Slashdot Mirror

← Back to Stories (view on slashdot.org)

Debit Card With Built-In Fingerprint Reader Begins Trial In the UK (theverge.com)

Posted by BeauHD on from the no-pin-required dept.

British bank Natwest is trialing the use of a new NFC payment card with a built-in fingerprint scanner. "The trial, which will include 200 customers when it begins in mid-April, will allow its participants to make NFC payments (called 'contactless' in the UK) without needing to input a PIN or offer a signature," reports The Verge. "The standard [30 British pound] limit for contactless payments will not apply when the fingerprint is used." From the report: Currently, anyone can make a contactless payment in the UK by tapping their card on the terminal to make a payment. As a result of this lack of security, a [30 British pound] limit is applied to such payments, with retailers requiring you to place your card into the card reader and enter a PIN for more expensive purchases (commonly referred to as the "Chip and PIN" method). Although mobile payments require authentication, customers often find they're subject to the same [30 British pound] limit. The fingerprint data is stored locally on the card, meaning there's no security information for a hacker to be able to steal from a bank's central database. It's not foolproof -- there's always the risk a sufficiently determined thief could steal and imitate your fingerprint -- but it's much more secure than a PIN that someone could learn by simply looking over your shoulder as you enter it.

29 of 58 comments (clear)

  1. Not foolproof if they use hacked POS teminals by Anonymous Coward · · Score: 1

    My biggest issue with card payment is the multiple points of attack. They can physically steal your card, steal your number + 3 digit code, install a MITM card reader, install hacked or modified terminal or card reader or simply walk down the high street with a terminal in a bag and wave it at people's pockets collecting hundreds of contactless payments.

    I will NEVER use a debit card; i only ever use my credit card and if i'm in ANY doubt i'll use a pre-paid credit card loaded with the required amount instead. And that is only for when it's not possible for me to use cash.

    1. Re:Not foolproof if they use hacked POS teminals by quenda · · Score: 1

      This is just putting off the inevitable: a chip embedded *in* your hand.
      Its simple for the chip to detect if it has been removed from the person, but I'd really like to see some sensors so it knows when you are asleep (like fitness bands do).

      simply walk down the high street with a terminal in a bag and wave it at people's pockets collecting hundreds of contactless payments.

      Not if it needs a fingerprint you fool.

    2. Re:Not foolproof if they use hacked POS teminals by quenda · · Score: 2

      re the "hacked terminal" MITM,
      they could put an LCD display on the card so you can check the amount before authorising, but lets face it, nobody will bother reading.

    3. Re:Not foolproof if they use hacked POS teminals by AHuxley · · Score: 1

      +1 for the CC vs debit card AC.

      --
      Domestic spying is now "Benign Information Gathering"
    4. Re:Not foolproof if they use hacked POS teminals by arglebargle_xiv · · Score: 2

      It's not foolproof -- there's always the risk a sufficiently determined thief could steal and imitate your fingerprint

      Why would you do that? The chip, or hacked/cloned/fake chip, is the one that's telling the terminal that all is OK. "Uh yeah, this is the chip in the card, I've, uhh, verified the owner's fingerprint, all good here, nothing to see, move along". They're doing the checking in the wrong place.

    5. Re:Not foolproof if they use hacked POS teminals by AmiMoJo · · Score: 1

      The way it works is that the terminal sends the chip a one-time code, the chip does some kind of transformation on it and sends back the result. The transformation involves a secret number that the banks knows and the card knows but which is never transmitted. So it can't easily be spoofed, because reading that number from the card is damn near impossible (physical defences that wipe the memory when tampered with, and which would require destroying the card anyway) and the numbers that are transmitted can't be used to figure it out by any reasonable means.

      So you can't create a fake chip. If you could it would have been done long ago with a chip that accepts any PIN.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  2. Computer hacker steal my fingerprint.... by Chozabu · · Score: 1

    A worse outcome is a low-tech hacker stealing my fingerprint, with a hatchet.
    I hope these scanners check for a pulse or other signs of life.

    I often like tech advances, but in this case, I'm fairly happy to just lean over the pin-pad so no-one else can see.
    Also, for small purchases (£30) we can use contactless with no verification, if our card is stolen, the bank promises to refund misuse (perhaps requiring timley reporting of loss to them and police)

    1. Re: Computer hacker steal my fingerprint.... by tronicum · · Score: 1

      I am very sure those fingerprint readers are basic as they need to fit on a card. They won't check for pulse or similar. Even worse almost all readers that try that have bin tricked. It's more or less a back port of Apple Pay back to a card. I also don't believe those readers will endure bending and other impacts on cards for a long time.

