Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

MasterCard Joining Push For Fingerprint ID Standard

timothy posted about 10 months ago | from the why-not-gum-prints dept.

The Almighty Buck 138

schwit1 writes with this selection from a story at USA Today: "MasterCard is joining the FIDO Alliance, signaling that the payment network is getting interested in using fingerprints and other biometric data to identify people for online payments. MasterCard will be the first major payment network to join FIDO. The Alliance is developing an open industry standard for biometric data such as fingerprints to be used for identification online. The goal is to replace clunky passwords and take friction out of logging on and purchasing using mobile devices. FIDO is trying to standardize lots of different ways of identifying people online, not just through biometric methods."

cancel ×

138 comments

Sorry! There are no comments related to the filter you selected.

Fingerprint != user authentication (5, Informative)

AliasMarlowe (1042386) | about 10 months ago | (#45046569)

I'll just leave this [dustinkirkland.com] here.

Re:Fingerprint != user authentication (1)

larwe (858929) | about 10 months ago | (#45046689)

Darn you for posting this before I could do so.

Re:Fingerprint != user authentication (-1)

Anonymous Coward | about 10 months ago | (#45046825)

Darn you for posting this before I could do so.

Thank you for your insightful and useful comment. It added so much to the conversation. Next time at least post AC so your score will start low and we won't have to waste mod points to drop it to -1.

Re:Fingerprint != user authentication (1)

Jeremiah Cornelius (137) | about 10 months ago | (#45048203)

I leave my fingerprint everywhere.

How secret can looking into my eyes be?

Fingerprint == user_name (5, Insightful)

Anonymous Coward | about 10 months ago | (#45046767)

Fingerprints should be treated as user names, not as a substitute for passwords.

Re:Fingerprint == user_name (3, Funny)

Jeremiah Cornelius (137) | about 10 months ago | (#45048213)

Pull my username...

Re:Fingerprint == user_name (1)

ShieldW0lf (601553) | about 10 months ago | (#45048509)

Fingerprints should be treated as user names, not as a substitute for passwords.

That is brilliant

Re:Fingerprint != user authentication (3, Insightful)

phantomfive (622387) | about 10 months ago | (#45046815)

It's worth mentioning that fingerprints CAN be used for authentication IF you can verify that the person is right there, and you can see that it is actually his fingerprint.

But that's not what's happening here. What's happening here is they are just creating a binary pattern. The binary pattern can be stolen and used by anyone. It's a lot harder to use someone else's actual finger.

User authentication != being present (2, Insightful)

Anonymous Coward | about 10 months ago | (#45047045)

That person may be forced to use his finger, and there is the opposite case, using a card on the internet for shopping should not require anyone being anywhere specific.

Re:Fingerprint != user authentication (2)

Jarik C-Bol (894741) | about 10 months ago | (#45049051)

This is why I think that POS terminals where you swipe your card, then sign your name should be replaced with a system where you swipe your card, then place your finger, which then attaches a high rez scan of your print to the sale.

Also, while we're at it, can we standardize fsking customer side POS systems finally? every one of them you come to is different, button layout, number of screen prompts for cash back or amount purchase confirmation. Working customer service in a store has taught me, despite their ubiquitousness, people are completely confused by credit card POS terminals, because they ALL work differently.

Re:Fingerprint != user authentication (1)

phantomfive (622387) | about 10 months ago | (#45049107)

a system where you swipe your card, then place your finger, which then attaches a high rez scan of your print to the sale.

That's a good idea.

Re:Fingerprint != user authentication (3, Interesting)

Austrian Anarchy (3010653) | about 10 months ago | (#45046817)

I'll just leave this [dustinkirkland.com] here.

Exactly where I was going too. It is somewhat amazing that as soon as we find out that fingerprints are not truly unique, we have all of these tools to use them as bona fide ID. Granted, the odds of someone with the same fingerprint as you trying to log into your account are slim, there still should be some other secret associated with the print to allow access. It should be an enhancement to the password, not a replacement.

On the other side of the coin, back in the early 1970s the US government had not one, but two fingerprint cards on a bank bomber I am researching right now. They did not make a match until they found his real name and pulled his existing fingerprint card to make a match to the prints he left all over his bombs and his notes to the press. That part took almost a full week. His 1972 and 1982 wanted posters had full fingerprint sets, even though he had never been arrested. They came from his US Army enlistment records from 1956, and an enlistment under an alias in 1971. He stayed on the loose until 1986, when he was identified by his picture.

While there is some science associated with fingerprint identification, it is not quite the science that the authorities want us to believe.

Re:Fingerprint != user authentication (1)

peragrin (659227) | about 10 months ago | (#45046865)

While what you are saying is true the trick with fingerprint back before the mid 90's was processing power. If you wanted to compare prints you had to pay one or more people to sit there and compare each print to a suspected print.

now you can compare hundreds of prints per second. and only have to use people to verify the half a dozen potential matches. The problem with completely automated systems is that they only compare a dozen points of interest. to be truely useful you would need to vector map the entire print.

Re:Fingerprint != user authentication (2)

Austrian Anarchy (3010653) | about 10 months ago | (#45047015)

While what you are saying is true the trick with fingerprint back before the mid 90's was processing power. If you wanted to compare prints you had to pay one or more people to sit there and compare each print to a suspected print.

now you can compare hundreds of prints per second. and only have to use people to verify the half a dozen potential matches. The problem with completely automated systems is that they only compare a dozen points of interest. to be truely useful you would need to vector map the entire print.

