Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Vietnamese Bank Issues Fingerprint-Enabled Debit Cards

timothy posted about 2 years ago | from the can't-come-soon-enough dept.

Security 36

sweetpea86 writes "Mekong Development has become the first bank in Vietnam to launch fingerprint authentication enabled debit cards. Fingerprints are captured by Mekong Development at the point of opening an account, and then can be used, instead of a pin, to access funds. Not only has Mekong's account base tripled through the use of fingerprint technology since its launch in June, but the deposit balance per debit card account is two times higher than a regular account."

cancel ×

36 comments

Great (5, Funny)

Antipater (2053064) | about 2 years ago | (#40906371)

Now I can't even eat cheetos anymore without giving away my bank pin!

Great (4, Insightful)

NettiWelho (1147351) | about 2 years ago | (#40906401)

So now, instead of just having to worry about your card getting lifted they will also want to chop off your fingers?

Re:Great (4, Interesting)

ColdWetDog (752185) | about 2 years ago | (#40906441)

So now, instead of just having to worry about your card getting lifted they will also want to chop off your fingers?

No need for the violence. You don't even need [blogspot.com] to have the victim in the room.

(Do not attempt. Professional Driver on a Closed Course. Do Not Try This at Home. Your Mileage May Vary. Do Not Taunt Happy Fun Ball.)

Re:Great (2)

TheCarp (96830) | about 2 years ago | (#40906963)

A few assumptions there, not the least of which is intelligent criminals.

That said, I think both this and the original post miss the point. I doubg jacking people's fingers for card robberies is going to happen. It requires the criminal to not only be willing to steal a card and info, but, to actually harm someone who is complying with them.... less people will be willing, especially isnce it will be a more heinous crime if they are caught.

What this really does, and I think will do well, is put a stop to wholesale theft. This doesn't foil the guy who robs you at gun point, he will ALWAYS get what he wants (even if it means you personally withdrawing the cash, and keeping your finger).

who it foils is the guy who disguises a card reader and camera to steal your stripe info and pin. Now get can get the mag stripe but the pin is your fingerprint. Can he recreate it from video? Maybe, sometimes. It wont be as fast, or easy.,..and will require him to retool to do it... it probably kills his business.

I doubt it totally kills the fraud and theft...but raises the bar on bulk theft.

Re:Great (0)

Anonymous Coward | about 2 years ago | (#40907021)

If he can hide a card reader then he can have a duplicate fingerprint reader.

Re:Great (1)

dark12222000 (1076451) | about 2 years ago | (#40907657)

Fingerprint readers are a lot more expensive then a card reader. It's also trivial to install a second magstripe in an existing card reader, but it's a lot harder to mess with a fingerprint reader. Fingerprints aren't perfect (and fingerprint readers can certainly be broken), but they are a big step up from 4 or 6 numbers.

Re:Great (1)

TheCarp (96830) | about 2 years ago | (#40907667)

Thats a really good point, I hadn't thought of that. Perhaps the card needs the card reader? Smart card, with built in finger print reader, and using a challenge/response authentication, so that a sniffer in the middle can't just grab static data and reuse it?

Huge increase in complexity and cost, but, I don't know if there is a way around it for this problem set.

Well... at least in terms of shutting it down. In terms of keeping them away from your bank, it probably works very well. Why would you produce such a device if only one or two banks even use it?

Of course, that means its like the old platform/virus debate. "I use X platform because there are no viruses, or very few". "There are very few viruses for X platform because so few people use it, if more people thought like you, then the virus writters would change targets, because it would become worth it to do".

Re:Great (1)

mcgrew (92797) | about 2 years ago | (#40907943)

A few assumptions there, not the least of which is intelligent criminals.

Since nine out of ten crimes go unsolved, I'd say 90% of the criminals are smarter than the cops.

What this really does, and I think will do well, is put a stop to wholesale theft.

Unless the technology has improved greatly in the last few years, it can be defeated with a gummy bear. IMO the best tech, from a consumer point of view (not from a bank, obviously) is the old fashioned paper and carbon with a signature. They have the added advantage of working when there's no electricity; a few stores were open after the tornados here and you can still use that tech (my then-girlfriend needed cat food, the pet store took her card after digging out an old reader).

Of course, again, this will slow down the process and the banks won't earn as much money, so don't count on going back to that old tech.

