MasterCard Joining Push For Fingerprint ID Standard

schwit1 writes with this selection from a story at USA Today: "MasterCard is joining the FIDO Alliance, signaling that the payment network is getting interested in using fingerprints and other biometric data to identify people for online payments. MasterCard will be the first major payment network to join FIDO. The Alliance is developing an open industry standard for biometric data such as fingerprints to be used for identification online. The goal is to replace clunky passwords and take friction out of logging on and purchasing using mobile devices. FIDO is trying to standardize lots of different ways of identifying people online, not just through biometric methods."

Fingerprint != user authentication

[AliasMarlowe]

I'll just leave this [dustinkirkland.com] here.

Re:

[larwe]

Darn you for posting this before I could do so.

Re:

[Jeremiah Cornelius]

I leave my fingerprint everywhere.

How secret can looking into my eyes be?

Fingerprint == user_name

[Anonymous Coward]

Fingerprints should be treated as user names, not as a substitute for passwords.

Re:Fingerprint == user_name

[Jeremiah Cornelius]

Pull my username...

Re:

[ShieldW0lf]

Fingerprints should be treated as user names, not as a substitute for passwords.

That is brilliant

Re:

[Twinbee]

Oh you mean two passwords instead of one? A username is effectively part of the password.

Re:

[sjames]

No. Identification and authentication are related but different things.

Re:

[CanHasDIY]

Fingerprints should be treated as user names, not as a substitute for passwords.

Ha, yea, I can just imagine the look on someone's face when they inevitable come across this error message:

The username you selected is in use; please choose another, or click here to reset your password.

WTF??!!

Re:Fingerprint != user_name

[ALeader71]

The problem with fingerprints as username goes back to the problem with all biometric data -- humans are made of squishy flesh. If I cut the finger used as a password or username, I loose access until that finger has healed.

A better idea already exists and could be improved upon - the chip-and-pin system. Granted, any hardware token can be cloned. Most people use the same PIN for everything. However the equipment is in place (except the US). Add a secondary "something you know" item to authentication.

Re:Fingerprint != user authentication

[phantomfive]

It's worth mentioning that fingerprints CAN be used for authentication IF you can verify that the person is right there, and you can see that it is actually his fingerprint.

But that's not what's happening here. What's happening here is they are just creating a binary pattern. The binary pattern can be stolen and used by anyone. It's a lot harder to use someone else's actual finger.

User authentication != being present

[Anonymous Coward]

That person may be forced to use his finger, and there is the opposite case, using a card on the internet for shopping should not require anyone being anywhere specific.

Re:

[Jarik C-Bol]

This is why I think that POS terminals where you swipe your card, then sign your name should be replaced with a system where you swipe your card, then place your finger, which then attaches a high rez scan of your print to the sale.

Also, while we're at it, can we standardize fsking customer side POS systems finally? every one of them you come to is different, button layout, number of screen prompts for cash back or amount purchase confirmation. Working customer service in a store has taught me, despite t

Re:

[phantomfive]

a system where you swipe your card, then place your finger, which then attaches a high rez scan of your print to the sale.

That's a good idea.

Re:

[Jarik C-Bol]

If your using a credit card, any privacy from the government you thought you had was merely a delusion. I did not say as tracking, I said as a replacement for the existing electronic pen signatures (which are wildly inconsistent in quality.)

Re:

[Austrian Anarchy]

I'll just leave this [dustinkirkland.com] here.

Exactly where I was going too. It is somewhat amazing that as soon as we find out that fingerprints are not truly unique, we have all of these tools to use them as bona fide ID. Granted, the odds of someone with the same fingerprint as you trying to log into your account are slim, there still should be some other secret associated with the print to allow access. It should be an enhancement to the password, not a replacement.

On the other side of the coin, back in the early 1970s the US government had no

Re:

[peragrin]

While what you are saying is true the trick with fingerprint back before the mid 90's was processing power. If you wanted to compare prints you had to pay one or more people to sit there and compare each print to a suspected print.

now you can compare hundreds of prints per second. and only have to use people to verify the half a dozen potential matches. The problem with completely automated systems is that they only compare a dozen points of interest. to be truely useful you would need to vector map the

Re:

[Austrian Anarchy]

While what you are saying is true the trick with fingerprint back before the mid 90's was processing power. If you wanted to compare prints you had to pay one or more people to sit there and compare each print to a suspected print.

now you can compare hundreds of prints per second. and only have to use people to verify the half a dozen potential matches. The problem with completely automated systems is that they only compare a dozen points of interest. to be truely useful you would need to vector map the entire print.

