MasterCard Reveals Credit Card With Built-In Fingerprint Sensor

[arkitect]

How does this deliver additional convenience above Apple Pay or Google Wallet?

Because there is a significant amount of the population that doesn't use a smart phone capable of using Apple Pay or Google wallet.
And especially elderly people who may have difficulty recalling PIN numbers etc.

So yes, while I personally use Apple Pay daily and acknowledge that it has been a game changer for me, I do think there is potential for MasterCard's new tech.

 

[Fall Under Cerulean Kites]

And how well does it work when you are at a POS terminal that does not support Apple Pay? I believe there are more than a few still left on this planet.

And how well do you think that works for people who own non-Apple handsets?
[doublepost=1492695204][/doublepost]
It works when the POS terminal does not support those two protocols. It also works when the payor does not own a supported device or chooses not to use one. There are more than a handful of people on this planet who fit these categories.

Not everyone is blessed with your same hardware nor do they exclusively patronize shops that support Apple Pay/Google Pay/Samsung Pay, etc.

The world is a larger place than stores with Apple Pay.

Sounds like you don't get out much beyond your little bubble world. Do some international traveling and see how often you can use Apple Pay.

Any why do you have to be so darn snarky? “bubble world” and playing Captain Obvious?

How about I play Captain Obvious for you and ask WTF I should care if someone snags my credit card and cannot use it at a POS terminal? It can be used at a POS terminal that doesn’t support this fingerprint technology or can be used online. Regardless of any of the above, I’m still not liable for any fraudulent transactions.

Try being a decent human being and not just look for every chance you have to be a jerk to people. You might enjoy it. (Note, this is about your response to ‘Kaibelf’, who seemingly asked a simple question, to which you decided to go off on your bubble world rant.)

 

[sinsin07]

So how does this work? I'm guessing some sort of power would be needed? Does it get the power from the terminal when inserted maybe? And is my fingerprint stored on the card or in the cloud?

"No need for batteries in the card either, since the card can harvest power from existing terminals."
From:c|net

 

[John.B]

Just a friendly reminder: Fingerprints can't be changed like PINs or passwords.

Once that data is compromised, it's compromised for life.

 

[timber]

How does this deliver additional convenience above Apple Pay or Google Wallet?

It's very convenient not having to buy an almost one thousand $/€ phone before using.

 

[kdarling]

However, users of the card won't have the convenience or security that comes with registering their print with their smartphone.

Users of the card have less convenience getting the card registered, but more security afterwards since their fingerprint identity is validated by their bank.

With Apple Pay, fingerprint data is encrypted and protected with a key available only to the Secure Enclave on the user's iPhone. The Secure Enclave is walled off from the rest of the hardware and the OS, meaning iOS and other apps never have access to user fingerprint data, it's never stored on Apple servers, and never backed up to iCloud or anywhere else.

TouchID is never validated by a third party as being the fingerprint of the actual phone owner. Anyone with knowledge of the passcode (say, a thief who shoulder-surfed the owner) can change the prints registered with TouchID.

The biometric credit card has no such protections. Instead, the user must register their print with the bank or financial institution that issued the card, and while the fingerprint is encrypted on the card itself, it's still unclear what security and privacy measures are in place to deal with the registration process.

In other words, the fingerprint registered on the card is GUARANTEED to be that of the actual card owner, unlike with TouchID where there is no such guarantee, but simply a "good enough" likelihood of it being so.

That is a good point, and I do understand why someone would be hesitant about registering it. Though, if someone really wanted a fingerprint, I'm sure there are a million easier ways of obtaining it rather than hacking into wherever my bank stores the encrypted information.

That's assuming the bank even stores any fingerprint info. They have no need to, since the necessary info is put in the card's secure element (just like putting TouchID info in the secure enclave), not authenticated over the network.

 

[MrX8503]

I find it a bit funny that people are willing to trust banks with extremely personal information such as home address, social security number, and those very specific "recovery questions". Oh and let's not forget entire life savings. Yet when it comes to a fingerprint, that's where we draw the line.

I mean, I get it. I probably wouldn't use this either. But if you're uncomfortable sharing your fingerprint with your financial institution, maybe you shouldn't be sharing every other detail about your life with them, too.

