MasterCard Reveals Credit Card With Built-In Fingerprint Sensor

[MacRumors]

MasterCard today unveiled a biometric chip-and-pin credit card featuring a built-in fingerprint sensor that takes cues from mobile payment systems such as Apple Pay.

The card can be used to make purchases like any other, except rather than keying in a PIN number, card holders can choose to place their finger over the square sensor to approve the transaction.

Alternatively, users can take a two-tier authentication approach and use both their PIN and fingerprint to approve the purchase. However, users of the card won't have the convenience or security that comes with registering their print with their smartphone.

With Apple Pay, fingerprint data is encrypted and protected with a key available only to the Secure Enclave on the user's iPhone. The Secure Enclave is walled off from the rest of the hardware and the OS, meaning iOS and other apps never have access to user fingerprint data, it's never stored on Apple servers, and never backed up to iCloud or anywhere else.

The biometric credit card has no such protections. Instead, the user must register their print with the bank or financial institution that issued the card, and while the fingerprint is encrypted on the card itself, it's still unclear what security and privacy measures are in place to deal with the registration process.

Despite those concerns, Mastercard's chief of safety and security, Ajay Bhalla, said that the fingerprint technology was "not something that can be taken or replicated", and that the biometric card would help "to deliver additional convenience and security".

MasterCard plans to roll out the cards in Europe and the Asia Pacific region soon, following successful tests in South Africa through Barclays subsidiary Absa and supermarket Pick n Pay.

Article Link: MasterCard Reveals Credit Card With Built-In Fingerprint Sensor

 

[Nimrad]

So how does this work? I'm guessing some sort of power would be needed? Does it get the power from the terminal when inserted maybe? And is my fingerprint stored on the card or in the cloud?

 

[Jyby]

Science Rules!

 

[timmyh]

So how does this work? I'm guessing some sort of power would be needed? Does it get the power from the terminal when inserted maybe? And is my fingerprint stored on the card or in the cloud?

MasterCard only offered this explanation:

"A cardholder enrolls their card by simply registering with their financial institution. Upon registration, their fingerprint is converted into an encrypted digital template that is stored on the card. The card is now ready to be used at any EMV card terminal globally.

When shopping and paying in-store, the biometric card works like any other chip card. The cardholder simply dips the card into a retailer’s terminal while placing their finger on the embedded sensor. The fingerprint is verified against the template and – if the biometrics match – the cardholder is successfully authenticated and the transaction can then be approved with the card never leaving the consumer’s hand."

 

[W2u7Yw4HaD]

Here in Switzerland, the cards are sucked into the machine at the POS point, so this is going to be an issue for this tech.. But good effort none the less.

 

[arkitect]

If this helps me use a contactless card to pay for sums higher than £30 I'd be happy. (UK transaction limit)

 

[maflynn]

On paper it seems like a good idea, but in practice, I'm not so sure.

What about readers that pull a card in and don't give you the option to hold the sensor? My credit cards are scratched and marked up from being in my wallet, I can see the sensor being just as scuffed up. I'd rather not be fumbling at a register trying to buy something and because I have scratches on the my credit card I cannot use that card.

Also I'm not about to give my bank my fingerprint.

 

[JohnApples]

I find it a bit funny that people are willing to trust banks with extremely personal information such as home address, social security number, and those very specific "recovery questions". Oh and let's not forget entire life savings. Yet when it comes to a fingerprint, that's where we draw the line.

I mean, I get it. I probably wouldn't use this either. But if you're uncomfortable sharing your fingerprint with your financial institution, maybe you shouldn't be sharing every other detail about your life with them, too.

EDIT: alright folks I get it! You can change the other stuff but you can't change your fingerprint! Please stop quoting me!

 

[allenvanhellen]

Not that I lose credit cards very often, but unless their chip is as secure as the Secure Enclave in an iPhone chip, I don't want to walk around with a hackable piece of plastic that has my print on it.