In the 1930s, the FBI was claiming that their classification and search system took 3 minutes or less to match an unknown print with a known print: http://youtu.be/6xgPqc5ROHI?t=20s [youtu.be] (skipped to 20 sec. in for the relevant content and skip the related promo. Contains video from the FBI on their fingerprint analysis system from the 1930s and after it became "digitized.") My primary objection is with how fingerprint analysis has been mis-characterized for over a century.

Re:

[Opportunist]

To identify, authenticate etc, you can use something you

know
have
or are

A password, an ATM card, a fingerprint are examples of the three possible venues for identity management. Now, can someone please tell me why the hell a SINGLE one should be better than the dual system (card&code) we have currently in place? The only one that could possibly benefit from it is the card company, since they are adding a non-repudiation marker to the fold: You can claim someone stole your card, you can claim someone hacke

Re:

[Opportunist]

Well, it could serve as a pretty good identification detail if, and only if, I can ensure that the fingerprint I get is actually certainly from the person I get it from. This in turn requires me to verify that he uses his finger to leave it wherever I need him to do it.

Sounds like a no-brainer, but it's far from it.

When I stand next to the guy and can verify that he uses his finger to leave a print, I can vouch that it is genuine. As far as I know, it isn't possible (yet) to somehow graft someone else's pri

Re:

[girlintraining]

MasterCard is joining the FIDO Alliance, signaling that the payment network is getting interested in using fingerprints and other biometric data to identify people for

the purposes of targetted advertising and because the government asked them to provide more ways of tracking people with rfid, massive databases of biometric data, cell phones, etc. We can always say it's for "fraud protection", in the same way that those automated messages say "this call is being recorded for your protection." O RLY? Pretty sure you meant to say our. -_-

Please. By adding new standards like this they're helping to lock out competition from places like Paypal or the extensive wire fund trans

Re:

[memnock]

When fingerprints fail, they'll be like, 'hmm, what else can we use to authenticate? Hey, DNA! Let's start using DNA for authentication!' So soon all these security consultants and security managers (and sure enough the CROOKS!) will have every last bit of your personally identifiable, physical information. Where does that leave you?

Keep your whizbang fingerprint readers Apple and Mastercard and whoever else. Security was never 100% and giving you a copy of every last molecule is not going to change that. I

Re:

[SlippyToad]

Exactly. Fingerprints are the worst password ever. You literally leave your password in plain sight RIGHT ON THE OBJECT you are supposed to be securing. How much less secure could you get?

Re:

[mrmeval]

Quotable: "Half the problem with biometrics is keeping the body parts alive."

http://www.youtube.com/watch?v=Dwxld-gs3Xk [youtube.com]

Re:

[rtaylor]

I don't see why this is a problem for me using a credit card.

Credit card companies (well, retailers) take on the risk of fraud themselves. When you see a charge you didn't make, you call up Mastercard and let them know. A few days and an affidavit later and the charges are reversed.

If this was a bank issuing a debit card I would be concerned. Getting debit charges reversed is nearly impossible IME.

Re:

[sjames]

Correction, everyone but the credit card company takes on the risk of fraud. Even though the credit card companies are the only ones in any position to prevent the fraud.

How about NO

[AmiMoJo]

If Bastardcard think I'm giving them my fingerprints, or even a hash of my fingerprints, they are going to be sorely disappointed. Even if their own systems are secure credit card related data is the number one target for thieves and crackers. Plus, they are Mastercard are bastards, hence my childish name-calling.

Re:How about NO

[phantomfive]

The worst part is once your fingerprint is compromised, you can't change it easily. You can't ever use it again.

At least if you have a bad password, you can change it.

Re:

[Dark$ide]

Please mod parent up.

It's clearly ok as a username. Although who cares if a user name ends up stored in a cookie? But not for authentication, not even as a two factor option.

Re:How about NO

[Nidi62]

The worst part is once your fingerprint is compromised, you can't change it easily. You can't ever use it again.

You could always selectively burn out small parts of your fingerprint and reburn them every time it grows back.. But then I guess that takes the pain of password management to a whole new level.