In the 1930s, the FBI was claiming that their classification and search system took 3 minutes or less to match an unknown print with a known print: http://youtu.be/6xgPqc5ROHI?t=20s [youtu.be] (skipped to 20 sec. in for the relevant content and skip the related promo. Contains video from the FBI on their fingerprint analysis system from the 1930s and after it became "digitized.") My primary objection is with how fingerprint analysis has been mis-characterized for over a century.

Re:Fingerprint != user authentication (1)

Opportunist (166417) | about 10 months ago | (#45046917)

To identify, authenticate etc, you can use something you

know
have
or are

A password, an ATM card, a fingerprint are examples of the three possible venues for identity management. Now, can someone please tell me why the hell a SINGLE one should be better than the dual system (card&code) we have currently in place? The only one that could possibly benefit from it is the card company, since they are adding a non-repudiation marker to the fold: You can claim someone stole your card, you can claim someone hacked your code, but it's not possible that someone steal your finger.

It's not? You wanna bet I can?

It's not as secure as it seems at first glance. First, of course, I'd have to get your fingerprint. Which is quite trivial, considering how we literally print our fingers on every surface we touch. Every waiter at every restaurant you have ever been could have your prints if he so chooses. You leave your prints on keyboards, on mice, on elevator buttons. Please don't tell me it's hard to get a print. It takes a bit more effort to match prints to people, but even that is fairly trivial considering the stakes we're dealing with. Frankly, if I was to steal big time using this venue, I'd go hire as a waiter in some rich corner of the world where people routinely use their credit cards to pay restaurant bills, gives you prints, name and credit company as a neat little package.

Now the "hard" part, getting the prints "authenticated". This is actually dependent on the reader in question, but since we're talking about a home version (because it's supposedly working on online trade), one thing is certain: There is an "analogue hole", where my finger gets read. Anyone here who couldn't see how this "reader" can be fed whatever information is necessary to read the print you want it to read, not necessarily by letting it "read" anything but simply by feeding it the correct data impulses at the right time?

And now please repeat why I, as a user, would prefer that kind of crap to my old card&code system.

Re:Fingerprint != user authentication (0)

Anonymous Coward | about 10 months ago | (#45047479)

can someone please tell me why the hell a SINGLE [authentication factor] should be better than the dual system (card&code) we have currently in place?

Your fingerprints are all over your cards, so it not even an extra authentication factor. It's moving from something you have and something you know, to something anyone can find out. Literally anyone can obtain the fingerprints of anyone by following them around a bit and collect the objects they touch. This is stupidity in it's extreme form.

Re:Fingerprint != user authentication (1)

girlintraining (1395911) | about 10 months ago | (#45047161)

MasterCard is joining the FIDO Alliance, signaling that the payment network is getting interested in using fingerprints and other biometric data to identify people for

the purposes of targetted advertising and because the government asked them to provide more ways of tracking people with rfid, massive databases of biometric data, cell phones, etc. We can always say it's for "fraud protection", in the same way that those automated messages say "this call is being recorded for your protection." O RLY? Pretty sure you meant to say our. -_-

Please. By adding new standards like this they're helping to lock out competition from places like Paypal or the extensive wire fund transfer systems in place in Europe. "Ah! Well, now you need biometrics to make transactions in this country, or with these vendors. It's Everywhere You Want To Be (the Visa slogan) is starting to sound less like a convenience and more like a crazy ex stalking you.

Re:Fingerprint != user authentication (1)

memnock (466995) | about 10 months ago | (#45047203)

When fingerprints fail, they'll be like, 'hmm, what else can we use to authenticate? Hey, DNA! Let's start using DNA for authentication!' So soon all these security consultants and security managers (and sure enough the CROOKS!) will have every last bit of your personally identifiable, physical information. Where does that leave you?

Keep your whizbang fingerprint readers Apple and Mastercard and whoever else. Security was never 100% and giving you a copy of every last molecule is not going to change that. I'll get by with the password and when I get f'ed by that, well, then I guess, I'll have to deal. At least I'll still be able to think of my body as belonging to me.

Re:Fingerprint != user authentication (2)

SlippyToad (240532) | about 10 months ago | (#45047281)

Exactly. Fingerprints are the worst password ever. You literally leave your password in plain sight RIGHT ON THE OBJECT you are supposed to be securing. How much less secure could you get?

Re:Fingerprint != user authentication (0)

Anonymous Coward | about 10 months ago | (#45047353)

Finger names should only be used as usernames, and never passwords.

To extrapolate, I'd love to throw away all the cards in my wallet for a way to just touch a finger to something and THEN receive a message on my cell phone approving the purchase a second time (eg you swiped with a finger print, so type in a Password this time.) If you swipe with NFC, then same thing, Password/PIN.

Something you have AND something you know. I'm really fed up with having to use emails as usernames, this is extremely insecure and is leading to widespread security breeches based on using the username and "password reuse" between sites.