I asked a friend why she didn't use Apple Pay. She said it scared her. Her reasoning was the fingerprint and using the camera to auto populate the credit card number on sign up.

I was dumbfounded. I never thought that great UX could scare people in the other direction.

 

[BeefCake 15]

Most places I go to in my area still have problems getting the chip technology to work.

They're going to make the process of paying so complicated until it becomes easier to go back to cash...

 

[Kaibelf]

And how well does it work when you are at a POS terminal that does not support Apple Pay? I believe there are more than a few still left on this planet.

And how well do you think that works for people who own non-Apple handsets?
[doublepost=1492695204][/doublepost]
It works when the POS terminal does not support those two protocols. It also works when the payor does not own a supported device or chooses not to use one. There are more than a handful of people on this planet who fit these categories.

Not everyone is blessed with your same hardware nor do they exclusively patronize shops that support Apple Pay/Google Pay/Samsung Pay, etc.

The world is a larger place than stores with Apple Pay.

Sounds like you don't get out much beyond your little bubble world. Do some international traveling and see how often you can use Apple Pay.

You can keep your personal attacks to yourself. I have done plenty of travel, including internationally, and I am also well aware that everything is transitioning to NFC due to the changes mandated by the industry, and this will only delay that unnecessarily.

 

[tmiw]

Some of the POS and ATM machines here in the USA do the same thing (swallow your card whole).

I've only seen that at ATMs here. What store sucks the card in?

You can keep your personal attacks to yourself. I have done plenty of travel, including internationally, and I am also well aware that everything is transitioning to NFC due to the changes mandated by the industry, and this will only delay that unnecessarily.

We're transitioning to EMV. NFC (usually) comes along for the ride, but not always. And there'll likely be a bunch of places where NFC will never be usable considering how much retailers hate the card networks.

 

[dontwalkhand]

Here in Switzerland, the cards are sucked into the machine at the POS point, so this is going to be an issue for this tech.. But good effort none the less.

In the US, the card still sticks partly out of the reader.. it was the same in the U.K., and Australia. What kind of weird card readers does Switzerland use? Now ATMs here do swallow the card whole, and looks like you're still going to be using a PIN there anyway. The old card readers at Target also used to swallow the card, the new ones are just a regular Verifone Chip card reader. Most card readers in the US look like this. Very easy to scan a fingerprint on the new MasterCard card if it ever makes it here to the US.
[doublepost=1492708612][/doublepost]

It won't go away anytime soon. Spend over £30 and you’r still putting card into reader.

No contactless limit in the US. I do realize other countries have low limits. Sad that stupid Walmart and Target are anti contactless and make you insert the card

 

[H2SO4]

In the US, the card still sticks partly out of the reader.. it was the same in the U.K., and Australia. What kind of weird card readers does Switzerland use? Now ATMs here do swallow the card whole, and looks like you're still going to be using a PIN there anyway. The old card readers at Target also used to swallow the card, the new ones are just a regular Verifone Chip card reader. Most card readers in the US look like this. Very easy to scan a fingerprint on the new MasterCard card if it ever makes it here to the US.
[doublepost=1492708612][/doublepost]
No contactless limit in the US. I do realize other countries have low limits. Sad that stupid Walmart and Target are anti contactless and make you insert the card

Well I must say, I never knew that. Having said that I’m sure Target and Walmart have their reasons and I don't begrudge them that anymore than I begrudge Apple locking others out of their hardware.

 

[kdarling]

So how does this work? I'm guessing some sort of power would be needed? Does it get the power from the terminal when inserted maybe?

Same as how insertable chip cards work today. They have power and data lines on the front of the card, which make contact with pins inside the POS terminal:

And is my fingerprint stored on the card or in the cloud?

As the article notes, "the fingerprint is encrypted on the card itself".

This is a more standalone method than the original fingerprint authentication proposal tested years ago in Europe, where the sensor was on the POS terminal and authenticated with a server. (Thus cards didn't need a sensor.)

I asked a friend why she didn't use Apple Pay. She said it scared her. Her reasoning was the fingerprint and using the camera to auto populate the credit card number on sign up.

