Your Next Bank Card is a Finger-Scanner

Visa and Mastercard have chips embedded in hundreds of millions of credit and debit cards around the world. They're used in more than 200 countries and process billions of payments each year. And they're both intent on creating bank cards that use your fingerprint instead of a PIN. 

Early trials of cards with fingerprint scanners built-in are underway and success could eventually result in the death of the humble PIN. 

"A four-digit PIN is pretty good security, obviously, six, seven or eight digits are better but it is very hard for people to remember," says Bob Reany, an executive vice president at Mastercard, who is working on the firm's biometric cards. "The security is going to be better than a PIN."

In April 2017, Mastercard started trialling a biometric card in South Africa. The card looks the same as any other bank card but has a small biometric scanner in the top right-hand corner. When a finger is placed on the sensor it is able to recognise if it is a match with stored data and authorise a payment.

Mastercard now has more trials running in Bulgaria and Reany says thousands of fingerprint-detecting cards will be trialled elsewhere in the world later this year. "We've gotten the algorithms in great shape, now we're doing matching on the native device where the template is captured, and we're ready to go to market at some scale," he says. 

Crucially, in the coming months, banks will be issuing them to regular customers for the first time. Reany won't reveal exactly where the cards will be given to people but says more announcements are coming. "I think you're going to see pockets of Europe go pretty quickly," Reany says of potential adoption.

Rival Visa is also testing biometric cards in Cyprus with the country's national bank, and security company Gemalto, which has been creating the cards for both of the major payment companies, says it has produced "tens of thousands" of biometric cards for tests.

"In some countries where they like the added security of a biometric, it could roll out pretty quickly," says Howard Berg, the managing director of Gemalto UK. He expects a "significant rollout in next couple of years".

Scanning a Finger

Biometric cards are a mashup of fingerprint scanners, similar to those that unlock and prove identity on smartphones, and the technology used in chip and pin bank cards. The cards all use a standard called EMV (named after its creators: Europay, MasterCard and Visa).

EMV technology stores a user's information on a card's chip and circuits. The system was developed to work both with cards that need to be inserted into a reader before a user enters their PIN and with contactless payment methods.

The payment units that cards are inserted into or held above are crucial to biometric cards working. Biometric cards don't include a battery and use power from the card reader to work. This power is used to activate the fingerprint reader and allow it to work out whether the finger being scanned is the right one.

"The first thing that happens is the chip is looking for a biometric match," Gemalto's Berg says. "When the finger is put on the sensor that is sent to the chip, the chip takes a look at the fingerprint that is stored and compares it to the one that is given."

Before this can happen, a fingerprint has to be captured. With Gemalto's card a person must go to a bank and have their fingerprint scanned at an in-store kiosk or tablet.

Mastercard's Reany believes the company has found a way to make biometric cards more accessible. The firm has created a "sleeve" that's able to help record a person's fingerprint. Essentially, the device is a cardholder, which has a battery built into it.

A biometric card is inserted into the sleeve and power is provided to the card. The first time the sleeve is used, a person places their finger on the fingerprint scanner three times and a recording is made. A fingerprint is stored as an encrypted template of numbers, not a physical image of a fingerprint, and the sleeve doesn't connect to the Internet or mobile data connections in any way.

"If you think about this thing being a global product, not everyone is going to have a smartphone to help enroll with it," Reany says.

Each of Mastercard's biometric cards has the physical capacity to hold four different fingerprints. But, Reany says, as banks decide to use the biometric card in the real world they will decide how many fingerprints should be stored. During the biometric card's development, Mastercard has had to rework how the sensor scans a finger. Reany says there are some "idiosyncrasies" in how people use their fingers. "Some people put the tip of the finger down like they do with an iPhone," he says. "Some people put their full finger down flat and some people were doing some finger rotation.

"The early versions did not do well on the tip of the finger or the rotation of the finger. We had to go back and make the algorithms more powerful so they could account for that kind of thing." Each time a payment is authorised using a fingerprint, this information is also included in data sent as part of the transaction to help banks identify how money is being moved. 

Are they Needed?

"Biometrics is a way to make cards more secure to a large part of the planet that may not have access to smartphones today," says Peter Hahn, dean of the London Institute of Banking and Finance. "But you'd really wonder why someone who has a smartphone would need this." 

Hahn says biometrics are a positive step forward for banking security – which has moved from written signatures to chip and pin – but is unsure if the technology is needed everywhere in the world. For multiple years, it has been possible to pay with smartphones, wearable devices and contactless cards. Hahn adds: "Part of it is, is this about plastic trying to assure its viability when we really should be questioning why do we need plastic anymore at all? We've already got that step of security in a mobile."

But regardless of how essential they are, biometric cards offer some benefits. There's the potential for card PINs to be stolen from databases by hackers. As far back as December 2013, there were attempts to steal credit card identification numbers.

"There's not a honeypot of fingerprint data sitting in Mastercard or a bank somewhere waiting for hackers to get into it and compromise that information," Reany says. Berg adds: "The card avoids the need for a central database". 

Each fingerprint is stored only on the card itself, and because the card cannot be connected to the Internet, a hacker would need physical access to the card to compromise it. Biometric security solutions aren't infallible though, as Apple learned with its iPhone X facial recognition. Reany says Mastercard has tried to test against this. "Rubber fingers don't work, because there are, electrical capacitive sensing that is required," he says.

Ultimately, payment companies are continuing to develop biometric bank cards and trials are getting bigger. At the very least, biometric cards will offer a slightly more convenient way to pay, but they may also evolve with increasing use of fingerprint technology in other areas of people's lives. As Berg says: "People forget their PINs but very rarely do you go out without your fingers."

Wired