Re:Fingerprint != user authentication (1)

mrmeval (662166) | about 10 months ago | (#45047689)

Quotable: "Half the problem with biometrics is keeping the body parts alive."

http://www.youtube.com/watch?v=Dwxld-gs3Xk [youtube.com]

Re:Fingerprint != user authentication (0)

Anonymous Coward | about 10 months ago | (#45047839)

This is relevant as well:

Anonymous claims link between iPhone 5S TouchID and US gov biometric database

http://www.itproportal.com/2013/10/01/anonymous-claims-link-between-iphone-5s-touchid-and-us-gov-biometric-database/ [itproportal.com]

anonymous PasteBin with details:

http://pastebin.com/cmHs2VBn [pastebin.com]

In a nutshell:

3. It may be immaterial whether or not Apple's scanner is easily hackable and whether or not the NSA will have direct access to fingerprints granted to it by Apple and the FISA Court. Multiple industry leaders indicate that the real reason why the Intelligence Community was so keen on Apple launching AuthenTec’s biometric technology is because anything Apple touches automatically becomes über cool. Other biometric corporations are wetting themselves with delight.

Shortly on the heels of this news suddenly we see this Mastercard/FIDO article.

Re:Fingerprint != user authentication (1)

rtaylor (70602) | about 10 months ago | (#45048753)

I don't see why this is a problem for me using a credit card.

Credit card companies (well, retailers) take on the risk of fraud themselves. When you see a charge you didn't make, you call up Mastercard and let them know. A few days and an affidavit later and the charges are reversed.

If this was a bank issuing a debit card I would be concerned. Getting debit charges reversed is nearly impossible IME.

How about NO (3, Interesting)

AmiMoJo (196126) | about 10 months ago | (#45046571)

If Bastardcard think I'm giving them my fingerprints, or even a hash of my fingerprints, they are going to be sorely disappointed. Even if their own systems are secure credit card related data is the number one target for thieves and crackers. Plus, they are Mastercard are bastards, hence my childish name-calling.

Re:How about NO (5, Insightful)

phantomfive (622387) | about 10 months ago | (#45046621)

The worst part is once your fingerprint is compromised, you can't change it easily. You can't ever use it again.

At least if you have a bad password, you can change it.

Re:How about NO (2)

Dark$ide (732508) | about 10 months ago | (#45046743)

Please mod parent up.

It's clearly ok as a username. Although who cares if a user name ends up stored in a cookie? But not for authentication, not even as a two factor option.

Re:How about NO (4, Funny)

Nidi62 (1525137) | about 10 months ago | (#45047031)

The worst part is once your fingerprint is compromised, you can't change it easily. You can't ever use it again.

You could always selectively burn out small parts of your fingerprint and reburn them every time it grows back.. But then I guess that takes the pain of password management to a whole new level.

Re:How about NO (2)

SlippyToad (240532) | about 10 months ago | (#45047335)

Play the bass. Don't use a pick. My fingerprints are hamburger from 30+ years of abuse.

physical solution (1)

globaljustin (574257) | about 10 months ago | (#45047229)

once your fingerprint is compromised, you can't change it easily

I just thought of this, but an attacker could just cut off your finger...

it's obvious...but not really discussed in this context...

I see fingerprints being used in mostly specific high-value cases...briefcase, door entry, pricey gagets...

It just seems that having a small device that just needs your finger to crack encourages finger-chopping or more likely personal physical cooercion

Re:How about NO (1)

AHuxley (892839) | about 10 months ago | (#45048221)

Yes and if your dumped as a security risk by a duopoly or international or online auction sites with 'the other' brand of CC sharing this method?
Give to the wrong charity or a group connected to wrong charity , political organization, its hard to get your "fingerprint" as username and pw back :)

Re:How about NO (1)

Anonymous Coward | about 10 months ago | (#45046695)

Oh no! With you're fingerprints they could... uh. Uhm... Hmmm.

What exactly can they do with your fingerprints that's dastardly and evil? I think I'm missing something.

Re:How about NO (3, Insightful)

0123456 (636235) | about 10 months ago | (#45046727)

What exactly can they do with your fingerprints that's dastardly and evil? I think I'm missing something.

Break into your account on any other service that's retarded enough to think fingerprints are passwords?

Hand them to the NSA so they can link your online activities to your fingerprints?

Just two that come to mind in about ten seconds.

Re:How about NO (0)

Anonymous Coward | about 10 months ago | (#45046837)

...muggers will have to take your wallet AND your fingers.

Re:How about NO (3, Insightful)

Opportunist (166417) | about 10 months ago | (#45046923)

You think I can't do anything evil when I have access to your fingerprints?

Need an email address to mail them to? A set of prints that ain't mine could be handy at times...

Re:How about NO (0)

Anonymous Coward | about 10 months ago | (#45046947)

The records indicate your fingerprint pattern was used as verification. Proof you bought those 1,095 butterfly specimens. There is no proof of fraud. Have a nice day.

Re:How about NO (0)

Anonymous Coward | about 10 months ago | (#45046905)

How about a butt-print? Would you give them that?

Re: How about NO (0)

Anonymous Coward | about 10 months ago | (#45047247)

On dogs, a noseprint is unique.

Stolen passwords can change, fingerprints don't (0)

Anonymous Coward | about 10 months ago | (#45046629)

Plus, fingerprints are easy to be replicated. And they still identify you (with some degree of uncertainty), which is what they want.

liability (0)

Anonymous Coward | about 10 months ago | (#45046631)

I'm sure they'll buy me credit monitoring for a year after they lose my finger print.

