Mastercard to add fingerprint sensors to cards, won't follow strict Apple Pay security pol...

Posted:
in iPhone
Mastercard is reportedly testing cards that integrate a fingerprint sensor, intended to offer a more convenient alternative to entering a PIN. Unlike Apple Pay, however, the cards would lack a series of important security features.


Looks close to apples, but its really closer to bananas. Source: Engadget


A report by Cherlynn Low for Engadget noted that the new biometric cards are currently being tested in South Africa, and that MasterCard hopes to roll them out globally by the end of 2017.

Low claimed that "our fingerprints are quickly replacing PINs and passwords as our primary means of unlocking our phones, doors and safes," saying, "they're convenient, unique, and ultimately more secure than easily guessed or forged passwords and signatures. So it makes sense that fingerprint sensors are coming to protect our credit and debit cards."

However, all fingerprint sensors are not alike. Low described Mastercard implementation as involving a trip to "an enrollment center," where a user could store one or two different prints (of their own) on their card.

"An encrypted digital template of your fingerprint is stored on the card's EMV chip," Low noted. The new cards authenticate when a matching fingerprint is supplied by the user after inserting the card into a Chip and Pin terminal (not swiped). The card sensor would also not work when used in an ATM that ingests the card.

Not like Apple Pay

The most obvious difference between a credit card with sensor and Apple Pay is the convenience advantage of Apple Pay over "Chip and Pin" cards: nothing needs to be inserted. The transaction time is nearly instant, compared to (particularly in the United States) a lengthy period of inserting a card and waiting for the transaction to complete.


Apple Pay is firstly fast, but more importantly secure


However, Mastercard's reported implementation is also radically different in its security policy compared to Touch ID and Apple Pay on iPhones and iPads and the new MacBook Pro. In Apple's implementation, fingerprints are not stored on the device at all.

Instead, representative information that can verify a user's fingerprint is copied in one direction to a Secure Enclave within the Application Processor. When a user touches the Touch ID sensor, print data is sent to the Secure Enclave and compared to determine if it matches. If it does, it approves the transaction as a separate computer system.

If a false print is supplied too many times, Apple Pay and the Touch ID authentication is disabled, and the user must unlock the device manually with a passcode. If Touch ID isn't used within 48 hours, authentication is also reset, requiring a passcode again.

Additionally, if the device loses power, the authentication system is also turned off until a passcode is used to unlock the device. All of these precautionary steps are taken to protect the user from repeated false attempts on a stolen device.

Fingerprint sensors are not all the same

Unlike an iPhone, the card-embedded Mastercard EMV chip is always powered off. There is no battery in the card. Instead, it is powered up only when it is inserted into a card reader, which provides power during the transaction.

This obviously means the print data isn't disabled when power is lost (because it's lost all the time when it's not in use), meaning that a lost card could be attacked with a false print at any point between being lost and discovered and reported stolen. It never resets.

Additionally, it's less clear how the chip stores the data. Fingerprint readers used on devices running Google's Android or Microsoft Windows--and built by leading, ostensibly tech savvy hardware makers including Samsung, HTC, Toshiba and Lenovo--don't follow the same security policy Apple created for Touch ID and Apple Pay.


Who needs facts when you can just be snarky?

Android fingerprint sensors have been a security mess

Initially, Android phones with fingerprint sensors (including the HTC One Max and Samsung Galaxy S5) stored fingerprint data irresponsibly in a way that allowed an attacker to extract fingerprint data from device storage.


Samsung Galaxy S5 claimed a fingerprint sensor "just like iPhone," except that it was slow and didn't secure users' prints or data


Security firm ElcomSoft noted that HTC stored fingerprints in an "uncompressed, unencrypted and unprotected bitmap at /data/dbgraw.bmp. Developers didn't bother assigning this files permissions other than 0666 (world readable), meaning that any process, even without root privileges, could easily read and extract fingerprints."

With Android 6, Google began implementing some minimum standards on fingerprint policy when it introduced "Nexus Imprint" as an answer to Touch ID. However, while Google appears to follow its own standards, security experts at ElcomSoft described other Android fingerprint security as "widely inconsistent."

Among the issues: Android hardware makers can build phones that enable fingerprint unlock after a reboot; they don't have a mandated 48-hour expiration time like Apple's Touch ID.

While modern Android 6 or later devices are mandated to use Trusted Execution Environment for storing fingerprint information, any attacker that can compromise the OS kernel can unlock the device and decrypt the entire phone. That isn't possible on iOS.

Replacing the Touch ID sensor and replacing it with an unauthorized sensor renders an iOS device unable to use Touch ID or Apple Pay. That isn't the case on Android, where a compromised sensor can be installed.

