Your Next Bank Card is a Finger-Scanner

Visa and Mastercard have chips embedded in hundreds of millions of credit and debit cards around the world. They're used in more than 200 countries and process billions of payments each year. And they're both intent on creating bank cards that use your fingerprint instead of a PIN. 

Early trials of cards with fingerprint scanners built-in are underway and success could eventually result in the death of the humble PIN. 

"A four-digit PIN is pretty good security, obviously, six, seven or eight digits are better but it is very hard for people to remember," says Bob Reany, an executive vice president at Mastercard, who is working on the firm's biometric cards. "The security is going to be better than a PIN."

In April 2017, Mastercard started trialling a biometric card in South Africa. The card looks the same as any other bank card but has a small biometric scanner in the top right-hand corner. When a finger is placed on the sensor it is able to recognise if it is a match with stored data and authorise a payment.

Mastercard now has more trials running in Bulgaria and Reany says thousands of fingerprint-detecting cards will be trialled elsewhere in the world later this year. "We've gotten the algorithms in great shape, now we're doing matching on the native device where the template is captured, and we're ready to go to market at some scale," he says. 

Crucially, in the coming months, banks will be issuing them to regular customers for the first time. Reany won't reveal exactly where the cards will be given to people but says more announcements are coming. "I think you're going to see pockets of Europe go pretty quickly," Reany says of potential adoption.

Rival Visa is also testing biometric cards in Cyprus with the country's national bank and security company Gemalto, which has been creating the cards for both of the major payment companies, says it has produced "tens of thousands" of biometric cards for tests. 

"In some countries where they like the added security of a biometric, it could roll out pretty quickly," says Howard Berg, the managing director of Gemalto UK. He expects a "significant rollout in next couple of years".
Scanning a Finger

Biometric cards are a mashup of fingerprint scanners, similar to those that unlock and prove identity on smartphones – and technology used in chip and pin bank cards. The cards all use a standard called EMV (named after its creators: Europay MasterCard Visa). 

EMV technology stores a user’s information on a card's chip and circuits. The system was developed to work on cards that need to be inserted into a reader, before a user enters their PIN, and contactless payment methods.

The payment units where cards are either inserted or held above are crucial to biometric cards working. Biometric cards don't include a battery and use power from the card reader to work. This power is used to activate the fingerprint reader and allow it to work out whether the finger being scanned is the right one. 

"The first thing that happens is the chip is looking for a biometric match," Gemalto's Berg says. "When the finger is put on the sensor that is sent to the chip, the chip takes a look at the fingerprint that is stored and compares it to the one that is given." 
Before this can happen, a fingerprint has to be captured. With Gemalto's card a person must go to a bank and have their fingerprint scanned at an in-store kiosk or tablet. 

Mastercard's Reany believes the company has found a way to make biometric cards more accessible. The firm has created a "sleeve" that's able to help record a person's fingerprint. Essentially, the device is a cardholder, which has a battery built into it.

A biometric card is inserted into the sleeve and power is provided to the card. The first time the sleeve is used, a person places their finger on the fingerprint scanner three times and a recording is made. A fingerprint is stored as an encrypted template of numbers, not a physical image of a fingerprint and the sleeve doesn't connect to the Internet of mobile data connections in any way. 

"If you think about this thing being a global product, not everyone is going to have a smartphone to help enroll with it," Reany says.

Each of Mastercard's biometric cards has the physical capacity to hold four different fingerprints. But, Reany says, as banks decide to use the biometric card in the real-world they will decide how many fingerprints should be stored. During the biometric card's development, Mastercard has had to rework how the sensor scans a finger. Reany says there are some "idiosyncrasies" in how people use their fingers. "Some people put the tip of the finger down like they do with an iPhone," he says. "Some people put their full finger down flat and some people were doing some finger rotation. 

"The early versions did not do well on the tip of the finger or the rotation of the finger. We had to go back and make the algorithms more powerful so they could account for that kind of thing." Each time a payment is authorised using a fingerprint, this information is also included in data sent as part of the transaction to help banks identify how money is being moved. 

Are they Needed?

"Biometrics is a way to make cards more secure to a large part of the planet that may not have access to smartphones today," says Peter Hahn, dean of the London Institute of Banking and Finance. "But you'd really wonder why someone who has a smartphone would need this." 