Boy do feel safer (2)

Rosco P. Coltrane (209368) | about 10 months ago | (#45046635)

Fingerprint identification is great as long as (1) you trust the organization that uses it with that very, VERY personal data, and (2) you trust that they're not so lame as to lose your fingerprint data.

(1) I wouldn't trust credit card companies with anything more serious than an easily replaceable 4-digit PIN number

(2) Sheesh, even government routinely misplace confidential tax data of their citizens. Need I say more?

In short, I'll keep using good ole anonymous cash to spend at local retailers for my purchases thank you very much.

Re:Boy do feel safer (0)

Anonymous Coward | about 10 months ago | (#45046707)

(3) you trust that robbers don't start carrying seccateurs.

Re:Boy do feel safer (4, Insightful)

savuporo (658486) | about 10 months ago | (#45046835)

You lose your fingerprint data every time you step out of your private quarters, unless you wear latex gloves every all day. Copying and faking your fingerprints costs about $10 Fingerprints are the most easily collected biometric information on you - using them for any sort of authentication is stupid.

Re:Boy do feel safer (0)

VortexCortex (1117377) | about 10 months ago | (#45047109)

I agree. Additionally, s/fingerprint/DNA/

My parents were duped into getting me fingerprinted pre-emptively, "in case I got lost" -- What the fuck, and I wouldn't know my name? Dental records don't exist? Morons. Today's equivalent would be RFID chipping your kids. So, no service can even convince me they're only storing the hash. So fucking what. The corrupt police state has a copy. IMHO, that means my fingerprints shouldn't be admissible in court as evidence against me either, since it's so easy to fake a print and/or plant DNA.

They should just standardize on existing tech that I've been using for years: For Authentication to my LDAP I initiate a SSH tunnel, then thrust both middle fingers in the air and do interpretive dance on a DDR pad. I call it: DR-SSHADAP

Re:Boy do feel safer (1)

Zumbs (1241138) | about 10 months ago | (#45046849)

Fingerprint identification is great as long as (1) you trust the organization that uses it with that very, VERY personal data, and (2) you trust that they're not so lame as to lose your fingerprint data.

You forget one important issue: *You* leave your fingerprints all over. Anyone interested could lift them from you using fairly simple techniques.

Re:Boy do feel safer (2)

samjam (256347) | about 10 months ago | (#45046891)

You leave your finger prints on your credit card.
They steal you card they also have your prints.

How dumb is that?

Re:Boy do feel safer (4, Insightful)

failedlogic (627314) | about 10 months ago | (#45046861)

Mastercard surely employs security experts who should know better. I would think most of them would come up with the same counter-arguments we'll be reading on Slashdot in the next few hours.

So the question is, who came up with this idea and why authorize to release it to the media?

Pass, thank you, though. (0)

Anonymous Coward | about 10 months ago | (#45046647)

No, thank you. Please just charge me more to cover the fraud. My rights are not worth the price you're offering.

Can't change more than nine times (1)

TWX (665546) | about 10 months ago | (#45046649)

This is a bad idea, as one can change a compromised password as many times and necessary or desired.

Assuming a print from a single digit is enough, you're limited to ten total passwords without starting to leave the realm of social acceptability. On top of that, this uses only a public, nonsecret method. It's not combining something that you have with something that you know, preferably something known only to you, and since it's from a read-only source, once it is compromised you're screwed.

If some biometric system is used in concert with a strong user-selected bit of information, like a password, passphrase, or numeric string, then maybe it'll be okay, especially if the system does not indicate to the user where the failure in authentication happens (ie, confirm that one has the right fingerprint before rejecting the password). If the fingerprint is used as an analog for the user id, and the password is still one's personal secret, that may work.

If the issue is PINs being commonly four digits long, people have demonstrated an ability to remember ten-digit numbers as many markets now have ten-digit dialing for local calls with several area codes. I don't think that it would be an undue burden to use PINs longer than four digits in this age on account of that. What would be best is for there to be a minimum length that's greater than four or five, but a max possible length that would be well larger than most users would need, so those who do want longer credentials can use them, and with all of the number of places in between also being supported.

Re:Can't change more than nine times (1)

0123456 (636235) | about 10 months ago | (#45046685)

That's why you use someone else's finger.

Re:Can't change more than nine times (1)

mjr167 (2477430) | about 10 months ago | (#45046687)

So perhaps we can use fingerprints as the user id and still need a password? Then we don't have to keep coming up with user names or memorizing account numbers every time we want to be able to download our statement.

Re:Can't change more than nine times (1)

mjwalshe (1680392) | about 10 months ago | (#45046737)

only some people can remember 10 digit numbers dyslexics have severe difficulties in remembering more than 3

Re:Can't change more than nine times (1)

JustOK (667959) | about 10 months ago | (#45046879)

You mean more than 2.718281828 ?

Re:Can't change more than nine times (0)

Anonymous Coward | about 10 months ago | (#45046889)

Good point. We should reduce the complexity of everything in the world to a level that even the most retarded or disabled person can handle easily. Ever see that "Idocracy" movie? A model of the perfect future.

Dear Mastercard, (1)

Anonymous Coward | about 10 months ago | (#45046671)

Fuck off. You're not getting my fingerprints.