Re:

[SlippyToad]

Play the bass. Don't use a pick. My fingerprints are hamburger from 30+ years of abuse.

physical solution

[globaljustin]

once your fingerprint is compromised, you can't change it easily

I just thought of this, but an attacker could just cut off your finger...

it's obvious...but not really discussed in this context...

I see fingerprints being used in mostly specific high-value cases...briefcase, door entry, pricey gagets...

It just seems that having a small device that just needs your finger to crack encourages finger-chopping or more likely personal physical cooercion

Re:

[AHuxley]

Yes and if your dumped as a security risk by a duopoly or international or online auction sites with 'the other' brand of CC sharing this method?
Give to the wrong charity or a group connected to wrong charity , political organization, its hard to get your "fingerprint" as username and pw back :)

Re:

[Anonymous Coward]

Oh no! With you're fingerprints they could... uh. Uhm... Hmmm.

What exactly can they do with your fingerprints that's dastardly and evil? I think I'm missing something.

Re:How about NO

[0123456]

What exactly can they do with your fingerprints that's dastardly and evil? I think I'm missing something.

Break into your account on any other service that's retarded enough to think fingerprints are passwords?

Hand them to the NSA so they can link your online activities to your fingerprints?

Just two that come to mind in about ten seconds.

Re:

[b4upoo]

Extra security measures on credit and debit cards are welcomed by myself and some others. Identity theft and store credit can be aimed at many innocent people. I've already had it happen. Someone went into Home Depot store and wanted very expensive tools and applied for credit on the spot in my name. Fortunately the store as well as their bank called me and I was able to prevent the transaction. A good national ID card combined with more secure credit and debit cards could save this nation a fortu

Re:

[hawkinspeter]

I have my doubts about anyone producing a "good" national ID card. Credit card companies are unable to keep their system secure and they have a financial incentive to do so. However, government employees typically don't have such a good incentive to keep everything secure and often have reasons to sabotage such a system. I really don't think that national ID cards solve anything except creating more government jobs to administer them.

Re:How about NO

[Opportunist]

You think I can't do anything evil when I have access to your fingerprints?

Need an email address to mail them to? A set of prints that ain't mine could be handy at times...

Boy do feel safer

[Rosco P. Coltrane]

Fingerprint identification is great as long as (1) you trust the organization that uses it with that very, VERY personal data, and (2) you trust that they're not so lame as to lose your fingerprint data.

(1) I wouldn't trust credit card companies with anything more serious than an easily replaceable 4-digit PIN number

(2) Sheesh, even government routinely misplace confidential tax data of their citizens. Need I say more?

In short, I'll keep using good ole anonymous cash to spend at local retailers for my purchases thank you very much.

Re:Boy do feel safer

[savuporo]

You lose your fingerprint data every time you step out of your private quarters, unless you wear latex gloves every all day. Copying and faking your fingerprints costs about $10 Fingerprints are the most easily collected biometric information on you - using them for any sort of authentication is stupid.

Re:

[VortexCortex]

I agree. Additionally, s/fingerprint/DNA/

My parents were duped into getting me fingerprinted pre-emptively, "in case I got lost" -- What the fuck, and I wouldn't know my name? Dental records don't exist? Morons. Today's equivalent would be RFID chipping your kids. So, no service can even convince me they're only storing the hash. So fucking what. The corrupt police state has a copy. IMHO, that means my fingerprints shouldn't be admissible in court as evidence against me either, since it's so easy to

Re:

[Zumbs]

Fingerprint identification is great as long as (1) you trust the organization that uses it with that very, VERY personal data, and (2) you trust that they're not so lame as to lose your fingerprint data.

You forget one important issue: *You* leave your fingerprints all over. Anyone interested could lift them from you using fairly simple techniques.

Re:

[samjam]

You leave your finger prints on your credit card.
They steal you card they also have your prints.

How dumb is that?

Re:Boy do feel safer

[failedlogic]

Mastercard surely employs security experts who should know better. I would think most of them would come up with the same counter-arguments we'll be reading on Slashdot in the next few hours.

So the question is, who came up with this idea and why authorize to release it to the media?

Re:

[Solandri]

Mastercard and the other credit card companies have pulled off one of the greatest scams of modern times. They've convinced everyone that they care about security. They don't. They've gamed the system so the merchant bears all the cost of fraud and theft. If your credit card is stolen, the thief uses it to buy gas, and you report it stolen, Mastercard tells the gas station "prove that it was the card owner who actually used the card." Of course the gas station can't (because the credit card companies g

Re:

[Areyoukiddingme]

You almost got it right.