I was dumbfounded. I never thought that great UX could scare people in the other direction.

Yes, Apple and others have done a poor job of educating the public. For instance, a recent survey in the UK found that:

While 40% of the surveyed UK adults felt that Apple Pay was secure, 42% thought it was not. And this is in a country with years of EMV behind it.

As I've pointed out before, this is not unique to Apple Pay. Many people think the same thing of regular contactless cards. The percentage who distrust contactless payments rises the further you get from large cities where people have a greater use for the convenience and speed.

 

[CarlJ]

The problem I see here is that the parts budget both in terms of cost and physical volume, is way, way, smaller for putting this tech into a credit card than it is for putting TouchID into a phone or tablet, so I expect they'll have a very difficult time making it as secure and reliable as TouchID.
[doublepost=1492711568][/doublepost]

While 40% of the surveyed UK adults felt that Apple Pay was secure, 42% thought it was not. And this is in a country with years of EMV behind it.

Wow, that's crazymaking - I trust Apple Pay a lot more than old-style credit cards, because: a) seemingly very effective and well-thought-out biometrics, and b) it authorizes only that single transaction, without leaving behind my actual card number.

The "new" chip cards seem like a small step forward in security combined with a substantial step back in convenience (having to leave the card in the reader until the very end, leading to a greater chance of leaving the card behind, leading to the car alarm-style "reminder beeps" that a lot of the readers use when you can finally remove your card - why not play a more friendly confirmation tone first, and then resort to the car alarm "YOU'RE GETTING IT WRONG!!1!" tone five seconds later if you haven't removed the card? That'd make the obnoxious tone more attention grabbing, because it would actually indicate a problem, rather than going off continuously, all day, in every store).

The new combined NFC/chip terminals many places are using are at least making the barrier to supporting NFC payments lower, so more places seem to be slowly adding it. I'm guessing this new card design is less about security, directly, and more a play by the credit card companies to maintain a direct connection to the public, without Apple/Google/Samsung/etc. acting as an intermediary.
[doublepost=1492711819][/doublepost]

No contactless limit in the US. I do realize other countries have low limits. Sad that stupid Walmart and Target are anti contactless and make you insert the card

I have heard that Target is on their way to supporting NFC (and/or Apple Pay, don't recall which was stated), now that the timer on their commitment to CurrentC has run out (if I understand correctly). Can't say either way about Walmart - I actively avoid them.
[doublepost=1492712033][/doublepost]

I asked a friend why she didn't use Apple Pay. She said it scared her. Her reasoning was the fingerprint and using the camera to auto populate the credit card number on sign up.

I was dumbfounded. I never thought that great UX could scare people in the other direction.

Jay Leno used to have a joke about buying his parents a fancy TV with one of those then-newfangled remote controls, and then being unable to find the remote when he visited, and his mother saying, "oh, your father put it in a drawer - he was afraid it would start a fire."

 

[JamieLannister]

I have to say this is utterly limited to those who do not have smartphones with some sort of NFC/MST functionality. Of course I don't know if this is limited to the USA demographic only or is this to be released internationally. I can see a small % of people using this who don't have a payment system on their devices.

Now in the USA, samsung pay is #1. Been using it 95% of the places and have not even pulled out my wallet for over a year. Tons of cash back perks from using it as well and it's just so convenient to go to Ikea, mom and pop teriyaki joints, mall food stalls, eye glass salons, sun tan parlors, basically everywhere swipe card is used instead of NFC samsung pay has never disappointed.

So it doesn't even matter to people like myself if they come out with new payment systems because as long as MST is used, samsung pay is there to work. If not, then samsung pay still works with NFC. Best of both worlds!

 

[kdarling]

The problem I see here is that the parts budget both in terms of cost and physical volume, is way, way, smaller for putting this tech into a credit card than it is for putting TouchID into a phone or tablet, so I expect they'll have a very difficult time making it as secure and reliable as TouchID.

On the contrary, the available square area inside something the size of a credit card is way, WAY more than Touch ID gets. Plus it gets external power. Think about it

In fact, there's room for a full finger tip sized sensor, versus the partial finger tip area allotted to Touch Id.