Yours Sincerely,

an ex-customer.

Biometrics (1)

TheRecklessWanderer (929556) | about 10 months ago | (#45046693)

The biggest problem with successfully implementing biometrics right now is the perception that the public has that you can take a number generated by a finger print reader and make a usable finger print. Having said that there is also the issue of false positives and false negatives. I doubt it will really circumvent much fraud, because much of it is online where fingerprint reading never comes into it. (Source is a 2009 LexisNexis study behind a paywall). It will stop the casual thief and maybe some cards that get stolen by a pickpocket and quickly used to rack up some bills.

Re:Biometrics - user risk... (0)

Anonymous Coward | about 10 months ago | (#45047529)

Hi,

In Europe there is ubiquitous chip+pin. It has cut down on fraud, but everyone knows there are dodgy terminals etc...

I remember reading somewhere, that the reason they are NOT used in the USA is because of perceived user/customer risk. If your card is stolen and usable without the user there is no risk as the criminal doesn't need you. Anecdotally, in London this leads to "cashpoint muggings" - I do not know how prevalent this is.

It would appear this biometric falls in the same category, that it is something that you can be compelled through violence (or fraud) to be bypassed.

Hence, I suspect this will get no traction in the USA...

stop jumping the gun. (5, Interesting)

nimbius (983462) | about 10 months ago | (#45046749)

1. perfect the payment card identification solutions you currently have.
2. deprecate the solutions that are blatantly flawed. junk marketing flair such as RFID was a terrible idea.
3. take a more proactive approach in identity theft, dont just triage it with a new card. target and eliminate payment card processors with a consistent history of exploit or breech. refuse to reinstate service until an independent third party audit is conducted.
4. use when ready a new standard with a proven track record and a history of functional security. Stop inventing nonsense piecework systems that hackers swarm like flies on sugar.

Re:stop jumping the gun. (0)

Anonymous Coward | about 10 months ago | (#45049263)

Well - I thinbk the NSA would LOVE your arguments...

Go on with the good work patriot....

privacy is history (0)

Anonymous Coward | about 10 months ago | (#45046763)

from here on out privacy is just not going to be a thing anymore. sort of like how some time 5000 years ago or so people started accepting the idea of private property and "owning land" and now most people would consider it preposterous to go back to a time before private property, eventually imagining going back to a time when we had privacy will seem equally preposterous. sure, it sucks but eventually we'll all die and the new people won't know any different so no loss, right? hell, the same way we today believe that private property and economic competition is "human nature" future people will probably just believe that having every second of you life being public record is "natural".

MasterCard = Criminal (1)

zenlessyank (748553) | about 10 months ago | (#45046787)

Only time my fingerprints were needed was when I was arrested, so it must be an automatic crime to deal with MasterCard.

Fingerprints are IDs, not passwords (1)

thb3 (19142) | about 10 months ago | (#45046801)

Fingerprints are a great way to ID someone, but not for passwords.

There are better ways. (4, Insightful)

Anonymous Coward | about 10 months ago | (#45046805)

The system of telling someone a secret to identify your self and thus authorize something is inherently stupid. I con't care if its a credit card number, security code, or finger print.

We have public key cryptography, there is no reason to tell every vender you make a purchase from enough information to allow them to make arbitrary purchases. They should provide you with a request, which you can sign/authorize with your private key. This signed transation request goes to the payment processor (mastercard in this case). Then they can, if you dispute the validity of it. provide the signed request as proof that someone with your private key (which they don't have, and you never give out) authorized it. Thus they are more resistant to false fraud claims, you are more resistant to identity theft/fraudulent purchases.

Its clearly a Win/Win, but requires you to have a "smart card" of some kind thats capable of displaying some minimal information, lets you select to authorize or not. The transfer of data to and from the card, and the powering of it would be easy to do over NFC, and it just needs enough of a display to show the amount. It should be possible to make such a device for ~5$ in large quantities, but you could also just use a smart phone.

You obviously would want a system where you could contact the payment processor and update your public key incase your card is stolen (generally, changing your key frequently isn't a bad idea, assuming you have some nice way to authenticate to change it, like using a key you don't carry around with you).

Also, its trivial to allow such a system to transfer money in either direction, and extend it to multiple payment processors and currencies (open the standards for the interface, so you can make a single card that works with mastercard, bitcoin, visa, etc).

Do to the reduced rates of fraud, liability and thus fees can be reduced, and even the potential for privacy is added (unique keys for each transaction + third party payment processors which work as proxies and protect the content of your purchase from the actual payment processor+credit card company, and protect your identity from the store). Even things like bitcoins and cham tokens could be used if you really wanted to go privacy crazy.

So, why arn't stores using such a lower risk, lower fee, more secure and more user friend system? Because the payment processors have a monopoly and like it this way. Don't buy into their stupid schemes like finger print id; they just want to keep their monopoly, and access to all that valuable data you provide, and all those fees the venders provide. Better security (and privacy) is trivial, and this is not how to get it. Privacy is impossible with the finger print system, and the security isn't good either.

Thank Apple (0)

Anonymous Coward | about 10 months ago | (#45046821)

The first step (and the most difficult) to getting this implemented will be getting people used to scanning their fingerprints and storing it on a computer. Thank Apple and iOS7 for taking care of this. In a few years there will be a whole generation of Apple fanboys totally comfortable with scanning their fingerprints just to unlock their iphone. How hard will it be to get them to do the same thing for online payments?