    2. Re:Computer hacker steal my fingerprint.... by andrewbaldwin · · Score: 1

      "I often like tech advances, but in this case, I'm fairly happy to just lean over the pin-pad so no-one else can see. "

      Agreed.

      Contactless always seemed to me to be a solution in search of a problem. This initiative even more so.

      Surely we haven't atrophied to the point where 5 key presses (4 digit PIN + confirm) is too heavy a burden !

      Personally, I prefer a little 'friction' or effort when spending - it acts as a brake on impulse purchasing and a few seconds delay isn't going to hurt retailers (more time is wasted in other ways than this saves).

    3. Re:Computer hacker steal my fingerprint.... by JaredOfEuropa · · Score: 3, Informative

      Contactless is a hell of a lot faster. In some places, this matters a lot: it has seriously shortened the lines in office cafeterias, and in places like the London Underground where you can travel with a contactless debit card, adding a PIN terminal to the turnstiles would have resulted in nightmare congestion.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    4. Re:Computer hacker steal my fingerprint.... by andrewbaldwin · · Score: 1

      London Transport already had a contactless card (Oyster) - adding debit/credit contactless brought no new intrinsic benefit.

      As for other areas - I'm still not convinced. In a typical cafeteria, supermarket check-out, other retail service point the transaction usually comprises three phases:

      (1) pre-payment actions (being greeted, looking at what you've bought, barcode scanning or entering details into a till...)

      (2) payment

      (3) post-payment actions (getting receipt, picking up / packing up purchased items, moving away from the service area, being told to 'have a nice day'...)

      Given the usual amount of faffing around associated with steps 1 and 3 [3 in particular at supermarkets] the 2 or 3 seconds time saved at step 2 by going contactless is negligible.

      Even on a quick day, with attentive staff and no queue I doubt you could buy £30 of goods at a supermarket (or even a coffee & cake at a coffee shop) in under 2 minutes, 3 would be more typical. A reduction from 120 to 115 [let's be generous in our assumptions] seconds isn't a huge leap forward.

      If queue times in office cafeterias is an issue - local contactless payment has been available for years - often combined with the security chip used for door access into/within a building

      Now it's in place we may as well use it, but - like so many things nowadays - on hindsight it seems to have been oversold for what it truly delivers.

    5. Re:Computer hacker steal my fingerprint.... by mjwx · · Score: 1

      Contactless is a hell of a lot faster. In some places, this matters a lot: it has seriously shortened the lines in office cafeterias, and in places like the London Underground where you can travel with a contactless debit card, adding a PIN terminal to the turnstiles would have resulted in nightmare congestion.

      Erm no, the Oyster card did that, not the contactless card. Before the Oyster card, we had paper tickets with a mag stripe... Hell we still have those as I only go into London 3-4 times a year, like many people who live and work in Berks or Hants. All a contractless card has done is introduce a new, gaping security hole into our lives. The specification for both the Mastercard and Visa system sends your name, card number and expiry date in encryption so weak it may as well be clear text. It will send this information to any terminal that asks for it, PIN or otherwise. Basically it's trivial to stand in on a busy street and collect enough card data to make thousands of small transactions online. Hence why I disable the contacless part when I first get a card (via a Stanley knife used to sever the induction loop, no loop, no transceiver). Zero benefits lost, huge security hole closed.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
  3. Weakens security by Solandri · · Score: 5, Insightful

    without needing to input a PIN

    This type of 2FA relies on the two factors being (1) something you have, and (2) something you know. In the case of Chip and PIN, the chip (embedded in the card) is something you have, and the PIN is something you know. The orthogonality of these two factors means scenarios which result in the loss of one are unlikely to result in the loss of the other, and vice versa. Even if someone steals the card, they cannot use it because you have not revealed our PIN. Even if you tell someone your PIN, they cannot use it without physical possession of the card.

    This new card they're trying changes the two factors to two things that you have. That makes fraud far more likely, because things which result in the loss of one are likely to result in the loss of the other. If you lose the card, a thief may be able to lift your fingerprint off the card itself. If someone dies and a person runs across the body, they have access to both the finger and the card.

    That's really the whole point of 2FA. It's not "throw a couple roadblocks in the way of thieves and hope one of the works." It's designing the two roadblocks so there's minimal intersection of their weaknesses. Switching it to two physical factors results in a system that's not much more secure than having just a single factor.