It isn't just the merchant who bears all the cost of fraud and theft. The credit card holder also pays. Have your identity stolen by shitty credit card company security? It's YOUR credit score that gets trashed. Not the bank that issues the card. Not Visa or Mastercard. Not the merchant who was defrauded.

Of course they have no security. They never pay any but the most miniscule of penalties for their total lack of security. Merchants pay it and card holders pay it. Over and o

Re:

[sjames]

In a fair legal system, the credit agencies would be guilty of libel Given how common credit card fraud is and that banks always try to make the individual the victim instead of them, simply taking a bank's word for it that you defaulted *IS* a reckless disregard for the truth.

Re:

[Bite The Pillow]

Who? Marketing. Why? Because Apple.

Riding the popular trend, because it is also convenient to ignorant users. First adopters will ride the wave, ad secondary users will get bitten by fraud because there is no "that wasn't the cardholder" defense without shitting on decades of fingerprint testimony.

And there's your final answer. Chargebacks, meaning accounting was involved.

Re:

[mjwx]

Mastercard surely employs security experts who should know better. I would think most of them would come up with the same counter-arguments we'll be reading on Slashdot in the next few hours.

So the question is, who came up with this idea and why authorize to release it to the media?

MasterCard and Visa dont give two shits about security.

Because they've passed that buck onto the individual banks. The Banks are responsible for losses through stolen cards, not MasterCard. Now the banks only care about security as long as it doesn't interfere with profit.

Visa and MasterCard have been pushing an extremely insecure system which transmits your card number, name and card expiry to any NFC device that asks for it. This is many Android phones. The authentication on PayPass/Wave cards has a

Re:

[hawkinspeter]

Fingerprints are public data unless you never touch anything in a public place.

Can't change more than nine times

[TWX]

This is a bad idea, as one can change a compromised password as many times and necessary or desired.

Assuming a print from a single digit is enough, you're limited to ten total passwords without starting to leave the realm of social acceptability. On top of that, this uses only a public, nonsecret method. It's not combining something that you have with something that you know, preferably something known only to you, and since it's from a read-only source, once it is compromised you're screwed.

If some

Re:

[0123456]

That's why you use someone else's finger.

Re:

[mjr167]

So perhaps we can use fingerprints as the user id and still need a password? Then we don't have to keep coming up with user names or memorizing account numbers every time we want to be able to download our statement.

Re:

[hawkinspeter]

That would be less secure as it's not always easy to guess someone's username whereas people leave their fingerprints everywhere they go.

Re:

[mjwalshe]

only some people can remember 10 digit numbers dyslexics have severe difficulties in remembering more than 3

Re:

[JustOK]

You mean more than 2.718281828 ?

Re:

[Imrik]

Most people don't actually remember phone numbers anymore.

Dear Mastercard,

[Anonymous Coward]

Fuck off. You're not getting my fingerprints.

Yours Sincerely,

an ex-customer.

Biometrics

[TheRecklessWanderer]

The biggest problem with successfully implementing biometrics right now is the perception that the public has that you can take a number generated by a finger print reader and make a usable finger print. Having said that there is also the issue of false positives and false negatives. I doubt it will really circumvent much fraud, because much of it is online where fingerprint reading never comes into it. (Source is a 2009 LexisNexis study behind a paywall). It will stop the casual thief and maybe some ca

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[Bite The Pillow]

Your carefully reasoned plan will not work because money is involved.

Shut down payment processing of which they get a percentage, plus interest, without being exposed to fraud? No.

New card is cheap, investigations cost money. Ask why this is being considered, and it is obvious. The business plan is money, not security.

Fingerprints are IDs, not passwords

[thb3]

Fingerprints are a great way to ID someone, but not for passwords.

There are better ways.

[Anonymous Coward]

The system of telling someone a secret to identify your self and thus authorize something is inherently stupid. I con't care if its a credit card number, security code, or finger print.

We have public key cryptography, there is no reason to tell every vender you make a purchase from enough information to allow them to make arbitrary purchases. They should provide you with a request, which you can sign/authorize with your private key. This signed transation request goes to the payment processor (mastercard in this case). Then they can, if you dispute the validity of it. provide the signed request as proof that someone with your private key (which they don't have, and you never give out) authorized it. Thus they are more resistant to false fraud claims, you are more resistant to identity theft/fraudulent purchases.