MasterCard SecureCode (0)

Anonymous Coward | about 10 months ago | (#45046863)

What is wrong with MasterCard's already implemented SecureCode? Why do I need to send my fingerprints to MasterCard just to make an online transaction? I've only ever seen a few airline websites and Ticketmaster actually require me to use the SecureCode authentication. The vast majority of websites have zero security other than just requiring you to enter the correct billing information. If MasterCard would just start requiring websites to actually use SecureCode, it would cut down on a vast majority of stolen credit card use and wouldn't require giving your biometric info to Mastercard.

Re:MasterCard SecureCode (1)

0123456 (636235) | about 10 months ago | (#45047049)

What is wrong with MasterCard's already implemented SecureCode?

Other than being a fscking disaster that encourages people to hand personal information to unknown web sites?

Re:MasterCard SecureCode (0)

Anonymous Coward | about 10 months ago | (#45047371)

And how is that different from any other e-commerce website that doesn't use it?

Fuck You (0)

Anonymous Coward | about 10 months ago | (#45046885)

I'm not giving my fingerprints to the Internet to be stored in some database and handed over to the NSA/FBI/CIA so I can be wrongly implicated in crimes just because I happened to be some place at some time in the past.

I mean, I am sure they already have them. I had to submit fingerprints to get my GA driver's license back in the 1990s and to get my Florida and South Carolina CWPs, but still... in principle. FUCK YOU.

Sounds great, but... (0)

Anonymous Coward | about 10 months ago | (#45046897)

It sounds like a great idea until someone grabs your fingerprint template off an online database (just like they do with password hashes), reverses it (fingerprint templates, unlike hashes, are indeed reversible), and uses that to gain access to your other online accounts... all because you couldn't be bothered with "clunky passwords".

Keep the fingerprint on the device... (2)

John.P.Jones (601028) | about 10 months ago | (#45046937)

The key is to not use the fingerprint as a key for online authentication, we have a technique for that it is called cryptographic keys (either symmetric or asymmetric). Now people are generally bad at remembering these strong keys (and even worse at using them) so instead they use a trusted device (used to be a desktop computer but that day is past, now its a phone) to both store and use those keys. The user can then authenticate locally to their device using a less strong mechanism (traditionally passwords). Apple has this right, the device is the only thing that needs to use the fingerprint to authenticate the user (local authentication is by its nature two factor since you need the device). There is no advantage & clear disadvantages to using fingerprints directly for online authentication (passwords too as we have seen time and time again).

Re:Keep the fingerprint on the device... (0)

Anonymous Coward | about 10 months ago | (#45047615)

There is no advantage & clear disadvantages to using fingerprints directly for online authentication (passwords too as we have seen time and time again).

1. fingerprint is as much authentication as typing in your name. They are IDs, not passwords.
2. passwords and passphrases are excellent for their purposes

All the problems about passwords have little to do with technology. And when these problems are about technology, using something else in place of password would not help.

Re:Keep the fingerprint on the device... (0)

Anonymous Coward | about 10 months ago | (#45047631)

You call apple "right", when you can simply swipe away their "protections" and use the device without ever having to give any fingerprints?

Besides all the inherent problems of compromisable but only really painfully replaceable passwords and all the trouble of having to trust someone else('s cheap code) to keep your data safe. Best not build that dependency into the systems in the first place. Any time you do, you are wrong.

I really wish the industry would stop fapping themselves silly over "do away with passwords" and "biometrics" and whatever malarky. Especially the financial people. Instead, work on safe ways to NOT need to leave a paper trail at all. You know, anonymous electronic payments like cash. We really need to stop trying to make things "easier" for "the user", by criminalising him!

Re:Keep the fingerprint on the device... (0)

Anonymous Coward | about 10 months ago | (#45047649)

Are you aware of the particularly bloodthirsty group of thieves who were stealing electronic devices AND the fingers necessary to unlock them? Painful and crippling.

Wrong Technology / Wrong Solution (1)

bradgoodman (964302) | about 10 months ago | (#45046939)

I can (half) see using "biometric" data in something like a grocery store. You swipe your card, and have to press your finger against the scanner in the store. No fingerprint match - no groceries.

But to insist on using "biometric" data for "online" purchases - how are they expecting to receive the biometric data? Through a scanner on the *users* computer? Even if it was done by some sort of credit-card hardware - you are now relying on not *biometric* data - but just *data* - as the users' computer has to send the data - and therefore who's to say if it's really "biometric" or not. (i.e. Some sort of reply attack - or something like it). My point is - there is no way to assure that it's really the user's fingerprint - just data matching the user's fingerprint. So how is this different than a conventional password?

At least a the grocery store - if you stick a "fake" finger on the scanner - you're going to at least create some suspicion - at minimum.

As a Colombian, I'll tell you how it goes... (0)

Anonymous Coward | about 10 months ago | (#45046991)

People with missing fingers, and no property left in their name.

It's far faster to just remove the finger, than fucking around finding prints.