    1. Re:Weakens security by AmiMoJo · · Score: 1

      If you lose the card, a thief may be able to lift your fingerprint off the card itself. If someone dies and a person runs across the body, they have access to both the finger and the card.

      These are both pretty outlandish scenarios with high probabilities of getting caught, assuming that the fingerprint reader isn't good enough to reject the fake.

      Also, consider the alternative. Many people use really bad PIN numbers, the same on every card, and easily observed when typing them in. Some people can't even use PIN numbers due to things like numerical dyslexia, so are still using a signature.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:Weakens security by coofercat · · Score: 1

      That's the sort of thing you get when you reply on NatWest for innovation :-(

    3. Re:Weakens security by mjwx · · Score: 1

      without needing to input a PIN

      This type of 2FA relies on the two factors being (1) something you have, and (2) something you know. In the case of Chip and PIN, the chip (embedded in the card) is something you have, and the PIN is something you know. The orthogonality of these two factors means scenarios which result in the loss of one are unlikely to result in the loss of the other, and vice versa. Even if someone steals the card, they cannot use it because you have not revealed our PIN. Even if you tell someone your PIN, they cannot use it without physical possession of the card.

      This new card they're trying changes the two factors to two things that you have. That makes fraud far more likely, because things which result in the loss of one are likely to result in the loss of the other. If you lose the card, a thief may be able to lift your fingerprint off the card itself. If someone dies and a person runs across the body, they have access to both the finger and the card.

      That's really the whole point of 2FA. It's not "throw a couple roadblocks in the way of thieves and hope one of the works." It's designing the two roadblocks so there's minimal intersection of their weaknesses. Switching it to two physical factors results in a system that's not much more secure than having just a single factor.

      Further more, biometrics are terrible for authentication, they're better for identification.

      Plus this will not be liked with couples who share bank cards (happens more than you'd think as joint accounts are a PITA).

      But lets not kid ourselves here, this move by Natwest was not for security, the contactless transceiver still sends everything on the front of your card to whatever asks for it, it's a gimmick to retain customers in a very competitive market that's entering a recession. The "challenger banks" are really scaring the old guard of banking, this is just them trying to stay relevant without addressing the reasons why customers are flocking to banks like Monza or Starling.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
  4. Biometrics for Ident ONLY not Auth by rahvin112 · · Score: 1

    BIometrics should never be used in place of a password, they should only replace the identification, userID, Login, etc. It should never ever replace the password.

    And there is one simple reason for that, biometrics can't be changed, and they are for the most part trivial to obtain. For example you leave your fingerprints on everything you touch. These very things make them good for identification and absolutely awful for authentication. Authentication should always be something in your head (password) and verified with something you have (OTP, etc).

    On top of that every single one of these biometric identification technologies has been shown to be trivial to spoof in time. Biometrics are far too easy to obtain and should be relegated to identification, not authentication.

    1. Re:Biometrics for Ident ONLY not Auth by markdavis · · Score: 1

      >"biometrics can't be changed, and they are for the most part trivial to obtain."

      Yes and no. It depends on the biometric. Palm deep vein scan is not trivial to obtain clandestinely; you don't leave it anywhere, it is not visible to the eye or regular cameras, it is live-sensing, and palms are rarely faced in a visible way.

      >"For example you leave your fingerprints on everything you touch."

      And you also leave your face image on all kinds of cameras and photos all over. And your voice on all kinds of devices that record. And your DNA is left absolutely everywhere. Yet, you leave your deep vein scan... nowhere. Plus scanning it is easy, cheap, accurate, and fast (unlike retinal scans which are difficult, expensive, and slow).

      >"These very things make them good for identification and absolutely awful for authentication. Authentication should always be something in your head (password)"

      And yet, I still agree with you. What biometrics do NOT prove is *intent*. When you give a password, you are expressing clear, conscious intent/approval/consent to do something. It can't be accidental or casual. This is not necessarily true with any biometric. If you have to use biometrics, it should be deep vein scan. But if it is anything important, it should be combined with something you "know" (like a password/pin).

    2. Re:Biometrics for Ident ONLY not Auth by uulbri · · Score: 1

      +1
      I agree 100%. Any bio-metric information can only be used in the context of identification not authentication. Full stop.

  5. Biggest problem by Squeeonline · · Score: 1

    is that you can't change your finger prints. It's like being locked in from birth with just 10 passwords. Unless you start scarring your finger tips to change them, but even that is not reliable.

