Your Next Bank Card is a Finger-Scanner

Visa and Mastercard have chips embedded in hundreds of millions of credit and debit cards around the world. They're used in more than 200 countries and process billions of payments each year. And they're both intent on creating bank cards that use your fingerprint instead of a PIN. 

Early trials of cards with fingerprint scanners built-in are underway and success could eventually result in the death of the humble PIN. 

"A four-digit PIN is pretty good security, obviously, six, seven or eight digits are better but it is very hard for people to remember," says Bob Reany, an executive vice president at Mastercard, who is working on the firm's biometric cards. "The security is going to be better than a PIN."

In April 2017, Mastercard started trialling a biometric card in South Africa. The card looks the same as any other bank card but has a small biometric scanner in the top right-hand corner. When a finger is placed on the sensor it is able to recognise if it is a match with stored data and authorise a payment.

Mastercard now has more trials running in Bulgaria and Reany says thousands of fingerprint-detecting cards will be trialled elsewhere in the world later this year. "We've gotten the algorithms in great shape, now we're doing matching on the native device where the template is captured, and we're ready to go to market at some scale," he says. 

Crucially, in the coming months, banks will be issuing them to regular customers for the first time. Reany won't reveal exactly where the cards will be given to people but says more announcements are coming. "I think you're going to see pockets of Europe go pretty quickly," Reany says of potential adoption.

Rival Visa is also testing biometric cards in Cyprus with the country's national bank. Security company Gemalto, which has been creating the cards for both of the major payment companies, says it has produced "tens of thousands" of biometric cards for tests.

"In some countries where they like the added security of a biometric, it could roll out pretty quickly," says Howard Berg, the managing director of Gemalto UK. He expects a "significant rollout in next couple of years".

Scanning a Finger

Biometric cards are a mashup of fingerprint scanners, similar to those that unlock smartphones and prove identity on them, and the technology used in chip and PIN bank cards. The cards all use a standard called EMV (named after its creators: Europay, MasterCard, Visa).

EMV technology stores a user's information on a card's chip and circuits. The system was developed to work both with cards that are inserted into a reader before the user enters their PIN and with contactless payment methods.

The payment terminals that cards are inserted into or held above are crucial to biometric cards working. Biometric cards don't include a battery and draw power from the card reader instead. This power is used to activate the fingerprint reader and allow it to work out whether the finger being scanned is the right one.

"The first thing that happens is the chip is looking for a biometric match," Gemalto's Berg says. "When the finger is put on the sensor that is sent to the chip, the chip takes a look at the fingerprint that is stored and compares it to the one that is given."

Before this can happen, a fingerprint has to be captured. With Gemalto's card a person must go to a bank and have their fingerprint scanned at an in-store kiosk or tablet.

Mastercard's Reany believes the company has found a way to make biometric cards more accessible. The firm has created a "sleeve" that's able to help record a person's fingerprint. Essentially, the device is a cardholder, which has a battery built into it.

A biometric card is inserted into the sleeve and power is provided to the card. The first time the sleeve is used, a person places their finger on the fingerprint scanner three times and a recording is made. A fingerprint is stored as an encrypted template of numbers, not a physical image of a fingerprint, and the sleeve doesn't connect to the Internet or mobile data connections in any way.

"If you think about this thing being a global product, not everyone is going to have a smartphone to help enroll with it," Reany says.

Each of Mastercard's biometric cards has the physical capacity to hold four different fingerprints. But, Reany says, as banks decide to use the biometric card in the real world, they will decide how many fingerprints should be stored. During the biometric card's development, Mastercard has had to rework how the sensor scans a finger. Reany says there are some "idiosyncrasies" in how people use their fingers. "Some people put the tip of the finger down like they do with an iPhone," he says. "Some people put their full finger down flat and some people were doing some finger rotation.

"The early versions did not do well on the tip of the finger or the rotation of the finger. We had to go back and make the algorithms more powerful so they could account for that kind of thing." Each time a payment is authorised using a fingerprint, this information is also included in data sent as part of the transaction to help banks identify how money is being moved. 

Are they Needed?

"Biometrics is a way to make cards more secure to a large part of the planet that may not have access to smartphones today," says Peter Hahn, dean of the London Institute of Banking and Finance. "But you'd really wonder why someone who has a smartphone would need this." 

Hahn says biometrics are a positive step forward for banking security – which has moved from written signatures to chip and PIN – but is unsure if the technology is needed everywhere in the world. For multiple years, it has been possible to pay with smartphones, wearable devices and contactless cards. Hahn adds: "Part of it is, is this about plastic trying to assure its viability when we really should be questioning why do we need plastic anymore at all? We've already got that step of security in a mobile."

But regardless of how essential they are, biometric cards offer some benefits. There's the potential for card PINs to be stolen from databases by hackers. As far back as December 2013, there were attempts to steal credit card identification numbers.

"There's not a honeypot of fingerprint data sitting in Mastercard or a bank somewhere waiting for hackers to get into it and compromise that information," Reany says. Berg adds: "The card avoids the need for a central database". 

Each fingerprint is stored on the card itself, and because the card cannot be connected to the Internet, a hacker would need physical access to the card to compromise it. Biometric security solutions aren't infallible though, as Apple learned with its iPhone X facial recognition. Reany says Mastercard has tried to test against this. "Rubber fingers don't work, because there are, electrical capacitive sensing that is required," he says.

Ultimately, payment companies are continuing to develop biometric bank cards and trials are getting bigger. At the very least, biometric cards will offer a slightly more convenient way to pay, but they may also evolve with increasing use of fingerprint technology in other areas of people's lives. As Berg says: "People forget their PINs but very rarely do you go out without your fingers."

Wired