Besides the obvious, that this won't work. (0)

Anonymous Coward | about 10 months ago | (#45047019)

How many people are going to be willing give up their finger prints, knowing perfectly well that the KGB, errr NSA will acquire all of their biometric information? Also, that you will not know who has a copy of it, where it is being used. Who wants to wait until their framed for something that they didn't do by using this information?

JEWS pushing for fingerprints, more like... (-1)

Anonymous Coward | about 10 months ago | (#45047053)

Who runs the credit card companies? Who prints money out of thin air? The eternal Jew...

Yet despite all the discussion... (1)

tlambert (566799) | about 10 months ago | (#45047087)

Yet despite all the discussion... MasterCard remains about as relevant as Diners Club.

What about anonymous paiements ? (0)

Anonymous Coward | about 10 months ago | (#45047111)

The other day I bought something at a "The Source" store. They asked me my name and my email address, I refused to tell them. I told them it was bad practice and that I find it very insulting as a customer, to feel the need to answer interrogations.

I felt like if my rights and my freedom were violated.

Chip and Pin? (0)

Anonymous Coward | about 10 months ago | (#45047151)

For companies who struggle to this day with converting people to Chip and Pin technology, I can't take this seriously at all it would be a massive undertaking.

Credential requirement (1)

Todd Knarr (15451) | about 10 months ago | (#45047187)

I have one basic requirement before I'll use a logon credential system: I must be able to change the credential in the event it's compromised. If I can't recover from a compromise by changing the credential so it's no longer available to whoever compromised it, I won't use it. I never ever want to be in a position where my login has been compromised, I have to continue using it and I can't make it so the bad guy can't use it anymore.

The people pushing biometrics are handwaving away the difference between identification and authentication. Authentication usually requires identification as a first step, but it then requires a second step: proving that you truly are the person you've been identified as. Think of it like a safe-deposit box: the bank checks your driver's license to see who you are and from that which deposit box is yours. That's identification. But they won't open the box for you. You have to authenticate by making use of the key you were issued to open the box, which someone who was merely impersonating you wouldn't have. Western Union would be an example of a system of authentication without identification. When money's sent the sender can provide a question and answer instead of requiring identification. Anyone who can provide the correct answer to the question is authorized to pick up the money, identification not (normally) needed. That's a lifesaver for people who've eg. been robbed and whose ID was taken along with the wallet.

Who Says MC Actually cares about Your Security? (1)

rueger (210566) | about 10 months ago | (#45047373)

A lot of years ago I spent some time with a Canadian guy who more or less invented the idea of no-name white box cash machines up here. I think we talked about his "high-end" Quake gaming rig....

In any event, one topic of discussion was the technology behind bank cards and debit cards. I can still recall him telling me that the bank card was about the most insecure thing ever invented, and that using four-digit PIN was pretty much laughable.

In his words, "You do not want to trust these things."

So now we have Chip and PIN; and stupidly annoying multiple factor authentication; and bio-metrics; and whatever some security company can cook up next week.

I still don't trust them, and really don't ever assume that any of this stuff is really secure.

Sum Ten Very Fishy (0)

Anonymous Coward | about 10 months ago | (#45047675)

The Alliance is developing an open industry standard for biometric data such as fingerprints to be used for identification online.

At the very least this company, with whom I do business with, could have informed me by now with this news. I will not give my fingerprints up for free. They are not publicly accessable either. Also, I should not be hearing this for the first time on /..

nope (0)

Anonymous Coward | about 10 months ago | (#45047789)

no / never / over my dead body

I smell a rat (0)

Anonymous Coward | about 10 months ago | (#45047827)

So, the NSA has found a way to collect all of our fingerprints after all...

Industry Not Known For Intelligence (2, Insightful)

Anonymous Coward | about 10 months ago | (#45047859)

The Chaos Computer Club put it nicely: "It is plain stupid to use something that you cant change and that you leave everywhere every day as a security token."

In Soviet Russia... (1)

JoeSchmoe007 (1036128) | about 10 months ago | (#45047981)

...Fingerprint changes you???

Very likely fueled by the sensor manufacturer (3, Informative)

khrome (85018) | about 10 months ago | (#45048087)

So, having worked in this industry:

1) There are many much more insecure areas (card cloning comes to mind) which already have solutions ( http://www.magtek.com/V2/products/secure-card-reader-authenticators/bullet.asp ), and nearly 0 adoption. Why is everyone suddenly jumping on the fingerprint bandwagon?

2) There is no point in more physical security: The card issuers guarantee the safety of cardholders funds and merchants tend to be very touchy about missing funds (the traditional 30 day lag of AMEX *seriously* affects their market penetration, and there's a massive effort to do statistical fraud analysis at a high level, so truthfully a very basic security at the register is effective, because card fraud stays at a relatively fixed level (it could be even better but that would lead to more false positives and worsen the customer experience)), the cost of the round of hardware upgrades for the whole network far exceeds the cost of fraud.

3) What makes *sense* is to let consumers swipe their own cards so they can have card-present transactions from their own home, in conjunction to card profiling tech like the link above (it builds a 'fingerprint' of the iron filings suspended in your magswipe to preventing cloning).

4) This sounds like an attempt to me to reduce the number of card present transactions (which are much less expensive for the merchant) and make more money by claiming a larger percentage of the transaction and to fuel a round of upgrades at the register, much like when checks switched from magnetic ink to frontal scans (check21), which also had little to do with fraud and was mostly a internal cost reduction as well as eliminating some friction for depositors, but required widespread merchant upgrades(with those upgrades not helping the merchant at all).

