Mastercard launches card that replaces PIN with fingerprint sensor

Sweet MFA... but there's no documentation available for users


Mastercard has unveiled its new biometric card, which adds a fingerprint sensor to the chip as a replacement for the four-digit PIN.

When the biometric card is placed into a retailer's EMV terminal, the owner will be able to place their finger on the embedded sensor. Their fingerprint will then be verified against a template stored on the card, at which point the transaction can be approved.

The card will work with existing EMV card terminal infrastructure, without requiring any new hardware or software upgrades, says Mastercard, which has trialled the technology in South Africa ahead of additional testing in Europe and Asia Pacific and a full rollout later this year.

Ajay Bhalla, president of enterprise risk and security at Mastercard, said: "Whether unlocking a smartphone or shopping online, the fingerprint is helping to deliver additional convenience and security. It's not something that can be taken or replicated and will help our cardholders get on with their lives knowing their payments are protected."

This is not exactly true, of course. Successful and cheap attacks against fingerprint sensors have been demonstrated since at least 2002, and although sensor technology has improved over the last 15 years, even Apple's TouchID lock was bypassed a few years ago by the Chaos Computer Club.

The biometric sensor is the latest in a line of attempted security upgrades for the EMV (Europay, Mastercard, Visa) standard and its competitor, the Payment Card Industry Data Security Standard (PCI DSS), both of which have been criticised.

In 2010, researchers from the University of Cambridge demonstrated a man-in-the-middle attack against the PIN verification mechanism of EMV cards during retail transactions. The lead researcher on that project, Dr Steven J Murdoch, now at University College London, told The Register today that the addition of a biometric sensor was "an interesting development, and quite an achievement to put an ordinarily bulky biometric sensor in the form factor of an EMV card".

Dr Murdoch continued: "There will no doubt be issues to be ironed out, so questions I expect the trial will set out to answer include: How reliable is the technology, and how physically robust are the new cards?"

A frequent issue with biometrics is customer acceptance. Here South Africa is at an advantage because welfare payments made through the Net1 product have been protected by biometrics for a long time, so the use of biometrics in payments should not be totally surprising.

The example given is for attended use, where there is a person watching the transaction. This provides some resistance against people presenting a fake fingerprint, but someone could still put a fake fingerprint on top of their finger. Having an attendant also resists the "cut-off-finger" technique.

If this card is the one that Zwipe advertise then it doesn't have a battery and so can only do verification of fingerprints when inserted into a terminal. This won't allow it to work in typical ATMs where the card disappears into the card reader.

Both the biometric sensor and template are on the card, which means that the terminal cannot record the fingerprint. There are advantages to this, but since we leave our fingerprints everywhere they should not be considered secret. Having the sensor on the customer's card also avoids some hygiene concerns that come up related to shared fingerprint sensors. Also, because the card is doing all the extra work, it can interoperate with existing terminals and require little or no changes to them.

This is a different approach from the updated EMV specifications. Here the fingerprint reader would be on the terminal, which sends the encrypted image of the fingerprint to the card, and the card compares this against the template it stores. This makes the cards cheaper (they need to be upgraded to store and process fingerprints but don't need a new sensor) but terminals would need to have a fingerprint reader added.

Fingerprints have advantages and disadvantages over PINs but being better than a PIN is not a particularly high bar. Customers don't find PINs easy to use and they are not particularly secure.

"An important question is: how will this affect customer liability for fraud?" said Murdoch, who has written at length about end-user comfort with security for UCL's infosec publication, Bentham's Gaze.

"In Europe consumer protection isn't anywhere near as good as the US, so what will happen if a customer loses their card and a criminal is able to bypass the biometric protection? Will the bank conclude that it is more likely the customer performed the transaction and so must pay the cost? Customers often don't know what the bank Ts&Cs say, and if they do they often don't understand." ®



Biting the hand that feeds IT © 1998–2022