 

[H2SO4]

I find it a bit funny that people are willing to trust banks with extremely personal information such as home address, social security number, and those very specific "recovery questions". Oh and let's not forget entire life savings. Yet when it comes to a fingerprint, that's where we draw the line.

I mean, I get it. I probably wouldn't use this either. But if you're uncomfortable sharing your fingerprint with your financial institution, maybe you shouldn't be sharing every other detail about your life with them, too.

Yep, and an increasing number of workplaces are requiring biometrics also but this is very rarely questioned. A difficult balance to strike though.

 

[69650]

My dad had dementia and could never remember his PIN number so this would have been ideal.

 

[BrettArchibald]

Oh, so you still have to put the card INTO the card reader...?
Meh. Pass.
It's just more convenient to wave my phone in the general vicinity of the card reader instead.
It's also a lot more convenient to pull my phone out of my pocket and then stick it back afterwards (2 steps) than take my wallet out my pocket, take my card out of my wallet, put the card in the reader, take the card out the reader, put my card back into my wallet and then put my wallet back in my pocket (6 steps).

 

[NT1440]

Yea...not going to trust MasterCard with my fingerprint. I understand the security built into TouchID.

I don't even trust MasterCard to begin with.

 

[H2SO4]

Oh, so you still have to put the card INTO the card reader...?
Meh. Pass.
It's just more convenient to stick my phone in the general vicinity of the card reader instead.
It's also more convenient to pull my phone out of my pocket and then stick it back afterwards (2 steps) than take my wallet out my pocket, take my card out of my wallet, put my card back into my wallet and then put my wallet back in my pocket (4 steps).

It won't go away anytime soon. Spend over £30 and you’r still putting card into reader.

 

[doelcm82]

If this helps me use a contactless card to pay for sums higher than £30 I'd be happy. (UK transaction limit)

I don't see how it would. These don't appear to be contactless cards.

 

[ratbastard]

I find it a bit funny that people are willing to trust banks with extremely personal information such as home address, social security number, and those very specific "recovery questions". Oh and let's not forget entire life savings. Yet when it comes to a fingerprint, that's where we draw the line.

I mean, I get it. I probably wouldn't use this either. But if you're uncomfortable sharing your fingerprint with your financial institution, maybe you shouldn't be sharing every other detail about your life with them, too.

The difference, in my opinion, is that you can change your password, you can generally recover lost funds & you can even legally change your name, but your fingerprint is forever. A powerful acid wash may be able to remove it but it remains unchanged - it is always your fingerprint.

ratbastard

 

[JohnApples]

The difference, in my opinion, is that you can change your password, you can generally recover lost funds & you can even legally change your name, but your fingerprint is forever. A powerful acid wash may be able to remove it but it remains unchanged - it is always your fingerprint.

ratbastard

That is a good point, and I do understand why someone would be hesitant about registering it. Though, if someone really wanted a fingerprint, I'm sure there are a million easier ways of obtaining it rather than hacking into wherever my bank stores the encrypted information.

 

[Robert.Walter]

Here in Switzerland, the cards are sucked into the machine at the POS point, so this is going to be an issue for this tech.. But good effort none the less.

What major retailer are you thinking of? I haven't seen this since Coop Pronto upgraded to new POS terminals a year ago. ATMs still do it but merchants not so much. (I'm mostly using Apple Pay and would never change to MC's new scheme.)
[doublepost=1492691077][/doublepost]

I find it a bit funny that people are willing to trust banks with extremely personal information such as home address, social security number, and those very specific "recovery questions". Oh and let's not forget entire life savings. Yet when it comes to a fingerprint, that's where we draw the line.

I mean, I get it. I probably wouldn't use this either. But if you're uncomfortable sharing your fingerprint with your financial institution, maybe you shouldn't be sharing every other detail about your life with them, too.

Rubbish.