A lot of people don't realize how powerful their chip cards are. Chips and phone SIMs share a common heritage.

They're often based on ARM processors with up to a few megabytes of RAM and Flash. They include custom encyrption math coprocessors (for authenticating phone calls in SIMs and payments in cards). They have a secure area for storing all the data and all the programs (which are often written in Java).

Heck, chip cards are the ultimately thinnest personal wallet computers. Jon Ive must be jealous

Granted, it probably requires a more head on finger touch, but as articles point out, that's easy since it's natural to hold your thumb over that area while inserting the card into a reader. (see above)

Wow, that's crazymaking -

Yep, amazing that so many people distrust contactless cards. I think it's because of all the articles years ago about the old RFID non-encrypted cards which could be read from far away. Remember shielded wallets?

I trust Apple Pay a lot more than old-style credit cards, because: a) seemingly very effective and well-thought-out biometrics, and b) it authorizes only that single transaction, without leaving behind my actual card number.

Apple Pay, being standard EMV NFC, is simply an emulation of a contactless chip card... which has always done a single transaction authentication. It's the whole point of a chip card, contactless or not.

Which is exactly why people should love this new card as well. And if people start to trust it, then that should help mobile phone payments as well.

 

[iReality85]

As some have said, it looks great on paper, but what about in widespread practice? I know it was field tested, but for how long?

I speak as guy. I keep my wallet in my back pocket. My cards get scuffed, bent, and even cracked/torn (yeah ladies, the struggle is real for us men with wallets ), and I don't even really keep a 'thick' wallet full of cards. How damageable is the sensor?

Also, to work best it'd require all vendors transition over to the new chip readers. I imagine it doesn't really work well in practice with swipers, or for that matter feeders (ATMS).

That all said, I do like the idea of a fingerprint sensor on the card as it seems well-placed. And touching public keypads and touchscreens is about the grossest thing ever. Every time I'm asked to sign a touchscreen for signature and they don't have a pen (for whatever reason, or "use your finger"), I want to hurl.

 

[RobQuads]

If this helps me use a contactless card to pay for sums higher than £30 I'd be happy. (UK transaction limit)

Apple Pay can already do that if the merchant supports it - https://9to5mac.com/2016/06/03/apple-pay-uk-unlimited-value-purchases/

Just depends on how long it takes all retailers to fully support Apple Pay

 

[CarlJ]

On the contrary, the available square area inside something the size of a credit card is way, WAY more than Touch ID gets. Plus it gets external power. Think about it

1) Apple had the opportunity to make TouchID take as much space as they deemed necessary, while credit card companies were much more boxed in by a specific hard form factor. 2) Credit cards are really severely lacking in that third dimension, volume, not just area. Given that the circuitry can't use the whole thickness of the card (because there still has to be card there), and that credit cards are much more subject to flex than rigid phones, it's a difficult problem. Not saying it can't be done, just that I'm concerned the restraints may have led to cutting corners.

Yep, amazing that so many people distrust contactless cards. I think it's because of all the articles years ago about the old RFID non-encrypted cards which could be read from far away. Remember shielded wallets?

Remember? Yes. I still have a sleeve on my circa-mid-last-decade passport because it is said to contain an RFID chip.

Apple Pay, being standard EMV NFC, is simply an emulation of a contactless chip card... which has always done a single transaction authentication. It's the whole point of a chip card, contactless or not.

All fair points, but I was comparing to the old-school mag stripe cards, which is what the majority of Americans have long-term experience with at this point, and what was state-of-the-art / current best practice when Apple Pay first shipped.

 

[solipsism]

On the contrary, the available square area inside something the size of a credit card is way, WAY more than Touch ID gets. Plus it gets external power. Think about it

Are you relaying saying that a credit card has more area than an iPhone Home Button so a credit card with a finger printer reader is inherently more secure? That's a ridiculous assumption. First of all, area is a single metric, and you're not considering the complexity and thickness of the chips in Touch ID and NFC. You're also not considering that they won't use the entire area of a credit card, or that the external power is a concern for security since you need the card to power on and be able to validate the user quickly. Apple and other smartphone vendors on the other hand, have considerably more volume and power in which to make their systems more secure without worrying about available power or speed because they're limited to a credit card size thickness, a low power ceiling, and small timeframe in which to boot the system.

