny

      The worst part is once your fingerprint is compromised, you can't change it easily. You can't ever use it again.

      You could always selectively burn out small parts of your fingerprint and reburn them every time it grows back. But then I guess that takes the pain of password management to a whole new level.

      --
      The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
    6. Re:How about NO by SlippyToad · · Score: 2

      Play the bass. Don't use a pick. My fingerprints are hamburger from 30+ years of abuse.

      --
      One day I feel I'm ahead of the wheel / the next it's rolling over me / I can get back on / I can get back on
  3. Boy do feel safer by Rosco+P.+Coltrane · · Score: 2

    Fingerprint identification is great as long as (1) you trust the organization that uses it with that very, VERY personal data, and (2) you trust that they're not so lame as to lose your fingerprint data.

    (1) I wouldn't trust credit card companies with anything more serious than an easily replaceable 4-digit PIN number

    (2) Sheesh, even governments routinely misplace confidential tax data of their citizens. Need I say more?

    In short, I'll keep using good ole anonymous cash to spend at local retailers for my purchases thank you very much.

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    1. Re:Boy do feel safer by savuporo · · Score: 4, Insightful

      You lose your fingerprint data every time you step out of your private quarters, unless you wear latex gloves all day. Copying and faking your fingerprints costs about $10. Fingerprints are the most easily collected biometric information on you - using them for any sort of authentication is stupid.

      --
      http://validator.w3.org/check?uri=http%3A%2F%2Fwww.slashdot.org Errors found while checking this document as HTML5!
    2. Re:Boy do feel safer by failedlogic · · Score: 4, Insightful

      Mastercard surely employs security experts who should know better. I would think most of them would come up with the same counter-arguments we'll be reading on Slashdot in the next few hours.

      So the question is, who came up with this idea, and why was it authorized for release to the media?

    3. Re:Boy do feel safer by samjam · · Score: 2

      You leave your fingerprints on your credit card.
      If they steal your card, they also have your prints.

      How dumb is that?

  4. stop jumping the gun. by nimbius · · Score: 5, Interesting

    1. Perfect the payment card identification solutions you currently have.
    2. Deprecate the solutions that are blatantly flawed. Junk marketing flair such as RFID was a terrible idea.
    3. Take a more proactive approach to identity theft; don't just triage it with a new card. Target and eliminate payment card processors with a consistent history of exploit or breach. Refuse to reinstate service until an independent third party audit is conducted.
    4. Use, when ready, a new standard with a proven track record and a history of functional security. Stop inventing nonsense piecework systems that hackers swarm like flies on sugar.

    --
    Good people go to bed earlier.
  5. Fingerprint == user_name by Anonymous Coward · · Score: 5, Insightful

    Fingerprints should be treated as user names, not as a substitute for passwords.

    1. Re:Fingerprint == user_name by Jeremiah+Cornelius · · Score: 3, Funny

      Pull my username...

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    2. Re:Fingerprint == user_name by sjames · · Score: 2

      No. Identification and authentication are related but different things.

  6. There are better ways. by Anonymous Coward · · Score: 4, Insightful

    The system of telling someone a secret to identify yourself and thus authorize something is inherently stupid. I don't care if it's a credit card number, security code, or fingerprint.

    We have public key cryptography; there is no reason to tell every vendor you make a purchase from enough information to allow them to make arbitrary purchases. They should provide you with a request, which you can sign/authorize with your private key. This signed transaction request goes to the payment processor (mastercard in this case). Then they can, if you dispute the validity of it, provide the signed request as proof that someone with your private key (which they don't have, and you never give out) authorized it. Thus they are more resistant to false fraud claims, and you are more resistant to identity theft/fraudulent purchases.

    It's clearly a Win/Win, but requires you to have a "smart card" of some kind that's capable of displaying some minimal information and lets you select whether to authorize or not. The transfer of data to and from the card, and the powering of it, would be easy to do over NFC, and it just needs enough of a display to show the amount. It should be possible to make such a device for ~$5 in large quantities, but you could also just use a smart phone.

    You obviously would want a system where you could contact the payment processor and update your public key in case your card is stolen (generally, changing your key frequently isn't a bad idea, assuming you have some nice way to authenticate to change it, like using a key you don't carry around with you).

    Also, it's trivial to allow such a system to transfer money in either direction, and extend it to multiple payment processors and currencies (open the standards for the interface, so you can make a single card that works with mastercard, bitcoin, visa, etc).

    Due to the reduced rates of fraud, liability and thus fees can be reduced, and even the potential for privacy is added (unique keys for each transaction + third party payment processors which work as proxies and protect the content of your purchase from the actual payment processor+credit card company, and protect your identity from the store). Even things like bitcoins and Chaum tokens could be used if you really wanted to go privacy crazy.

    So, why aren't stores using such a lower risk, lower fee, more secure and more user-friendly system? Because the payment processors have a monopoly and like it this way. Don't buy into their stupid schemes like fingerprint ID; they just want to keep their monopoly, and access to all that valuable data you provide, and all those fees the vendors provide. Better security (and privacy) is trivial, and this is not how to get it. Privacy is impossible with the fingerprint system, and the security isn't good either.

  7. Keep the fingerprint on the device... by John.P.Jones · · Score: 2

    The key is to not use the fingerprint as a key for online authentication; we have a technique for that, it is called cryptographic keys (either symmetric or asymmetric). Now people are generally bad at remembering these strong keys (and even worse at using them), so instead they use a trusted device (it used to be a desktop computer but that day is past, now it's a phone) to both store and use those keys. The user can then authenticate locally to their device using a less strong mechanism (traditionally passwords). Apple has this right: the device is the only thing that needs to use the fingerprint to authenticate the user (local authentication is by its nature two-factor since you need the device). There is no advantage & clear disadvantages to using fingerprints directly for online authentication (passwords too, as we have seen time and time again).
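
The scheme sketched in comments 6 and 7 above (merchant builds a request, the cardholder's device signs it with a private key that is unlocked by a local fingerprint check and never leaves the device, the processor verifies against a registered public key and keeps the signed request as dispute evidence) as an added illustration, not code from any commenter or from MasterCard/FIDO. It uses Go's standard Ed25519; the account id, nonce and the string standing in for the local fingerprint template are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// PaymentRequest is what the merchant hands the cardholder's device; the
// per-request nonce stops a captured signature from being replayed.
type PaymentRequest struct {
	Merchant    string `json:"merchant"`
	AmountCents int64  `json:"amount_cents"`
	Nonce       string `json:"nonce"`
}

// SignOnDevice runs on the cardholder's device, where priv is stored and
// never leaves. The fingerprint only unlocks local signing; enrolled stands
// in for the locally held template (a hypothetical simplification).
func SignOnDevice(priv ed25519.PrivateKey, enrolled, presented string, req PaymentRequest) ([]byte, bool) {
	if presented != enrolled {
		return nil, false // local authentication failed, nothing is signed
	}
	msg, _ := json.Marshal(req)
	return ed25519.Sign(priv, msg), true
}

// Processor keeps one public key per account and every accepted signature,
// which it can later show as proof that the key holder authorized the request.
type Processor struct {
	PubKeys  map[string]ed25519.PublicKey
	Evidence map[string][]byte // nonce -> signature
}

// Accept verifies the signature against the registered key, so an altered
// amount or a forged request fails, and rejects a replayed nonce.
func (p *Processor) Accept(account string, req PaymentRequest, sig []byte) bool {
	pub, ok := p.PubKeys[account]
	_, seen := p.Evidence[req.Nonce]
	msg, _ := json.Marshal(req)
	if !ok || seen || !ed25519.Verify(pub, msg, sig) {
		return false
	}
	p.Evidence[req.Nonce] = sig
	return true
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	proc := &Processor{map[string]ed25519.PublicKey{"acct-1": pub}, map[string][]byte{}}
	req := PaymentRequest{"shop", 1999, "n1"} // constructed request
	sig, _ := SignOnDevice(priv, "print-A", "print-A", req)
	fmt.Println("accepted:", proc.Accept("acct-1", req, sig), "replayed:", proc.Accept("acct-1", req, sig))
}
```

Replacing the entry in PubKeys is the "update your public key" step from comment 6: signatures made with the old device key stop verifying from that point on.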

  8. User authentication != being present by Anonymous Coward · · Score: 2, Insightful

    That person may be forced to use his finger, and there is the opposite case, using a card on the internet for shopping should not require anyone being anywhere specific.

  9. Industry Not Known For Intelligence by Anonymous Coward · · Score: 2, Insightful

    The Chaos Computer Club put it nicely: "It is plain stupid to use something that you can't change and that you leave everywhere every day as a security token."

  10. Very likely fueled by the sensor manufacturer by khrome · · Score: 3, Informative

    So, having worked in this industry:

    1) There are many much more insecure areas (card cloning comes to mind) which already have solutions ( http://www.magtek.com/V2/products/secure-card-reader-authenticators/bullet.asp ), and nearly 0 adoption. Why is everyone suddenly jumping on the fingerprint bandwagon?

    2) There is no point in more physical security: The card issuers guarantee the safety of cardholders' funds and merchants tend to be very touchy about missing funds (the traditional 30 day lag of AMEX *seriously* affects their market penetration, and there's a massive effort to do statistical fraud analysis at a high level, so truthfully a very basic security at the register is effective, because card fraud stays at a relatively fixed level (it could be even better but that would lead to more false positives and worsen the customer experience)), so the cost of the round of hardware upgrades for the whole network far exceeds the cost of fraud.

    3) What makes *sense* is to let consumers swipe their own cards so they can have card-present transactions from their own home, in conjunction with card profiling tech like the link above (it builds a 'fingerprint' of the iron filings suspended in your magswipe to prevent cloning).

    4) This sounds to me like an attempt to reduce the number of card present transactions (which are much less expensive for the merchant) and make more money by claiming a larger percentage of the transaction and to fuel a round of upgrades at the register, much like when checks switched from magnetic ink to frontal scans (check21), which also had little to do with fraud and was mostly an internal cost reduction as well as eliminating some friction for depositors, but required widespread merchant upgrades (with those upgrades not helping the merchant at all).

    5) I'm not sure how PIN security factors in here, since debit PINs use an injectable encryption scheme that is performed *on* the pinpad, which is injected onto it in a *tightly* controlled process. It is a completely different protocol (at least in the US).

    6) There have been a number of transaction network break-ins, and I for one (knowing some of the players in this space) would *never* want any kind of data on their servers that could not be reissued.

  11. I like clunky passwords and spending slowdowns by gnerdalot · · Score: 2

    "The goal is to replace clunky passwords and take friction out of logging on and purchasing using mobile devices." Also slows down my impulsive purchases - I don't see the problem.

  12. I raise a finger to the idea! by Impy+the+Impiuos+Imp · · Score: 2

    1. Hack and get the files.
    2. Someone writes a 3D printer conversion utility.
    3. Print fake fingers.
    4. Illegally profit!

    I left out the ??? step because it wasn't needed.

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  13. Re:Can't change more than nine times by Imrik · · Score: 2

    Most people don't actually remember phone numbers anymore.