Re:Great (1)

TheCarp (96830) | about 2 years ago | (#40908547)

I think the other poster who pointed out that finger print readers wouldn't be hard to add, if they are already doing hidden cameras and card readers, really hit the nail on the head.

Gummy bears are fine, but realise, the "gummy bear" trick is still a lot more effort than watching a video and seeing what numbers someone hit. I would bet you could review 10s of videos in the time it would take to produce 1 good fingerprint from any of these methods.

I don't mean it will never happen. Everything will happen. Somebody WILL use a gummy bear to copy a finger print.

The thing is.... the few people doing that, whether they get caught or not, probably are not an issue. They are putting effort into single robberies. They suck, and stopping/catching them would be great but... they don't effect nearly as many people or as much money overall as a systematic skimmer.

Who cares about the one off, who maybe hits one a day or every few days, when there are people skimming 10s or 100s in a day, every day?

Or to put it another way from an old systems security discussion we had at an old job. "If we have a knowledgable attacker going after us personally, we already have bigger issues than we can deal with or prepare for in this discussion".

That is... one guy, who puts effort into a target and wants to steal from that target, he is going to find a way. Maybe he uses gummies, maybe he enlists an unknown to take it by force, maybe he does any number of things. He chooses the time, the place, the action.

However, you CAN much more easily take steps to protect yourself from the "script kiddies", or anyone who just casts a wide net and trolls for hits.... and given how the numbers work, that tends to be a good starting point....because its unlikely that any individual gets the attention of a determined, intelligent attacker.... but nearly everyone ends up running into some manner of wide net phishing attempt.

Re:Great (1)

mrmeval (662166) | about 2 years ago | (#40910631)

Yes as I've said before and I'll say again the hard part about biometrics is keeping the body parts alive.

Re:Great (1)

AmiMoJo (196126) | about 2 years ago | (#40910679)

Don't worry, the card will be covered in your prints anyway. They are not hard to lift and clone.

Years ago I had a work laptop where they insisted I used the fingerprint reader. Then I cut my finger and was forced to go back to a password. It would suck if I couldn't access my money.

Biometrics are not secrets (4, Informative)

dido (9125) | about 2 years ago | (#40906417)

I do hope that they back it up with a PIN, making it full three-factor authentication. While biometrics are useful in being unique identifiers, they are not secrets [schneier.com] . An attacker could use the gummi bear fingerprint technique [schneier.com] using latent fingerprints extracted from a stolen card...

Re:Biometrics are not secrets (1)

jdastrup (1075795) | about 2 years ago | (#40906491)

Your're missing the point. The bank has more customers and is holding more of their customers money. Regardless of how more or less secure it is, the bank's decision is working. If it required a PIN and a fingerprint, the bank may have lost customers, but I could be wrong, don't know, market research may have already figured it out.

Re:Biometrics are not secrets (1)

fuzzyfuzzyfungus (1223518) | about 2 years ago | (#40907013)

So long as liability follows responsibility... Taking calculated risks, like offering unsecured or partially/illiquidly secured loans, or going with lousy-but-convenient UX choices, is one of the things that banks do because they turn out to be profitable if you do them right. As long as they accept the downsides of that, like the occasional default or account breach, that isn't a problem and might well be a virtue.

If, however, they manage to insulate themselves from those consequences, whether by wholesale regulatory capture or routine customer service brush-offs of the suckers whose cards were skimmed and cleaned out, the rot begins.

Re:Biometrics are not secrets (1)

TheLink (130905) | about 2 years ago | (#40908545)

The banks are just shifting more and more risks and responsibilities for losses to their customers.

They prefer to call stuff ID Theft rather than some sort of fraud. Since with ID Theft it's their customer's problem, whereas with fraud it might be their problem.

They also prefer debit cards. With credit cards, when "stuff happens", it's not my money that's gone, it's someone else's. They may try to get the money from me, but meanwhile I have my money. Whereas with debit cards, when "stuff happens" it's my money that's gone. In theory I might legally be entitled to get it back, but meanwhile I have lost my money.

Re:Biometrics are not secrets (5, Interesting)

fahrbot-bot (874524) | about 2 years ago | (#40906597)

I do hope that they back it up with a PIN, making it full three-factor authentication. While biometrics are useful in being unique identifiers, they are not secrets [schneier.com] . An attacker could use the gummi bear fingerprint technique [schneier.com] using latent fingerprints extracted from a stolen card...

