Card arrived + suggestion


(Random Person) #1

This possibly isn’t economically viable, but anyway.
My card arrived today at my work address, and one of the chaps asked if he could try it out for me.
I said he couldn’t because it will only work when used in conjunction with my fingerprints. He believed me until I laughed.
Although it was a joke, is it a potentially viable addition to security, perhaps not this year or next?
:grin:


#2

(Random Person) #3

Bum! Oh well, at least it shows I had a good idea, even if it’s not original. :slight_smile:


(Hugh) #4

I would really like one of these! So much more secure than chip and pin


#5

I don’t know about that. While I think it’s a cool concept with lots of potential, I’d like to see this combined with (rather than instead of) PIN as an additional layer of security (I’m not too convinced of the security of fingerprints).

Even if we assume that fingerprint is more secure than PIN then that’s still of no use because of this:

The spokeswoman said the card is configured to expect the fingerprint for authenticating a purchase but does still have a PIN as a fall-back. “If the finger is too greasy or sweaty and the biometric doesn’t go through, the cardholder would experience a small delay and then asked to put in their PIN to complete the transaction,” she added. “The PIN also allows cardholders to use the card at ATMs globally.”

So, just lick your finger before you use a stolen fingerprint enabled card: The reader won’t read it, and ask you for the PIN as usual.

So, this specific implementation offers no additional security, but only additional convenience. Rather it offers less security, as one more potential attack vector is there. (I can now choose to either get someone’s PIN as before or their [replicated] fingerprint, depending on what is easier.)

I do think it would offer a vast improvement if fingerprint was mandatory for contactless, but this card doesn’t support contactless at all. (And even if it did, then I’m sure it would fall back to not requiring fingerprint for compatibility reasons.)

Additionally it has all sorts of other potential problems (gloves, sharing cards with spouses or even kids), but I think it’s a good idea and I’d love to see this developed.


#6

That would be bad news for those with dermatological problems that prevent them using fingertip readers; it should always be optional.


#7

True. There are many reasons why you can’t make the fingerprint mandatory (rain being one of the most trivial ones). Essentially that’s sort of my point: It doesn’t offer better security, unless you make it a required 2nd factor, and you can’t make it a required 2nd factor, so it only opens a 2nd attack vector. From a security perspective I don’t think you’d gain anything.

One could still argue that you could require fingerprint for contactless and then fall back to chip + pin if fingerprint is not available. But even then as you said you’d probably need to give customers an option to choose as there will be people who just can’t use fingerprints, and you can’t just ignore those.


(Hugh) #8

Hmm. Except that if there are 4 failed fingerprint auths at different POSes that would be a pretty good sign of fraud


(Random Person) #9

Perhaps they could use another part of their anatomy. :joy:
Ears are supposed to also be unique.


#10

My partner works in a dental lab where machinery removes his fingerprints in essence, he has enough trouble with his phone :joy:

I would pay money to watch him use this.


#11

A lot would depend on implementation I guess, and I don’t know what their plans are here. But an educated guess is that it would work similarly to current smart phone implementations: after x failed fingerprint authentications you are forced to authenticate by pin. One successful pin authentication resets the counter.

Fingerprint scanners are just too finicky (I constantly need to use my pin because my fingers are wet)

Again, you wouldn’t gain anything: someone who knows your PIN can still authenticate. Someone who doesn’t and doesn’t have the technique to duplicate your fingerprint (tip: it’s gonna be all over the card) or the disposition to cut off your finger, still can’t access your money. But the third and fourth group now have an opening.

The reason why fingerprints are great for phones is because the alternative is often nothing. For the card, though, a PIN is already mandated (and will continue to be mandated even after this may be rolled out).
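
The two mechanisms raised in posts #8 and #11, as an added example that is not part of any poster's message: a card-side failure counter that a successful PIN resets, next to an issuer-side check for failed fingerprint attempts at different terminals. The event format, the card and terminal names, and the rule that a successful fingerprint also resets the counter are assumptions; the sample events are constructed.

```python
from collections import defaultdict

FRAUD_THRESHOLD = 4  # post #8: failed fingerprint auths at different POSes

# Constructed sample events: (card, terminal, method, success)
EVENTS = [
    # card-A: fingerprint never reads, PIN fallback succeeds at four terminals
    ("card-A", "pos-1", "fingerprint", False), ("card-A", "pos-1", "pin", True),
    ("card-A", "pos-2", "fingerprint", False), ("card-A", "pos-2", "pin", True),
    ("card-A", "pos-3", "fingerprint", False), ("card-A", "pos-3", "pin", True),
    ("card-A", "pos-4", "fingerprint", False), ("card-A", "pos-4", "pin", True),
    # card-B: three failed reads at one terminal, then PIN
    ("card-B", "pos-1", "fingerprint", False),
    ("card-B", "pos-1", "fingerprint", False),
    ("card-B", "pos-1", "fingerprint", False),
    ("card-B", "pos-1", "pin", True),
    # card-C: occasional failures with a good read in between
    ("card-C", "pos-5", "fingerprint", False),
    ("card-C", "pos-6", "fingerprint", False),
    ("card-C", "pos-7", "fingerprint", True),
    ("card-C", "pos-8", "fingerprint", False),
]

def card_side_counter(events):
    """Counter guessed in post #11: failed fingerprints count up, and a
    successful PIN resets it (assumed here: a good fingerprint does too)."""
    counter = defaultdict(int)
    for card, _terminal, method, ok in events:
        if ok:
            counter[card] = 0
        elif method == "fingerprint":
            counter[card] += 1
    return dict(counter)

def flag_cards(events, threshold=FRAUD_THRESHOLD):
    """Issuer-side signal from post #8: distinct terminals with a failed
    fingerprint since the last good fingerprint. A successful PIN does not
    clear this, so the PIN fallback cannot hide the pattern."""
    failed_at = defaultdict(set)
    for card, terminal, method, ok in events:
        if method != "fingerprint":
            continue
        if ok:
            failed_at[card].clear()
        else:
            failed_at[card].add(terminal)
    return sorted(c for c, seen in failed_at.items() if len(seen) >= threshold)
```

On the sample data the card-side counter for card-A ends at zero because every PIN fallback resets it, while the issuer-side check still flags card-A and leaves card-B and card-C alone.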


(Hugh) #12

Yeah, I think that is the most important point here. If we didn’t have fingerprints on phones most people would just default to no pin at all…

So yes, in summary you are right! This won’t add anything really except cost and complexity.


#13

And convenience. That’s the reason why Mastercard are experimenting with this: More reasons to perform more purchases through their card. Easily offsets the cost for them.


(Jamie 🏳️‍🌈) #14

If your memorable identifying data is hacked (PIN, password) you just change it.

If your biometrical identifying data is hacked (fingerprint, iris, face) then you’ve been permanently hacked. You can’t change any of that stuff.


(Jedihomer Townend) #15

Yet :wink:

Biometric/Genetic manipulation can’t be far off