Mastercard is Building Fingerprint Scanners Directly Into Its Cards

Mastercard said on Thursday it's beginning trials of its "next-generation biometric card" in South Africa. In addition to the standard chip and pin, the new cards have a built-in fingerprint reader that the user can use to authenticate every purchase. From a report: Impressively, the new card is no thicker or larger than your current credit and debit cards.

Re:This can't POSSIBLY go wrong!

[Dutchmaan]

I think that's where the whole "trials" thing comes in....

About time

[phorm]

I've been wondering for quite a while when we could have something like this. The question is how the processing works for the card, for example
a) Does it process against a chip in the card which allows the card to pass information to the pin-pad or not (good to prevent use of stolen cards)
b) Does it process against the pin-pad allowing a transaction to be verified (good to transactions from cloned cards)

The first choice is good to reduce the more immediate impact of card theft, and better from a privacy perspective. The second is more effective against somebody cloning your card - which around here is more common - but it means that your CC company presumably needs your biometric info. It also allows the use of fingerprints as a password replacement (pin-pad)

Re:About time

[Nidi62]

I've been wondering for quite a while when we could have something like this. The question is how the processing works for the card, for example a) Does it process against a chip in the card which allows the card to pass information to the pin-pad or not (good to prevent use of stolen cards) b) Does it process against the pin-pad allowing a transaction to be verified (good to transactions from cloned cards)

The first choice is good to reduce the more immediate impact of card theft, and better from a privacy perspective. The second is more effective against somebody cloning your card - which around here is more common - but it means that your CC company presumably needs your biometric info. It also allows the use of fingerprints as a password replacement (pin-pad)

It could be built in to the opposite end of the card from the chip. So as the chip is inserted in the reader, your finger is over the built-in scanner authenticating that the person using and holding the card is the person that owns the card. Might help for stolen/cloned cards, but it wouldn't do much for cards that were fraudulently issued due to identity theft, as the thief could just open and register the card using their own fingerprint.

Re:About time

[magarity]

The second is more effective against somebody cloning your card - which around here is more common - but it means that your CC company presumably needs your biometric info

Don't they just need a one-way hash of your biometric info? But the second way is more likely since otherwise the card will need a battery to power that processing internally.

Re:About time

[drdread66]

A hash is not enough. Fingerprint matching is a notoriously fuzzy process because fingers deform under pressure, they get damaged (cuts, burns), etc. The matching process works by doing a "good enough" comparison between the newly-acquired image and a pre-digested "template" computed from the enrolled image.

Re:About time

[Luthair]

I have to imagine with physical access couldn't a thief circumvent the reader to simply OK the transaction.

Re:About time

[drdread66]

A friend of mine works for one of the companies involved in the Mastercard pilot. As I understand it, their card is powered by the chip reader, which already supplies power to the EMV chip.

Your machete, don't leave home without it.

[dasgoober]

In an area where cutting off arms doesn't give some people pause - what could go wrong??

Re:Your machete, don't leave home without it.

[avandesande]

If you arm just got chopped off and you are worried about changing the authentication scheme for your credit card you have bigger problems.

not foolproof

[MickyTheIdiot]

There are other things you can comment on like above, but I there are other ways this can go wrong as well.

I have been diagnosed with bad eczema on my hands recently, and it mostly affects the tips of my fingers. The sensor on my Nexus will now periodically stop accepting my fingerprint scans until I log in with another authentication method and rescan them.

If you don't have any backup ways to provide authentication there are cases where people will get locked out for medical reasons. That won't be extremely common I guess, but fingerprint biometric will, like all systems, not solve all problems.

Re:not foolproof

[AxeTheMax]

And I have essentially lost my fingerprints (after a bout of dengue fever a few years ago, this causes skin shedding). Though now I can see just about see them on careful examination they hardly come out on fingerprint scanners. It caused some problems when visiting a country where they fingerprint you on arrival.

Re: This can't POSSIBLY go wrong!

[ArmoredDragon]

I think the point is that they're making it much harder for a typical wallet thief to go to town on your credit card before you can report it stolen. By the time they create a false print, it may be too late.