  6. Why only 30 Pounds ? by nukenerd · · Score: 1

    FTFA :

    Currently, anyone can make a contactless payment in the UK by tapping their card on the terminal to make a payment.

    Nope, that should read :-

    Currently, anyone can make a contactless payment in the UK by tapping anybody's card on the terminal to make a payment.

    That the trouble : with existing cards, if I accidentally dropped one without noticing, someone might use it for weeks (keeping under £30 per purchase) before I noticed at the next statement, because I have many different cards for different purposes. UK police say that the typical use of a stolen contactless is about £100-£600 (in one bizare case it was about £30,000). Thieves act fast, and you are unlikely to get money back from the bank if you take more then a few days to report it lost.

    Anyway, why not apply this fingerprinting for any purchase, not just >£30 ?

    1. Re:Why only 30 Pounds ? by leathered · · Score: 1

      You were originally required to enter a PIN after a number of consecutive contactless transactions but I'm not sure if this is the case anymore. Losing 30k from a single card is nothing but negligence on the bank's part, they should have recognised the unusual pattern of spending and put a stop to it straight away.

      --
      For all intensive porpoises your a bunch of rediculous loosers
    2. Re:Why only 30 Pounds ? by nukenerd · · Score: 1

      You were originally required to enter a PIN after a number of consecutive contactless transactions but I'm not sure if this is the case anymore.

      On another (UK) forum where this was discussed, people's experiences varied greatly. Some found they had to enter a PIN every few purchases; others had never been asked to enter a PIN. It did vary with the bank, but there seemed to be other factors at work too.

  7. Hmmm by FredVasco · · Score: 1

    I didn't even think about it.

  8. So what happens when... by Ashe+Tyrael · · Score: 1

    Someone who doesn't have the right print tries it? Does it just not work at all, or does it only allow the £30 limited option?

    I know an inordinately large number of people who effectively share their contactless card with their spouse/partner (just nip into the shop and pick something up for me will you please?) and it's going to cause some major behavioural changes if they suddenly can't do this any more.

    --
    "How fine you look when dressed in rage."
    1. Re:So what happens when... by AHuxley · · Score: 1

      The idea would be like not having the correct pin.
      No cash and a message to contact the bank?
      The bank then asks for a list of approved ID and photo ID to link the account to the card and the finger print secured by the bank when the account was created.
      The next step will be to have the reader as a add on to computers/internet.
      Want to shop online? Use the fingerprint and card together as the final step to approve the secure online payment.
      Interesting for police too. Buy the wrong service/product online and its not a matter of the loss of a set of numbers as it was in the past :)

      --
      Domestic spying is now "Benign Information Gathering"
  9. Ouch by Myrdrahl · · Score: 1

    So instead of just stealing your card, a thief will now chop your fingers off?

  10. Debit or Credit? by Nkwe · · Score: 1

    I don't know about in Britain, but here in the US there is significant more risk in using a debit card that there is a using credit card. If a debit card is misused, your money is gone or tied up until the situation is resolved, whereas with a credit card, the credit card company's money is tied up. In the case of a misuse or compromise of a card, you have a lot more consumer protection with a credit card. You have a better chance of conveniently getting a dispute resolved with a credit card. I would worry that in the case of a dispute on a card with a fingerprint sensor, you would have fewer options to contest a charge because the biometrics would be perceived as strong (even if they aren't actually.) I would hate to lose the consumer credit card protections I have due to biometrics.

  11. Use your fingerprint to use the card by Daralantan · · Score: 1
    This just reminds me of when I used to work for a bank's call center. I had someone get mad that they had to call and verify a transaction (they didn't want to respond to the text for some reason?) belonged to them. They said something along the lines of: "WHY CAN'T YOU JUST MAKE IT SO MY CARD WORKS ONLY FOR ME AND NO ONE ELSE?" ..........How so.... with magic?

    but it's much more secure than a PIN that someone could learn by simply looking over your shoulder as you enter it.

    Also reminds me of working retail. We got new card readers that had little covers that hid the buttons. We'd have ladies come in to use their debit card go: "WHY WOULD YOU PUT THIS ON HERE IN THE WAY ITS LIKE YOU DON'T WANT ME TO SEE THE NUMBERS WHEN I TYPE THEM IN." Never mind the fact that they were also standing almost on top of the keypad when they did this.... move back 1 foot and GASP, numbers! I told some lady it was so other people couldn't look around her and steal the PIN and her response was: "Why would I care about that?"