Mastercard has unveiled its new biometric card, which adds a fingerprint sensor to the chip as a replacement for the four-digit PIN.
When the biometric card is placed into a retailer's EMV terminal, the owner will be able to place their finger on the embedded sensor. Their fingerprint will then be verified against a template stored on the card, at which point the transaction can be approved.
The card will work with existing EMV card terminal infrastructure, without requiring any new hardware or software upgrades, says Mastercard, which has trialled the technology in South Africa ahead of additional testing in Europe and Asia Pacific and a full rollout later this year.
Ajay Bhalla, president of enterprise risk and security at Mastercard, said: "Whether unlocking a smartphone or shopping online, the fingerprint is helping to deliver additional convenience and security. It's not something that can be taken or replicated and will help our cardholders get on with their lives knowing their payments are protected."
This is not exactly true, of course. Successful and cheap attacks against fingerprint sensors have been demonstrated since at least 2002, and although sensor technology has improved over the last 15 years, even Apple's Touch ID lock was bypassed a few years ago by the Chaos Computer Club.
The biometric sensor is the latest in a line of attempted security upgrades for the EMV (Europay, Mastercard, Visa) standard and its competitor, the Payment Card Industry Data Security Standard (PCI DSS), both of which have been criticised.
In 2010, researchers from the University of Cambridge demonstrated a man-in-the-middle attack against the PIN verification mechanism of EMV cards during retail transactions. The lead researcher on that project, Dr Steven J Murdoch, now at University College London, told The Register today that the addition of a biometric sensor was "an interesting development, and quite an achievement to put an ordinarily bulky biometric sensor in the form factor of an EMV card".
Dr Murdoch continued: "There will no doubt be issues to be ironed out, so questions I expect the trial will set out to answer include: How reliable is the technology, and how physically robust are the new cards?"
A frequent issue with biometrics is customer acceptance. Here South Africa is at an advantage because welfare payments made through the Net1 product have been protected by biometrics for a long time, so the use of biometrics in payments should not be totally surprising.
The example given is for attended use, where there is a person watching the transaction. This provides some resistance against people presenting a fake fingerprint, but someone could still put a fake fingerprint on top of their finger. Having an attendant also resists the "cut-off-finger" technique.
If this card is the one that Zwipe advertise then it doesn't have a battery and so can only do verification of fingerprints when inserted into a terminal. This won't allow it to work in typical ATMs where the card disappears into the card reader.
Both the biometric sensor and template are on the card, which means that the terminal cannot record the fingerprint. There are advantages to this, but since we leave our fingerprints everywhere they should not be considered secret. Having the sensor on the customer's card also avoids some hygiene concerns that come up related to shared fingerprint sensors. Also, because the card is doing all the extra work, it can interoperate with existing terminals and require little or no changes to them.
This is a different approach from the updated EMV specifications. Here the fingerprint reader would be on the terminal, which sends the encrypted image of the fingerprint to the card, and the card compares this against the template it stores. This makes the cards cheaper (they need to be upgraded to store and process fingerprints but don't need a new sensor) but terminals would need to have a fingerprint reader added.
Fingerprints have advantages and disadvantages over PINs but being better than a PIN is not a particularly high bar. Customers don't find PINs easy to use and they are not particularly secure.
"An important question is: how will this affect customer liability for fraud?" said Murdoch, who has written at length about end-user comfort with security for UCL's infosec publication, Bentham's Gaze.
"In Europe consumer protection isn't anywhere near as good as the US, so what will happen if a customer loses their card and a criminal is able to bypass the biometric protection? Will the bank conclude that it is more likely the customer performed the transaction and so must pay the cost? Customers often don't know what the bank Ts&Cs say, and if they do they often don't understand."