Still waiting

[sir-gold]

I'm still waiting for the version of the mastercard that includes a holographic AI assistant, that we were promised in the early 90s

Re:Still waiting

[bhamtown]

A Time Trax reference! WUUUUUUUUUUUTTTTT?

Re:This can't POSSIBLY go wrong!

[DickBreath]

Wouldn't the thief still need your PIN? And the physical card? And a fake fingerprint sticker of your finger? (And which finger did you register with the card?)

In order to authenticate each transaction: A retina scan, voice sample, blood sample, semen sample and lock of hair.

Re: This can't POSSIBLY go wrong!

because online shopping doesn't exist?
because card readers with finger print tech will be every where just like chip-card readers are every where

One day they'll discover the folly....

[Bugler412]

One day they'll discover the folly of using biometrics for authentication or authorization, but then it will be too late. Let's all tie everything to a password that we can never change right? Great idea! Sigh

Re:One day they'll discover the folly....

[BatGnat]

10 fingers, 10 passwords
(11 for some)

Re:One day they'll discover the folly....

[swillden]

One day they'll discover the folly of using biometrics for authentication or authorization, but then it will be too late. Let's all tie everything to a password that we can never change right? Great idea! Sigh

Sigh, indeed. You fundamentally misunderstand biometric authentication if you think it is anything like a password, or if you think it matters at all that it can't change. Biometrics do have their share of cons, but not being able to rotate them is definitely not among them.

The security model for password authentication derives its strength (or lack thereof) from the secrecy of the password. Biometrics do not. Your fingerprints are not secrets; you leave them everywhere you go (which is what makes them so useful forensically). From a security perspective the only reasonable way to treat fingerprints or other biometric data is as public information. Assume that the whole world knows your fingerprints, because anyone who really wants to, does.

Because password security is based on secrecy, and because over time those secrets may leak, or be discoverable through time-consuming brute force, password rotation is important. It closes the window of vulnerability if they've leaked, and if you rotate them soon enough that no realistic attacker could have had time to discover them via brute force search (given whatever brute force mitigations are in place), then you maintain the secrecy. Because biometric security is not based on secrecy, rotation helps nothing and is irrelevant.

But if biometric authentication security is not based on secrecy of the biometric, what is it based on? The integrity of the measurement and matching process. Your fingerprint is public information, indeed it's almost certainly conveniently available from the surface of your credit card. So the security of the authentication is precisely equal to the difficulty that an attacker has in presenting your known-fingerprint to the card in a way that it will accept it. If the attacker can splice into the data link between the scanner and matching engine and replay a digital copy, he can authenticate as you. Various techniques, strong ones, can mitigate against that attack.If the attacker can subvert the matching process and get it to report success regardless of input, he can authenticate as you. This is fairly easy to defend against, unless the attacker is very well-equipped. If the attacker can create a fake finger that the scanner will believe is real, and which contains your print image, he can authenticate as you. Various techniques can be used to mitigate against that... but the ones that are deployable in mass-produced consumer devices to be used in essentially unattended operation are pretty weak.

Weak is honestly just fine for this application, though. The fingerprint is just one mitigation on top of many others. It's definitely better than the signature "authentication" currently used in the US. In many ways it's better than PIN authentication, because PINs can be shoulder-surfed. In other ways it's not as good, but overall it's definitely on par.

Re:One day they'll discover the folly....

[swillden]

Don't trust any organization that doesn't understand that the fingerprint is the user name not the password.

Fingerprints are not passwords, but they're even worse usernames. Fingerprints come with no uniqueness guarantees and don't consistently identify the same person. Fingerprints are useful authenticators, but you have to understand the security model of biometric authentication, and it is not the same as password authentication. You can't just slot biometrics in as either usernames or passwords. They're different, with different strengths and weaknesses.

Re:One day they'll discover the folly....

[swillden]

It looks like you don't understand yourself. Otherwise you would not claim that biometric authentication is not comparable to password authentication, and then conclude it is better than PIN authentication.

