Mastercard launches card that replaces PIN with fingerprint sensor

Mastercard has unveiled its new biometric card which adds a fingerprint sensor to the chip as a replacement security measure to the four-digit PIN. When the biometric card is placed into a retailer's EMV terminal, the owner will be able to place their finger on the embedded sensor. Their fingerprint will then be verified …

  1. Stevie

    Bah!

    But ... chip and pin is the world-saving Idea of the Century.

    I heard it here, and one can't deny facts like that.

    That many El Reg commentards couldn't just be blowing hot air.

    1. JCitizen

      Re: Bah!

      YES!! Cowchip-N'-Pen will be the end all of card security! NO WORRIES from NOW on!

  2. lglethal Silver badge

    Really?

    "In Europe consumer protection isn't anywhere near as good as the US"

    Um really? I always thought consumer protection in Europe was supposed to be much better than in the States? Guaranteed return periods, chip and pin technology, guaranteed warranties, etc.

    I thought the US was far more company friendly than consumer friendly? Any of our American Cousins care to comment?

    1. Anonymous Coward

      Re: Really?

      Seems a strange comment to me. I'd like to see a citation for this, but I suspect he is using alternate facts.

      1. patrickstar

        Re: Really?

        In the US, VISA has adopted a policy that basically says the cardholder shouldn't ever lose money because of fraud. You can just do a chargeback without any fuss.

        In Europe, not so good. I don't know the formal differences or what the reason is, but there's a lot more resistance from many card issuers.

        There have even been some news stories here about people being signed up for recurring charges against their will and the issuer's response being along the lines of "You must have clicked OK so that means you agreed to it! No chargeback for you, come back never!".

        Such a scam would never fly in the US, and neither would the merchant account used for long, since it'd be nuked once the resulting flood of chargebacks arrived.

        1. hammarbtyp

          Re: Really?

          The difference is that most transactions use Chip and pin in Europe, which means loss and mis-use of the card is far harder. In the US it basically comes down to your word against the retailer with the only proof being an illegible scribble, therefore banks have fewer ways to verify true loss against fraud.

          Saying that, if it was a choice between better security (a.k.a. chip and pin) and trying to recover lost money from a bank, I would go security every day

          1. patrickstar

            Re: Really?

            This policy predates chip-and-pin, so, no.

            Apparently another commentard was able to point to the relevant legislation that seems to be the reason for the difference.

        2. Pascal Monett Silver badge

          @ patrickstar

          In all of my bank history, I had one brush with fraud. I had gone on holiday to the US (back when it was still the Home of the Brave) and one small shop had tried to skim me by presenting the same bill twice, but the second date was days after the first.

          As soon as I found that on my statement I went straight to my BNP representative and showed him the issue. The refund was immediate and without fuss.

          As far as I'm concerned, the EU environment of Chip & Pin is very efficient for me and I largely prefer it to the totally insecure magnetic strips still used in the US.

          That said, I'd prefer my VISA to not have any mag strip at all. I guess it's to remain compatible with the US and other countries that have not yet migrated or are still in the process of doing so.

          1. Aladdin Sane

            Re: @ patrickstar

            I assume you mean BNP Paribas, not the right wing scum?

        3. Anonymous Coward

          Re: Really?

          > There has even been some news stories here

          Ah, yes. News stories.

          Regulatory protection does vary somewhat by State, but in line with general contract law, the principle of balance and protection of the weaker party applies. In practice, the terms and conditions as far as theft / fraud is concerned are much the same in the EU and the US. I've had both US and EU cards.

          Also in practice, during a social chat with my bank manager years ago he said they usually can take a pretty good guess at whether a "stolen" card or "unauthorised" charge is really so, but they absorb it anyway as part of the cost of doing business. Of course, the bank may subsequently decide not to re-issue a card to certain people, but that is indeed their privilege.

      2. m0rt

        Re: Really?

        "but I suspect he is using alternate facts."

        Sooo....lies, then?

      3. Anonymous Coward

        Re: Really?

        > Ajay Bhalla [...] said: "Whether unlocking a smartphone or shopping online, the fingerprint is helping to deliver additional convenience and security. It's not something that can be taken"

        Methinks the gentleman has not heard of the meat cleaver.

      4. Anonymous Coward

        Re: Really?

        Also: "...since we leave our fingerprints everywhere they should not be considered secret..."

        But those fingerprints won't be scanned and sent straight to GCHQ/NSA/ETC.

        And fwiw, I think that, apart from my own possessions, I only leave my fingerprints on doors and beer glasses, which is hardly 'everywhere'.

    2. sjmurdoch

      Re: Really?

      There are more details in our paper summarised here https://www.benthamsgaze.org/2016/06/02/international-comparison-of-bank-fraud-reimbursement-customer-perceptions-and-contractual-terms/

      Basically, in the US Federal Regulations E and Z require a bank to promptly refund any disputed transaction. In the EU the Payment Services Directive (PSD), and its replacement (PSD2), allows the bank to refuse to refund in a number of situations, the most important being if they believe the customer to have been negligent. What this means is that if (on the basis of an internal audit report that the customer can't see) it is more likely that a disputed transaction was the result of negligence on behalf of the customer rather than a technical failure of the bank, then the customer is not entitled to a refund.

      What the banks usually claim is that the customer didn't protect the PIN according to the bank rules, which is not surprising since bank rules are regularly broken for very legitimate reasons https://www.benthamsgaze.org/2016/02/17/are-payment-card-contracts-unfair/

      1. Anonymous Coward

        Re: Really?

        The comment in the article was about "consumer protection" which is a lot broader than just talking about chargebacks. And "anywhere near as good" means there is a massive disparity, which there just isn't in either law or practice.

        Secondly, looking at it from a customer and merchant point of view as I am involved with both, the customer in the UK is almost always proved right unless the merchant can prove the customer wrong usually with CCTV - which I guess would be the same as the US.

        The difference with chip and pin is that if a pin is used then the initial idea would be that the customer must have used it as they would be the only entity to know their pin and if it is a CNP transaction and the CSV is known then the person at the other end of the phone must have access to the card.

        However I have never been refused a chargeback as a customer in the UK (I don't tell my PIN to anyone and cover it when using it), and as a Merchant we have not been successful in stopping a chargeback unless we have CCTV evidence or it was used at a Chip and Pin reader with PIN entered.

      2. lglethal Silver badge

        Re: Really?

        First off, I would like to say thank you to Dr Murdoch for joining the conversation. It's not often we get to have an expert quoted in an El Reg article joining in the Forum debates.

        From my reading of everything, it appears to come down to the fact that whilst Americans are more likely to suffer bank fraud (for lack of the additional security of chip and pin style technologies), they are more likely to get their money back than in the same case in Europe.

        I would also suggest that the comment that Americans have better consumer protection than Europeans may not hold in all cases as Europe has extremely strong laws on consumer warranties, guarantees, and return periods. Americans might be better protected in banking, but in regular purchasing protection not so much.

        Thanks to everyone for joining the discussion...

    3. Ugotta B. Kiddingme

      Re: Really?

      "Any of our American Cousins care to comment?"

      In my experience, it's a bit of a mixed bag. On the one hand Chip and Pin, properly executed in EU but largely NOT in US, makes fraud a tiny bit harder so one point for EU. On the other hand, Visa/MC/Discover policies in the US of "customer is (nearly) always right" pretty heavily favors the consumer so a point for US. If we could ever get PROPER execution of Chip and Pin over here, I think we could have the best of both worlds. Reality, however, would likely mean that the aforementioned consumer-friendly policies would be rolled back by the card issuers as "no longer needed." If I MUST choose between the two, I prefer the existing US "customer is (nearly) always right" policies, which I have used quite effectively the few times I needed them.

      1. Blank Reg

        Re: Really?

        And in Canada chip and pin has been available for years, as has tap and pay with no pin at all, and yet the card holder is not liable for fraud.

    4. Andromeda451

      Re: Really?

      On this side of the pond if I see a fraudulent charge on a bill I can contest it and at worst am responsible for $50 US of the charge no matter how much it is. I've had my card used to pay for a family (not mine) outing to Hawaii; I received a call while they were in flight, I was in Rome at the time and the family was detained at Honolulu airport. No cost to me. Rental car insurance is included on my cards at no extra cost so that's a nice perk. Those are my top 2 cents worth.

      1. Anonymous Coward

        Re: Really?

        > "On this side of the pond if I see a fraudulent charge on a bill I can contest it and at worst am responsible for $50 US of the charge no matter how much it is"

        Same here. Just change "$" to "£". :)

    5. datafabric

      Re: Really?

      Europe consumer protection > US. In Europe, chip and pin existed for close to a decade before introduction in the US. CC industry excuse for the US is that merchants do not like the slow transaction, especially during holidays, and consumers can dispute fraud charges, etc. In reality, merchants and CC just want to separate $ from consumers as quickly as allowed.

      In the US, CC and big merchants write off their losses as tax deductible, so there's no need to provide consumers with protection or secure services. Minimal requirements, and unless required by regulation, and all that from the big boys.

  3. tiggity Silver badge

    Cheque Mate

    Time for the resurgence of the cheque (PITA that most UK places hate them now)

    A scribble that has varying degrees of difficulty to forge, and also needs a card to be presented with it, but as you inevitably get your fingerprints on the cheque when handling it, if you have used it, it will have your prints in a few places, so you can prove fraudulent use as they can lift prints from the cheque.

    In the worst case scenario, if your cheque book is nicked, there's only really a chance of stray prints of yours on the "top" cheque (you may have got prints on it when removing the last cheque) and as they're likely to do fraud with > 1 of your cheques, the pattern of dodgy use (without your prints) will be convincing evidence that the "top" cheque was also a fraud transaction

    1. johnfbw

      Re: Cheque Mate

      Not used a cheque in a while (so long that my computer doesn't recognize it as a word), but I seem to remember a pretty typical method was 1) try and pull it out 2) separate the cheque from the other cheques (putting prints on the one below) and when that doesn't work 3) touch every cheque everywhere as you slowly rip it off

    2. SkippyBing

      Re: Cheque Mate

      'A scribble that has varying degrees of difficulty to forge'

      Honestly, I don't remember the minimum wage shop assistants examining the signature on my credit card closely enough that just writing my name wouldn't work. I don't see why a cheque would be any different, there's very little incentive for them to refuse one.

      In fact at one stage the signature strip on my card was worn off, it caused me slight difficulty in one petrol station.

    3. anothercynic Silver badge

      Re: Cheque Mate

      Cards present have not been required for cheques for several years, and ATM cards (well, your debit card) specifically say 'NOT a cheque guarantee card', i.e. 'can't use this to verify the person signing is the card holder too'.

  4. Your alien overlord - fear me

    Tap to pay - that's the future. What more could you need?

    1. ad47uk

      Tap and pay is an insecure system, which is why I told my bank to give me a normal debit card, which they did, just a shame they thought I changed my mind when they renewed it in March and I had to go through the process of getting a non-contactless card again

      1. Chloe Cresswell Silver badge

        A Dremel through the antenna works wonders on contactless cards..

  5. VinceH

    Am I missing something? If I've read that correctly, the fingerprint sensor is on the card - so, presumably, to get their fingerprint on the card in the first place, the card holder has to have it scan their fingerprint.

    With a PIN, when you get a new card the PIN is sent separately. This is done to hopefully avoid the issue of a batch of post being stolen, and the crooks finding both the card and the PIN in the same pile. If the above is so, it won't matter - they only need the card. They can then scan their fingerprint onto the card.

    1. patrickstar

      The point is that doing so is supposed to cost more than what you can gain from abusing the card. Just like changing/reading the PIN of the card would.

      1. TRT Silver badge

        They'll post out some new fingerprints.

    2. Anonymous Coward

      > This is done to hopefully avoid the issue of a batch of post being stolen, and the crooks finding both the card and the PIN in the same pile.

      Also helpful (for criminals) with the new approach is that if they get hold of someone's card... it'll generally have the owner's fingerprints all over it.

      ... and fingerprint duplication is no longer difficult.

    3. fuzzie

      I've not seen them explain how the cards are provisioned, but... the local (South African) banks are connected to Home Affairs' National Population Register, which allows the bank to perform fingerprint validation. When I'm in the bank, I can present a finger to be scanned and the bank can ask the NPR "is this John Doe's fingerprint?". Now the bank knows it's me, they can calculate the fingerprint data to be burnt onto the card. No-one but me can now use the card.

      What's more interesting is how they prevent an employee from putting her own fingerprint meta data on the card and then using it, though that loop could be closed by keeping the card disabled until positive delivery confirmation is received. I already have to provide positive identification, i.e. ID book/driver's licence, on receipt of the card.

      Aside: How do they deal with people who don't have fingerprints (adermatoglyphia) or those whose fingerprints might not be usable, e.g. those working with harsh chemicals/cleaners?

  6. Christoph

    How do I go about changing my fingerprints after this gets hacked?

    1. TRT Silver badge

      You have 9 changes available.

      1. Mark York 3 Silver badge

        Unless Your Name Is Timothy Ifield!

        You only have eight fingertips & two thumbprints.

        I see a Tim Ifield situation developing in the near future.

        http://www.telegraph.co.uk/tv/2017/04/02/line-duty-blindsides-viewers-canny-genius-episode-2-review/

        How did Captain Hook die? He had a ***k with the wrong hand!

    2. Chris 244

      My preferred method

      1. Preheat oven to 350 F / 180 C

      2. Place non-stick cookie sheet in oven, preferably with some nice chocolate chip cookie batter on it

      3. Bake for 14 min or until cookies lightly browned

      4. Remove cookie sheet from oven without the aid of oven mitts

      Will remove your finger prints for about two weeks, but that's okay because you'll need more cookies by then!

    3. druck Silver badge

      Fingerprints...

      ...the password you leave on everything you touch.

      1. John Brown (no body) Silver badge

        Re: Fingerprints...

        "...the password you leave on everything you touch."

        Exactly! A fingerprint is a username, NOT a password.

  7. tony2heads

    Problem

    How about thieves making fingerprints from photos of your hand or any item you have touched when making a purchase?

    1. Haku

      Re: Problem

      Always wear surgical gloves?

      Though it might be a bit tricky if you were to get stopped at night by the police; "No officer, I wear these so the thieves don't steal my fingerprints". "Yeah that's a likely story laddie. I am placing you under arrest for possession of burglary tools."

    2. Anonymous Coward

      @Tony

      Worse (theoretical) problem: How about cold-blooded killers who just chop off someone's hand in order to gain access to their fingerprints so that they can clean out the credit card?

      Assuming they don't know already then they'll need you alive to obtain your PIN, which could give you some leverage.

      1. Steven J Murdoch

        Re: @Tony

        Not entirely theoretical – https://www.theregister.co.uk/2005/04/04/fingerprint_merc_chop/

        In this case however, it looks like they want to do biometric payments at point of sale where there is a staff member present, so showing up with an amputated finger may draw attention.

        Unattended biometrics are more challenging for several reasons, so maybe why they are not tackling them right now.

      2. WolfFan Silver badge

        Re: @Tony

        How about cold-blooded killers who just chop off someone's hand in order to gain access to their fingerprints so that they can clean out the credit card?

        Properly done biometrics check for bio-electrical activity. That's why, for example, Apple's Touch ID stuff fails when your hands are wet, or greasy, or if there's grease or something on the sensor. There ain't no electrical activity once you're dead or once your hand/finger got chopped off.

        This, of course, means that a certain critical plot point in the latest Star Wars movie won't actually work, but that's Hollywood.

        1. Anonymous Coward

          Re: @Tony

          "This, of course, means that a certain critical plot point in the latest Star Wars movie won't actually work, but that's Hollywood."

          I think Spaceballs got around that plot hole. The goon used for the hand-print sensor was only unconscious.

        2. Nick Ryan Silver badge

          Re: @Tony

          The sensor fails because the water or grease on the sensor smoothes out your fingerprint, either by filling the troughs, making it harder to pick out the ridges, or by being electrically conductive and therefore confusing the sensors, as they would otherwise detect the patterns of conductivity on a finger - it depends on the implementation, and many sensors are the electrical conductivity type. Nothing much to do with measuring bio-electrical activity or heat.

        3. Eddy Ito

          @WolfFan

          So if I understand correctly I'd need to skin the finger and wear the epidermis like a finger cot perhaps with an electrically conducting gel to get a good connection.

      3. fuzzie

        Re: @Tony

        Modern fingerprint readers are clever enough to be able to spot non-alive fingers. They're more expensive than the cheap'n'cheerful ones, but the additional protection they provide may well make it worth it.

    3. Lee D Silver badge

      Re: Problem

      "or any item you have touched when making a purchase"

      Like, say... the shiny, glossy, credit card that they just nicked off you and now need a fingerprint to unlock.

      Nick card from wallet.

      Bit of sticky tape and a gummi bear.

      Hey, presto, card with "full authority" to spend what you like with no cardholder co-operation (or even knowledge) required.

      Fingerprints ARE NOT AUTHENTICATION. They are IDENTIFICATION. They say who you are / claim to be. They do not verify that you are actually that person.

      Any card company that tries this on me will be informed that I don't have fingers.

    4. This post has been deleted by its author

  8. Haku

    Yarr harr me hearties!

    Time to fire up the stove and put the gummi bears into the melting pot!

    https://www.theregister.co.uk/2002/05/16/gummi_bears_defeat_fingerprint_sensors/

  9. heyrick Silver badge

    Just a little question...

    ... If we're expected to remember 11 digit phone numbers of family members and friends, why so much objection to a longer PIN? It seems ludicrous that payment codes are still but four digits long.

    1. Anonymous Coward

      Re: Just a little question...

      Are we expected to remember those? These days, there's a single phone number I know, it's my mobile one. I even sometimes have to check my own landline number.

    2. GingerOne

      Re: Just a little question...

      "... If we're expected to remember 11 digit phone numbers of family members and friends, why so much objection to a longer PIN? It seems ludicrous that payment codes are still but four digits long."

      Ah, but you aren't expected to remember them anymore. Smartphone phonebooks remember telephone numbers and all other contact details. Browsers on all devices remember usernames and passwords. We aren't even asked to remember URLs for companies anymore - just 'search for xyz'.

    3. SkippyBing

      Re: Just a little question...

      'It seems ludicrous that payment codes are still but four digits long.'

      I have a perfectly intelligent friend who is completely unable to remember a 4 digit pin, details of a conversation from two weeks ago yes, 4 digits no. Making them longer would just mean she'd end up owing me more money.

    4. aphexbr

      Re: Just a little question...

      Really? Most people don't remember their own number, let alone the rest, which are usually stored in their phone's address book. Ask them to restate their own number and they might be able to do that through repetition, but most won't remember numbers of other people unless they dial them on a regular basis. Even when landlines were common, you'd usually not memorise the whole thing - the first few digits would be the area code, which you'd normally not need to use for local contacts - while you would probably look in a physical address book or phone directory if you didn't have it to hand.

      Besides which, it's a silly comparison anyway. Losing a phone number means you have to ask someone else you know to give it to you again, be that your phone operator or a contact of the friend you need to get through to. They're often visible on peoples' Facebook pages or other public profiles, and lots of other people will usually have them. People won't remember a private PIN number that they can't share in that way.

    5. Chris 244

      Re: Just a little question...

      I can quite easily rattle off the long-dead phone numbers for my old mates from when I was but a young lass. Can't remember my own cell phone number ... that I've had for at least five years.

    6. Anonymous Coward

      Re: Just a little question...

      'It seems ludicrous that payment codes are still but four digits long.'

      What security would it bring to make it longer? It's not meant to make bruteforcing it /impossible/, as would a login password, merely to make it easily /detectable/.

      It only takes 3 incorrect tries to kill a chip, or have an ATM swallow a magstripe card, or any kind of connected POS to report that something's up to the central servers, and from then on, you're the proud owner of a useless bit of plastic.

      For what it's worth, China Union Pay cards do use 6-digit PINs.

    7. Lee D Silver badge

      Re: Just a little question...

      Almost all EU banks allow longer PINs.

      And, in fact, our cash machines handle their cards just fine and ask for 6-or-more digit PINs.

      It's just the UK that's stupid and doesn't ask its users to set longer ones. The capability is already in all our ATMs and in daily use by thousands of foreigners with 6-8 digit PINs.

      1. fuzzie

        Re: Just a little question...

        Now they do, though I remember the first time I visited Europe---granted this was nearly fifteen years ago---the bank told me which digits of my PIN I had to drop to have EU/UK ATMs accept the PIN. I believe South Africa's had five digit PINs from the start.

    8. Pedigree-Pete

      Re: Just a little question...

      In the UK we don't have many houses with numbers > 3 digits, in the US it seems that 5 digit house numbers are common. Most people know their house number.

      In the UK we have 6 digit postal codes (ZIP Codes?). Most seem to be able to remember at least 1 of those. I know the post code for my house, my office, its warehouse, my Mum & Dad's, even my old bank (tho not my new one).

      I don't get the "I can't remember a 4 digit number" brigade. PP

      Medical exceptions, accepted.

  10. Anonymous Coward

    This article appears to be a little light on the fact-checking. For a start, EMV and PCI are hardly competitors: they cover different things. Visa and MC are members of both.

    Furthermore, I don't quite get how the fingerprint is used. It seems to require a permanent connection to check it against MC's servers? The PIN does not require that, as it's handled by the chip, and never leaves it. Maybe it means the fingerprint will not be used for low amount transactions, those for which no connection is made to check if the card is allowed to pay?

    1. 's water music

      Furthermore, I don't quite get how the fingerprint is used. It seems to require a permanent connection to check it against MC's servers?

      My guess is that the card stores some sort of hash of your finger print and compares this with a hash of the output of its onboard scanner. It seems reasonable that you might have to visit a branch to enroll your finger and load the hash onto the card (which would allow for some sort of greater validation of identity).

    2. Rimpel

      re It seems to require a permanent connection to check it against MC's servers?

      From the article, sentence 3.

      "Their fingerprint will then be verified against a template stored on the card"

  11. Steve Crook

    Is it good enough?

    On my Samsung S6 I've had to record multiple prints because I found that I couldn't always rely on a single digit not being damaged enough to bork the sensor.

    In fact, I found that after a longish hike my fingers could swell up enough to confuse the sensor so I had to record prints for before and after hike. So you might not get your money if the weather's hot, or you cut or scraped your finger tip.

  12. Dan 55 Silver badge

    Useless

    Fingerprints have advantages and disadvantages over PINs but being better than a PIN is not a particularly high bar. Customers don't find PINs easy to use and they are not particularly secure.

    So how do you get a fingerprint scan if you insert the card into a cash machine, petrol station, or vending machine slot?

    You're not going to be able to forget your PINs because PIN will be a fallback in these places. You will, however, be more likely to forget your PIN if you use it less.

    Oh, and fraudsters will use the PIN of course. Or magstripe. Or an online gateway which requires hardly any info before taking payment.

    1. Anonymous Coward

      Re: Useless

      It's not that easy. The card number will identify it as being fingerprint-enabled. That means that when MC's server receives the payment authorization request, if it does not include a fingerprint, its fraud suspicion score will be raised. If that's repeated multiple times (i.e. on the same card and/or the same merchant), there's a high probability any further request will be denied, and the total amount of the fraud will be kept low before it's stopped. Same if they go to an online payment system that does not use 3D Secure or some such: those are more likely to have their transactions refused.
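The scoring this comment sketches, written out as an added example (not Mastercard's or any issuer's real logic): a toy issuer-side velocity scorer in which a card known to be fingerprint-enabled that keeps authorising without a biometric CVM raises a per-card and a per-merchant suspicion score until further requests are declined, capping what a stolen card can extract. The card tokens, merchant ids, thresholds and request traffic are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthRequest:
    """One authorisation request as the issuer would see it (constructed fields)."""
    pan_token: str      # tokenised card identifier, never a real PAN
    merchant_id: str
    amount_gbp: float
    cvm: str            # cardholder verification method: "biometric", "pin", "signature" or "none"


class BiometricCardScorer:
    """Toy issuer-side velocity scorer.

    A card enrolled as fingerprint-enabled that authorises without a biometric
    CVM accumulates suspicion both per card and per merchant. Once either score
    crosses its limit, requests are declined, so the fraud total stays small
    before the card is effectively dead. Thresholds are constructed, not taken
    from any scheme's rules.
    """

    def __init__(self, biometric_cards, card_step=25, card_limit=100,
                 merchant_step=10, merchant_limit=50):
        self.biometric_cards = set(biometric_cards)
        self.card_step, self.card_limit = card_step, card_limit
        self.merchant_step, self.merchant_limit = merchant_step, merchant_limit
        self.card_score = defaultdict(int)
        self.merchant_score = defaultdict(int)
        self.approved_total = defaultdict(float)

    def authorise(self, req: AuthRequest) -> str:
        if req.pan_token not in self.biometric_cards:
            # Ordinary card: this particular heuristic does not apply.
            self._approve(req)
            return "approve"
        if req.cvm == "biometric":
            # Fingerprint verified on-card: let accumulated suspicion decay.
            self.card_score[req.pan_token] = max(0, self.card_score[req.pan_token] - self.card_step)
            self._approve(req)
            return "approve"
        # PIN, signature or no CVM on a fingerprint-enabled card: raise both scores.
        self.card_score[req.pan_token] += self.card_step
        self.merchant_score[req.merchant_id] += self.merchant_step
        if self.card_score[req.pan_token] >= self.card_limit:
            return "decline:card-velocity"
        if self.merchant_score[req.merchant_id] >= self.merchant_limit:
            return "decline:merchant-velocity"
        self._approve(req)
        return "approve"

    def _approve(self, req: AuthRequest) -> None:
        self.approved_total[req.pan_token] += req.amount_gbp


def run_sample():
    """Replay three constructed traffic patterns and return the decisions."""
    scorer = BiometricCardScorer(
        biometric_cards={"tok-A", "tok-L"} | {f"tok-B{i}" for i in range(1, 7)})

    # 1. A stolen fingerprint card run through the magstripe (signature CVM)
    #    at five different merchants: the per-card score trips on the 4th try.
    stolen = [AuthRequest("tok-A", f"M{i}", 10.0 * (i + 1), "signature") for i in range(1, 6)]
    stolen_decisions = [scorer.authorise(r) for r in stolen]

    # 2. One merchant submitting no-CVM requests for six different fingerprint
    #    cards: each card alone looks clean, but the merchant-level score trips.
    merchant = [AuthRequest(f"tok-B{i}", "M9", 15.0, "none") for i in range(1, 7)]
    merchant_decisions = [scorer.authorise(r) for r in merchant]

    # 3. The legitimate holder of tok-L using the sensor every time: always approved.
    legit = [AuthRequest("tok-L", "M1", 40.0, "biometric") for _ in range(3)]
    legit_decisions = [scorer.authorise(r) for r in legit]

    return {
        "stolen": stolen_decisions,
        "stolen_approved_gbp": scorer.approved_total["tok-A"],
        "merchant": merchant_decisions,
        "legit": legit_decisions,
    }


if __name__ == "__main__":
    for name, value in run_sample().items():
        print(f"{name}: {value}")
```

Note that, as the thread's next reply points out, a PIN transaction on a fingerprint-enabled card is scored the same way here as a signature one, which is exactly the lock-out risk for holders who routinely use PIN-only readers.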

      1. Dan 55 Silver badge

        Re: Useless

        So people can legitimately have a routine which includes cash machines, petrol stations, and vending machines so they run the risk of getting locked out paying with PIN (the only way) because they've got a fingerprint card.

        That's if a fingerprint card is useful anyway. Presumably if someone's security minded they won't get a fingerprint card and if they're not then contactless will do for them and they will never use it over the Internet because card issuers won't force their customers to buy USB card readers as it'll just drive them off.

      2. Charles 9

        Re: Useless

        "It's not that easy. The card number will identify it as being fingerprint-enabled. That means that when MC's server receives the payment authorization request, if it does not include a fingerprint, its fraud suspicion score will be raised."

        Not if the card's simply kept to CNP transactions where the fingerprint reader (and PINs, for that matter) aren't useful.

    2. Charles 9

      Re: Useless

      "So how do you get a fingerprint scan if you insert the card into a cash machine, petrol station, or vending machine slot?"

      You DON'T. As the article notes, it's not meant for those kinds of transactions, which is why the sensor is located in an area normally covered by those kinds of readers. They're meant for PIN Pad terminals at sales counters where there are people present to watch you. Dead fingerprints would be obvious and even gummy prints would be risky.

  13. Anonymous Coward

    Muggings...

    ...become a lot more interesting. No need for slapping your victim until he gives up his PIN, now you just use his finger... or take it with you...

    1. D@v3

      Re: Muggings...

      Yeah, just like when 'phones started with finger print access. Remember all those news reports of people being mugged and having their fingers chopped off. was horrific.

      1. Anonymous Coward

        Re: Muggings...

        > "Remember all those news reports of people being mugged and having their fingers chopped off. was horrific."

        Yup, no outbreak, but there was this incident: https://www.theregister.co.uk/2005/04/04/fingerprint_merc_chop/

  14. patrickstar

    So, just by stealing someone's wallet you get everything needed? Card plus fingerprint lifted from anything in there (including the card itself unless it has very good anti-fingerprint coating...).

    Wasn't this exactly what PIN codes were supposed to prevent?

    The gangs that do skimming and card theft en masse aren't stupid or poorly equipped. They would quickly figure out how to emulate fingerprints without the clerk noticing.

    1. Charles 9

      And if it becomes SOP for the clerk to ask to SEE the finger in question before you press it?

      1. patrickstar

        Just like it's standard procedure for the clerk to check the signature for transactions without a PIN?

        And by "standard", I mean "never actually done".

        1. Charles 9

          But it's A LOT easier to just look at a finger than it is to compare signatures. Plus most people don't sign consistently anyway. I know my scrawl varies between iterations. How are you going to conceal a fake fingerprint in plain sight without some kind of tell?

  15. Justicesays

    Maybe I'm not as smart as these card tech guys...

    But I'm pretty sure the card will have copies of your fingerprints on it somewhere! Much like your (touch screen) mobile phone that also features a fingerprint sensor.

    Make sure to only handle the card with one hand, and use a fingerprint from the other...

    Or have a special "wipe-down" wallet with fingerprint removal slots.

    Hey, something to take over from the "tin foil" wallet to (not) block NFC.

    1. Anonymous Coward
      Anonymous Coward

      Re: Maybe I'm not as smart as these card tech guys...

      That's not how the card, or mobile phones, work. They don't store your fingerprint; they create a hash from it and an encryption key unique to the device/card, and store that. You can pull the hash off, but it's useless without the key.

      If you're concerned about the security on your card, look no further than the mag stripe, which contains all of your card's details totally unencrypted. If you swipe it through a scanner, it outputs it all as pure text.

      1. Steven J Murdoch

        Re: Maybe I'm not as smart as these card tech guys...

        Well typically it's not a hash, because that won't allow fuzzy matching that takes into account small changes between different presentations of the same finger. MasterCard say that they convert the fingerprint to a template and store it in an encrypted form on the card. Of course the encryption key needs to be stored on the card too, but hopefully it is not easy to extract both it and the encrypted template.

        1. Charles 9

          Re: Maybe I'm not as smart as these card tech guys...

          "Well typically it's not a hash, because that won't allow fuzzy matching that takes into account small changes between different presentations of the same finger. MasterCard say that they convert the fingerprint to a template and store it in an encrypted form on the card. Of course the encryption key needs to be stored on the card too, but hopefully it is not easy to extract both it and the encrypted template."

          In such a situation the crypto module is black-boxed, unique to the card, and highly tamper-resistant with suicide circuits and so on (IOW, try to mess with it and it wipes).

      2. Lee D Silver badge

        Re: Maybe I'm not as smart as these card tech guys...

        "That's not how the card, or mobile phones work"

        I think you'll find that he means he can get an image of your fingerprint quite easily.

        And your phone fingerprint sensor can be fooled by a sufficiently good image of a fingerprint, printed onto certain surfaces. You don't even have to get very technical.

        Every smartphone fingerprint sensor (and this card sensor) on the market can be fooled with nothing more than a picture of the fingerprint smudge you left on the card as you last took it out of your wallet. It just depends how many times you want to try it to refine your technique.

        Last year, someone pulled the fingerprint of a German politician from a photograph of them raising a wine glass. All the "temperature/heat/light/pulse/etc." sensors in the world can't do much that isn't easily fooled, and the actual "fingerprint ID" process is still - to this day - finding the edges on a high-contrast B&W image of the fingerprint in question as it lies flat on a surface. Whether the sensor is swipe, scan, optical, or whatever.

        I have a bunch of Gemalto etc. fingerprint readers in my junk box if you'd like to play. They almost all have open-source software that presents the image as a B&W TIFF from the sensors to something that edge-detects and then hashes / stores the result. How they store it is irrelevant if you can present the same image to the sensor and the sensor then hashes that to the same hash as a real fingerprint would hash. The hardware doesn't do anything fancy, but a bit of image processing and maybe a particular wavelength of light / check for colour variation for pulse (and that's an "advanced" model).

        There's a reason they're all in my junk box despite being "state-of-the-art" for banking security at one point or another.

  16. Anonymous Coward
    Anonymous Coward

    I'll just use one of my toes, sure it'll be a pain paying for things but at least it'll be secure.

    1. TRT Silver badge

      Careful. It might cost you an arm and a leg.

  17. hammarbtyp

    To be honest, most fraud occurs due to card skimming and the cards being used in areas where two-factor authentication is not standardised (that technological tour-de-force, the US, is the biggest culprit).

    If you wanted to fix security you'd close the weak points first, so they would be better off just disabling all non chip-and-PIN cards worldwide.

  18. Baldrickk

    Hygiene concerns

    "Having the sensor on the customer's card also avoids some hygiene concerns that come up related to shared fingerprint sensors."

    Because the difference between a fingerprint sensor that has had fingerprints on it, and PIN pad buttons that have had fingers on them is?

    1. Rich 11

      Re: Hygiene concerns

      The fingerprint sensor is on the card, so it should only ever be touched by the owner.

      That said, it's a daft point for Dr Murdoch to make. Anyone so paranoid about other people's bugs will spend their life wearing gloves or trying to open shop doors with their elbows or toes. I don't think that describes a high proportion of the population.

      1. sjmurdoch

        Re: Hygiene concerns

        Studies of customer perception of biometrics show that hygiene concerns are a significant reason for rejecting fingerprint recognition systems, particularly in Japan. That's one of the reasons that finger-vein is more widely adopted there. See http://www.hitachi.eu/veinid/documents/veinidwhitepaper.pdf

      2. Anonymous Coward
        Anonymous Coward

        Re: Hygiene concerns

        It doesn't have to describe a high proportion of the population.

        It only has to describe me.

        You would be surprised how much you can accomplish with your elbows and the backs of your hands.

        The gloves are actually a work requirement; I'm not that fond of them.

    2. sjmurdoch

      Re: Hygiene concerns

      Some people care, it seems. Perceived hygiene was one of the reasons that non-contact finger-vein biometrics was adopted in Japanese ATMs, rather than fingerprints (which require contact).

  19. Cuddles

    Not quite thought through

    "When the biometric card is placed into a retailer's EMV terminal, the owner will be able to place their finger on the embedded sensor."

    Except in the many terminals which don't leave that part of the card exposed.

    @patrickstar

    "Wasn't this exactly what PIN codes were supposed to prevent?"

    Yes. PINs are actual two factor authentication - something you have and something you know are required for a transaction. Unfortunately many people seem to get stuck at the "two" part and think that just having any two things involved means it's 2FA. In this case, it's simply something you have and something else you have, which can therefore be compromised by taking them both at the same time.

    1. Anonymous Coward
      Anonymous Coward

      Re: Not quite thought through

      "2FA" - can't we have 3FA: the card (for account details confirmation), a fingerprint (to prove the owner is present, something we have) AND the PIN (something we know)?

      I would prefer a card that scanned your iris rather than fingerprints for increased security. You leave your fingerprints everywhere but not your eyes.

      I will NOT use NFC as it's not secure enough. No 2nd factor. And the quicker banks realise that it's SH*T and stop trying to force it on us the better.

      1. Bela Lubkin

        Re: Not quite thought through

        Indeed, I would be happy to use chip-and-pin-and-fingerprint. But the banks would never go for it (maybe some day in the midst of a fraud epidemic?)

  20. John Smith 19 Gold badge
    Unhappy

    Won't matter because it seems the Americans don't use C&P now

    Why would they use fingerprints either?

    Fingerprints sound like a good techno fix until you look closer.

    But the real issue is US merchants who can't, or won't use C&P and only accept on 30YO mag strip technology.

    1. Charles 9

      Re: Won't matter because it seems the Americans don't use C&P now

      "But the real issue is US merchants who can't, or won't use C&P and only accept on 30YO mag strip technology."

      Because they don't care. Most of the time, they don't foot the bill, and the little that does stick they eat to keep customers from defecting. Customers don't care as they just wanna get out the door (one of the most embarrassing things you can see is a customer swiping and leaving only for the clerk to call back, "But your card was declined!"). And as noted earlier, VISA don't want to lose customers so they tend to resolve fraud issues quickly in their favor. In such an environment, why shoulder additional PITAs when they don't have to?

  21. Anonymous Coward
    Anonymous Coward

    I have a bank issued card that is tied to a business account that can never be used physically in a slot or chip reader.

    I have a signed confirmation of 3 things from my bank manager

    1. that he personally changed the pin number to a number that I have no knowledge of.

    2. that he witnessed the destruction of the chip (hole punch)

    3. that the details presented on the magstripe are invalid (re-written in his presence and then checked)

  22. PNGuinn
    Mushroom

    Right, first off ...

    The fingerprint is stored on the card ....

    Really - NO WAY Mastercard. You can stick that one sideways where the sun don't shine for a start, and then insert your finger to operate the reader.

    How easy will it be to clone a few dozen of these cards, with modified fingerprints?

    As an additional relatively low security ADDITION to chip and pin, with some kind of stored hash, possibly.

    But before you go any further, let me have a card WITHOUT WIRELESS you morons.

  23. Nick Ryan Silver badge

    Targeting the wrong method?

    And there I was thinking that "cardholder not present" fraud was the most costly and most serious - sticking (undoubtedly low quality) fingerprint readers on cards won't help with this at all.

    1. Charles 9

      Re: Targeting the wrong method?

      The untrusted medium basically means there's no real way to deal with CNP fraud before the fact, as most thieves simply get enough information to properly impersonate the original holder. There's no real way to stop a Perfect Impostor at that point.

  24. ad47uk

    Confused?

    So we went from the old magnetic strip and signature to chip and PIN to make it more secure, then we go to contactless that is insecure, and now they are sticking fingerprint scanners on cards to make them more secure.

    Why not just stick to chip and PIN?

    Thankfully this is a Mastercard thing and hopefully Visa will not follow suit; it is bad enough trying to tell my bank I do not want contactless.

  25. Will Godfrey Silver badge
    Unhappy

    No card is secure

    All of them do the checks locally, then simply tell the bank "OK all good here."

    To get real checks would require all the data concerning the transaction being sent to the bank where a proper examination could be done.

    It's not going to happen though. It would require decent bandwidth comms, and would make the bank responsible for errors.

    1. patrickstar

      Re: No card is secure

      There are different values of "secure".

      In the case of smartcards in general it means "takes too much time and/or money to attack them". With debit/credit cards you can even make a nice budget for how much it has to cost the attacker to compromise a single card.

      You should rather think about it in terms of physical security (where literally anything is possible to compromise given enough of those two things), not computer or cryptographic security (where 'secure' tends to mean that it's either actually literally impossible to compromise given certain assumptions, or that it would take more time than the universe has left).

  26. cloth

    I've got a skin condition that screws up my print

    I'm allergic to some stuff and when it kicks in my Android, my laptop and previous laptops can't recognise my fingerprint. I always have to revert to "old fashioned" methods. Let's hope that no one forgets about me.

    Oh, and today I seem to get more and more people who just swipe my card and don't give a damn about identification - PIN, signature or otherwise. Clearly, it's too expensive for them to worry about my small transactions so they are only interested in the large ones. The large ones are mainly going to be online going forwards, so it has to link up to my home somehow - in which case what's the point?

  27. Hans 1
    Facepalm

    What a fucked-up title for the article?

    "Mastercard launches credit card with PIN written on card"

    All you need is flour, some wax and anyone can use the card!

    No, it is not April 1st, what is wrong with people?

  28. JaitcH
    Happy

    A British Friend with a Quirky Sense of Humour . . .

    ...recently acquired a cell handset with a fingerprint sensor.

    As he willingly demonstrates, not one of his fingers performs the 'Open Sesame' trick. He has never been observed unlocking his electronic pride and joy.

    Turns out he uses his OTHER 'pride and joy', in the privacy of a toilet cubicle, to unlock his cell handset!

    I wonder if this would work on a bankcard?

  29. Lucky2BHere

    See zoomlogin.com to understand where biometrics need to go. MFA is a use killer, proven over and over. We need methods that are good enough to stand alone, don't require any special hardware or devices, and are average-Joe-simple to use.

  30. Jin

    What when falsely rejected?

    When the sensors are set as to effectively reject a third person, cases of false rejection of legitimate users happen frequently. What would you do when you are falsely rejected?

    If you are requested to resort to a PIN, we are not talking about security but just convenience. Convenience for you as well as criminals, as shown in this 30-second video.

    https://youtu.be/7UAgtPtmUbk
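
Two points raised above, that a template matcher has to be fuzzy rather than a plain hash (Steven J Murdoch's reply in thread 15) and that tightening the matcher to keep impostors out drives up false rejections (Jin's post), can be shown in a few lines of Python. This is an added illustration, not Mastercard's or any commenter's code: templates are modelled as 256-bit vectors and the noise ranges for genuine and impostor presentations are constructed assumptions, not measured sensor data.

```python
import hashlib
import random

TEMPLATE_BITS = 256  # templates modelled as bit vectors (constructed stand-in for minutiae data)


def bits_to_bytes(bits):
    return bytes(int("".join(str(b) for b in bits[i:i + 8]), 2) for i in range(0, len(bits), 8))


def hash_template(bits):
    """Cryptographic hash of a template: one flipped bit changes the whole digest, so no fuzzy match."""
    return hashlib.sha256(bits_to_bytes(bits)).hexdigest()


def hamming_distance(a, b):
    return sum(x != y for x, y in zip(a, b))


def template_match(enrolled, presented, threshold):
    """Fuzzy match as a real matcher does it: accept when at most `threshold` bits differ."""
    return hamming_distance(enrolled, presented) <= threshold


def flip_bits(template, count, rng):
    """Copy `template` with `count` randomly chosen bits flipped."""
    sample = list(template)
    for i in rng.sample(range(len(sample)), count):
        sample[i] ^= 1
    return sample


def error_rates(threshold, trials=400, seed=7):
    """Return (FRR, FAR) at `threshold` under constructed noise models.

    Assumption: a genuine finger re-presented differs by 20-80 bits (pressure, angle,
    dry skin); an impostor finger differs by 60-140 bits. The ranges overlap on purpose,
    because real genuine and impostor score distributions overlap too.
    """
    rng = random.Random(seed)
    enrolled = [rng.randint(0, 1) for _ in range(TEMPLATE_BITS)]
    genuine = [flip_bits(enrolled, rng.randint(20, 80), rng) for _ in range(trials)]
    impostor = [flip_bits(enrolled, rng.randint(60, 140), rng) for _ in range(trials)]
    frr = sum(not template_match(enrolled, g, threshold) for g in genuine) / trials
    far = sum(template_match(enrolled, i, threshold) for i in impostor) / trials
    return frr, far


def tradeoff(thresholds=(50, 70, 90, 110)):
    """FRR/FAR per threshold: a lower (stricter) threshold cuts FAR but raises FRR."""
    return {t: error_rates(t) for t in thresholds}


if __name__ == "__main__":
    rng = random.Random(1)
    enrolled = [rng.randint(0, 1) for _ in range(TEMPLATE_BITS)]
    again = flip_bits(enrolled, 3, rng)  # same finger, slightly different presentation
    print("hash equal?", hash_template(enrolled) == hash_template(again))  # False
    print("template match?", template_match(enrolled, again, 70))  # True
    for t, (frr, far) in tradeoff().items():
        print(f"threshold {t:3d}: FRR={frr:.1%}  FAR={far:.1%}")
```

A deployment that answers a false rejection by falling back to PIN entry gets the FRR it chose without the FAR it paid for, which is the convenience-versus-security trade Jin describes.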