5) I'm not sure how PIN security factors in here, since debit pins use an injectable encryption scheme that is performed *on* the pinpad which is injected onto it in a *tightly* controlled process. It is a completely different protocol (at least in the US).

6) There have been a number of transaction network breakins, and I for one (knowing some of the players in this space), would *never* want any kind of data on their servers that could not be reissued.

I like clunky passwords and spending slowdowns (2)

gnerdalot (3382307) | about 10 months ago | (#45048113)

"The goal is to replace clunky passwords and take friction out of logging on and purchasing using mobile devices." Also slows down my impulsive purchases - I don't see the problem.

I raise a finger to the idea! (2)

Impy the Impiuos Imp (442658) | about 10 months ago | (#45048137)

1. Hack and get the files.
2. Someone writes a 3D printer conversion utility.
3. Print fake fingers.
4. Illegally profit!

I left out the ??? step because it wasn't needed.

Lose your finger (0)

Anonymous Coward | about 10 months ago | (#45048259)

I have heard of people losing a fingers because thieves wanted to carjack their Mercedes which uses fingerprint ID

Don't allow them to have your prints... (1)

markdavis (642305) | about 10 months ago | (#45048419)

This is just stupid.

Fingerprints are left all over the place and can be used in ways that are opposed to freedom and privacy. You should never allow your prints to be registered, if you can avoid it.

If they want to use a safe biometric, it would have to be a vein pattern or retinal scan. Something that can't be obtained without permission/participation and can't be easily replicated.

NO (1)

SomeRADDude (635369) | about 10 months ago | (#45048423)

How about just NO!

Mastercard (0)

Anonymous Coward | about 10 months ago | (#45048577)

I'll give them the finger, but without prints

No. Use one time passwords or parallel auth (1)

Hyperhaplo (575219) | about 10 months ago | (#45048699)

Some banks issue a key fob for which generates a 6 digit number when the button is pressed. To logon to the bank's website you need your username, your password and a six digit number. This provides two factor identification - that which you know (username and password) and that which you have (keyfob to generate the one time password).

This system works very well. You can't logon to the bank's internet banking website without both whatyouknow and whatyouhave and once you are logged in you can not use major functions without generating a key using the fob which prevents someone taking over the session. This security provides solid protection from most types of automated and associated attacks including some MITM. I was very impressed with this system and heartily endorse it.

Other banks have two factor authentication using SMS or other side channels. Another bank I have an account with uses SMS as a side channel to confirm that the user at the computer is the user who owns the phone registered with the bank. This is similar to the key fob in that you need to be able to receive the SMS to make changes to the account using the bank's internet banking website or major functions like large money transfers or adding a new account to transfer money to. Again, this works quite well.

In both cases this is not about perfect security it is about increasing the cost and effort involved for an attacker to compromise the system.

I will never willingly give my fingerprints or any other biometric data. Yes, I know, someone could go all CSI on me and take my prints off of my glass when I put it down at the pub.

This idea of biometric identification needs to be shot down and buried. Perhaps in a future time we will have the infrastructure to support this and it may well be feasible but for now we have two factors systems which are in the field and work well.

Chp and Pin (1)

David_Hart (1184661) | about 10 months ago | (#45048789)

Chip and Pin, in use in Europe and Canada, is 1000x better than fingerprints for multiple reasons, not the least of which is personal privacy. There is NO way that I would trust any corporation with my fingerprints. It's bad enough that the credit card companies have my social security number.

Re:Chp and Pin (1)

profplump (309017) | about 10 months ago | (#45048839)

It's definitely better. Though if the banks were even marginally more willing to subscribe to a standard for data exchange it could be 1000 times better. For example, the current system does not allow the retailer to ensure that the same transaction type they requested was actually used in the approved transaction.

and if your fingerprints don't scan, then? (1)

Nicholas Cullingham (2939687) | about 10 months ago | (#45048805)

I dealt with fingerprint scan failure at SeaWorld San Diego last year. I get cracked skin in our dry winters, mainly on my fingers. Based on my experience with dermatologists, it's not that uncommon around here. They ended up accepting that my fingers wouldn't scan - thank goodness for a human in the loop. Getting locked out of banking because of dry skin would be a pretty epic fail here.

Does not work (1)

arthurpaliden (939626) | about 10 months ago | (#45048879)

I once saw demo given by a security expert fooling a fingerprint scanner with a print lifted with a gummy bear.

FIDO is not just about fingerprints (1)

axlash (960838) | about 10 months ago | (#45049317)

Most of the comments here seem to be focusing on FIDO being all about identification via fingerprint, when in fact, the standards it is seeking to develop also include 2FA authentication. There's nothing saying that Mastercard might not in the end opt for 2FA.

Uh... no. I do not want. (1)

mark-t (151149) | about 10 months ago | (#45049325)

Even though proponents would argue that biometrics take orders of magnitude more effort to crack or defeat (a dubious claim, but giving them the benefit of the doubt), it's impossible to escape the fact that if or when a biometric security system *IS* cracked, then it's game over for the person who was hacked, since changing his biometrics is not an option, whereas if your PIN is hacked, you can at least change to a new one to keep the damage from recurring in the future.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>