You need to re-read the post you responded to. Nowhere did I say that biometric authentication cannot be compared to password authentication. I said a biometric is not a password. The security models are different, but that does not mean they cannot be compared. Also, I did not say that biometric authentication is unambiguously better than PIN authentication. I said it's better in some ways and not as good in others, and overall, for this application, this threat models, it's "on par". That means "about as good".

Re:One day they'll discover the folly....

[Bugler412]

If it is used as a password (IE: no other authenticating properties), it's a password. The logical construction of the token or whatever is rather irrelevant, as is the physical properties. If I can obtain the hash, file, image, whatever the system uses and present it to the authentication service, then how the electronic representation is produced is irrelevant, and you also can't change the source physical properties that generate the digital representation. In short, if someone obtains that representation and is able to utilize it, the user is toast, with little or no opportunity for the user or admin to do anything about it.

Re:One day they'll discover the folly....

[swillden]

If it is used as a password (IE: no other authenticating properties), it's a password.

Only if you conflate all authentication with password authentication.

In short, if someone obtains that representation and is able to utilize it, the user is toast

That statement is correct, but note that it contains two parts: (a) if someone is able to obtain the representation and (b) if someone is able to utilize it. This, in a nutshell is the difference between password and biometric authentication. With passwords, the hard part is (a), and (b) is easy. With biometrics, the hard part is (b), and (a) is easy. Exactly how hard (b) is depends on the details of the system.

DOA

[wirehead_rick]

When will fingerprints die? All fingerprint technology can't check if a human finger is actually what is being read.

Too many designers watching James Bond films . . .

Cyrpto

[Luthair]

I've always wondered why they don't use some form of cryptography to authenticate the card. Skimming seems to be more prevalent than someone physically having a card, though perhaps theft is more common in South Africa.

Re:Cyrpto

[viperidaenz]

They do in countries with modern payment systems.

It's called "EMV" or "Chip+Pin".
There's also "paypass" and "paywave" - aka NFC.

I can't swipe my card in a local terminal even if I wanted to. There is data in the magstrip that says the terminal must use the chip if it can. There are no terminals that can't in NZ anymore.

Re:Cyrpto

[jittles]

They do in countries with modern payment systems.

It's called "EMV" or "Chip+Pin". There's also "paypass" and "paywave" - aka NFC.

I can't swipe my card in a local terminal even if I wanted to. There is data in the magstrip that says the terminal must use the chip if it can. There are no terminals that can't in NZ anymore.

The service code in the track 2 data indicates that the card is EMV capable. You could easily rewrite the service code but the issuing bank would see that if the transaction were to go online. Most transactions are online these days and online processing is technically a requirement in the US, though you can approve offline at your own risk. You can also do some attacks with the chip itself when they're used offline as well, but they're trickier. The Information Security Group of the University College of London have more information about the different types of offline attacks one can run.

Fingers

[nnet]

In unrelated news, Lloyd's Of London sees spike in finger insurance.

Touch-activated sphincter rod sensor

[sinij]

Touch-activated sphincter rod sensor is much more secure and this is what they should go with for biometric authentication.

Re:Touch-activated sphincter rod sensor

[omnichad]

TASeRS?

Data Collection, not security

[evolutionary]

Okay, it's amazing how many "mickey's" the public has been swallowing in the name of "security" be it national or individual. This is basically a way of fingerprinting everyone in a private database. We all know of ways this can be bypassed (you can lift finger prints from anything someone has touched (doorknob, glass, whatever), so the only one who benefits are private corporations who want to sell that data, and governments who want to obtain it by buying it. We are treating the public as criminals by default or worse...cattle with a brand that is pre-applied. That will be one card I will not use. guess cash is king again for those of us who believe we should formally convicted of something before we have biometric data collection by agencies.

So...

[argStyopa]

...note to thieves: now you need to remember to bring a sharp knife to your muggings. A gun alone simply won't do.

How is this any more secure than chip/pin?

[mark-t]

As far as I'm aware, the fundamental idea behind breaking chip/pin is to exploit the fallback system to bypass the need to actually know the pin and make the system believe that it fell back to signature based authentication. it seems me that similar vulnerabilities would exist here.