Additionally, only 36 percent of the Android installed base is currently even using a fairly modern version of Android (since 6.0) designed to coach hardware makers into building more secure fingerprint systems. And Google's Full Disk Encryption implementation is so slow (and bad) that it is generally turned off, rendering all the security of the fingerprint sensor worthless.

Windows PCs similarly slopped out worthless fingerprint sensors

Several years before Apple made Touch ID popular on iPhones starting in 2013--backed by a strong security policy--a series of PC makers issued Windows laptops with UPEK fingerprint sensors billed as offering strong alternative security: Acer, Amoi, ASUS, Clevo, Compal, Dell, Gateway, IBM/Lenovo, Itronix, MPC, MSI, NEC, Sager, Samsung, Sony and Toshiba.


Fingerprint sensors on Windows PC notebooks were not secure


However, security researcher Olga Koksharova reported that the sensor "stores Windows account passwords in the registry 'almost in plain text, barely scrambled but not encrypted,'" resulting in "nothing but a big, glowing security hole compromising (and effectively destroying) the entire security model of Windows accounts."

Hopefully, the brains behind the incredibly slow and clumsy EMV Chip and Pin cards are more careful with security than the likes of Samsung and Lenovo. In any case, there's no way they can implement the same kind of security policy that Apple developed for Touch ID and Apple Pay, simply because credit cards aren't self-powered smartphones.
watto_cobra
«13

Comments

  • Reply 1 of 45
    sog35sog35 Posts: 12,408member
    This sounds like a HORRIBLE idea. HORRIBLE.
    georgie01watto_cobra
  • Reply 2 of 45
    lkrupplkrupp Posts: 4,726member
    And of course the fake techies pontificate all over tech blogs claiming that fingerprint sensors are ‘trivial’ to bypass. Why there are even YouTube videos showing how it’s child’s play to take over an iPhone with a few swipes of a finger. Or is all that simply smelly bullshit?
    edited April 20 watto_cobra
  • Reply 3 of 45
    SpamSandwichSpamSandwich Posts: 26,254member
    Wouldn't be that big of a deal for Apple to start their own credit card company... or bank. Just sayin'. Remember, Apple has Susan L. Wagner on their BOD. She co-founded BlackRock.


    edited April 20 watto_cobra
  • Reply 4 of 45
    also "In any case, there's no way they can implement the same kind of security policy that Apple developed for Touch ID and Apple Pay"

    Here's a tip DED - Apple Pay is just VSTS - Visa Token Services 
    https://usa.visa.com/partner-with-us/payment-technology/visa-digital-solutions.html and guess what, it's just as secure as the other systems. 


    adm1
  • Reply 5 of 45
    sog35 said:
    This sounds like a HORRIBLE idea. HORRIBLE.
    How in the world does it sound horrible? It sounds great to me for those that don't know how or want to use Apple Pay.
  • Reply 6 of 45
    also "In any case, there's no way they can implement the same kind of security policy that Apple developed for Touch ID and Apple Pay"

    Here's a tip DED - Apple Pay is just VSTS - Visa Token Services https://usa.visa.com/partner-with-us/payment-technology/visa-digital-solutions.html and guess what, it's just as secure as the other systems. 


    The issue isn't tokenization. it's how the hardware can be attacked. If you read the article that jumps out rather clearly. 

    Also, you don't hand your phone to random merchants. You do frequently do this with cards, particularly in the US. That give anyone access to a card with your prints already all over it for a long enough time to capture your print data while in possession of the card. 

    So all around, having a sensor on the card is radically worse in terms of real world security than having an expensive phone that you don't hand around to others. 

    Your criticism is welcome, but if you keep posting abusive comments your account will be terminated. Forums are provided for intelligent discourse on articles. 
    chiarob53Solimanfred zornStrangeDaysdysamoriapscooter63watto_cobra
  • Reply 7 of 45
    SpamSandwichSpamSandwich Posts: 26,254member
    also "In any case, there's no way they can implement the same kind of security policy that Apple developed for Touch ID and Apple Pay"

    Here's a tip DED - Apple Pay is just VSTS - Visa Token Services https://usa.visa.com/partner-with-us/payment-technology/visa-digital-solutions.html and guess what, it's just as secure as the other systems. 


    With Apple Pay, there's no credit card involved and no need to divulge personal details to retailers or online shops which may be hacked, or in the case of physical stores, bad employees may decide to help themselves to this information.
    Soliwatto_cobra
  • Reply 8 of 45
    also "In any case, there's no way they can implement the same kind of security policy that Apple developed for Touch ID and Apple Pay"

    Here's a tip DED - Apple Pay is just VSTS - Visa Token Services https://usa.visa.com/partner-with-us/payment-technology/visa-digital-solutions.html and guess what, it's just as secure as the other systems. 