In addition, The Mythbusters also fooled fingerprint scanners using the same techniques as the Schneier link (above), and also with a photocopy of a fingerprint [discovery.com] :

  • A 3-D thumbprint imprinted on a latex strip to be worn over someone else's thumb.
  • A 3-D thumbprint imprinted on ballistics gel, which has the same viscosity and density as human tissue.
  • A photocopy of a scanned image of Grant's thumbprint.

Re:Biometrics are not secrets (2)

climb_no_fear (572210) | about 2 years ago | (#40908645)

The fingerprint reader at my local video store failed miserably and they had to give me a regular PIN. I do rock climb a lot in the summer and my fingerprints sort of wear off. What about people like me? Can't you bank there?

It's like writing the PIN on the card (1)

Anonymous Coward | about 2 years ago | (#40906423)

Considering most people don't handle their debit cards with gloves, that means your fingerprints are all over it. It's like you wrote your PIN on the card, front and back.

Why "instead of"? (4, Insightful)

Picass0 (147474) | about 2 years ago | (#40906437)

The use of a fingerprint and a pin together would raise the security further still. Many institutions are switching to two forms of authentication, which is why you're seeing more security questions. A fingerprint is a second authentication that an account holder doesn't need to remember.

Time to invest in Jello? (0)

Anonymous Coward | about 2 years ago | (#40906485)

And expect The Department of Fatherland Security here in the US to start monitoring sales of Jell-O, Knox-Blox, and all the other gelatin products from store shelves.

        http://cryptome.org/gummy.htm

Triple? and also - selection bias (1)

thePowerOfGrayskull (905905) | about 2 years ago | (#40906527)

Not only has Mekong’s account base tripled through the use of fingerprint technology since its launch in June,

Without any actual numbers (say, for example, the number of accounts they had before introducing this), this is fairly meaningless. If you have 3 customers it's easy to triple them; if you have 3 million, not so easy.

but the deposit balance per debit card account is two times higher than a regular account.

This seems completely irrelevant; in the very best case it sounds like selection bias. The people using this technology will be more like to be tech enthusiasts. While I don't know the demographics of Vietnam, I know that in the States that kind of audience will typically have higher income levels.

But even that's a tenuous guess - my point was that the phrasing of the statement strongly implies that deposit balances are directly connected to card type (fingerprint vs pin); but there's nothing in TFA that supports that.

Re:Triple? and also - selection bias (1)

MozeeToby (1163751) | about 2 years ago | (#40906937)

This seems completely irrelevant; in the very best case it sounds like selection bias. The people using this technology will be more like to be tech enthusiasts. While I don't know the demographics of Vietnam, I know that in the States that kind of audience will typically have higher income levels.

But even that's a tenuous guess - my point was that the phrasing of the statement strongly implies that deposit balances are directly connected to card type (fingerprint vs pin); but there's nothing in TFA that supports that.

That is exactly what the point of the statement was. Banks want to have people with large accounts, implementing the print scanners on the cards increased the number of large accounts they have, therefore increasing the bank's profitability. It's probably taken directly out of a press release full of self-praise for what a great decision it was, which explains why the intent of the statement got so muddled.

Re:Triple? and also - selection bias (1)

mkkohls (2386704) | about 2 years ago | (#40907335)

That is exactly what the point of the statement was. Banks want to have people with large accounts, implementing the print scanners on the cards increased the number of large accounts they have, therefore increasing the bank's profitability. It's probably taken directly out of a press release full of self-praise for what a great decision it was, which explains why the intent of the statement got so muddled.

Exactly the point was to say that the decision was good for the bank. I've used fingerprint scanners in the past, and I have to wonder if the higher balances are from people not being able to take their money out versus actually having wealthier customers given how finkiky these scanners can be.

Why not just get rid of the card? (2)

DeTech (2589785) | about 2 years ago | (#40906557)

Finger prints and a pin should be enough to locate your account number. Not having a card to lose wold be an awesome side effect.

Re:Why not just get rid of the card? (1)

canadiannomad (1745008) | about 2 years ago | (#40906849)

Yeah, get rid of the card, use the fingerprint(s) to identify the account, change the keypad to read the fingerprints as you type, use a pin, and record the exact way that the pin is entered. As always you wouldn't have perfect security, but you could probably get a % accuracy that could be adjusted on a per user basis. Also you could weed out systems trying to game the system by honey potting them and checking for patterns that indicate automatic entry.

