Instinctively, it doesn't sound like a good idea.
First, I don't want my bank to store my biometric data. Next, I want to keep my fingers if someone steals my payment card.
Thales has announced what it claims is the "world's first" payment card to include an onboard fingerprint sensor, promising improved security and usability – and an end to contactless payment limits. The Thales Gemalto Biometric Sensor Payment card (BSPC), the company explained, replaces the traditional PIN with an on-card …
Yes, I had a biometric Mastercard 2 years ago. The print is only stored on the card, not centrally. And is powered from the card reader, both when inserted and when used for Contactless. The contactless limit when authorised by print was £100 and unlimited when inserted into the Chip & Pin Device. The look on a lot of staff when I didn't need to enter a PIN was fantastic, as was going over the £30 limit back then for contactless without having to insert the card. The only issue was petrol pumps which have to be inserted so far that you couldn't keep your finger on the card. The easiest print to use was the thumb, as it naturally sits over the print reader when holding the card, numbers up. The card was normal thickness. Overall a fantastic item and would have one again if possible. Lastly, when you receive the card, you had it supplied with a local power supply - battery which supplied power to the chip and register your print... in a similar way to adding your print to a phone... touching your print off and on. Then it was good to go!
The Touch ID module does have several mechanisms, but is primarily optical. It has been spoofed with a warm gummy bear with the impression of a fingerprint transferred onto it, so I wouldn't hold it up as a yardstick for security. Much like the model in the article, the sensor doesn't store the data as a picture, so it would be very hard to use on another model scanner even if you got it out of the secure enclave.
Using fingerprints isn't bad, but it is better to use them in addition to something else. A better implementation would let you tap out the PIN on THE CARD not the reader, so the POS device never sees the raw PIN code. The card really should check both a PIN and print to reduce the chance of fraud.
Also those pin pads are a CDC horror show. About as clean as a gas station restroom.
"I haven't heard of a spate of phone+finger thefts"
Since there was a conveniently easy card next to them so far, there wasn't a need. Now if somebody carries only fingerprint-authenticated payment devices, then robbers will ask for another way to get their money.
And being frogmarched to the nearest ATM at gunpoint to get cash out already happens when said robbers don't want to take the risk of a card being canceled before they use it.
Whilst I know nothing about this technology, it does occur to me that a stolen card is likely to have the fingerprints of the real owner physically all over it. Unless the owner was the sort of person who always wears latex gloves. This is in contrast to a PIN, which is not usually written on the surface of the card.
Consequently, a new cottage industry may arise of picking physical fingerprints off of stolen cards and encoding them in a way that fools the card into believing that they are attached to a real person. Fingerprints are certainly portable, although I am sure some more sophisticated technology would be needed to make them fool the card. However, this doesn't have to be done by the thief themselves, but a specialist in "processing" stolen credit cards.
So there should be.
A non-rescindable and unalterable token can only ever legitimately be an identifier - never an authenticator. A fingerprint has both these attributes.
This is such an established principle that it amazes me the banks haven't yet caught on to it.
Apart from which, if, as is suggested, the system can "fall back" to a PIN, the entire supposed improvement in security is nullified, just as fallback to magnetic strip nullifies PIN.
My conclusion is that this is a combination of "security theatre" and revenue stream generation. Indeed security theatre can generate billions in revenue - just look at the support provision for the US TSA.
> A non-rescindable and unalterable token can only ever legitimately be an identifier - never an authenticator. A fingerprint has both these attributes.
Totally agree.
I'm still buying shares in Haribo though, their Gummi Bears are very appealing! (I'll give a fair share to Herr Riegel of course!)
Let’s get real, this isn’t to get you into the bowels of the NSA or MI6, we’re really talking convenience and reduced crime & fraud.
Your card has a PIN, 1 in 10000 of a correct guess, that’s the “gold” standard here. Only that’s not really what you have to beat, since tap & pay requires nothing more than possession of the card.
I’m already on board, I hardly ever tap, I much prefer fingerprint + tap via my phone.
I don't see security as something that is emphasised in the constant stream of flyers I receive in the post trying to sell me new credit card accounts, so enhanced security is probably not a selling point to the customer.
This is because the card issuer usually covers the losses through fraud, at least in Europe, so the extra cost of the cards and the devices for loading the fingerprints etc would have to result in a saving to the issuer to be successful.
Some customers may even be turned off by the idea if it is more hassle than just bashing in a PIN number. I doubt it would reduce fraud costs to the banks as there are too many other avenues for abuse of a stolen card - the PIN code can be used as a fallback solution whenever the cardholder's fingerprint can't be used - like ATM cash withdrawals, for example, and online purchases usually use an authentication mechanism such as a one time password.
> This is because the card issuer usually covers the losses through fraud, at least in Europe, so the extra cost of the cards and the devices for loading the fingerprints etc would have to result in a saving to the issuer to be successful.
The bottom line is the credit/debit card fraud is covered by the total 2-3% surcharge on purchases made with debit/credit cards. Merchants pay for almost all of that surcharge, and the smaller the merchant, the more likely they are to pay.
"Some customers" don't like that system.
True, but this doesn't really change that. They're going to pay that whether their customers use fingerprint cards or normal ones. The only way to avoid that is to not accept cards for payment. I've only seen a few places do so. With that in mind, there's not really a benefit to the user of the card to use this system, and therefore not much benefit to the company in using these more expensive cards and dealing with technology issues getting them accepted.
The real potential use here is to provide two factor identification to cards.
Yes, sell it as making it more convenient to the customer, you don't need to enter your PIN.
But the real win is reduced fraud by not only requiring the person having the card to know the PIN, but also to identify themselves as the owner of the card. There was a time RBS were putting photos on cards so shops could verify the correct "name" was presenting the card.
Card and fingerprint says I have the right to use this card, PIN entered means I authorise this transaction.
Well - depends what they're doing.
If they're increasing the limit when you pay by poke rather than PIN, and again if you pay by PIN over wafting the card near a reader... then it is requiring a higher degree of security at each stage (nothing, 1/10k, 1/100k maybe)
That's not an entirely unreasonable approach.
I would be amazed if the banks catch on before I die.
Is there a bank that does not store passwords?
The fingerprint scanner does actually provide one useful function - an off switch. Amateurs can get the range of contactless cards up to 30cm. RF engineers have achieved 60cm. I doubt that it is legal but I suspect an RFID logger with an oversized antenna by my back door would make an excellent burglar identifier.
For me, the obvious security improvements would be to put the keypad on the card to prevent key logging and to put a display on the card so I know who is getting paid, how much I am being charged and preferably what I am paying for.
1. "In such trustworthy payment environments, there is no need to set any payment limit."
2. "...if the biometric data is leaked you can't change your fingerprints as easily as a PIN or password."
3. "Even if the card is lost or stolen, the data cannot be recovered by a third party."
1. Madness. Will the card issuers guarantee 100% refunds on fraudulent transactions? With the onus on them to prove the transaction wasn't fraudulent. (Not just "It can't be...".)
2. I love the understatement. +1 Mr Halfacree!
3. Possibly just semantics, but does that imply the data can be recovered by the second party (ie. card issuer)?
Obviously (?) they're confident the data can't be re-engineered. Hmmmm, not sure I am.
However, as Mike 137 says above, it's just not the right way of going and must agree with the "security theatre" conclusion.
But fingerprint is what you have. To authenticate you also need what you know.
This means (at least in the EU), you still will have to enter pin every 5 transactions or 100 EUR accumulated since last check (or whatever amount they set), whichever comes first.
In other words, interesting novelty, but largely useless.
What about having different MFA depending on transaction value, as we do now to a limited degree
Buying items under 10% = PIN
Buying items over 10% but under 50% of available balance = PIN + Fingerprint
Buying items over 50% of available balance = PIN + Fingerprint + other (Passport, passphrase, etc...)
So give user some ideas of potential losses if using a card
just a thought
Nice idea, not sure about the percentages though. My credit card has a £20k limit, I'd rather not have that 10% limit!
Better option is just to have 2FA on your phone - notification or whatever. Works well enough for Starling. Plus it's possible to disable your card until you want to use it.
of phones in use without security updates, is it really such a good idea to use them to authenticate transactions like this?
Mobile malware may not have been a serious problem so far but that doesn't mean it never will be.
Also, is it reasonable to demand that everyone has to own a mobile phone to be able to pay for stuff? Sure banks could make having the 2fa on a mobile an option but that isn't the way they tend to operate.
Let's face it: a PIN that's only used once in a while is a PIN that gets forgotten quickly, and then written on a piece of paper conveniently stored in the wallet.
ETA: also, how many failed tries with a finger will disable the card, like a wrong PIN does? I've used fingerprint sensors for restricted access at work before, on some mornings, they just didn't want to accept my finger, no matter how many different ways I tried.
I've not actually used any of my (physical) credit cards so far this year; can't recall more than a couple uses last year, either. Almost all payments in the last 18 months have been via the wallet on my iPhone. The £45 (was £30) limit is rarely an issue as most shops I've used have linked into ApplePay.
This may be an attempt by banks to take back initiative being lost to Apple and Google.
If the cards are supplied blank to customers who then programme them with a fingerprint, this will likely increase the theft of cards sent through the post because the first person to receive the blank card will have access to unlimited transactions until the card is cancelled.
I've been the victim of "new card postal theft" and can only see this ending badly unless there are additional checks to prevent the wrong people programming stolen cards but I don't see any mention of that in the article.
I'd also be very concerned if banks (or credit card companies) then refused to cancel the fraudulent transactions because of their belief that it's not possible to fake my fingerprint etc. (even though I didn't receive the new card which is now down to me to prove etc.)
Perhaps cards should only be programmed by placing them into an ATM which would mean they can't be programmed without the PIN. But this would mean fitting fingerprint readers to ATMs although that isn't necessarily a bad idea. Or the cards can read and store a fingerprint but it's only "activated" by an ATM.
Cards being issued "preprogrammed" from a stored and verified fingerprint would be an obvious (and almost total) solution to postal card theft, but then the privacy issues are huge.
Ah, I see where they are going with this, they have shares in companies that produce rose pruners!
Is the user expected to give up the payment opportunity altogether or is expected to feed the default password as a fallback measure?
Alleging ‘improved usability’ would be misleading in the former case, whereas alleging ‘improved security’ would be misleading in the latter case.
As such, what they claim is false.
Incidentally, a nice figure is quoted as False Acceptance Rate, but such a figure makes no sense unless it comes with the empirical False Rejection Rate that corresponds to the said False Acceptance Rate; these two rates are in a trade-off.
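The FAR/FRR trade-off raised in the last comment, as an added example that is not part of the original thread or of any vendor's code: a threshold sweep over constructed match scores from a hypothetical matcher, showing that any quoted False Acceptance Rate fixes a threshold and therefore a False Rejection Rate that has to be reported with it.

```python
"""FAR and FRR both follow from one match threshold (added example)."""

# Constructed similarity scores (0-100) from a hypothetical matcher.
# These are illustrative values, not measurements from any real sensor.
GENUINE = [62, 71, 74, 78, 80, 83, 85, 88, 91, 95]   # owner vs. own template
IMPOSTOR = [12, 18, 25, 31, 36, 40, 47, 55, 64, 76]  # others vs. owner's template


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) when a score >= threshold counts as a match."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def threshold_for_far(target_far):
    """Lowest threshold whose FAR meets the target, with the FRR it costs.

    A datasheet that quotes only the FAR is quoting the first two elements
    of this tuple and leaving out the third.
    """
    for t in range(0, 102):  # t = 101 rejects everything, so FAR is 0
        far, frr = rates(t)
        if far <= target_far:
            return t, far, frr
    return None


def equal_error_threshold():
    """Lowest threshold at which FAR and FRR are closest to each other."""
    return min(range(0, 101), key=lambda t: abs(rates(t)[0] - rates(t)[1]))


if __name__ == "__main__":
    print("threshold   FAR    FRR")
    for t in (30, 50, 65, 77, 90):
        far, frr = rates(t)
        print(f"{t:9d}  {far:5.2f}  {frr:5.2f}")
    print("FAR <= 0.0 requires:", threshold_for_far(0.0))
    print("equal error threshold:", equal_error_threshold())
```
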