    With Apple Pay, there's no credit card involved and no need to divulge personal details to retailers or online shops which may be hacked, or in the case of physical stores, bad employees may decide to help themselves to this information.
    As per the VISA link, Apple Pay is just VSTS - a Visa implementation of tokenization. The other payment systems listed on the Visa page (Android Pay, etc) do the same and offer the same protection.
  • Reply 9 of 45
    boredumbboredumb Posts: 1,344member
    Just another chip off the same old unsecure block...
    watto_cobra
  • Reply 10 of 45
    SoliSoli Posts: 2,897member
    "Mastercard's reported implementation is also radically different in its security policy compared to Touch ID and Apple Pay"
    "Additionally, it's less clear how the chip stores the data."

    Why the hell does AI keep this idiot around with his articles? What a disgrace.
    What issue are taking with those sentences?
  • Reply 11 of 45
    coolfactorcoolfactor Posts: 1,061member
    also "In any case, there's no way they can implement the same kind of security policy that Apple developed for Touch ID and Apple Pay"

    Here's a tip DED - Apple Pay is just VSTS - Visa Token Services https://usa.visa.com/partner-with-us/payment-technology/visa-digital-solutions.html and guess what, it's just as secure as the other systems. 


    With Apple Pay, there's no credit card involved and no need to divulge personal details to retailers or online shops which may be hacked, or in the case of physical stores, bad employees may decide to help themselves to this information.
    As per the VISA link, Apple Pay is just VSTS - a Visa implementation of tokenization. The other payment systems listed on the Visa page (Android Pay, etc) do the same and offer the same protection.

    You're missing the point. This article is about the security of the authentication device, not the transmission of that authentication to the banking system. Tokenization replaces that transmission process so that it can not be linked to a specific card/person en-route.

    This is about what can be used to authorize, and Apple Pay handles that aspect in a far more secure way than the competing options.

    You're correct that Apple Pay uses tokenization, but that's beside the point.
    waverboyStrangeDaysdysamoriapscooter63watto_cobra
  • Reply 12 of 45
    also "In any case, there's no way they can implement the same kind of security policy that Apple developed for Touch ID and Apple Pay"

    Here's a tip DED - Apple Pay is just VSTS - Visa Token Services https://usa.visa.com/partner-with-us/payment-technology/visa-digital-solutions.html and guess what, it's just as secure as the other systems. 


    The issue isn't tokenization. it's how the hardware can be attacked. If you read the article that jumps out rather clearly. 

    Also, you don't hand your phone to random merchants. You do frequently do this with cards, particularly in the US. That give anyone access to a card with your prints already all over it for a long enough time to capture your print data while in possession of the card. 

    So all around, having a sensor on the card is radically worse in terms of real world security than having an expensive phone that you don't hand around to others. 

    Your criticism is welcome, but if you keep posting abusive comments your account will be terminated. Forums are provided for intelligent discourse on articles. 
    Please do tell how the hardware can be hacked.

    "There is no battery in the card. Instead, it is powered up only when it is inserted into a card reader, which provides power during the transaction. 

    This obviously means the print data isn't disabled when power is lost (because it's lost all the time when it's not in use), meaning that a lost card could be attacked with a false print at any point between being lost and discovered and reported stolen. It never resets."

    EMV cards (the "chip") in the credit card is a really sophisticated piece of technology with processor(s) as well. These things wipe themselves securely when they detect tampering, and are fully encrypted. This technology has all but killed the satellite/cable hacking cards from years ago, and it's proved almost impossible to clone a chip/pin card. The EMV "hacks" that was published at BlackHat a few years ago was about a man in the middle due to bad implementations on the card reader software, nothing with the card itself. If someone is able to hack this hardware, they have managed to create a billion dollar industry for themselves across many systems.

    So no, based on the capabilities of the chips and the success it has shown on previous implementations I don't believe that there is much cause for concern.
    adm1
  • Reply 13 of 45
    SoliSoli Posts: 2,897member
    Scenario: I lose my credit card.
    Action: I have to order a new card, and remove that card from my Watch, iPhone, iPad, and Mac.

    Scenario: I lose my iPad.
    Action: I can hopefully find my iPad via Find my iPhone, but if not I can report it Lost, have it ping me if/when it comes online, and have all cards associated with Apple Pay removed, without having it affect my other devices or require me to replace a single physical card.

