Mastercard is Building Fingerprint Scanners Directly Into Its Cards (fastcompany.com)

Mastercard said on Thursday it's beginning trials of its "next-generation biometric card" in South Africa. In addition to the standard chip and pin, the new cards have a built-in fingerprint reader that the user can use to authenticate every purchase. From a report: Impressively, the new card is no thicker or larger than your current credit and debit cards.


  • I've been wondering for quite a while when we could have something like this. The question is how the processing works for the card, for example
    a) Does it process against a chip in the card which allows the card to pass information to the pin-pad or not (good to prevent use of stolen cards)
    b) Does it process against the pin-pad allowing a transaction to be verified (good to prevent transactions from cloned cards)

    The first choice is good to reduce the more immediate impact of card theft, and better from a privacy perspective. The second is more effective against somebody cloning your card - which around here is more common - but it means that your CC company presumably needs your biometric info. It also allows the use of fingerprints as a password replacement (pin-pad)

    • by Nidi62 ( 1525137 )

      I've been wondering for quite a while when we could have something like this. The question is how the processing works for the card, for example a) Does it process against a chip in the card which allows the card to pass information to the pin-pad or not (good to prevent use of stolen cards) b) Does it process against the pin-pad allowing a transaction to be verified (good to prevent transactions from cloned cards)

      The first choice is good to reduce the more immediate impact of card theft, and better from a privacy perspective. The second is more effective against somebody cloning your card - which around here is more common - but it means that your CC company presumably needs your biometric info. It also allows the use of fingerprints as a password replacement (pin-pad)

      It could be built in to the opposite end of the card from the chip. So as the chip is inserted in the reader, your finger is over the built-in scanner authenticating that the person using and holding the card is the person that owns the card. Might help for stolen/cloned cards, but it wouldn't do much for cards that were fraudulently issued due to identity theft, as the thief could just open and register the card using their own fingerprint.

      • by Luthair ( 847766 )
        I have to imagine that with physical access a thief could circumvent the reader to simply OK the transaction.
    • The second is more effective against somebody cloning your card - which around here is more common - but it means that your CC company presumably needs your biometric info

      Don't they just need a one-way hash of your biometric info? But the second way is more likely since otherwise the card will need a battery to power that processing internally.

      • Re:About time (Score:4, Informative)

        by drdread66 ( 1063396 ) on Thursday April 20, 2017 @02:12PM (#54271799)

        A hash is not enough. Fingerprint matching is a notoriously fuzzy process because fingers deform under pressure, they get damaged (cuts, burns), etc. The matching process works by doing a "good enough" comparison between the newly-acquired image and a pre-digested "template" computed from the enrolled image.

  • In an area where cutting off arms doesn't give some people pause - what could go wrong??

  • not foolproof (Score:5, Interesting)

    by MickyTheIdiot ( 1032226 ) on Thursday April 20, 2017 @02:00PM (#54271737) Homepage Journal

    There are other things you can comment on like above, but there are other ways this can go wrong as well.

    I have been diagnosed with bad eczema on my hands recently, and it mostly affects the tips of my fingers. The sensor on my Nexus will now periodically stop accepting my fingerprint scans until I log in with another authentication method and rescan them.

    If you don't have any backup ways to provide authentication there are cases where people will get locked out for medical reasons. That won't be extremely common I guess, but fingerprint biometric will, like all systems, not solve all problems.

    • And I have essentially lost my fingerprints (after a bout of dengue fever a few years ago, this causes skin shedding). Though now I can just about see them on careful examination, they hardly come out on fingerprint scanners. It caused some problems when visiting a country where they fingerprint you on arrival.
  • by sir-gold ( 949031 ) on Thursday April 20, 2017 @02:06PM (#54271767)

    I'm still waiting for the version of the mastercard that includes a holographic AI assistant, that we were promised in the early 90s

  • by Bugler412 ( 2610815 ) on Thursday April 20, 2017 @02:19PM (#54271847)
    One day they'll discover the folly of using biometrics for authentication or authorization, but then it will be too late. Let's all tie everything to a password that we can never change right? Great idea! Sigh
    • 10 fingers, 10 passwords
      (11 for some)
    • by swillden ( 191260 ) <shawn-ds@willden.org> on Thursday April 20, 2017 @06:10PM (#54273083) Journal

      One day they'll discover the folly of using biometrics for authentication or authorization, but then it will be too late. Let's all tie everything to a password that we can never change right? Great idea! Sigh

      Sigh, indeed. You fundamentally misunderstand biometric authentication if you think it is anything like a password, or if you think it matters at all that it can't change. Biometrics do have their share of cons, but not being able to rotate them is definitely not among them.

      The security model for password authentication derives its strength (or lack thereof) from the secrecy of the password. Biometrics do not. Your fingerprints are not secrets; you leave them everywhere you go (which is what makes them so useful forensically). From a security perspective the only reasonable way to treat fingerprints or other biometric data is as public information. Assume that the whole world knows your fingerprints, because anyone who really wants to, does.

      Because password security is based on secrecy, and because over time those secrets may leak, or be discoverable through time-consuming brute force, password rotation is important. It closes the window of vulnerability if they've leaked, and if you rotate them soon enough that no realistic attacker could have had time to discover them via brute force search (given whatever brute force mitigations are in place), then you maintain the secrecy. Because biometric security is not based on secrecy, rotation helps nothing and is irrelevant.

      But if biometric authentication security is not based on secrecy of the biometric, what is it based on? The integrity of the measurement and matching process. Your fingerprint is public information, indeed it's almost certainly conveniently available from the surface of your credit card. So the security of the authentication is precisely equal to the difficulty that an attacker has in presenting your known-fingerprint to the card in a way that it will accept it. If the attacker can splice into the data link between the scanner and matching engine and replay a digital copy, he can authenticate as you. Various techniques, strong ones, can mitigate against that attack. If the attacker can subvert the matching process and get it to report success regardless of input, he can authenticate as you. This is fairly easy to defend against, unless the attacker is very well-equipped. If the attacker can create a fake finger that the scanner will believe is real, and which contains your print image, he can authenticate as you. Various techniques can be used to mitigate against that... but the ones that are deployable in mass-produced consumer devices to be used in essentially unattended operation are pretty weak.

      Weak is honestly just fine for this application, though. The fingerprint is just one mitigation on top of many others. It's definitely better than the signature "authentication" currently used in the US. In many ways it's better than PIN authentication, because PINs can be shoulder-surfed. In other ways it's not as good, but overall it's definitely on par.
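      The two points made above, drdread66's that a hash cannot stand in for a fingerprint template because matching is a "good enough" comparison, and swillden's that the security then rests on the threshold and integrity of the matcher, are illustrated below with an added example. This is editor-supplied code, not anything from the commenters or from Mastercard, and the 128-bit "templates" and bit-flip noise are a constructed stand-in for real minutiae data; real matchers compare richer structures, but the hash-versus-threshold behaviour is the same.

```python
import hashlib

# Constructed toy template: a 128-bit feature vector standing in for an enrolled
# fingerprint template. Real templates are minutiae sets; the fuzziness is the point.
ENROLLED_TEMPLATE = bytes.fromhex("a5c3f00d1e7b2299ffee0102deadbeef")

# How many of the 128 bits may differ before the matcher says "not you".
# Raising it lowers false rejects (damaged skin) and raises false accepts.
MATCH_THRESHOLD = 8


def flip_bits(template: bytes, positions) -> bytes:
    """Return a copy of template with the given bit positions inverted (simulated scan noise)."""
    out = bytearray(template)
    for p in positions:
        out[p // 8] ^= 1 << (p % 8)
    return bytes(out)


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length templates."""
    if len(a) != len(b):
        raise ValueError("templates must have equal length")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def hash_match(enrolled: bytes, sample: bytes) -> bool:
    """Password-style check: succeeds only if every single bit of the scan is identical."""
    return hashlib.sha256(enrolled).digest() == hashlib.sha256(sample).digest()


def template_match(enrolled: bytes, sample: bytes, threshold: int = MATCH_THRESHOLD) -> bool:
    """Biometric-style check: accept if the scan is 'close enough' to the enrolled template."""
    return hamming_distance(enrolled, sample) <= threshold


# Constructed scans, all derived from the toy template (no real biometric data):
GENUINE_SCAN = flip_bits(ENROLLED_TEMPLATE, [5, 40, 77])          # same finger, 3 bits of pressure noise
DEGRADED_SCAN = flip_bits(ENROLLED_TEMPLATE, range(0, 100, 5))    # same finger, damaged skin: 20 bits off
IMPOSTOR_SCAN = bytes.fromhex("0123456789abcdef0123456789abcdef")  # a different finger (65 bits off)
INVERTED_SCAN = bytes(b ^ 0xFF for b in ENROLLED_TEMPLATE)         # a maximally different finger


def sweep_thresholds(enrolled, genuine_scans, impostor_scans, thresholds):
    """For each threshold return (false_reject_rate, false_accept_rate) over the given scans.
    This is the knob the matcher's integrity protects: too low locks out the eczema case,
    too high lets the wrong finger through."""
    result = {}
    for t in thresholds:
        rejected_genuine = sum(not template_match(enrolled, s, t) for s in genuine_scans)
        accepted_impostor = sum(template_match(enrolled, s, t) for s in impostor_scans)
        result[t] = (rejected_genuine / len(genuine_scans), accepted_impostor / len(impostor_scans))
    return result


if __name__ == "__main__":
    print("hash match, genuine scan:    ", hash_match(ENROLLED_TEMPLATE, GENUINE_SCAN))
    print("template match, genuine scan:", template_match(ENROLLED_TEMPLATE, GENUINE_SCAN))
    print("template match, degraded:    ", template_match(ENROLLED_TEMPLATE, DEGRADED_SCAN))
    print("template match, impostor:    ", template_match(ENROLLED_TEMPLATE, IMPOSTOR_SCAN))
    for t, (frr, far) in sweep_thresholds(ENROLLED_TEMPLATE, [GENUINE_SCAN, DEGRADED_SCAN],
                                          [IMPOSTOR_SCAN, INVERTED_SCAN], [4, 8, 24, 70]).items():
        print(f"threshold {t:3d}: FRR={frr:.2f} FAR={far:.2f}")
```

      A hash of the enrolled image rejects every real scan, because no two scans of a finger are bit-identical; a threshold matcher accepts the slightly noisy scan but also rejects the heavily degraded one, which is the lock-out case the eczema and dengue comments describe. The sweep shows why the threshold, and the code that enforces it, is what an attacker targets.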

  • When will fingerprints die? No fingerprint technology can check if a human finger is actually what is being read.

    Too many designers watching James Bond films . . .

  • I've always wondered why they don't use some form of cryptography to authenticate the card. Skimming seems to be more prevalent than someone physically having a card, though perhaps theft is more common in South Africa.
    • They do in countries with modern payment systems.

      It's called "EMV" or "Chip+Pin".
      There's also "paypass" and "paywave" - aka NFC.

      I can't swipe my card in a local terminal even if I wanted to. There is data in the magstrip that says the terminal must use the chip if it can. There are no terminals that can't in NZ anymore.

      • They do in countries with modern payment systems.

        It's called "EMV" or "Chip+Pin". There's also "paypass" and "paywave" - aka NFC.

        I can't swipe my card in a local terminal even if I wanted to. There is data in the magstrip that says the terminal must use the chip if it can. There are no terminals that can't in NZ anymore.

        The service code in the track 2 data indicates that the card is EMV capable. You could easily rewrite the service code but the issuing bank would see that if the transaction were to go online. Most transactions are online these days and online processing is technically a requirement in the US, though you can approve offline at your own risk. You can also do some attacks with the chip itself when they're used offline, but they're trickier. The Information Security Group [emvlab.org] of the University College
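        The service-code mechanics described in the comment above, as an added example that is not part of the original post and not code from any payment network: a minimal Track 2 parser, the ISO/IEC 7813 service-code meanings, a terminal that honours the "use chip where feasible" flag, the stripe rewrite that hides it, and the issuer-side comparison that catches the rewrite when the authorization goes online. The track string and the issuer record are constructed (the PAN is the standard Luhn-valid test number 4111111111111111); the issuer check is one plausible way to implement "the issuing bank would see that", not a description of any bank's actual logic.

```python
from dataclasses import dataclass

# Constructed sample: test PAN 4111111111111111, expiry 12/25, service code 201
# (international, use chip where feasible, normal authorization, no restrictions).
SAMPLE_TRACK2 = ";4111111111111111=2512201123456789?"

# Constructed issuer-side record of the service code each card was personalised with.
ISSUER_RECORDS = {"4111111111111111": "201"}

# ISO/IEC 7813 service code: digit 1 = interchange and chip flag, digit 2 = authorization
# processing, digit 3 = allowed services and PIN requirement.
DIGIT1 = {"1": ("international", False), "2": ("international", True),
          "5": ("national", False), "6": ("national", True),
          "7": ("private", False), "9": ("test", False)}
DIGIT2 = {"0": "normal authorization",
          "2": "online issuer authorization required",
          "4": "online issuer authorization required except under bilateral agreement"}
DIGIT3 = {"0": ("no restrictions", "PIN required"),
          "1": ("no restrictions", "no PIN requirement"),
          "2": ("goods and services only", "no PIN requirement"),
          "3": ("ATM only", "PIN required"),
          "4": ("cash only", "no PIN requirement"),
          "5": ("goods and services only", "PIN required"),
          "6": ("no restrictions", "PIN where feasible"),
          "7": ("goods and services only", "PIN where feasible")}


@dataclass(frozen=True)
class Track2:
    pan: str
    expiry: str          # YYMM
    service_code: str    # three digits
    discretionary: str

    def ic_capable(self) -> bool:
        """True when the first service-code digit says 'use the chip where feasible'."""
        return DIGIT1[self.service_code[0]][1]


def luhn_valid(pan: str) -> bool:
    """Luhn check digit validation of the PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(track: str) -> Track2:
    """Parse ';PAN=YYMMSSSdiscretionary?' (the LRC, if any, is assumed already stripped)."""
    if not (track.startswith(";") and track.endswith("?")):
        raise ValueError("missing start or end sentinel")
    pan, sep, rest = track[1:-1].partition("=")
    if sep != "=" or not pan.isdigit() or not 12 <= len(pan) <= 19:
        raise ValueError("malformed PAN field")
    if len(rest) < 7 or not rest[:7].isdigit():
        raise ValueError("expiry or service code missing")
    t = Track2(pan, rest[:4], rest[4:7], rest[7:])
    code = t.service_code
    if code[0] not in DIGIT1 or code[1] not in DIGIT2 or code[2] not in DIGIT3:
        raise ValueError(f"unknown service code {code}")
    return t


def describe_service_code(code: str) -> dict:
    region, chip = DIGIT1[code[0]]
    services, pin = DIGIT3[code[2]]
    return {"interchange": region, "ic_capable": chip,
            "authorization": DIGIT2[code[1]], "services": services, "pin": pin}


def terminal_interface(track: str, chip_reader_present: bool) -> str:
    """What a compliant terminal does with a swipe: insist on the chip if the card says so and it can."""
    t = parse_track2(track)
    return "chip" if chip_reader_present and t.ic_capable() else "magstripe"


def rewrite_service_code(track: str, new_code: str) -> str:
    """The attack in the comment: re-encode the stripe with a service code that hides the chip."""
    t = parse_track2(track)
    return f";{t.pan}={t.expiry}{new_code}{t.discretionary}?"


def issuer_flags_downgrade(track: str, records=ISSUER_RECORDS) -> bool:
    """Issuer-side check on an online magstripe authorization: the presented service code
    must match what the card was personalised with; unknown PANs are flagged too."""
    t = parse_track2(track)
    return records.get(t.pan) != t.service_code


if __name__ == "__main__":
    print(describe_service_code(parse_track2(SAMPLE_TRACK2).service_code))
    downgraded = rewrite_service_code(SAMPLE_TRACK2, "101")
    print("original  ->", terminal_interface(SAMPLE_TRACK2, True), "| flagged:", issuer_flags_downgrade(SAMPLE_TRACK2))
    print("rewritten ->", terminal_interface(downgraded, True), "| flagged:", issuer_flags_downgrade(downgraded))
```

        The rewritten stripe gets the terminal to fall back to a magstripe read, but any authorization that reaches the issuer carries the altered service code, which no longer matches the issuer's own record of the card. That is exactly why the attack only works where the merchant approves offline.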

  • Fingers (Score:4, Funny)

    by nnet ( 20306 ) on Thursday April 20, 2017 @02:40PM (#54271971) Journal
    In unrelated news, Lloyd's Of London sees spike in finger insurance.
  • Touch-activated sphincter rod sensor is much more secure and this is what they should go with for biometric authentication.
  • by evolutionary ( 933064 ) on Thursday April 20, 2017 @02:52PM (#54272049)
    Okay, it's amazing how many "mickey's" the public has been swallowing in the name of "security" be it national or individual. This is basically a way of fingerprinting everyone in a private database. We all know of ways this can be bypassed (you can lift fingerprints from anything someone has touched: doorknob, glass, whatever), so the only ones who benefit are private corporations who want to sell that data, and governments who want to obtain it by buying it. We are treating the public as criminals by default or worse...cattle with a brand that is pre-applied. That will be one card I will not use. I guess cash is king again for those of us who believe we should be formally convicted of something before we have biometric data collected by agencies.
  • ...note to thieves: now you need to remember to bring a sharp knife to your muggings. A gun alone simply won't do.

  • As far as I'm aware, the fundamental idea behind breaking chip/pin is to exploit the fallback system to bypass the need to actually know the pin and make the system believe that it fell back to signature based authentication. It seems to me that similar vulnerabilities would exist here.
    • Technical issues aside one problem with chip and pin is it's vulnerable to shoulder surfing. A thief can watch the victim enter their pin, then steal the card.

      • by mark-t ( 151149 )
        That's not considered a vulnerability in chip/pin. It can be mitigated by safe practices such as being aware of your surroundings enough to realize that someone is looking over your shoulder. Given that the key pads are often covered and only really visible from about the point of view of the person entering the code, a shoulder peeper would have to be in pretty close proximity, close enough to typically be considered invasive of personal space. Barring a disability there is little reason to not be able to
  • Here we are in the US with chip and signature, much less chip and biometrics. And not all retailers have chip readers, including Costco, at least the one I shop at. My one man barber shop has a chip reader POS terminal. And what about using stolen cards with online retailers before the owner knows about the theft? I'm not sure how the interface would work.
    • It was supposed to be late 2015 when everything was going to be chip-and-PIN, so we would have security at least on par with the rest of the world. 2015 rolled around, and we wound up with credit card machines at various stores with the chip slot taped over. Now, same thing. There is a 50/50 chance that I will be swiping my card, and not using the chip on it, depending on merchant.

      I really would love to see fingerprint technology here in the US, just as a precaution.

    • Here we are in the US with chip and signature, much less chip and biometrics. And not all all retailers have chip readers, including Costco, at least the one I shop at. My one man barber shop has a chip reader POS terminal. And what about using stolen cards with on line retailers before the owner knows about the theft? I'm not sure how the interface would work.

      Blame your bank for the lack of PIN on your card. My debit card has chip + PIN here in the US. I have a bunch of credit card terminals on my desk and can do online PIN, offline PIN with CDA, offline PIN with SDA, and unencrypted offline PIN just fine with my card. There's no technical reason it can't be done here in the US. It is purely a business decision. All ATMs are supposed to be chip capable by about October 2017, so perhaps they'll start adding PINs then.

    • Comment removed based on user account deletion
      • Your card is a Debit Card, not a Credit Card. Debit Cards have had swipe and pin for a long time, now Chip and Pin, and if you can also use it as a Credit Card it may be Chip and Signature in that use not Chip and Pin.
  • Instead of entering the PIN into the merchant's terminal, the terminal should just power the card, and I enter the PIN into the card. That way the merchant doesn't get my PIN. This was proposed in the 1990's and deemed impossible because nobody had chip cards and the technology would have been too expensive. Now that the government finally mandated chip cards, they are suddenly realizing all the features that we could have had long ago. It's probably too late. We will all pay with smart devices in anot

  • How many times in the last decade has it been shown that finger print readers are neither secure nor reliable? Most sensors are easier to circumvent than my bicycle's 4 digit combo lock.

  • Armed gangs have been roving the streets of Pretoria with pliers and garden shears; local hospitals are being overwhelmed with victims of these drive by finger amputation muggings.

    • joke is mostly on the gangs though, in only 7% of the finger cuttings were they able to get the matching credit card

  • Great. So some criminal scum with their skimmers will now steal my fingerprint, as well as my credit card/debit card information.