Hahn says biometrics are a positive step forward for banking security – which has moved from written signatures to chip and pin – but is unsure if the technology is needed everywhere in the world. For multiple years, it has been possible to pay with smartphones, wearable devices and contactless cards. Hahn adds: "Part of it is, is this about plastic trying to assure its viability when we really should be questioning why do we need plastic anymore at all? We've already got that step of security in a mobile."

But regardless of how much they're essential, biometric cards offer some benefits. There's the potential for card PINs to be stolen from databases by hackers. As far back as December 2013, there were attempts to steal credit card identification numbers. 

"There's not a honeypot of fingerprint data sitting in Mastercard or a bank somewhere waiting for hackers to get into it and compromise that information," Reany says. Berg adds: "The card avoids the need for a central database". 

Each fingerprint stored is saved on a card and their inability to be connected to the Internet means to be compromised a hacker would need physical access to the card. Biometric security solutions aren't infallible though, as Apple learned with its iPhone X facial recognition. Reany says Mastercard has tried to test against this. "Rubber fingers don't work, because there are, electrical capacitive sensing that is required," he says. 

Ultimately, payment companies are continuing to develop biometric bank cards and trials are getting bigger. At their very least, biometric cards will offer a slightly more convenient way to pay, but they may also evolve with increasing use of fingerprint technology in other areas of people's lives. As Berg says: "People forget their PINs but very rarely do you go out without your fingers."

Wired

You Might Also Read:

The Death of the Password Is Upon Us:

FBI Fingerprint Software Might Contain Russian code:


 

« Getting The Most From Investing In AI
Corporate Lawyers Brace For GDPR »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Egis Technology

Egis Technology

Egis specializes in the IC design, research and development, and the testing and sales of capacitive fingerprint sensor.

Computer Forensic Services

Computer Forensic Services

Computer Forensic Services are digital evidence specialists. Practice areas include Information Security, e-Discovery, Law Enforcement Support and Litigation.

Intelligent Business Solutions Cyprus (IBSCY)

Intelligent Business Solutions Cyprus (IBSCY)

IBSCY Ltd is a leading provider of total IT solutions and services in Cyprus specializing in the areas of cloud services and applications, systems integration, IT infrastructure and security.

Combis

Combis

COMBIS is a regional high-tech ICT company focused on the development of application, communication, security and system solutions and the provision of services.

Novastor

Novastor

NovaStor® is an award-winning, international data backup and recovery software company with solutions supporting physical, virtual and cloud environments.

Korn Ferry

Korn Ferry

Korn Ferry is a global organizational consulting firm, synchronizing strategy and talent to drive superior performance for our clients in key areas including cybersecurity.

Techfusion

Techfusion

Techfusion is a cyber security research and consulting firm focusing on digital forensics and data recovery.

ActZero

ActZero

ActZero’s security platform leverages proprietary AI-based systems and full-stack visibility to detect, analyze, contain, and disrupt threats.

Soteria

Soteria

Soteria is a global leader in the development, integration and implementation of advanced cyber security, intelligence and IT solutions, delivering complete end-to-end solutions.

Talion

Talion

Talion aim to reduce the complexity involved in securing your organisation and to give security teams unrivalled visibility into their security operations, so they can make optimal decisions, fast.

Tetrate.io

Tetrate.io

Tetrate Service Bridge provides enterprises with a consistent, unified way to connect and secure services across an entire mesh-managed environment.

Cyber Defense Technologies (CDT)

Cyber Defense Technologies (CDT)

Cyber Defense Technologies provides services and turn-key solutions to secure and maintain the integrity of your organization’s systems and data against attacks.

Splashtop

Splashtop

Splashtop’s cloud-based, secure, and easily managed remote access solution is increasingly replacing legacy approaches such as virtual private networks.

Cynical Technology

Cynical Technology

Cynical Technology is a Nepalese cybersecurity company with expertise in security consulting, auditing, testing and compliance.

at-yet (@-yet)

at-yet (@-yet)

at-yet are an interdisciplinary team of experts. We are all about achieving results, whatever the situation – an acute incident, risk minimisation, safeguarding or data protection.

Access Talent Today

Access Talent Today

Access Talent Today is an AI/ML and cyber security talent provider.