Slashdot Mirror


Debit Card With Built-In Fingerprint Reader Begins Trial In the UK (theverge.com)

British bank Natwest is trialing the use of a new NFC payment card with a built-in fingerprint scanner. "The trial, which will include 200 customers when it begins in mid-April, will allow its participants to make NFC payments (called 'contactless' in the UK) without needing to input a PIN or offer a signature," reports The Verge. "The standard [30 British pound] limit for contactless payments will not apply when the fingerprint is used." From the report: Currently, anyone can make a contactless payment in the UK by tapping their card on the terminal to make a payment. As a result of this lack of security, a [30 British pound] limit is applied to such payments, with retailers requiring you to place your card into the card reader and enter a PIN for more expensive purchases (commonly referred to as the "Chip and PIN" method). Although mobile payments require authentication, customers often find they're subject to the same [30 British pound] limit. The fingerprint data is stored locally on the card, meaning there's no security information for a hacker to be able to steal from a bank's central database. It's not foolproof -- there's always the risk a sufficiently determined thief could steal and imitate your fingerprint -- but it's much more secure than a PIN that someone could learn by simply looking over your shoulder as you enter it.

58 comments

  1. I'm just going to blather some things, pay no mind by Anonymous Coward · · Score: 0

    Possibly this is some kind of training issue. Given there have been no issues here, I don't think it's unreasonable. Who asked me? Nobody.

  2. Not foolproof if they use hacked POS terminals by Anonymous Coward · · Score: 1

    My biggest issue with card payment is the multiple points of attack. They can physically steal your card, steal your number + 3 digit code, install a MITM card reader, install a hacked or modified terminal or card reader or simply walk down the high street with a terminal in a bag and wave it at people's pockets collecting hundreds of contactless payments.

    I will NEVER use a debit card; I only ever use my credit card and if I'm in ANY doubt I'll use a pre-paid credit card loaded with the required amount instead. And that is only for when it's not possible for me to use cash.

    1. Re:Not foolproof if they use hacked POS terminals by quenda · · Score: 1

      This is just putting off the inevitable: a chip embedded *in* your hand.
      It's simple for the chip to detect if it has been removed from the person, but I'd really like to see some sensors so it knows when you are asleep (like fitness bands do).

      simply walk down the high street with a terminal in a bag and wave it at people's pockets collecting hundreds of contactless payments.

      Not if it needs a fingerprint you fool.

    2. Re:Not foolproof if they use hacked POS terminals by quenda · · Score: 2

      re the "hacked terminal" MITM,
      they could put an LCD display on the card so you can check the amount before authorising, but let's face it, nobody will bother reading.

    3. Re:Not foolproof if they use hacked POS terminals by AHuxley · · Score: 1

      +1 for the CC vs debit card AC.

      --
      Domestic spying is now "Benign Information Gathering"
    4. Re:Not foolproof if they use hacked POS terminals by arglebargle_xiv · · Score: 2

      It's not foolproof -- there's always the risk a sufficiently determined thief could steal and imitate your fingerprint

      Why would you do that? The chip, or hacked/cloned/fake chip, is the one that's telling the terminal that all is OK. "Uh yeah, this is the chip in the card, I've, uhh, verified the owner's fingerprint, all good here, nothing to see, move along". They're doing the checking in the wrong place.

    5. Re:Not foolproof if they use hacked POS terminals by Anonymous Coward · · Score: 0

      ^^^This is what is really missing. Not only to show the amount charged but to whom it is being sent.

    6. Re:Not foolproof if they use hacked POS terminals by Anonymous Coward · · Score: 0

      Not if it needs a fingerprint you fool.

      The card stores the fingerprint. And cards are reprogrammable, you fool.

    7. Re: Not foolproof if they use hacked POS terminals by Anonymous Coward · · Score: 0

      30$ limit without fp

    8. Re:Not foolproof if they use hacked POS terminals by Anonymous Coward · · Score: 0

      You're an American, aren't you?

      "They can physically steal your card" - yeah, but if it literally never leaves my hand, that is difficult. And that's why there is a 30 GBP limit. I have insurance.
      "steal your number + 3 digit code" - see above. Unless, of course, they compromise a website where I've used it (most likely vector!).
      "install a MITM card reader" Err, no. The chip is active, and hence you can no more install a MITM card reader than you can have a MITM proxy server on https - a MITM attacker cannot recover enough information to generate new transactions from observing the communications.
      "install hacked or modified terminal" harder than you think. Those things self-erase when opened, and as mentioned, you cannot actually get enough information from that.

      "I will NEVER use a debit card; i only ever use my credit card "

      Yeah, you're an American. In the rest of the world, Debit and Credit cards are the same (only really whether it's connected to a bank account or a line of credit.)

      The simple truth is the fraud and thievery is so very low level compared to the supposed threats you're worried about. It just is not a real significant threat. Using my CC online is far riskier to me than any physical card transaction.

      In actual fact, I usually use Apple Pay these days (it emulates a contactless credit card) -- that's the real threat to this card's business model, my cellphone already does everything this card can do, including fingerprint!

    9. Re:Not foolproof if they use hacked POS terminals by Anonymous Coward · · Score: 0

      I see this "MITM card reader" claim a lot. It's a simple conspiracy theory, based on a total misunderstanding of how the payment system works. It falls at the first hurdle:

      WHERE DOES THE MONEY GO?

      What happens when a contactless (or other) payment is made:

      The merchant device (card reader/terminal) contacts the merchant's bank and says "here, I've got this card and a payment for whatever", the bank, the terminal and the card perform some authentication to make sure the request is genuine.
      The merchant's bank then contacts the card user's bank and says, your customer is requesting to make a payment to my customer (the merchant)
      The two banks argue the toss and agree or not.
      Assuming the purchase is approved, the money is then put into the merchant's account from the customer's bank.

      There is no room for some random person walking down a street reading everyone's cards - they need to have the machine linked to a merchant account in a bank. These are not easy to get hold of. In the extremely unlikely event that a bad guy did get hold of a merchant account, this would last about a day before the merchant's bank profiled suspicious activity and closed them down.

      It's almost like the banks thought of this...

    10. Re:Not foolproof if they use hacked POS terminals by AmiMoJo · · Score: 1

      The way it works is that the terminal sends the chip a one-time code, the chip does some kind of transformation on it and sends back the result. The transformation involves a secret number that the bank knows and the card knows but which is never transmitted. So it can't easily be spoofed, because reading that number from the card is damn near impossible (physical defences that wipe the memory when tampered with, and which would require destroying the card anyway) and the numbers that are transmitted can't be used to figure it out by any reasonable means.

      So you can't create a fake chip. If you could it would have been done long ago with a chip that accepts any PIN.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
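
Added example, not part of the original thread or any commenter's post: a simplified Python model of the challenge-response AmiMoJo describes above, with HMAC-SHA256 standing in for the card's real transformation (it is not the actual payment-scheme algorithm). The `Card` and `Issuer` classes, the message layout and the `cvm_ok` flag are assumptions made for illustration; the model shows why a replayed message, an altered "fingerprint verified" flag, or a chip without the secret all fail at the bank.

```python
import hashlib
import hmac
import secrets
import struct

CONTACTLESS_LIMIT_PENCE = 3000  # the 30 pound limit quoted in the story


def _tag(key, nonce, amount_pence, counter, cvm_ok):
    # Fixed-width fields so one value cannot bleed into the next.
    msg = nonce + struct.pack(">QIB", amount_pence, counter, int(cvm_ok))
    return hmac.new(key, msg, hashlib.sha256).digest()


class Card:
    """Model chip: the key stays inside, only tags leave it."""

    def __init__(self, key):
        self._key = key
        self._counter = 0

    def respond(self, nonce, amount_pence, fingerprint_matched):
        self._counter += 1  # every transaction gets a fresh counter value
        return {
            "amount_pence": amount_pence,
            "counter": self._counter,
            "cvm_ok": fingerprint_matched,  # the chip's own claim about the cardholder check
            "tag": _tag(self._key, nonce, amount_pence, self._counter, fingerprint_matched),
        }


class Issuer:
    """Model issuing bank: knows each card's key and the last counter it accepted."""

    def __init__(self):
        self._keys = {}
        self._last_counter = {}

    def enrol(self, card_id):
        key = secrets.token_bytes(32)
        self._keys[card_id] = key
        self._last_counter[card_id] = 0
        return Card(key)

    def authorise(self, card_id, nonce, resp):
        expected = _tag(self._keys[card_id], nonce, resp["amount_pence"],
                        resp["counter"], resp["cvm_ok"])
        if not hmac.compare_digest(expected, resp["tag"]):
            return "bad_mac"  # wrong key, wrong one-time code, or altered fields
        if resp["counter"] <= self._last_counter[card_id]:
            return "replayed"  # a valid message the bank has already seen
        self._last_counter[card_id] = resp["counter"]
        if not resp["cvm_ok"] and resp["amount_pence"] > CONTACTLESS_LIMIT_PENCE:
            return "over_limit"
        return "approved"


def demo():
    issuer = Issuer()
    card = issuer.enrol("card-1")  # constructed card id
    out = {}

    n1 = secrets.token_bytes(8)  # the terminal's one-time code
    r1 = card.respond(n1, 5000, True)
    out["fingerprint_50_pounds"] = issuer.authorise("card-1", n1, r1)
    out["same_message_again"] = issuer.authorise("card-1", n1, r1)
    out["old_response_new_code"] = issuer.authorise("card-1", secrets.token_bytes(8), r1)

    n2 = secrets.token_bytes(8)
    r2 = card.respond(n2, 5000, False)
    forged = dict(r2, cvm_ok=True)  # flag altered between card and bank
    out["flag_flipped_in_transit"] = issuer.authorise("card-1", n2, forged)
    out["no_fingerprint_50_pounds"] = issuer.authorise("card-1", n2, r2)

    n3 = secrets.token_bytes(8)
    fake = Card(secrets.token_bytes(32))  # chip that does not hold the real key
    out["fake_chip_claims_fingerprint"] = issuer.authorise(
        "card-1", n3, fake.respond(n3, 5000, True))

    n4 = secrets.token_bytes(8)
    out["no_fingerprint_20_pounds"] = issuer.authorise(
        "card-1", n4, card.respond(n4, 2000, False))
    return out


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The tag proves which chip made the `cvm_ok` claim; it says nothing about whether that chip's sensor was fooled, so the quality of the on-card fingerprint match remains a separate question.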
  3. Re: I'm just going to blather some things, pay no by Anonymous Coward · · Score: 0

    Nobody ever asks you anything you demon of the forest

  4. Re: I'm just going to blather some things, pay no by Anonymous Coward · · Score: 0

    But I blather anyway. I can't control myself nor do I even slightly attempt it.

    I am... the nigh-stupid overpinionated consumer fecklessness, personified.

    But you can call me Kendall.

    It's more succinct, to the point.

    captcha:ostrich

  5. Re: I'm just going to blather some things, pay no by Anonymous Coward · · Score: 0

    Putting on airs, eh? That's why nobody wants your opinion in any situation

  6. Re: I'm just going to blather some things, pay no by Anonymous Coward · · Score: 0

    Bigno! This dude gets it. Can't steal lunch out of Putin's ass when Trump Jr's on the job already, yowza.

  7. Computer hacker steal my fingerprint.... by Chozabu · · Score: 1

    A worse outcome is a low-tech hacker stealing my fingerprint, with a hatchet.
    I hope these scanners check for a pulse or other signs of life.

    I often like tech advances, but in this case, I'm fairly happy to just lean over the pin-pad so no-one else can see.
    Also, for small purchases (£30) we can use contactless with no verification, if our card is stolen, the bank promises to refund misuse (perhaps requiring timely reporting of loss to them and police)

    1. Re:Computer hacker steal my fingerprint.... by Anonymous Coward · · Score: 0

      "I may have a flip phone, but I have all my fingers." - wise man on the mountain with perfect reception and days of battery life and no security concerns and a removable battery and audio jack, kicking it kaiju style.

    2. Re: Computer hacker steal my fingerprint.... by tronicum · · Score: 1

      I am very sure those fingerprint readers are basic as they need to fit on a card. They won't check for pulse or similar. Even worse almost all readers that try that have been tricked. It's more or less a back port of Apple Pay back to a card. I also don't believe those readers will endure bending and other impacts on cards for a long time.

    3. Re:Computer hacker steal my fingerprint.... by andrewbaldwin · · Score: 1

      "I often like tech advances, but in this case, I'm fairly happy to just lean over the pin-pad so no-one else can see. "

      Agreed.

      Contactless always seemed to me to be a solution in search of a problem. This initiative even more so.

      Surely we haven't atrophied to the point where 5 key presses (4 digit PIN + confirm) is too heavy a burden !

      Personally, I prefer a little 'friction' or effort when spending - it acts as a brake on impulse purchasing and a few seconds delay isn't going to hurt retailers (more time is wasted in other ways than this saves).

    4. Re:Computer hacker steal my fingerprint.... by JaredOfEuropa · · Score: 3, Informative

      Contactless is a hell of a lot faster. In some places, this matters a lot: it has seriously shortened the lines in office cafeterias, and in places like the London Underground where you can travel with a contactless debit card, adding a PIN terminal to the turnstiles would have resulted in nightmare congestion.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    5. Re:Computer hacker steal my fingerprint.... by Anonymous Coward · · Score: 0

      Seconded for London Underground. If you've got a suitable zip pocket, you don't even have to take the card out to use it.

    6. Re:Computer hacker steal my fingerprint.... by andrewbaldwin · · Score: 1

      London Transport already had a contactless card (Oyster) - adding debit/credit contactless brought no new intrinsic benefit.

      As for other areas - I'm still not convinced. In a typical cafeteria, supermarket check-out, other retail service point the transaction usually comprises three phases:

      (1) pre-payment actions (being greeted, looking at what you've bought, barcode scanning or entering details into a till...)

      (2) payment

      (3) post-payment actions (getting receipt, picking up / packing up purchased items, moving away from the service area, being told to 'have a nice day'...)

      Given the usual amount of faffing around associated with steps 1 and 3 [3 in particular at supermarkets] the 2 or 3 seconds time saved at step 2 by going contactless is negligible.

      Even on a quick day, with attentive staff and no queue I doubt you could buy £30 of goods at a supermarket (or even a coffee & cake at a coffee shop) in under 2 minutes, 3 would be more typical. A reduction from 120 to 115 [let's be generous in our assumptions] seconds isn't a huge leap forward.

      If queue times in office cafeterias are an issue - local contactless payment has been available for years - often combined with the security chip used for door access into/within a building.

      Now it's in place we may as well use it, but - like so many things nowadays - in hindsight it seems to have been oversold for what it truly delivers.

    7. Re:Computer hacker steal my fingerprint.... by mjwx · · Score: 1

      Contactless is a hell of a lot faster. In some places, this matters a lot: it has seriously shortened the lines in office cafeterias, and in places like the London Underground where you can travel with a contactless debit card, adding a PIN terminal to the turnstiles would have resulted in nightmare congestion.

      Erm no, the Oyster card did that, not the contactless card. Before the Oyster card, we had paper tickets with a mag stripe... Hell we still have those as I only go into London 3-4 times a year, like many people who live and work in Berks or Hants. All a contactless card has done is introduce a new, gaping security hole into our lives. The specification for both the Mastercard and Visa system sends your name, card number and expiry date in encryption so weak it may as well be clear text. It will send this information to any terminal that asks for it, PIN or otherwise. Basically it's trivial to stand in on a busy street and collect enough card data to make thousands of small transactions online. Hence why I disable the contactless part when I first get a card (via a Stanley knife used to sever the induction loop, no loop, no transceiver). Zero benefits lost, huge security hole closed.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    8. Re:Computer hacker steal my fingerprint.... by Anonymous Coward · · Score: 0

      Buddy, I think you're safe.

      At this date people are still squeamish about slicing off body parts for cash, and since that part will likely come off a dead body that card had better hold a LOT of cash.

      Maximum withdrawal from my bank's ATMs was $500 per day. I don't think anyone will risk life in prison from that, and if you do manage to take just the fingers you would still be risking a hell-long batch of jail time.

  8. Weakens security by Solandri · · Score: 5, Insightful

    without needing to input a PIN

    This type of 2FA relies on the two factors being (1) something you have, and (2) something you know. In the case of Chip and PIN, the chip (embedded in the card) is something you have, and the PIN is something you know. The orthogonality of these two factors means scenarios which result in the loss of one are unlikely to result in the loss of the other, and vice versa. Even if someone steals the card, they cannot use it because you have not revealed your PIN. Even if you tell someone your PIN, they cannot use it without physical possession of the card.

    This new card they're trying changes the two factors to two things that you have. That makes fraud far more likely, because things which result in the loss of one are likely to result in the loss of the other. If you lose the card, a thief may be able to lift your fingerprint off the card itself. If someone dies and a person runs across the body, they have access to both the finger and the card.

    That's really the whole point of 2FA. It's not "throw a couple roadblocks in the way of thieves and hope one of them works." It's designing the two roadblocks so there's minimal intersection of their weaknesses. Switching it to two physical factors results in a system that's not much more secure than having just a single factor.

    1. Re:Weakens security by Anonymous Coward · · Score: 0

      And yet much of the world (outside the US) has already embraced it... in NZ limit is generally NZ$80 in Australia AU$100.

      Any fraudulent charges are guaranteed paid back to the consumer by the card issuer, (who may recover some/all from the merchant who enabled the transaction and thus took on some of the risk... presumably a small price to pay to keep the virtual tills ringing). Provided you inform the card issuer in a timely* fashion.

      * I have no idea on the time limit.

      I believe the card issuers and bigger merchants often just cut the losses without any investigation, because in most cases the damages are only a few sub $100 transactions and not worth investigating.

    2. Re:Weakens security by Anonymous Coward · · Score: 0

      No, those countries are using contactless. That's one-factor. The mitigation is the spending limit. Here we are talking about removing the spending limit by using a second factor. OP's comment refers to that. Much of the world has not embraced fingerprint readers embedded in contactless cards.

    3. Re:Weakens security by AmiMoJo · · Score: 1

      If you lose the card, a thief may be able to lift your fingerprint off the card itself. If someone dies and a person runs across the body, they have access to both the finger and the card.

      These are both pretty outlandish scenarios with high probabilities of getting caught, assuming that the fingerprint reader isn't good enough to reject the fake.

      Also, consider the alternative. Many people use really bad PIN numbers, the same on every card, and easily observed when typing them in. Some people can't even use PIN numbers due to things like numerical dyslexia, so are still using a signature.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    4. Re:Weakens security by coofercat · · Score: 1

      That's the sort of thing you get when you rely on NatWest for innovation :-(

    5. Re:Weakens security by Anonymous Coward · · Score: 0

      These are both pretty outlandish scenarios with high probabilities of getting caught, assuming that the fingerprint reader isn't good enough to reject the fake.

      The readers can't even reject fakes made with gummi bears, and the prints were pulled off of glass so I assume that they can just as easily be pulled off a credit card.

      https://www.darkreading.com/operations/passwords-4-biometric-tokens-and-how-they-can-be-beaten/a/d-id/1330939
      https://it.slashdot.org/story/10/10/28/0124242/aussie-kids-foil-finger-scanner-with-gummi-bears

      Many people use really bad PIN numbers, the same on every card, and easily observed when typing them in. Some people can't even use PIN numbers due to things like numerical dyslexia, so are still using a signature.

      So instead of most people having the opportunity to have decent security you want everyone to have worse security?

    6. Re:Weakens security by mjwx · · Score: 1

      without needing to input a PIN

      This type of 2FA relies on the two factors being (1) something you have, and (2) something you know. In the case of Chip and PIN, the chip (embedded in the card) is something you have, and the PIN is something you know. The orthogonality of these two factors means scenarios which result in the loss of one are unlikely to result in the loss of the other, and vice versa. Even if someone steals the card, they cannot use it because you have not revealed your PIN. Even if you tell someone your PIN, they cannot use it without physical possession of the card.

      This new card they're trying changes the two factors to two things that you have. That makes fraud far more likely, because things which result in the loss of one are likely to result in the loss of the other. If you lose the card, a thief may be able to lift your fingerprint off the card itself. If someone dies and a person runs across the body, they have access to both the finger and the card.

      That's really the whole point of 2FA. It's not "throw a couple roadblocks in the way of thieves and hope one of them works." It's designing the two roadblocks so there's minimal intersection of their weaknesses. Switching it to two physical factors results in a system that's not much more secure than having just a single factor.

      Furthermore, biometrics are terrible for authentication, they're better for identification.

      Plus this will not be liked with couples who share bank cards (happens more than you'd think as joint accounts are a PITA).

      But let's not kid ourselves here, this move by Natwest was not for security, the contactless transceiver still sends everything on the front of your card to whatever asks for it, it's a gimmick to retain customers in a very competitive market that's entering a recession. The "challenger banks" are really scaring the old guard of banking, this is just them trying to stay relevant without addressing the reasons why customers are flocking to banks like Monzo or Starling.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    7. Re:Weakens security by Anonymous Coward · · Score: 0

      And yet much of the world (outside the US) has already embraced it... in NZ limit is generally NZ$80 in Australia AU$100.

      Sheila: Bruce, if all of your friends jumped off a cliff, would you jump with them?

      Bruce: Crikey! Me blokes jumped off a cliff without me? Hold my beer.

  9. Biometrics for Ident ONLY not Auth by rahvin112 · · Score: 1

    Biometrics should never be used in place of a password, they should only replace the identification, userID, Login, etc. It should never ever replace the password.

    And there is one simple reason for that, biometrics can't be changed, and they are for the most part trivial to obtain. For example you leave your fingerprints on everything you touch. These very things make them good for identification and absolutely awful for authentication. Authentication should always be something in your head (password) and verified with something you have (OTP, etc).

    On top of that every single one of these biometric identification technologies has been shown to be trivial to spoof in time. Biometrics are far too easy to obtain and should be relegated to identification, not authentication.

    1. Re:Biometrics for Ident ONLY not Auth by markdavis · · Score: 1

      >"biometrics can't be changed, and they are for the most part trivial to obtain."

      Yes and no. It depends on the biometric. Palm deep vein scan is not trivial to obtain clandestinely; you don't leave it anywhere, it is not visible to the eye or regular cameras, it is live-sensing, and palms are rarely faced in a visible way.

      >"For example you leave your fingerprints on everything you touch."

      And you also leave your face image on all kinds of cameras and photos all over. And your voice on all kinds of devices that record. And your DNA is left absolutely everywhere. Yet, you leave your deep vein scan... nowhere. Plus scanning it is easy, cheap, accurate, and fast (unlike retinal scans which are difficult, expensive, and slow).

      >"These very things make them good for identification and absolutely awful for authentication. Authentication should always be something in your head (password)"

      And yet, I still agree with you. What biometrics do NOT prove is *intent*. When you give a password, you are expressing clear, conscious intent/approval/consent to do something. It can't be accidental or casual. This is not necessarily true with any biometric. If you have to use biometrics, it should be deep vein scan. But if it is anything important, it should be combined with something you "know" (like a password/pin).

    2. Re:Biometrics for Ident ONLY not Auth by uulbri · · Score: 1

      +1
      I agree 100%. Any bio-metric information can only be used in the context of identification not authentication. Full stop.

    3. Re:Biometrics for Ident ONLY not Auth by Anonymous Coward · · Score: 0

      Authentication is identification. A userId doesn't identify you. A userId plus the correct password identifies you. For exactly the reasons you state. Most banking systems use secure userIds as well as secure passwords and secure 2nd factors. So if biometrics are not to be used in place of the password, probably they also should not be used in place of the userId.

    4. Re:Biometrics for Ident ONLY not Auth by Anonymous Coward · · Score: 0

      Authentication is identification.

      No, it isn't. Imagine you're working in a secure facility, where not all staff are allowed in every area of the building. You have an ID badge to show you're an employee of the building and allowed to be there, but if you go to enter a secure area, the guard will tell you that you're not authorized to enter that particular sector, and that you need to obtain permission if you want to proceed.

      Identification is simply a matter of confirming that you are who you say you are. Authentication is confirmation of permission to access.

  10. Contactless and PIN in the one action by Anonymous Coward · · Score: 0

    >with retailers requiring you to place your card into the card reader and enter a PIN for more expensive purchases (commonly referred to as the "Chip and PIN" method)

    In my country, the contactless procedure either has the transaction go through (under the limit) OR prompts for the PIN (over the limit). No need to do contactless, get denied and try again with swiping+PIN.

    1. Re:Contactless and PIN in the one action by Anonymous Coward · · Score: 0

      Same here (Australia), tap the card to the reader. If it's a small amount it goes beep and is processed, if it's a large amount you need to put in your pin, hit ok, it goes beep and is processed.

  11. Fingerprints change... by Anonymous Coward · · Score: 0

    ... from season to season for those of us who work outdoors. In the winter my fingers are swollen, broken, cracked, and cut. I have been unable to use the fingerprint feature of my pixel 2 since it was new. I have no reason to believe this card would work any better.

  12. Diabetics cannot use it by Anonymous Coward · · Score: 0

    Let alone anyone with water retention issue.

    Yup, I know... I have the key now for access to secure rooms... Fingerprint readers do not work for me, 98 out of 100 times.
    With body moisture constantly changing from hour-to-hour, from dehydrated to enlarged legs, the reader's frozen "picture" of my fingerprints just do not match. Most fun is showing to the security people, record in the morning, an hour later, I cannot open the door. They have tossed the hands in the air, going "this cannot be happening!".

    Tech is fun.

  13. STUPID by Anonymous Coward · · Score: 0

    This is completely stupid.

    If you use a password, you can always change it if somebody gets it, but you can't change your fingerprint once that's out in the wild. Or your voice, or retina or DNA.

    NEVER let a bank have that kind of control over you.

  14. Biggest problem by Squeeonline · · Score: 1

    is that you can't change your finger prints. It's like being locked in from birth with just 10 passwords. Unless you start scarring your finger tips to change them, but even that is not reliable.

  15. Why only 30 Pounds ? by nukenerd · · Score: 1

    FTFA :

    Currently, anyone can make a contactless payment in the UK by tapping their card on the terminal to make a payment.

    Nope, that should read :-

    Currently, anyone can make a contactless payment in the UK by tapping anybody's card on the terminal to make a payment.

    That's the trouble : with existing cards, if I accidentally dropped one without noticing, someone might use it for weeks (keeping under £30 per purchase) before I noticed at the next statement, because I have many different cards for different purposes. UK police say that the typical use of a stolen contactless is about £100-£600 (in one bizarre case it was about £30,000). Thieves act fast, and you are unlikely to get money back from the bank if you take more than a few days to report it lost.

    Anyway, why not apply this fingerprinting for any purchase, not just >£30 ?

    1. Re:Why only 30 Pounds ? by leathered · · Score: 1

      You were originally required to enter a PIN after a number of consecutive contactless transactions but I'm not sure if this is the case anymore. Losing 30k from a single card is nothing but negligence on the bank's part, they should have recognised the unusual pattern of spending and put a stop to it straight away.

      --
      For all intensive porpoises your a bunch of rediculous loosers
    2. Re:Why only 30 Pounds ? by nukenerd · · Score: 1

      You were originally required to enter a PIN after a number of consecutive contactless transactions but I'm not sure if this is the case anymore.

      On another (UK) forum where this was discussed, people's experiences varied greatly. Some found they had to enter a PIN every few purchases; others had never been asked to enter a PIN. It did vary with the bank, but there seemed to be other factors at work too.

    3. Re:Why only 30 Pounds ? by Anonymous Coward · · Score: 0

      It's okay because the card companies GUARANTEE and are legally bound to cover any fraud on the contactless payments on your say so - It is up to them to prove it isn't fraudulent - whereas if you use chip and PIN the onus is on you to prove the transaction was fraudulent.

      Just make sure you use a credit card and not a debit card as it takes a lot longer to get your money back on a debit card as it's your money and they don't give a shit, whereas on a credit card it's their money so they're a lot keener to defend against the fraud!

  16. Hmmm by FredVasco · · Score: 1

    I didn't even think about it.

  17. So what happens when... by Ashe+Tyrael · · Score: 1

    Someone who doesn't have the right print tries it? Does it just not work at all, or does it only allow the £30 limited option?

    I know an inordinately large number of people who effectively share their contactless card with their spouse/partner (just nip into the shop and pick something up for me will you please?) and it's going to cause some major behavioural changes if they suddenly can't do this any more.

    --
    "How fine you look when dressed in rage."
    1. Re:So what happens when... by AHuxley · · Score: 1

      The idea would be like not having the correct pin.
      No cash and a message to contact the bank?
      The bank then asks for a list of approved ID and photo ID to link the account to the card and the finger print secured by the bank when the account was created.
      The next step will be to have the reader as an add-on to computers/internet.
      Want to shop online? Use the fingerprint and card together as the final step to approve the secure online payment.
      Interesting for police too. Buy the wrong service/product online and it's not a matter of the loss of a set of numbers as it was in the past :)

      --
      Domestic spying is now "Benign Information Gathering"
  18. Ouch by Myrdrahl · · Score: 1

    So instead of just stealing your card, a thief will now chop your fingers off?

    1. Re:Ouch by Anonymous Coward · · Score: 0

      This is what really worries me about our increased use of biometrics. Robberies will evolve from traumatic to downright torturous. Reminds me of the film adaptation of Minority Report where homeless people have no eyeballs because they were stolen by people who needed to fool the Eye-Dent system.

  19. Debit or Credit? by Nkwe · · Score: 1

    I don't know about in Britain, but here in the US there is significantly more risk in using a debit card than there is in using a credit card. If a debit card is misused, your money is gone or tied up until the situation is resolved, whereas with a credit card, the credit card company's money is tied up. In the case of a misuse or compromise of a card, you have a lot more consumer protection with a credit card. You have a better chance of conveniently getting a dispute resolved with a credit card. I would worry that in the case of a dispute on a card with a fingerprint sensor, you would have fewer options to contest a charge because the biometrics would be perceived as strong (even if they aren't actually.) I would hate to lose the consumer credit card protections I have due to biometrics.

    1. Re:Debit or Credit? by Anonymous Coward · · Score: 0

      Don't worry, it'll be 30 years before it comes to the US, and every terminal will be broken and just not require the fingerprint.

  20. Use your fingerprint to use the card by Daralantan · · Score: 1

    This just reminds me of when I used to work for a bank's call center. I had someone get mad that they had to call and verify a transaction (they didn't want to respond to the text for some reason?) belonged to them. They said something along the lines of: "WHY CAN'T YOU JUST MAKE IT SO MY CARD WORKS ONLY FOR ME AND NO ONE ELSE?" ..........How so.... with magic?

    but it's much more secure than a PIN that someone could learn by simply looking over your shoulder as you enter it.

    Also reminds me of working retail. We got new card readers that had little covers that hid the buttons. We'd have ladies come in to use their debit card go: "WHY WOULD YOU PUT THIS ON HERE IN THE WAY ITS LIKE YOU DON'T WANT ME TO SEE THE NUMBERS WHEN I TYPE THEM IN." Never mind the fact that they were also standing almost on top of the keypad when they did this.... move back 1 foot and GASP, numbers! I told some lady it was so other people couldn't look around her and steal the PIN and her response was: "Why would I care about that?"

  21. Incorrect by Anonymous Coward · · Score: 0

    "...they're trying changes the two factors to two things that you have."

    Nope. The card is something you have, and the fingerprint is something you are. That makes a reasonably secure 2FA system. Classic 2FA chooses from any 2 of:

    1). Something you have;
    2). Something you know;
    3). Something you are.

    You missed #3.