Re:How is this any more secure than chip/pin?

[petermgreen]

Technical issues aside one problem with chip and pin is it's vulnerable to shoulder surfing. A thief can watch the victim enter their pin, then steal the card.

Re:How is this any more secure than chip/pin?

[mark-t]

That's not considered a vulnerability in chip/pin. It can be mitigated by safe practices such as being aware of your surroundings enough to realize that someone is looking over your shoulder. Given that the key pads are often covered and only really visible from about the point of view of the person entering the code, a shoulder peeper would have to in pretty close proximity, close enough to typically be considered invasive of personal space. Barring a disability tthere is little reason to not be able to secure your own surroundings before entering the pin.

Mod parent up

[Razed+By+TV]

Sure, it will help thwart common pickpockets.
On the other hand, violent muggings will be escalated.

What about Chip and PIN in the US?

[Streetlight]

Here we are in the US with chip and signature, much less chip and biometrics. And not all all retailers have chip readers, including Costco, at least the one I shop at. My one man barber shop has a chip reader POS terminal. And what about using stolen cards with on line retailers before the owner knows about the theft? I'm not sure how the interface would work.

Re:What about Chip and PIN in the US?

[ctilsie242]

It was supposed to be late 2015 when everything was going to be chip-and-PIN, so we would have security at least on par with the rest of the world. 2015 rolled around, and we wound up with credit card machines at various stores with the chip slot taped over. Now, same thing. There is a 50/50 chance that I will be swiping my card, and not using the chip on it, depending on merchant.

I really would love to see fingerprint technology here in the US, just as a precaution.

Re:What about Chip and PIN in the US?

[jittles]

Here we are in the US with chip and signature, much less chip and biometrics. And not all all retailers have chip readers, including Costco, at least the one I shop at. My one man barber shop has a chip reader POS terminal. And what about using stolen cards with on line retailers before the owner knows about the theft? I'm not sure how the interface would work.

Blame your bank for the lack of PIN on your card. My debit card has chip + PIN here in the US. I have a bunch of credit card terminals on my desk and can do online PIN, offline PIN with CDA, offline PIN with SDA, and unencrypted offline PIN just fine with my card. There's no technical reason it can't be done here in the US. It is purely a business decision. All ATMs are supposed to be chip capable by about October 2017, so perhaps they'll start adding PINs then.

Re:What about Chip and PIN in the US?

[reboot246]

My bank here in (so-called) backwards Alabama issues debit cards with chip and PIN. Of course, retailers who have chip readers are few and far between. My card has no magnetic stripe and even my doctor's new office (opened last year) can't take the card.

You need to move somewhere closer to civilization!

Re:What about Chip and PIN in the US?

[Streetlight]

Your card is a Debit Card, not a Credit Card. Debit Cards have had swipe and pin for a long time, now Chip and Pin, and if you can also use it as a Credit Card it may be Chip and Signature in that use not Chip and Pin.

Re:This can't POSSIBLY go wrong!

[Marxist+Hacker+42]

Next up, the mugger takes your wallet AND your fingers.

Re: This can't POSSIBLY go wrong!

[ArmoredDragon]

Because increased 'card present' security is important, especially outside the US where there's no such thing as zero fraud liability.

Card not present security will inevitably need another form of protection, whether that's from one time keys or some kind of two factor system, but that's not what this is for.

Re:Problem

[Alumoi]

Are you implying this is just a government effort to fingerprint everybody? Naah, it can't be.

Re: This can't POSSIBLY go wrong!

[ArmoredDragon]

PIN on a credit card? Honestly I've never had a bank offer the option of setting one up. And I think the reason they don't is because they want the transaction to happen quicker. With a fingerprint, it could very well satisfy both needs. I.e. press your finger on the right spot of the card just prior to insertion, and nothing else is required. Merchant can even do away with the pin pad.