    I'll take the second scenario any day.
    waverboydysamoria
  • Reply 14 of 45
    sflocalsflocal Posts: 3,656member
    However, all fingerprint sensors are not alike. Low described Mastercard implementation as involving a trip to "an enrollment center," where a user could store one or two different prints (of their own) on their card.

    The last couple years was horrible for me due to my newly-replaced credit cards being deactivated again because of suspicious activities.  Visa, the bank, whomever is responsible for keeping my cards secure obviously showed me that they do not have the chops to handle the never-ending challenging of secure transactions.  I still recalling having a rather verbal talk to my bank about my newly replaced cards being compromised after a couple months from a 3rd party.  I was frustrated.

    That being said, if Visa thinks I'm going to an "enrollment center" to hand over my fingerprints to imprint on some card, I have three words for them: "NO F#CKING WAY".  The thought of some hacker infiltrating their system and have access to this kind of data certainly brings me pause.  

    I trust Apple to keep my things secure.  They've proven that to me.  The banks and Visa?  Hell no.

    DED... you're doing fine and I enjoy your articles.  This BillyBob character was obviously being a jerk in the beginning.  It would be interesting to go into more detail about this. There seems to be some vague areas, but I think it's more on MasterCard's side than yours.  I enjoy your articles.  Keep it up. 

    SoliroundaboutnowStrangeDayswatto_cobra
  • Reply 15 of 45
    As long as thi is only convenience option it is good. Otherwise you cannot make purchases when fingerr prints are damaged. Ask car mechanic how many times he has cut or oil etched finger tips. Not everybody is in this world is geek sitting at computer typing some fancy content of electronic information era. Most people are actually not.
  • Reply 16 of 45
    SoliSoli Posts: 2,897member
    As long as thi is only convenience option it is good. Otherwise you cannot make purchases when fingerr prints are damaged. Ask car mechanic how many times he has cut or oil etched finger tips. Not everybody is in this world is geek sitting at computer typing some fancy content of electronic information era. Most people are actually not.
    Even then I don't trust a biometric to be more secure than a code submitted to memory. I also don't like that you need to include a bank, some transmission, and MasterCard to code the card with your print algorithm. With Touch ID it's all local, and after 5 failed attempts, or a restart you need to input your passcode. Since this card will almost always be without power there can be no such chain of security every time it powers on.
  • Reply 17 of 45
    I think that like many industries trying to keep the status quo, MasterCard is trying to keep people using physical cards longer.  I find that physical cards are limiting as they take up physical space; and like the many other cards which you have to carry, like it or not, this becomes very tiresome.  I stopped carrying physical cards for many things with the advent of Apple's digital wallet and ApplePay.  I am sure that many people enjoy the ease of use of ApplePay and the freedom from their wallets which take up space in their pockets.  Yep.  I will enjoy just taking my phone with me on trips.  A wallet is just a little annoying.
    stompydysamoriawatto_cobra
  • Reply 18 of 45
    gatorguygatorguy Posts: 15,963member
    I think the takeaway should be a fingerprint enabled CC should be more secure than a chip-only card. Tap and pay with a mobile phone is a different animal. Both types of secure payment are complementary since there are times your smart device may not be usable for whatever reason thus requiring you to pull out a wallet and use an actual CC card. I would probably prefer one with a fingerprint chip if I need it. 
  • Reply 19 of 45
    SoliSoli Posts: 2,897member
    gatorguy said:
    I think the takeaway should be a fingerprint enabled CC should be more secure than a chip-only card. Tap and pay with a mobile phone is a different animal. Both types of secure payment are complementary since there are times your smart device may not be usable for whatever reason thus requiring you to pull out a wallet and use an actual CC card. I would probably prefer one with a fingerprint chip if I need it. 
    But how is it secure if there's no passcode to verify your biometric between power cycles or too many failed attempts? How is it secure when you're sending your fingerprint data through countless hands and computers over just keeping it local. I trust Samsung Pay more than this setup.
  • Reply 20 of 45
    gatorguygatorguy Posts: 15,963member
    Soli said:
    gatorguy said:
    I think the takeaway should be a fingerprint enabled CC should be more secure than a chip-only card. Tap and pay with a mobile phone is a different animal. Both types of secure payment are complementary since there are times your smart device may not be usable for whatever reason thus requiring you to pull out a wallet and use an actual CC card. I would probably prefer one with a fingerprint chip if I need it. 
    But how is it secure if there's no passcode to verify your biometric between power cycles or too many failed attempts? How is it secure when you're sending your fingerprint data through countless hands and computers over just keeping it local. I trust Samsung Pay more than this setup.
    MORE secure than a simple chip card. Not more secure than Apple Pay/AndroidPay/SamsungPay
Sign In or Register to comment.