Its clearly a Win/Win, but requires you to have a "smart card" of some kind thats capable of displaying some minimal information, lets you select to authorize or not. The transfer of data to and from the card, and the powering of it would be easy to do over NFC, and it just needs enough of a display to show the amount. It should be possible to make such a device for ~5$ in large quantities, but you could also just use a smart phone.

You obviously would want a system where you could contact the payment processor and update your public key incase your card is stolen (generally, changing your key frequently isn't a bad idea, assuming you have some nice way to authenticate to change it, like using a key you don't carry around with you).

Also, its trivial to allow such a system to transfer money in either direction, and extend it to multiple payment processors and currencies (open the standards for the interface, so you can make a single card that works with mastercard, bitcoin, visa, etc).

Do to the reduced rates of fraud, liability and thus fees can be reduced, and even the potential for privacy is added (unique keys for each transaction + third party payment processors which work as proxies and protect the content of your purchase from the actual payment processor+credit card company, and protect your identity from the store). Even things like bitcoins and cham tokens could be used if you really wanted to go privacy crazy.

So, why arn't stores using such a lower risk, lower fee, more secure and more user friend system? Because the payment processors have a monopoly and like it this way. Don't buy into their stupid schemes like finger print id; they just want to keep their monopoly, and access to all that valuable data you provide, and all those fees the venders provide. Better security (and privacy) is trivial, and this is not how to get it. Privacy is impossible with the finger print system, and the security isn't good either.

Re:

[Areyoukiddingme]

This would go a long way. The problem is public/private crypto is just slightly complicated. It's impossible to explain in a 5 second sound bite. The current system is a 2 second sound bite. "Swipe card. Sign."" How do you explain public/private crypto?

The following script should be read by John Cleese and Terry Gilliam.