This is how PINs should work

[MobyDisk]

Instead of entering the PIN into the merchant's terminal, the terminal should just power the card, and I enter the PIN into the card. That way the merchant doesn't get my PIN. This was proposed in the 1990's and deemed impossible because nobody had chip cards and the technology would have been too expensive. Now that the government finally mandated chip cards, they are suddenly realizing all the features that we could have had long ago. It's probably too late. We will all pay with smart devices in another decade.

Re:This is how PINs should work

[OrangeTide]

Even so, an infrared camera pointed at the keypad can still narrow down the PIN.

How many times?

[OrangeTide]

How many times in the last decade has it been shown that finger print readers are neither secure nor reliable? Most sensors are easier to circumvent than my bicycle's 4 digit combo lock.

In Related News

[rogoshen1]

Armed gangs have been roving the streets of Pretoria with pliers and garden shears; local hospitals are being overwhelmed with victims of these drive by finger amputation muggings.

Re:In Related News

[iggymanz]

joke is mostly on the gangs though, in only 7% of the finger cuttings were they able to get the matching credit card

Dumb

[Rick+Schumann]

Great. So some criminal scum with their skimmers will now steal my fingerprint, as well as my credit card/debit card information.

Re: This can't POSSIBLY go wrong!

[Blymie]

Canadiam.... my Capital One catd has a pin...

Re: This can't POSSIBLY go wrong!

[petermgreen]

Depends where you live, the American banks chose to go for chip and signature while the European banks (and afaict most other countries) went for chip and pin.

Re:This can't POSSIBLY go wrong!

[petermgreen]

Card companies are always trying to strike a balance between security and usability. Chip and pin does pretty well but it's vulnerable to theives who shoulder-surf the pin and then steal the card. It is also relatively slow (though that is partly down to crappy terminals). Contactless is far more convenient but much less secure. Chip and signature is vulnerable to inattentive operators and modified cards.

How will this option fare on conviniance and security? presumably that is what these trials are intended to find out.

Re: This can't POSSIBLY go wrong!

[nehumanuscrede]

"Depends where you live, the American banks chose to go for chip and signature while the European banks (and afaict most other countries) went for chip and pin."

Which explains why my new chip card was compromised within a week of receiving it.
One of the staff at the restaurants we frequent bought themselves a porn subscription apparently.

Text alert let me shut it down, but the card was still compromised.

Security theater is all it is.

Re: This can't POSSIBLY go wrong!

[petermgreen]

You have to understand that these features are mainly intended to protect the bank.

For card present transactions if the merchant does everything in the most secure way the card supports the bank takes the fraud liability. If the merchant takes card not present transactions or refuses to upgrade their equipment to support EMV by the deadline the bank gives then the merchant takes the fraud liability.

What we now have is complicated?

[houghi]

We now have to push 4 buttons for our pin code. This is obviously way to difficult. Especially for people that use Imperial instead of Metric. (Remember: Causation is similar to correlation)

Re: This can't POSSIBLY go wrong!

[DickBreath]

My Target card has a PIN. My major credit cards with big limits have a PIN. Don't confuse PIN with the mag stripe. It's two factor identification.
1. Something you know: the PIN
2. Something you have: the card with the chip in it that is not easily forged or reproduced.

The fingerprint is the third of the three types of "factors" to authenticate you. Try as hard as you like, there are only three ways to authenticate something:
1. Something you know. (password, pin, musical notes, etc)
2. Something you have. (car key, house key, credit card with built in microprocessor and storage, a key fob device with USB connector, etc)
3. Something you are. (fingerprint, retina scan, DNA, etc.)

The fingerprint just allows the possibility of three factor authentication. There are no other ways other than something you know, you have, or you are.

BTW, that chip on the credit card is a tamper proof self contained computer with storage. (also: it runs Java.) It has a private key that was originally generated on the chip and never leaves the chip. The bank has the other key of that key pair. So the bank can be sure you really do have the actual card when the card is inserted into the POS terminal. The card can authenticate itself by signing a random token from the bank, while the card is inserted in the terminal. Only your card could do that because nothing else has that private key to do the signing.

The credit card has always been "something you have". It's just been a question of how easy is it for a crook to replicate that card and have it too. The new chip makes that cost prohibitively high.