Re:Why not just get rid of the card? (1)

Anonymous Coward | about 2 years ago | (#40906949)

This wouldn't work for the same reason magstripe cards are bad: replay attacks. Someone just needs to design a fingerprint skimmer keypad that would save your fingerprints and your pin and you would be screwed. Additionally, changing your fingerprints is not nearly as practical as getting a new bank card.

Re:Why not just get rid of the card? (1)

canadiannomad (1745008) | about 2 years ago | (#40907281)

Mostly agree, except that you can actually watch the hand, replays could be detected as replays. More advanced systems could of course be created to mimic the angles, pression, velocity, torque, etc in a human way that mimics the original without exactly repeating itself, but then they still have to know the pin, change the pin, and all other factors change. Still I agree that is is vulnerable to someone with enough resources and the same access to the the person/machine that they require now to get access to the pin in the first place. In reality "chip" technology with a pin is probably much better.

Re:Why not just get rid of the card? (1)

Idbar (1034346) | about 2 years ago | (#40911945)

What about putting for of your fingers in certain order, creating a fingerprint pin. :-)

Point / Counterpoint. (2)

localman57 (1340533) | about 2 years ago | (#40906737)

On the one hand, they may well have implemented 3 factor security. That's pretty cool. But on the other hand, you have to put your money in a fucking Vietnamese bank to get it. From Reuters in May of this year:

Last November, State Bank of Vietnam Governor Nguyen Van Binh said eight small banks were "unhealthy" while in January he said 10 percent of the country's nearly 50 banks were "ailing."

Apparently they have a deposit insurance program, but it's limited to about $3,000.

Re:Point / Counterpoint. (3, Funny)

fuzzyfuzzyfungus (1223518) | about 2 years ago | (#40907071)

Luckily, you'll presumably be moving your money out of a bank in some other country, so the risks should even out somewhat...

Re:Point / Counterpoint. (0)

Anonymous Coward | about 2 years ago | (#40909795)

On the one hand, they may well have implemented 3 factor security. That's pretty cool. But on the other hand, you have to put your money in a fucking Vietnamese bank to get it.

Apparently they have a deposit insurance program, but it's limited to about $3,000.

$3000 is about twice the estimated 2012 per capita of Vietnam.

http://en.wikipedia.org/wiki/Viet_nam

dare you .. (-1)

ImSoConfused (1489285) | about 2 years ago | (#40906961)

Have you thought about how your identity is being used by the bank - or the gov't ? In VN, there is no identity protection laws (or at least enforceable or being enforced ). Your finger prints is part of your identity - just like your signature. so leaving your prints at the bank means the VN government now have access to part of your identity. They can track where you are (when leaving/entering the country) or what financial assets you have. It's a scam to get more information from the "people" so the communist (government - less you forget) has yet another tool to control/manage its citizens or persons of interest.. haven't we learned anything from that war?

The finger (0)

Anonymous Coward | about 2 years ago | (#40907485)

I can see a lot of people being forced to give someone "the finger" - which will result in a loss of appendage as well as funds from their bank account.

Worked in retail banking backend's and... (1)

twebb72 (903169) | about 2 years ago | (#40911709)

Cool that they've added additional security; but doubling the balance of the 'average' account? Sounds completely unlikely.

I've had privilege to see large amounts of transaction data from where the law of large numbers reigns supreme. The 99%ers, keep a very low to no balance, generally breaking even each month. Its insanity to look at the actual trends.

So when a bank opens a product that magically doubles the deposits, clearly they're either marketing either to a different segment, or the additional security means it costs more to keep that account, therefor the natural response is to keep a higher balance, often to avoid paying fees.

While the security aspect is notable (FYI already in R&D at many banks with fingerprint scanners becoming ubiquitous); the whole 'double their deposit' notion sounds wholly unlikely.

Compliance with the law? (0)

Anonymous Coward | about 2 years ago | (#40912711)

AFAIK, taking a photo of a person's finger without consent and posting it on the internet is not illegal. This shit needs to go.

Why not toeprints (0)

Anonymous Coward | about 2 years ago | (#40915021)

As has been pointed out repeatedly, your debit card will likely have your fingerprints on it and they can be lifted easily. So, to raise security, I propose to use toeprints instead of fingerprints. They are as unique as fingerprints and not likely to be on the card. There are added health benefits from this, because you are regularly forced to do light calisthenics at the ATM, not to mention that waiting in the queue will be much more entertaining.

Check for New Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...