Mastercard to add fingerprint sensors to cards, won't follow strict Apple Pay security pol...

2

Comments

  • Reply 21 of 45
    Soli said:
    Scenario: I lose my credit card.
    Action: I have to order a new card, and remove that card from my Watch, iPhone, iPad, and Mac.
    Here's something interesting: my wife "lost" her Discover card shortly after adding it to Apple Pay (I say "lost" because a couple of months later she found it in her driver's door side pocket). She notified Discover who sent a new card with a new number and said it would arrive in 7-10 days. However, the person at Discover also said, "I noticed you have added your card to Apple Pay. That will continue to work for you uninterrupted."

    So, even though her physical card would have a new number on it that didn't affect her ability to use Apple Pay. My wife never had to remove or add another card, Apple Pay just continued to do its thing. 
    edited April 2017 watto_cobra
  • Reply 22 of 45
    linkmanlinkman Posts: 1,035member
    This fingerprint sensor card is being brought to you by the same bunch that decided that the chip + signature is a better idea than the chip + PIN (in the US at least). Yeah, that signature verification works awesomely. /s
    watto_cobra
  • Reply 23 of 45
    dysamoriadysamoria Posts: 3,430member
    sflocal said:
    However, all fingerprint sensors are not alike. Low described Mastercard implementation as involving a trip to "an enrollment center," where a user could store one or two different prints (of their own) on their card.

    The last couple years was horrible for me due to my newly-replaced credit cards being deactivated again because of suspicious activities.  Visa, the bank, whomever is responsible for keeping my cards secure obviously showed me that they do not have the chops to handle the never-ending challenging of secure transactions.  I still recalling having a rather verbal talk to my bank about my newly replaced cards being compromised after a couple months from a 3rd party.  I was frustrated.

    That being said, if Visa thinks I'm going to an "enrollment center" to hand over my fingerprints to imprint on some card, I have three words for them: "NO F#CKING WAY".  The thought of some hacker infiltrating their system and have access to this kind of data certainly brings me pause.  

    I trust Apple to keep my things secure.  They've proven that to me.  The banks and Visa?  Hell no.

    DED... you're doing fine and I enjoy your articles.  This BillyBob character was obviously being a jerk in the beginning.  It would be interesting to go into more detail about this. There seems to be some vague areas, but I think it's more on MasterCard's side than yours.  I enjoy your articles.  Keep it up. 

    Yeah Visa's system which i believe my bank utilizes is crap to me -- every single time i took it to Whole Foods it would suspend my card at the next transaction. Even if using Apple Pay, and even after changing the cards out. My same old, neighborhood store. Every time. This went on for months....I complained and complained and the bank customer service said there was nothing they could do, the system, yada yada... Finally it stopped doing it, tho nobody told me they've fixed it, so i never trust it. 

    Pretty lame stuff. 
    Wow. That's wonderful customer service :-p
    Drop the bank?
  • Reply 24 of 45
    dysamoriadysamoria Posts: 3,430member
    linkman said:
    This fingerprint sensor card is being brought to you by the same bunch that decided that the chip + signature is a better idea than the chip + PIN (in the US at least). Yeah, that signature verification works awesomely. /s
    I know people who's "signature" is nothing more than a scribble. Literally. No one ever gives them trouble for it. If they needed to dispute a charge with a signature, I have no idea how that would work other than saying "see, they wrote my name, I never do that". 

    I dont see signature as a security feature. Just a contractual thing.
  • Reply 25 of 45
    anomeanome Posts: 1,533member

    So this system can't be used with PayWave/Contactless Payment/whatever they call it where you wave your card at a reader? If it needs to be in the reader for the print reader to activate, that's a lot less convenient than ApplePay, or even Google Pay.

    watto_cobra
  • Reply 26 of 45
    neebongneebong Posts: 12member
    Soli said:
    Scenario: I lose my credit card.
    Action: I have to order a new card, and remove that card from my Watch, iPhone, iPad, and Mac.
    Here's something interesting: my wife "lost" her Discover card shortly after adding it to Apple Pay (I say "lost" because a couple of months later she found it in her driver's door side pocket). She notified Discover who sent a new card with a new number and said it would arrive in 7-10 days. However, the person at Discover also said, "I noticed you have added your card to Apple Pay. That will continue to work for you uninterrupted."

    So, even though her physical card would have a new number on it that didn't affect her ability to use Apple Pay. My wife never had to remove or add another card, Apple Pay just continued to do its thing. 
    As far as i can see, when you add a card to Apple Pay, your bank generates another card number for any transaction used within. If i look in my Apple Pay settings, the last 4 digits are different from the actual physical card. So your wife's "lost" card is only the physical one, not the Apple Pay one, i would assume that if you cancel your CC's association with Apple Pay the number would never be used again.