John: "Get the merchant's public key."
Terry: "Ok, how do I do that?"
John: "Get out your phone and run the key management app from you bank."
Terry: "What app?"
John: "Ok, go get the app."
Terry: long pause "Uh, I can't find it."
John: "Here, let me see that... yeah, here it is. No wait. This is Bonk of America. How did that get through the review process... Hold on... yeah, ok, here it is. It's installed. Now you start it up."
Terry: "Uhm. Where is it?"
John: "I dunno. Look on the next page."
Terry: page page page "I can't find it."
John: "What? It's gotta be there. Didn't you see your bank logo?"
Terry: "I dunno. What's my bank's logo look like?"
John: "I dunno. Just look for the name."
Terry: page ... page ... page ........ page back .... page "Oh here it is. Ok, started. Now what?"
John: "Tap 'Scan Public Key.' "
Terry: "I don't have that."
John: "What? It should say..."
Terry: "It wants to know if I want to sign up for free checking."
John: "Oh. Make it go away."
Terry: "Now it wants to know if I want to order checks."
John: "Yeah, make that go away too."
Terry: "Now it wants to know if I've heard about their low low rates on car loans."
John: "Bugger. Make that go away too."
Terry: "Now it wants to know..."
John: "What?!"
Terry: "Just kidding. I've got buttons."
John: "Ok, tap 'Scan Merchant Code.' "
Terry: "I don't have that."
John: "What?? Let me see that... What IS all this crap..." scroll scroll scroll "Here it is, at the bottom. Push this."
Terry: "Ok. It says Ready. It looks like it's ready to take a picture. Is that right?"
John: "YES! At last. Ok, take a picture of this card."
Terry: "Ok..... wait. It didn't do anything."
John: "What?"
Terry: "Yeah, nothing. I always touch it just here to take a picture. It didn't work."
John: "Are you sure?"
Terry: "Of course I'm sure. Nothing happened."
John: "Read the display. Is there a button somewhere?"
Terry: "Maybe. There's this thing that says 'Go' over in the far corner. Should I hit that?"
John: "Uhm, yeah, I guess. My bank's app calls it 'Capture' and it's in the other corner."
Terry: "Ok, got it. No wait. It says it failed."
John: "Were you aiming at this card?"
Terry: "Oops. No. Let me try again... What the hell? I'm back at the main interface. Where was that option?"
John: "All the way to the bott..."
Terry: "Right, the bottom." scroll scroll scroll It's not here.
John: "WHAT?!"
Terry: "I'm telling you, it's not here!"
John: "Scroll back up."
Terry: scroll scroll scroll "Oh, here it is. At the bottom of the first page. In gray. With a tiny button. All I saw was the giant red glittery animated thing that said 'Apply for a car loan now! Now! NOW!'"
John: "Ok, try again."
Terry: "Yeah, ok." click "Yeah, it says it captured a key for 'Home Despot' and wants to know if it should save it."
John: "Home... ?"
Terry: "Despot."
John: "Are you sure?"
Terry: "Yes."
John: "Let me see that.... Despot. It says Despot. What is this?"
Hapless Cashier (played by Terry Jones): "Sorry sir. It's the correct code card. They spelled it wrong. Very sorry. They're supposed to give us replacement cards."
John: "When?"
Hapless Cashier: "Uh, soon."
John: "When's soon?"
Hapless Cashier: "Sorry sir, I don't know."
John: "How long as it been?"
Hapless Cashier: "A week."
John: "A week?"
Hapless Cashier: "Yes sir, a week."
John: "Ok ok ok, fine, we'll use it. Here."
Terry: "Ok, what do I do now?"
John: "Now you have to give them your public key code."
Terry: "Ok, how do I do that?"
John: "Find the option..."
Terry: "Right." scroll scroll scroll "Here it is..... ... Uhm. it doesn't work."
John: "WHAT?!?!?!"
Terry: "It doesn't work! See, it's greyed out!"
John: "Why is it greyed out?!"
Terry: "I don't know! How would I know?!"
Hapless Cashier: "Uh."
John: "WHAT?!"
Hapless Cashier: "Uh, it's because he has to generate a key pair."
John: "What? Are you sure?"
Hapless Cashier: "Yes sir."
John: "It doesn't do it automatically?"
Hapless Cashier: "No sir."
John: "It has to be told?"
Hapless Cashier: "Yes sir."
John: "Tell it to generate a key pair."
Terry: "Ok". scroll scroll scroll "I don't have that option."
John: long suffering sigh "You mean you didn't see it."
Terry: "No, I mean I don't have that option."
John: "Right. What do you have?"
Terry: "Apply for a car.."
John: interrupting "Besides that."
Terry: "Apply for a mortgage."
John: "Not that."
Terry: "Apply for a credit card."
John: pregnant pause "Not that."
Terry: "Make payment."
John: "Not that, but remember it for later."
Terry: "Change address."
John: "Not that."
Terry: "Change phone number."
John: "Not that."
Terry: "Change email."
John: "Not that."
Terry: "Create PIN."
John: "Not that."
Terry: "Change PIN."
John: "Not that."
Terry: "Catch fire."
John: stare
Terry: "Sorry, couldn't resist. It says 'Make a key.' "
John: "Yeah, that."
Terry: "It says I should shake my phone around."
John: "Yes, you have to shake your phone around."
Terry: "I do?"
John: "Yes."
Terry: "Wouldn't that make me look a bit of a tit?"
John: "Maybe, but you have to do it anyway."

I could go on, but I'm not getting paid to write scripts. I think I've made the point. Possibly bludgeoned the point... (On reviewing the script, the instructor character is more Jo

Keep the fingerprint on the device...

[John.P.Jones]

The key is to not use the fingerprint as a key for online authentication, we have a technique for that it is called cryptographic keys (either symmetric or asymmetric). Now people are generally bad at remembering these strong keys (and even worse at using them) so instead they use a trusted device (used to be a desktop computer but that day is past, now its a phone) to both store and use those keys. The user can then authenticate locally to their device using a less strong mechanism (traditionally passwords). Apple has this right, the device is the only thing that needs to use the fingerprint to authenticate the user (local authentication is by its nature two factor since you need the device). There is no advantage & clear disadvantages to using fingerprints directly for online authentication (passwords too as we have seen time and time again).

Wrong Technology / Wrong Solution

[bradgoodman]

I can (half) see using "biometric" data in something like a grocery store. You swipe your card, and have to press your finger against the scanner in the store. No fingerprint match - no groceries.

But to insist on using "biometric" data for "online" purchases - how are they expecting to receive the biometric data? Through a scanner on the *users* computer? Even if it was done by some sort of credit-card hardware - you are now relying on not *biometric* data - but just *data* - as the users' computer has to

Yet despite all the discussion...

