MasterCard adds fingerprint scanner to credit cards for spending sans the PIN MasterCard and Norwegian biometrics firm Zwipe have announced the first fingerprint-activated credit card that the companies hope will replace signatures and PINs. "Our belief is that we should be able to identify ourselves without having to use passwords or PIN numbers," said Ajay Bhalla, president of enterprise security …
Yup the thieves will cut off people's fingers to use with that stolen cards. With no time to check the cards, every robbery will become chop & run. A loss of fingers is a lifelong total loss of livelihood. The Lawsuits against MasterCard and the Banks will be huge and numerous.
I agree, this 'digital revolution' we don't need. The obvious solution is to go with a body part that's not so easy to swipe (so to speak). What about an iris scanner? Or would that be too bulky? Maybe a tongue print? It's really hard to cut out someone's tongue when they don't want you to. So very slippery...
I'd want to see not only that but since temperature can be mimicked (such as put the skin on like a glove) maybe add a pulse sensor? I guess that can be faked too... Maybe a combination such as retina scan and fingerprint might foil the bad guys/girls. Still, the idea of losing some body parts so someone can steal a few measly dollars is not appealing to me. I think I'll pass and just go with cash and maybe a check.
.....the fingerprint is compromised? When my password is leaked then I change it. When my fingerprint data are leaked then do I need plastic surgery.
Biometrics seem like a daft idea to me. If your BM data get stolen, or even just end up fat-fingerdly on a do-not-fly list then you're buggered - it's hard to change them and just as hard to get the erroneous data deleted from a foreign database. If I've just spent the week building a house or climbing millstone grit then my fingerprints will be virtually worn away. A serious onion-slicing incident could leave me cashless for weeks.
This is what I've never understood either.
Are we going to have to have fingers or eyes replaced once the data is compromised?
This is such a bad idea on so many levels.
Its the same with facial recognition too. Wasn't there a slew of bearded men being arrested for looking like bin Laden?
Biometrics just isn't a good idea. I don't have a solution, but I know it isn't this.
And not just the FBI. I go for a meal, I give the restaurant my card details (i.e. when i put it in the reader) and I leave my "PIN" on the cutlery, the wine glass, the card reader, ...etc.
I assume that my contract with Mastercard will replace "You agree never to write down your PIN" with "You agree never to leave your fingerprints on anything".
Of course, Mastercard don't care. They will play the "it was validated with your fingerprint therefore you must have been present" game.
You can see the "security experts" advice in a few years time:
To avoid cracking of your fingerprints you should change your fingers every three months. You should choose strong, long fingers, as randomly as possible. You should never leave your fingers attached to your monitor, best to keep them close at hand all the time.
You can:
a) copy fingerprints from just about any smooth surface... just as the credit card itself.
b) probably just circumvent the fingerprint reader as it's most likely a dedicated chip just sending a logic signal to the actual chip.
Biometry for authentication is a bad idea for so many reasons. It always was and it will ever be. It's a convenience feature at best.
A fundamental issue with biometrics (as with a national ID e.g. S Korea) is that they identify the user as a unique individual, and not simply as an authorised user, which means that many accounts can all be tied together by your friendly local Secret Police.
In many cases all that is needed is a means to authorise access to an account/credit card etc - with a pin or a password I can create an account and access it, but there is no link to other accounts. With a PIN on a credit card people can (in an emergency) lend the card to a friend or relative and let them use it, by telling them the PIN. Perfectly safe if it's someone you trust. I don't think I'd be willing to chop off a finger or pull out an eyeball so that a friend can get £100 out of the hole-in-the-wall for me!
the correct fingerprint is stored on the card and it is likely a canny thief could reprogram the card, or take a copy of the data stored on it.
This particular attack is very unlikely. EMV cards are quite good at preventing the leak of data stored in the chip (otherwise it would be easy to clone, and we don't hear much about that).
Making a gelatine "fake finger" from a fingerprint is relatively easy, and will defeat best mass market readers. It is easier than chopping off fingers. But still more difficult than simply eavesdropping on the pin entry.
A PIN is much easier to steal than a finger. As suggested above the threat to steal a finger is a route to stealing a PIN. El Reg readers are paranoid in the extreme. It is so obvious that a fingerprint, albeit not 100% secure is vastly superior to a PIN. Also you cannot forget your fingerprint. If you forget your PIN you probably have to remember who you thought was your best friend at school. Maybe easy if you are a kid of 23 but less easy if you are 73. Fingerprints every time for me.
Aside from all the dedigitification, there is one meaningful use case for fingerprint readers on cards, and that's as the activation method to make low-value contactless payments, which at the moment are totally unsecured (and as some Oystercard users discovered, liable to paying when you didn't mean to). No-one's going to cut off your finger for a chance at £20...
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