    I can remember a few years back, i got a statement from my bank for my new CC. It diddnt have the same number as my physical card, contacted the bank, and they were like...err.. your physical card actually has another number that we use "internally" for the likes of adjustments or refunds. 
    watto_cobra
  • Reply 27 of 45
    SoliSoli Posts: 10,035member
    Soli said:
    Scenario: I lose my credit card.
    Action: I have to order a new card, and remove that card from my Watch, iPhone, iPad, and Mac.
    Here's something interesting: my wife "lost" her Discover card shortly after adding it to Apple Pay (I say "lost" because a couple of months later she found it in her driver's door side pocket). She notified Discover who sent a new card with a new number and said it would arrive in 7-10 days. However, the person at Discover also said, "I noticed you have added your card to Apple Pay. That will continue to work for you uninterrupted."

    So, even though her physical card would have a new number on it that didn't affect her ability to use Apple Pay. My wife never had to remove or add another card, Apple Pay just continued to do its thing. 
    I've never seen that set up. On the two occasions I've had to replace a card since using Apple Pay, the removal of that card by the bank would also remove itself from my Apple Pay as soon I killed that physical card number on my account. I'm guessing that the card numbers generated for those devices acted as aliases or sub-card to the physical card number on their system, but there's no reason it has to work that way, and if Apple Pay was setup long before it was lost/stolen and you can verify your last purchase there's no reason to kill everything associated with it to the inconvenience of the customer.

    This open up a possible future where you are given a card number with a very narrow window to use with your Apple Pay set up before it expires, but I think we're a very long time away before that paradigm shift occurs so we'll be dependent on the physical card for set up even after *Pay becomes the most common method for digital payments.
    edited April 2017
  • Reply 28 of 45
    iushnt1iushnt1 Posts: 12member
    Where is Cali with his 'iknockoff' comment??
  • Reply 29 of 45
    SoliSoli Posts: 10,035member

    dysamoria said:
    linkman said:
    This fingerprint sensor card is being brought to you by the same bunch that decided that the chip + signature is a better idea than the chip + PIN (in the US at least). Yeah, that signature verification works awesomely. /s
    I know people who's "signature" is nothing more than a scribble. Literally. No one ever gives them trouble for it. If they needed to dispute a charge with a signature, I have no idea how that would work other than saying "see, they wrote my name, I never do that". 

    I dont see signature as a security feature. Just a contractual thing.
    The signature as security was been debunked a long time ago. Same goes for the clerk that wants to see your idea to match the signature. It's always with really low-cost stuff, too. You buy something expensive and no one even asks for ID, much less has some untrained sales clerk pretend they're handwriting experts.
  • Reply 30 of 45
    sflocalsflocal Posts: 6,092member
    Soli said:
    Scenario: I lose my credit card.
    Action: I have to order a new card, and remove that card from my Watch, iPhone, iPad, and Mac.
    Here's something interesting: my wife "lost" her Discover card shortly after adding it to Apple Pay (I say "lost" because a couple of months later she found it in her driver's door side pocket). She notified Discover who sent a new card with a new number and said it would arrive in 7-10 days. However, the person at Discover also said, "I noticed you have added your card to Apple Pay. That will continue to work for you uninterrupted."

    So, even though her physical card would have a new number on it that didn't affect her ability to use Apple Pay. My wife never had to remove or add another card, Apple Pay just continued to do its thing. 
    I had a similar experience.  I added my Visa card to ApplePay, a couple months later the card was suspended due to fraud, and they sent me a new card.  Never had to touch Apple Pay.  The new card was reflected in it without my having to do anything which was really nice.  I don't recall exactly what happened, but I think I remembered getting a message on my iPhone that my credit card in Apple Pay was updated.  
    Soliwatto_cobra
  • Reply 31 of 45
    SoliSoli Posts: 10,035member
    sflocal said:
    Soli said:
    Scenario: I lose my credit card.
    Action: I have to order a new card, and remove that card from my Watch, iPhone, iPad, and Mac.
    Here's something interesting: my wife "lost" her Discover card shortly after adding it to Apple Pay (I say "lost" because a couple of months later she found it in her driver's door side pocket). She notified Discover who sent a new card with a new number and said it would arrive in 7-10 days. However, the person at Discover also said, "I noticed you have added your card to Apple Pay. That will continue to work for you uninterrupted."