[tlambert]

Yet despite all the discussion... MasterCard remains about as relevant as Diners Club.

Credential requirement

[Todd Knarr]

I have one basic requirement before I'll use a logon credential system: I must be able to change the credential in the event it's compromised. If I can't recover from a compromise by changing the credential so it's no longer available to whoever compromised it, I won't use it. I never ever want to be in a position where my login has been compromised, I have to continue using it and I can't make it so the bad guy can't use it anymore.

The people pushing biometrics are handwaving away the difference between id

Who Says MC Actually cares about Your Security?

[rueger]

A lot of years ago I spent some time with a Canadian guy who more or less invented the idea of no-name white box cash machines up here. I think we talked about his "high-end" Quake gaming rig....

In any event, one topic of discussion was the technology behind bank cards and debit cards. I can still recall him telling me that the bank card was about the most insecure thing ever invented, and that using four-digit PIN was pretty much laughable.

In his words, "You do not want to trust these things."

So

Industry Not Known For Intelligence

[Anonymous Coward]

The Chaos Computer Club put it nicely: "It is plain stupid to use something that you cant change and that you leave everywhere every day as a security token."

In Soviet Russia...

[JoeSchmoe007]

...Fingerprint changes you???

Very likely fueled by the sensor manufacturer

[khrome]

So, having worked in this industry:

1) There are many much more insecure areas (card cloning comes to mind) which already have solutions ( http://www.magtek.com/V2/products/secure-card-reader-authenticators/bullet.asp ), and nearly 0 adoption. Why is everyone suddenly jumping on the fingerprint bandwagon?

2) There is no point in more physical security: The card issuers guarantee the safety of cardholders funds and merchants tend to be very touchy about missing funds (the traditional 30 day lag of AMEX *seriously* affects their market penetration, and there's a massive effort to do statistical fraud analysis at a high level, so truthfully a very basic security at the register is effective, because card fraud stays at a relatively fixed level (it could be even better but that would lead to more false positives and worsen the customer experience)), the cost of the round of hardware upgrades for the whole network far exceeds the cost of fraud.

3) What makes *sense* is to let consumers swipe their own cards so they can have card-present transactions from their own home, in conjunction to card profiling tech like the link above (it builds a 'fingerprint' of the iron filings suspended in your magswipe to preventing cloning).

4) This sounds like an attempt to me to reduce the number of card present transactions (which are much less expensive for the merchant) and make more money by claiming a larger percentage of the transaction and to fuel a round of upgrades at the register, much like when checks switched from magnetic ink to frontal scans (check21), which also had little to do with fraud and was mostly a internal cost reduction as well as eliminating some friction for depositors, but required widespread merchant upgrades(with those upgrades not helping the merchant at all).

5) I'm not sure how PIN security factors in here, since debit pins use an injectable encryption scheme that is performed *on* the pinpad which is injected onto it in a *tightly* controlled process. It is a completely different protocol (at least in the US).

6) There have been a number of transaction network breakins, and I for one (knowing some of the players in this space), would *never* want any kind of data on their servers that could not be reissued.

I like clunky passwords and spending slowdowns

[gnerdalot]

"The goal is to replace clunky passwords and take friction out of logging on and purchasing using mobile devices." Also slows down my impulsive purchases - I don't see the problem.

I raise a finger to the idea!

[Impy the Impiuos Imp]

1. Hack and get the files.
2. Someone writes a 3D printer conversion utility.
3. Print fake fingers.
4. Illegally profit!

I left out the ??? step because it wasn't needed.

Don't allow them to have your prints...

[markdavis]

This is just stupid.

Fingerprints are left all over the place and can be used in ways that are opposed to freedom and privacy. You should never allow your prints to be registered, if you can avoid it.

If they want to use a safe biometric, it would have to be a vein pattern or retinal scan. Something that can't be obtained without permission/participation and can't be easily replicated.

NO

[SomeRADDude]

How about just NO!

No. Use one time passwords or parallel auth

[Hyperhaplo]

Some banks issue a key fob for which generates a 6 digit number when the button is pressed. To logon to the bank's website you need your username, your password and a six digit number. This provides two factor identification - that which you know (username and password) and that which you have (keyfob to generate the one time password).