And since a passcode always has to be a 100% match while biometrics have to do statistical probability, you get a biometric that will shutdown after too many failed responses. 5 in the case of the iPhone. How exactly does MasterCard solve that issue? How long before someone lifts a print from one of these cards to authentic that card? What happens when the card is compromised (compare this to when an iPhone is lost and you still have access to physical cards, as well it not affecting Apple Pay on your Watch, iPad, or Mac because they are unique representational numbers, not your physical card number)?

Apple Pay, being standard EMV NFC, is simply an emulation of a contactless chip card... which has always done a single transaction authentication. It's the whole point of a chip card, contactless or not.

Which is exactly why people should love this new card as well. And if people start to trust it, then that should help mobile phone payments as well.

It's not standard and *Pay is considerably more secure than this card because you're not sending your fingerprint data to any company, and *Pay is more secure than any chip card because you're never using your physical card number when making a transaction via *Pay

 

[ignatius345]

Seems like a big waste of resources, cramming all that hardware into millions and millions of cards.

 

[solipsism]

Because there is a significant amount of the population that doesn't use a smart phone capable of using Apple Pay or Google wallet.
And especially elderly people who may have difficulty recalling PIN numbers etc.

So yes, while I personally use Apple Pay daily and acknowledge that it has been a game changer for me, I do think there is potential for MasterCard's new tech.

The elderly are the least likely to universally accept this tech. One, because it's new and requires some addtional effort to set up; and two, because they don't have finger prints that are great for the current state of the art, and I didn't read anything about MC making that a focal point of that tech.

The tech will get more intelligent, more features, and be able to process more as time moves on, but something like TouchID will likely take advantage of that before this disposable card will. Remember, Apple can fold their Touch ID Tech into a much large device so the cost is effectively nil.

 

[kdarling]

Are you relaying saying that a credit card has more area than an iPhone Home Button so a credit card with a finger printer reader is inherently more secure?

No, you said that.

I said that there's plenty of room for electronics in a credit card factor. Apparently a lot more room than Apple has left over in their phones, judging from their removal of the headphone jack.

You seem to think that chips are always thick. They're not. What you see are cases which are big to allow lots of I/O and control line connections, something a chip card does not need.

That's a ridiculous assumption. First of all, area is a single metric, and you're not considering the complexity and thickness of the chips in Touch ID and NFC.

What's ridiculous is that you've apparently forgotten (or never knew) that Apple Pay, like every other such NFC solution, electronically emulates a physical contactless chip card, of which there are millions in use. In other words, chip cards by definition already have everything they need to do the payment processing, using much smaller parts than in the iPhone.

Chip cards already contain an embedded microcontroller that does secure payments. If they needed more power for processing fingerprints, it would not be difficult to upgrade, as has been done before.

Common credit cards are 0.76mm thick. Their CPUs are about 0.4mm thick. According to Wikipedia, the Touch Id sensor is just 0.17mm thick. You could pile four of them on top of each other inside the thickness of a card.

And since a passcode always has to be a 100% match while biometrics have to do statistical probability, you get a biometric that will shutdown after too many failed responses. 5 in the case of the iPhone. How exactly does MasterCard solve that issue?

Easy. EMV already has authentication fallbacks in place. The card would simply tell the terminal to request a PIN, instead. Somewhat similar to the way that Apple Pay requests a passcode in that case.

How long before someone lifts a print from one of these cards to authentic that card?

Ha. Probably the same amount of time it took before someone used a fake print to fool Touch Id. Days.

It's not standard

On the contrary, the reason why Apple Pay works anywhere regular cards do is precisely because it follows EMV standards. Including the optional tokenization. Apple did not invent any of the payment transaction method.

*Pay is considerably more secure than this card because you're not sending your fingerprint data to any company,

Neither does this card.

*Pay is more secure than any chip card because you're never using your physical card number when making a transaction via *Pay

There's nothing preventing a card from using a token account number as well. In fact, there have been credit cards that did.