A payment card featuring a fingerprint sensor has been unveiled by credit card provider Mastercard.
The rollout follows two successful trials in South Africa. The technology works in the same way as it does with mobile phone payments: users must have their finger over the sensor when making a purchase. Security experts have said that while using fingerprints is not foolproof, it is a “sensible” use of biometric technology.
Mastercard’s chief of safety and security, Ajay Bhalla, said that the fingerprint technology would help “to deliver additional convenience and security. It is not something that can be taken or replicated.” However, fingerprint sensors can be compromised.
“All it takes is one compromised fingerprint reader, which records the raw fingerprint observed, and your fingerprint is no longer secure. This is exactly how fraudsters compromise the ‘chip and PIN’ EMV credit card security. If you can’t trust the terminal used, you can’t be sure your fingerprint isn’t being stolen. Just the same as how you wouldn’t be wise to type your password on a (possibly keylogged) internet cafe computer.”
The best workaround is simply to not use fingerprint-based authentication. This might well be difficult – many countries record their citizens’ fingerprints. The existence of such databases means that if fingerprint-based login were ever to become popular, these databases would become immensely valuable targets for criminals, keen to gain immediate access to hundreds of millions of people’s accounts.
Karsten Nohl, chief scientist at Berlin’s Security Research Labs, told the BBC: “All I need is a glass or something you have touched in the past.”
He adds that if that information is stolen, “you only have nine fingerprint changes before you run out of options”.
But Mr Nohl is cautiously optimistic about the technology, saying it is “better than what we have at the moment”.
“With the combination of chip and PIN, the PIN is the weaker element. Using a fingerprint gets rid of that.”
“Fingerprints have helped us avoid using terrible passwords, and even the most gullible person is not going to cut off their finger if [a criminal] asks nicely.”
According to the report, no scanner is needed. The cards are thought to be the first to include both the digital template of the user’s fingerprint and the sensor required to read their fingerprints at the point of sale.
Previous biometric payment cards only worked when used in conjunction with a separate fingerprint scanner.
That limited their usefulness, as only stores with the correct equipment could accept them.
Having both the data and the scanner on the same card means that they should be accepted everywhere a normal chip and PIN payment card can be used.
But the biometric verification can only be used for in-store purchases: online and other so-called “card not present” transactions will still require further security measures.