This system works very well. You can't logon to the bank's internet banking website without both whatyouknow and whatyouhave and once you are logged in you can not use major

Re:

[viperidaenz]

Some banks go a step further. The keyfob has a keypad and requires a pin code to unlock it. too many invalid attempts brick the thing.

Rabo do this. It's a pain in the ass though, entering challenge codes every time you want to transfer your money via internet banking, even after authenticating. The logon only gives you read only access.

Chp and Pin

[David_Hart]

Chip and Pin, in use in Europe and Canada, is 1000x better than fingerprints for multiple reasons, not the least of which is personal privacy. There is NO way that I would trust any corporation with my fingerprints. It's bad enough that the credit card companies have my social security number.

Re:

[profplump]

It's definitely better. Though if the banks were even marginally more willing to subscribe to a standard for data exchange it could be 1000 times better. For example, the current system does not allow the retailer to ensure that the same transaction type they requested was actually used in the approved transaction.

Re:

[TomGreenhaw]

They are already mandating that here in 2014.

and if your fingerprints don't scan, then?

[Nicholas Cullingham]

I dealt with fingerprint scan failure at SeaWorld San Diego last year. I get cracked skin in our dry winters, mainly on my fingers. Based on my experience with dermatologists, it's not that uncommon around here. They ended up accepting that my fingers wouldn't scan - thank goodness for a human in the loop. Getting locked out of banking because of dry skin would be a pretty epic fail here.

Re:

[viperidaenz]

If my contactless credit card doesn't work wirelessly, I can insert it in to the chip reader. If that doesn't work I can swipe the mag strip. If that doesn't work. the poor guy behind the counter can get out his zip-zap machine and take a physical imprint copy of my credit card on the carbon paper stuff VISA hands out. Or I could purchase it online, with the set of 3 numbers.

The last thing a credit card company want is for their customer to not be able to spend money and generate them revenue.

Does not work

[arthurpaliden]

I once saw demo given by a security expert fooling a fingerprint scanner with a print lifted with a gummy bear.

FIDO is not just about fingerprints

[axlash]

Most of the comments here seem to be focusing on FIDO being all about identification via fingerprint, when in fact, the standards it is seeking to develop also include 2FA authentication. There's nothing saying that Mastercard might not in the end opt for 2FA.

Uh... no. I do not want.

[mark-t]

Even though proponents would argue that biometrics take orders of magnitude more effort to crack or defeat (a dubious claim, but giving them the benefit of the doubt), it's impossible to escape the fact that if or when a biometric security system *IS* cracked, then it's game over for the person who was hacked, since changing his biometrics is not an option, whereas if your PIN is hacked, you can at least change to a new one to keep the damage from recurring in the future.

Horrible

[Trogre]

What a horrible idea, but at least it's better than Visa, who seem to think you don't need any authentication at all now, with their retarded "PayWave" system they're pushing onto all their customers.

Hash the fingerprint

[TomGreenhaw]

If your fingerprint is hashed with a well protected device unique ID, that eliminates anyone from easily hijacking your finger print identity and you get a new code when you register a new device. Good authentication is generally based on 3 things - something you are, something you have and something you know. Chip and PIN is have and know. Mag strip cards are have and know (how to write your signature but seldom checked); eCommerce is just know and shipping location. Apple is the first of I'm sure many t

Re:

[viperidaenz]

Something you are cannot be changed. Once it is discovered, it is a pointless part of the equation.
Like how that guy took a photo of a glass, photo-shopped it, printed it on to plastic on a laser printed, smeared if with wood glue, peeled it off and used it to unlock an iPhone 5S.

Now your iPhone and its contents are accessible to anyone with a printer, a camera and anything you've touched, at any time in recent history.

Re:

[TomGreenhaw]

Something you are hashed with a device unique ID can be changed. They would also need your device and your PIN or password to access your data. I'm not necessarily defending the iPhone, but suggesting a way to save the convenience of fingerprint scanning. If your phone is lost or stolen, have it bricked or wiped remotely. Also, don't store anything sensitive on a device that's easily lost or stolen.

Uh oh

[viperidaenz]

To meet our password policy, you'll need to change your finger print every 30 days.

Re:

[0123456]

What is wrong with MasterCard's already implemented SecureCode?

Other than being a fscking disaster that encourages people to hand personal information to unknown web sites?

Re:

[viperidaenz]

Once you're dead, you wont mind if someone cuts off your finger...

Re:

[viperidaenz]

Your finger prints are publicly accessible.