Unlike the rest, you can't sue the bank to return it and can't change your fingerprint once lost.
[doublepost=1492691221][/doublepost]

Not that I lose credit cards very often, but unless their chip is as secure as the Secure Enclave in an iPhone chip, I don't want to walk around with a hackable piece of plastic that has my print on it.

That's probably not the case. But the risk is that the more institutions that have your print on file, the greater your exposure footprint and chance for loss of a non replaceable item.

Local storage in secure enclave eliminates that greater risk.
[doublepost=1492691396][/doublepost]

It won't go away anytime soon. Spend over £30 and you’r still putting card into reader.

This also leads me to believe that the limit on Apple Pay transactions is artificially low not for safety but for cartel competition reasons (make cards like this viable.)
[doublepost=1492691623][/doublepost]

That is a good point, and I do understand why someone would be hesitant about registering it. Though, if someone really wanted a fingerprint, I'm sure there are a million easier ways of obtaining it rather than hacking into wherever my bank stores the encrypted information.

Wrong way of looking at it. You are thinking in terms of somebody directly targeting you as opposed to bulk gathering of fingerprint data.

Direct is unlikely for most, but bulk is a risk for all and either way, you are equally hosed.

 

[maflynn]

I find it a bit funny that people are willing to trust banks with extremely personal information such as home address, social security number, and those very specific "recovery questions". Oh and let's not forget entire life savings. Yet when it comes to a fingerprint, that's where we draw the line.

Because those items can be removed, or changed. Yet a fingerprint is a physical attribute that you cannot change, and if compromised offers a world of hurt for the victims of identity theft.

Banks have our money, but its protected and guaranteed by the federal government. The banks can be compelled to remove our personal information but if leaked our finger prints cannot be changed.

Just because I trust the bank to hold my money, doesn't mean that trust extends to them having and protecting my fingerprints.

 

[Sasparilla]

Interesting technology. However your fingerprint (which is for life) is now with the bank - where it can be stolen (or shared with the government if you care about that - law passed in the U.S. last year authorizes that).

You just do not want to be giving companies biometric data if you can help it, cause it will get stolen and then you'll get to deal with those consequences for the rest of your life cause you can't change them.

 

[Fall Under Cerulean Kites]

I already have a fingerprint sensor for my credit card. It’s called Apple Pay.

 

[chr1s60]

So it sounds like the card turns your fingerprint into a unique PIN and that is essentially what is transmitted when the correct print is read. Seems like a decent idea, the big issue comes when the regular wear and tear starts hitting the card from being pulled in and out of a wallet/purse throughout daily life. The other issue is the protection of the actual fingerprint. If they made it work where somehow only the card itself memorized the print and sent out the unique PIN to the card reader and no other data was transferred it could work. Think of it kind of similar to how the iPhone or any cell phone recognizes a print. No clue if that could be done through a credit card, but it would seem safe if executed that way.

 

[Bart Kela]

Here in Switzerland, the cards are sucked into the machine at the POS point, so this is going to be an issue for this tech.. But good effort none the less.

Some of the POS and ATM machines here in the USA do the same thing (swallow your card whole).

 

[Kaibelf]

How does this deliver additional convenience above Apple Pay or Google Wallet?

 

[Bart Kela]

I already have a fingerprint sensor for my credit card. It’s called Apple Pay.

And how well does it work when you are at a POS terminal that does not support Apple Pay? I believe there are more than a few still left on this planet.

And how well do you think that works for people who own non-Apple handsets?
[doublepost=1492695204][/doublepost]

How does this deliver additional convenience above Apple Pay or Google Wallet?

It works when the POS terminal does not support those two protocols. It also works when the payor does not own a supported device or chooses not to use one. There are more than a handful of people on this planet who fit these categories.

Not everyone is blessed with your same hardware nor do they exclusively patronize shops that support Apple Pay/Google Pay/Samsung Pay, etc.

The world is a larger place than stores with Apple Pay.

Sounds like you don't get out much beyond your little bubble world. Do some international traveling and see how often you can use Apple Pay.