But ... chip and pin is the world-saving Idea of the Century.
I heard it here, and one can't deny facts like that.
That many El Reg commentards couldn't just be blowing hot air.
Mastercard has unveiled its new biometric card which adds a fingerprint sensor to the chip as a replacement security measure to the four-digit PIN. When the biometric card is placed into a retailer's EMV terminal, the owner will be able to place their finger on the embedded sensor. Their fingerprint will then be verified …
"In Europe consumer protection isn't anywhere near as good as the US"
Um really? I always thought consumer protection in Europe was supposed to be much better than in the States? Guaranteed return periods, chip and pin technology, guaranteed warranties, etc.
I thought the US was far more company friendly than consumer friendly? Any of our American Cousins care to comment?
In the US, VISA has adopted a policy that basically says the cardholder shouldn't ever lose money because of fraud. You can just do a chargeback without any fuss.
In Europe, not so good. I don't know the formal differences or what the reason is, but there's a lot more resistance from many card issuers.
There has even been some news stories here about people being signed up for recurring charges against their will and the issuer's response being along the lines of "You must have clicked OK so that means you agreed to it! No chargeback for you, come back never!".
Such a scam would never fly in the US, and neither would the merchant account used for long since it'd be nuked once the resulting flood of chargebacks arrived.
The difference is that most transactions use Chip and pin in Europe, which means loss and mis-use of the card is far harder. In the US it basically comes down to your word against the retailer with the only proof being an illegible scribble, therefore banks have fewer ways to verify true loss against fraud.
Saying that if it was a choice between better security (a.k.a chip and pin) and trying to recover lost money from a bank, I would go security every day.
In all of my bank history, I had one brush with fraud. I had gone on holiday to the US (back when it was still the Home of the Brave) and one small shop had tried to skim me by presenting the same bill twice, but the second date was days after the first.
As soon as I found that on my statement I went straight to my BNP representative and showed him the issue. The refund was immediate and without fuss.
As far as I'm concerned, the EU environment of Chip & Pin is very efficient for me and I largely prefer it to the totally insecure magnetic strips still used in the US.
That said, I'd prefer my VISA to not have any mag strip at all. I guess it's to remain compatible with the US and other countries that have not yet migrated or are still in the process of doing so.
> There has even been some news stories here
Ah, yes. News stories.
Regulatory protection does vary somewhat by State, but in line with general contract law, the principle of balance and protection of the weaker party applies. In practice, the terms and conditions as far as theft / fraud is concerned are much the same in the EU and the US. I've had both US and EU cards.
Also in practice, during a social chat with my bank manager years ago he said they usually can take a pretty good guess at whether a "stolen" card or "unauthorised" charge is really so, but they absorb it anyway as part of the cost of doing business. Of course, the bank may subsequently decide not to re-issue a card to certain people, but that is indeed their privilege.
Also: "...since we leave our fingerprints everywhere they should not be considered secret..."
But those fingerprints won't be scanned and sent straight to GCHQ/NSA/ETC.
And fwiw, I think that, apart from my own possessions, I only leave my fingerprints on doors and beer glasses, which is hardly 'everywhere'.
There's more details in our paper summarised here https://www.benthamsgaze.org/2016/06/02/international-comparison-of-bank-fraud-reimbursement-customer-perceptions-and-contractual-terms/
Basically, in the US Federal Regulations E and Z require a bank to promptly refund any disputed transaction. In the EU the Payment Services Directive (PSD), and its replacement (PSD2) allows the bank to refuse to refund in a number of situations, the most important being if they believe the customer to have been negligent. What this means is that if (on the basis of an internal audit report that the customer can't see) it is more likely that a disputed transaction was the result of negligence on behalf of the customer rather than a technical failure of the bank, then the customer is not entitled to a refund.
What the banks usually claim is that the customer didn't protect the PIN according to the bank rules, which is not surprising since bank rules are regularly broken for very legitimate reasons https://www.benthamsgaze.org/2016/02/17/are-payment-card-contracts-unfair/
The comment in the article was about "consumer protection" which is a lot broader than just talking about chargebacks. And "anywhere near as good" means there is a massive disparity, which there just isn't in either law or practice.
Secondly, looking at it from a customer and merchant point of view as I am involved with both, the customer in the UK is almost always proved right unless the merchant can prove the customer wrong usually with CCTV - which I guess would be the same as the US.
The difference with chip and pin is that if a pin is used then the initial idea would be that the customer must have used it as they would be the only entity to know their pin and if it is a CNP transaction and the CSV is known then the person at the other end of the phone must have access to the card.
However I have never been refused a chargeback as a customer in the UK (I don't tell my PIN to anyone and cover it when using it), and as a Merchant we have not been successful in stopping a chargeback unless we have CCTV evidence or it was used in a Chip and Pin reader with PIN entered.
First off, I would like to say thank you to Dr Murdoch for joining the conversation. It's not often we get to have an expert quoted in an El Reg article joining in the Forum debates.
From my reading of everything, it appears to come down to the fact that whilst Americans are more likely to suffer bank fraud (for lack of the additional security of chip and pin style technologies), they are more likely to get their money back than in the same case in Europe.
I would also suggest that the comment that Americans have better consumer protection than Europeans may not hold in all cases as Europe has extremely strong laws on consumer warranties, guarantees, and return periods. Americans might be better protected in banking, but in regular purchasing protection not so much.
Thanks to everyone for joining the discussion...
"Any of our American Cousins care to comment?"
In my experience, it's a bit of a mixed bag. On the one hand Chip and Pin, properly executed in EU but largely NOT in US, makes fraud a tiny bit harder so one point for EU. On the other hand, Visa/MC/Discover policies in the US of "customer is (nearly) always right" pretty heavily favors the consumer so a point for US. If we could ever get PROPER execution of Chip and Pin over here, I think we could have the best of both worlds. Reality, however, would likely mean that the aforementioned consumer-friendly policies would be rolled back by the card issuers as "no longer needed." If I MUST choose between the two, I prefer the existing US "customer is (nearly) always right" policies, which I have used quite effectively the few times I needed them.
On this side of the pond if I see a fraudulent charge on a bill I can contest it and at worst am responsible for $50 US of the charge no matter how much it is. I've had my card used to pay for a family (not mine) outing to Hawaii, I received a call while they were in flight, I was in Rome at the time and the family was detained at Honolulu airport. No cost to me. rental car insurance is included on my cards at no extra cost so that's a nice perk. Those are my top 2 cents worth.
Europe consumer protection > US. In Europe, chip and pin existed for close to a decade before its introduction in the US. The CC industry excuse for the US is that merchants do not like the slow transaction, especially during holidays, and consumers can dispute fraud charges, etc. In reality, merchants and CC just want to separate $ from consumers as quickly as allowed.
In the US, CC and big merchants write off their losses as tax deductible, so there's no need to provide consumers with protection or secure services. Minimal requirements and unless required by regulation and all that from the big boys.
Time for the resurgence of the cheque (PITA that most UK places hate them now)
A scribble that has varying degrees of difficulty to forge, and also needs a card to be presented with it, but as you inevitably get your fingerprints on cheque when handling it, if you have used it will have your prints in a few places so can prove if fraudulent use as they can lift prints from the cheque.
In worst case scenario, if your cheque book is nicked, only really a chance of stray prints of yours on the "top" cheque (you may have got prints on when removing last cheque) and as likely to do fraud with > 1 of your cheques then pattern of dodgy use (without your prints) will be convincing evidence that "top" cheque was also a fraud transaction
Not used a cheque in a while (so long that my computer doesn't recognize it as a word), but I seem to remember a pretty typical method was 1) try and pull out 2) separate cheque from other cheques (putting prints on the one below) and when that doesn't work 3) touch every cheque everywhere as you slowly rip off
'A scribble that has varying degrees of difficulty to forge'
Honestly, I don't remember the minimum wage shop assistants examining the signature on my credit card closely enough that just writing my name wouldn't work. I don't see why a cheque would be any different, there's very little incentive for them to refuse one.
In fact at one stage the signature strip on my card was worn off, it caused me slight difficulty in one petrol station.
Am I missing something? If I've read that correctly, the fingerprint sensor is on the card - so, presumably, to get their fingerprint on the card in the first place, the card holder has to have it scan their fingerprint.
With a PIN, when you get a new card the PIN is sent separately. This is done to hopefully avoid the issue of a batch of post being stolen, and the crooks finding both the card and the PIN in the same pile. If the above is so, it won't matter - they only need the card. They can then scan their fingerprint onto the card.
> This is done to hopefully avoid the issue of a batch of post being stolen, and the crooks finding both the card and the PIN in the same pile.
Also helpfully (for criminals) with the new approach, is that if they get a hold of someone's card... it'll generally have the owner's fingerprints all over it.
... and fingerprint duplication is no longer difficult.
I've not seen them explain how the cards are provisioned, but... the local (South African) banks are connected to Home Affair's National Population Register which offers the bank to perform fingerprint validation. When I'm in the bank, I can present a finger to be scanned and the bank can ask the NPR "is this John Doe's fingerprint?". Now the bank knows it's me, they can calculate the fingerprint data to be burnt onto the card. No-one but me can now use the card.
What's more interesting is how they prevent an employee from putting her own fingerprint meta data on the card and then using it though that loop could be closed by keeping the card disabled until positive delivery confirmation is received. I already have to provide positive identification, i.e. ID book/driver's licence, on receipt of the card.
Aside: How do they deal with people who don't have finger prints (adermatoglyphia) or those whose fingerprints might not be usable, e.g. those working with harsh chemicals/cleaners.
You only have eight fingertips & two thumbprints.
I see a Tim Ifield situation developing in the near future.
How did Captain Hook die? He had a ***k with the wrong hand!
1. Preheat oven to 350 F / 180 C
2. Place non-stick cookie sheet in oven, preferably with some nice chocolate chip cookie batter on it
3. Bake for 14 min or until cookies lightly browned
4. Remove cookie sheet from oven without the aid of oven mitts
Will remove your finger prints for about two weeks, but that's okay because you'll need more cookies by then!
Always wear surgical gloves?
Though it might be a bit tricky if you were to get stopped at night by the police; "No officer, I wear these so the thieves don't steal my fingerprints". "Yeah that's a likely story laddie. I am placing you under arrest for possession of burglary tools."
Worse (theoretical) problem: How about cold blooded killers who just chop off someone's hand in order to gain access to their fingerprints so that they can clean out the creditcard?
Assuming they don't know already then they'll need you alive to obtain your PIN, which could give you some leverage.
Not entirely theoretical – https://www.theregister.co.uk/2005/04/04/fingerprint_merc_chop/
In this case however, it looks like they want to do biometric payments at point of sale where there is a staff member present, so showing up with an amputated finger may draw attention.
Unattended biometrics are more challenging for several reasons, so maybe why they are not tackling them right now.
How about cold blooded killers who just chop off someone's hand in order to gain access to their fingerprints so that they can clean out the creditcard?
Properly done biometrics check for bio-electrical activity. That's why, for example, Apple's Touch ID stuff fails when your hands are wet, or greasy, or if there's grease or something on the sensor. There ain't no electrical activity once you're dead or once your hand/finger got chopped off.
This, of course, means that a certain critical plot point in the latest Star Wars movie won't actually work, but that's Hollywood.
The sensor fails because the water or grease on the sensor smoothes out your fingerprint either by filling the troughs making it harder to pick out the ridges or by being electrically conductive and therefore confusing the sensors as they would otherwise detect the patterns of conductivity on a finger - depends on the implementation and many sensors are the electrical conductivity type. Nothing much to do with measuring bio-electrical activity or heat.
"or any item you have touched when making a purchase"
Like, say... the shiny, glossy, credit card that they just nicked off you and now need a fingerprint to unlock.
Nick card from wallet.
Bit of sticky tape and a gummi bear.
Hey, presto, card with "full authority" to spend what you like with no cardholder co-operation (or even knowledge) required.
Fingerprints ARE NOT AUTHENTICATION. They are IDENTIFICATION. They say who you are / claim to be. They do not verify that you are actually that person.
Any card company that tries this on me will be informed that I don't have fingers.
"... If we're expected to remember 11 digit phone numbers of family members and friends, why so much objection to a longer PIN? It seems ludicrous that payment codes are still but four digits long."
Ah, but you aren't expected to remember them anymore. Smartphone phonebooks remember telephone numbers and all other contact details. Browsers on all devices remember usernames and passwords. We aren't even asked to remember URLs for companies anymore - just 'search for xyz'.
'It seems ludicrous that payment codes are still but four digits long.'
I have a perfectly intelligent friend who is completely unable to remember a 4 digit pin, details of a conversation from two weeks ago yes, 4 digits no. Making them longer would just mean she'd end up owing me more money.
Really? Most people don't remember their own number, let alone the rest, which are usually stored in their phone's address book. Ask them to restate their own number and they might be able to do that through repetition, but most won't remember numbers of other people unless they dial them on a regular basis. Even when landlines were common, you'd usually not memorise the whole thing - the first few digits would be the area code, which you'd normally not need to use for local contacts - while you would probably look in a physical address book or phone directory if you didn't have it to hand.
Besides which, it's a silly comparison anyway. Losing a phone number means you have to ask someone else you know to give it to you again, be that your phone operator or a contact of the friend you need to get through to. They're often visible on people's Facebook pages or other public profiles, and lots of other people will usually have them. People won't remember a private PIN number that they can't share in that way.
'It seems ludicrous that payment codes are still but four digits long.'
What security would it bring to make it longer? It's not meant to make bruteforcing it /impossible/, as would a login password, merely to make it easily /detectable/.
It only takes 3 incorrect tries to kill a chip, or have an ATM swallow a magstripe card, or any kind of connected POS to report that something's up to the central servers, and from then on, you're the proud owner of a useless bit of plastic.
For what it's worth, China Union Pay cards do use 6-digit PINs.
Almost all EU banks allow longer PINs.
And, in fact, our cash machines handle their cards just fine and ask for 6-or-more digit PINs.
It's just the UK that's stupid and doesn't ask its users to set longer ones. The capability is already in all our ATMs and in daily use by thousands of foreigners with 6-8 digit PINs.
In the UK we don't have many houses with numbers > 3 digits, in the US it seems that 5 digit house numbers are common. Most people know their house number.
In the UK we have 6 digit postal codes (ZIP Codes?). Most seem to be able to remember at least 1 of those. I know the post code for my house, my office, its warehouse, my Mum & Dad's even my old bank (tho not my new one).
I don't get the "I can't remember a 4 digit number" brigade. PP
Medical exceptions, accepted.
This article appears to be a little light on the fact-checking. For a start, EMV and PCI are hardly competitors: they cover different things. Visa and MC are members of both.
Furthermore, I don't quite get how the fingerprint is used. It seems to require a permanent connection to check it against MC's servers? The PIN does not require that, as it's handled by the chip, and never leaves it. Maybe it means the fingerprint will not be used for low amount transactions, those for which no connection is made to check if the card is allowed to pay?
Furthermore, I don't quite get how the fingerprint is used. It seems to require a permanent connection to check it against MC's servers?
My guess is that the card stores some sort of hash of your finger print and compares this with a hash of the output of its onboard scanner. It seems reasonable that you might have to visit a branch to enroll your finger and load the hash onto the card (which would allow for some sort of greater validation of identity).
On my Samsung S6 I've had to record multiple prints because I found that I couldn't always rely on a single digit not being damaged enough to bork the sensor.
In fact, I found that after a longish hike my fingers could swell up enough to confuse the sensor so I had to record prints for before and after hike. So you might not get your money if the weather's hot, or you cut or scraped your finger tip.
Fingerprints have advantages and disadvantages over PINs but being better than a PIN is not a particularly high bar. Customers don't find PINs easy to use and they are not particularly secure.
So how do you get a fingerprint scan if you insert the card into a cash machine, petrol station, or vending machine slot?
You're not going to be able to forget your PINs because PIN will be a fallback in these places. You will, however, be more likely to forget your PIN if you use it less.
Oh, and fraudsters will use the PIN of course. Or magstripe. Or an online gateway which requires hardly any info before taking payment.
It's not that easy. The card number will identify it as being fingerprint-enabled. That means that when MC's server receives the payment authorization request, if it does not include a fingerprint, its fraud suspicion score will be raised. If that's repeated multiple times (ie, on the same card and/or the same merchant), there's a high probability any further request will be denied, and the total amount of the fraud will be kept low before it's stopped. Same if they go to an online payment system that does not use 3D Secure or some such: those are more likely to have their transactions refused.
So people can legitimately have a routine which includes cash machines, petrol stations, and vending machines so they run the risk of getting locked out paying with PIN (the only way) because they've got a fingerprint card.
That's if a fingerprint card is useful anyway. Presumably if someone's security minded they won't get a fingerprint card and if they're not then contactless will do for them and they will never use it over the Internet because card issuers won't force their customers to buy USB card readers as it'll just drive them off.
"It's not that easy. The card number will identify it as being fingerprint-enabled. That means that when MC's server receives the payment authorization request, if it does not include a fingerprint, its fraud suspicion score will be raised."
Not if the card's simply kept to CNP transactions where the fingerprint reader (and PINs, for that matter) aren't useful.
"So how do you get a fingerprint scan if you insert the card into a cash machine, petrol station, or vending machine slot?"
You DON'T. As the article notes, it's not meant for those kinds of transactions, which is why the sensor is located in an area normally covered by those kinds of readers. They're meant for PIN Pad terminals at sales counters where there are people present to watch you. Dead fingerprints would be obvious and even gummy prints would be risky.
So, just by stealing someone's wallet you get everything needed? Card plus fingerprint lifted from anything in there (including the card itself unless it has very good anti-fingerprint coating...).
Wasn't this exactly what PIN codes were supposed to prevent?
The gangs that do skimming and card theft en masse aren't stupid or poorly equipped. They would quickly figure out how to emulate fingerprints without the clerk noticing.
But I'm pretty sure the card will have copies of your fingerprints on it somewhere! Much like your (touch screen) mobile phone that also features a fingerprint sensor.
Make sure to only handle the card with one hand, and use a fingerprint from the other...
Or have a special "wipe-down" wallet with fingerprint removal slots.
Hey, something to take over from the "tin foil" wallet to (not) block NFC.
That's not how the card, or mobile phones work. They don't store your fingerprint, they create a hash from it and an encryption key unique to the device/card, and store that. You can pull the hash off, but it's useless without the key.
If you're concerned about the security on your card, look no further than the mag stripe, which contains all of your card's details totally unencrypted. If you swipe it through a scanner, it outputs it all as pure text.
Well typically it's not a hash, because that won't allow fuzzy matching that takes into account small changes between different presentations of the same finger. MasterCard say that they convert the fingerprint to a template and store it in an encrypted form on the card. Of course the encryption key needs to be stored on the card too, but hopefully it is not easy to extract both it and the encrypted template.
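The hash-versus-template point made in the comments above, as an added example that is not part of the thread or any vendor's code: the minutiae lists, tolerances and threshold are constructed for illustration, and the matcher omits the rotation/translation alignment step that real matchers perform.

```python
import hashlib
import math

# Constructed sample data. Each presentation of a finger is a list of
# minutiae: (x, y, ridge_angle_in_degrees). Values are invented.
ENROLLED = [(12, 40, 90), (55, 18, 45), (70, 66, 130),
            (33, 81, 200), (90, 30, 310), (48, 52, 15)]

# The same finger presented again: every point has moved slightly and the
# sensor missed one minutia (a dry patch, a small cut, a different angle).
SAME_FINGER = [(13, 41, 88), (54, 19, 47), (71, 65, 133),
               (34, 80, 198), (47, 53, 17)]

# A different finger.
OTHER_FINGER = [(20, 75, 10), (60, 60, 270), (85, 12, 95),
                (15, 15, 180), (40, 30, 220), (75, 88, 60)]


def exact_hash(minutiae):
    """SHA-256 over a canonical encoding of the minutiae list.

    A cryptographic hash changes completely when any input bit changes, so
    two presentations of the same finger never produce the same digest.
    """
    encoded = ";".join(f"{x},{y},{a}" for x, y, a in sorted(minutiae))
    return hashlib.sha256(encoded.encode()).hexdigest()


def angle_diff(a, b):
    """Smallest difference between two angles, in degrees (0..180)."""
    d = abs(a - b) % 360
    return min(d, 360 - d)


def match_score(enrolled, probe, dist_tol=4.0, angle_tol=10):
    """Fraction of enrolled minutiae that pair with a distinct probe minutia.

    Two minutiae pair when they lie within dist_tol units of each other and
    their ridge angles differ by at most angle_tol degrees. Pairing is
    greedy: each enrolled point takes the nearest still-unused probe point.
    """
    unused = list(probe)
    paired = 0
    for ex, ey, ea in enrolled:
        best = None
        for p in unused:
            dist = math.hypot(ex - p[0], ey - p[1])
            if dist <= dist_tol and angle_diff(ea, p[2]) <= angle_tol:
                if best is None or dist < best[0]:
                    best = (dist, p)
        if best is not None:
            unused.remove(best[1])
            paired += 1
    return paired / len(enrolled)


def verify(enrolled, probe, threshold=0.7):
    """Accept the probe if enough enrolled minutiae were paired.

    Raising the threshold rejects more impostors but also more genuine
    presentations; lowering it does the opposite.
    """
    return match_score(enrolled, probe) >= threshold


if __name__ == "__main__":
    print("hash equal, same finger :",
          exact_hash(ENROLLED) == exact_hash(SAME_FINGER))
    print("template score, same    :", match_score(ENROLLED, SAME_FINGER))
    print("template score, other   :", match_score(ENROLLED, OTHER_FINGER))
    print("verify same / other     :",
          verify(ENROLLED, SAME_FINGER), verify(ENROLLED, OTHER_FINGER))
```

Because the comparison needs the enrolled template in usable form, the card has to be able to decrypt it, which is why the storage protection rests on the key staying inside the chip rather than on one-wayness.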
"Well typically it's not a hash, because that won't allow fuzzy matching that takes into account small changes between different presentations of the same finger. MasterCard say that they convert the fingerprint to a template and store it in an encrypted form on the card. Of course the encryption key needs to be stored on the card too, but hopefully it is not easy to extract both it and the encrypted template."
In such a situation the crypto module is black-boxed, unique to the card, and highly tamper-resistant with suicide circuits and so on (IOW, try to mess with it and it wipes).
"That's not how the card, or mobile phones work"
I think you'll find that he means he can get an image of your fingerprint quite easily.
And your phone fingerprint sensor can be fooled by a sufficiently good image of a fingerprint, printed onto certain surfaces. You don't even have to get very technical.
Every smartphone fingerprint sensor (and this card sensor) on the market can be fooled with nothing more than a picture of the fingerprint smudge you left on the card as you last took it out of your wallet. It just depends how many times you want to try it to refine your technique.
Last year, someone pulled the fingerprint of a German politician from a photograph of them raising a wine glass. All the "temperature/heat/light/pulse/etc." sensors in the world can't do much that isn't easily fooled, and the actual "fingerprint ID" process is still - to this day - finding the edges on a high-contrast B&W image of the fingerprint in question as it lays flat on a surface. Whether the sensor is swipe, scan, optical, or whatever.
I have a bunch of Gemalto etc. fingerprint readers in my junk box if you'd like to play. They almost all have open-source software that presents the image as a B&W TIFF from the sensors to something that edge-detects and then hashes / stores the result. How they store it is irrelevant if you can present the same image to the sensor and the sensor then hashes that to the same hash as a real fingerprint would hash. The hardware doesn't do anything fancy, but a bit of image processing and maybe a particular wavelength of light / check for colour variation for pulse (and that's an "advanced" model).
There's a reason they're all in my junk box despite being "state-of-the-art" for banking security at one point or another.
To be honest, most fraud occurs due to card skimming and the cards being used in areas where two factor authentication is not standardized (That technological tour-de-force, the US is the biggest culprit).
If you wanted to fix security you close the weak points 1st, so they would be better off just disabling all non chip and pin cards worldwide.
The fingerprint sensor is on the card, so it should only ever be touched by the owner.
That said, it's a daft point for Dr Murdoch to make. Anyone so paranoid about other people's bugs will spend their life wearing gloves or trying to open shop doors with their elbows or toes. I don't think that describes a high proportion of the population.
Studies of customer perception of biometrics show that hygiene concerns are a significant reason for rejecting fingerprint recognition systems, particularly in Japan. That's one of the reasons that finger-vein is more widely adopted there. See http://www.hitachi.eu/veinid/documents/veinidwhitepaper.pdf
"When the biometric card is placed into a retailer's EMV terminal, the owner will be able to place their finger on the embedded sensor."
Except in the many terminals which don't leave that part of the card exposed.
"Wasn't this exactly what PIN codes were supposed to prevent?"
Yes. PINs are actual two factor authentication - something you have and something you know are required for a transaction. Unfortunately many people seem to get stuck at the "two" part and think that just having any two things involved means it's 2FA. In this case, it's simply something you have and something else you have, which can therefore be compromised by taking them both at the same time.
"2FA" - can't we have 3FA: the card (for account details confirmation), a fingerprint (to prove the owner is present, something we have) AND the PIN (something we know).
I would prefer a card that scanned your Iris rather than fingerprints for increased security. You leave your finger prints everywhere but not your eyes.
I will NOT use NFC as not secure enough. No 2nd factor. And the quicker banks realise that it's SH*T and stop trying to force it on us the better.
"But the real issue is US merchants who can't, or won't use C&P and only accept on 30YO mag strip technology."
Because they don't care. Most of the time, they don't foot the bill, and the little that does stick they eat to keep customers from defecting. Customers don't care as they just wanna get out the door (one of the most embarrassing things you can see is a customer swiping and leaving only for the clerk to call back, "But your card was declined!"). And as noted earlier, VISA don't want to lose customers so they tend to resolve fraud issues quickly in their favor. In such an environment, why shoulder additional PITAs when they don't have to?
I have a bank issued card that is tied to a business account that can never be used physically in a slot or chip reader.
I have a signed confirmation of 3 things from my bank manager
1. that he personally changed the pin number to a number that I have no knowledge of.
2. that he witnessed the destruction of the chip (hole punch)
3. that the details presented on the magstripe are invalid (re-written in his presence and then checked)
The fingerprint is stored on the card ....
Really - NO WAY Mastercard. You can stick that one sideways where the sun don't shine for a start. and then insert your finger to operate the reader.
How easy will it be to clone a few dozen of these cards, with modified fingerprints?
As an additional relatively low security ADDITION to chip and pin, with some kind of stored hash, possibly.
But before you go any further, let me have a card WITHOUT WIRELESS you morons.
So we went from the old magnetic strip and signature to chip and pin to make it more secure, then we go to contactless that is insecure and now they are sticking finger print scanners on cards to make them more secure.
Why not just stick to chip and pin?
Thankfully this is a Mastercard thing and hopefully Visa will not follow suit, it is bad enough trying to tell my bank I do not want contactless.
All of them do the checks locally, then simply tell the bank "OK all good here."
To get real checks would require all the data concerning the transaction being sent to the bank where a proper examination could be done.
It's not going to happen though. It would require decent bandwidth comms, and would make the bank responsible for errors.
There are different values of "secure".
In the case of smartcards in general it means "takes too much time and/or money to attack them". With debit/credit cards you can even make a nice budget for how much it has to cost the attacker to compromise a single card.
You should rather think about it in terms of physical security (where literally anything is possible to compromise given enough of those two things), not computer or cryptographic security (where 'secure' tends to mean that it's either actually literally impossible to compromise given certain assumptions, or that it would take more time than the universe has left).
I'm allergic to some stuff and when it kicks in my android, my laptop and previous laptops can't recognise my fingerprint. I always have to revert to "old fashioned" methods. Let's hope that no one forgets about me.
Oh and today I seem to get more and more people who just swipe my card and don't give a damn about identification - pin, signature or otherwise. Clearly, it's too expensive for them to worry about my small transactions so they are only interested in the large ones. The large ones are mainly going to be on-line going forwards so it has to link up to my home somehow - in which case what's the point?
recently acquired a cell handset with a fingerprint sensor,
As he willingly demonstrates, not one of his fingers performs the 'Open Sesame' trick. He has never been observed unlocking his electronic pride and joy.
Turns out he uses his OTHER 'pride and joy', in the privacy of a toilet cubicle, to unlock his cell handset!
I wonder if this would work on a bankcard?
When the sensors are set so as to effectively reject a third person, cases of false rejection of legitimate users happen frequently. What would you do when you are falsely rejected?
If you are requested to resort to PIN, we are not talking about security but just convenience. Convenience for you as well as criminals as shown in this 30-second video.