    So, even though her physical card would have a new number on it that didn't affect her ability to use Apple Pay. My wife never had to remove or add another card, Apple Pay just continued to do its thing. 
    I had a similar experience.  I added my Visa card to ApplePay, a couple months later the card was suspended due to fraud, and they sent me a new card.  Never had to touch Apple Pay.  The new card was reflected in it without my having to do anything which was really nice.  I don't recall exactly what happened, but I think I remembered getting a message on my iPhone that my credit card in Apple Pay was updated.  
    In Apple Pay, in the Info for the card, the last 4 digits of the physical card number changed to reflect the new card? That's awesome!
    watto_cobra
  • Reply 32 of 45
    avon b7avon b7 Posts: 7,622member
    linkman said:
    This fingerprint sensor card is being brought to you by the same bunch that decided that the chip + signature is a better idea than the chip + PIN (in the US at least). Yeah, that signature verification works awesomely. /s
    The signature feature is an archaic feature that was included along with a PIN option for historical reasons. It is your bank that actually decides which modules to load onto the chip and under which conditions.

    Often, signature  based transactions have to  be supported by valid ID but the option itself is largely turned off by banks anyway.

    In some cases it can aactually be more secure than a PIN as a result of social engineering.

    After a cursory reading I was surprised that no mention was made of the EMV protocol flaw that meant the system would accept any PIN provided you had the knowledge and simple tools on hand to trick the system.

    I wonder if they somehow fixed that in the end?


  • Reply 33 of 45
    also "In any case, there's no way they can implement the same kind of security policy that Apple developed for Touch ID and Apple Pay"

    Here's a tip DED - Apple Pay is just VSTS - Visa Token Services https://usa.visa.com/partner-with-us/payment-technology/visa-digital-solutions.html and guess what, it's just as secure as the other systems. 


    The issue isn't tokenization. it's how the hardware can be attacked. If you read the article that jumps out rather clearly. 

    Also, you don't hand your phone to random merchants. You do frequently do this with cards, particularly in the US. That give anyone access to a card with your prints already all over it for a long enough time to capture your print data while in possession of the card. 

    So all around, having a sensor on the card is radically worse in terms of real world security than having an expensive phone that you don't hand around to others. 

    Your criticism is welcome, but if you keep posting abusive comments your account will be terminated. Forums are provided for intelligent discourse on articles. 
    Steady on, I didn't see anything "abusive" in that post. If anything, his follow up posts contributed "intelligent discourse" as requested. Don't go all power mad on us.
  • Reply 34 of 45
    croprcropr Posts: 1,122member
    also "In any case, there's no way they can implement the same kind of security policy that Apple developed for Touch ID and Apple Pay"

    Here's a tip DED - Apple Pay is just VSTS - Visa Token Services https://usa.visa.com/partner-with-us/payment-technology/visa-digital-solutions.html and guess what, it's just as secure as the other systems. 


    The issue isn't tokenization. it's how the hardware can be attacked. If you read the article that jumps out rather clearly. 

    Also, you don't hand your phone to random merchants. You do frequently do this with cards, particularly in the US. That give anyone access to a card with your prints already all over it for a long enough time to capture your print data while in possession of the card. 

    So all around, having a sensor on the card is radically worse in terms of real world security than having an expensive phone that you don't hand around to others. 

    Your criticism is welcome, but if you keep posting abusive comments your account will be terminated. Forums are provided for intelligent discourse on articles. 
    The article does not mention that an EMV chip card has an encrypted storage mechanism (one could ask why?).  Data in that encrypted store cannot be read or copied as such.  The has been no known security breach of this data store since the creation of EMV cards in the nineties.  If the fingerprint information is indeed stored in that secured storage, and I have no reason to assume something else, then we can only say that this solution of Mastercard is a secure solution.

    The fact that iOS is not bugfree and the professional hackers have made use of the existing holes, just proves the opposite of you claim.  In the real world, an expensive iPhone does not reach the same level of security as EMV cards. (although the difference is small)

    gatorguysingularityavon b7
  • Reply 35 of 45
    adm1 said:
    also "In any case, there's no way they can implement the same kind of security policy that Apple developed for Touch ID and Apple Pay"

    Here's a tip DED - Apple Pay is just VSTS - Visa Token Services https://usa.visa.com/partner-with-us/payment-technology/visa-digital-solutions.html and guess what, it's just as secure as the other systems. 


    The issue isn't tokenization. it's how the hardware can be attacked. If you read the article that jumps out rather clearly. 

    Also, you don't hand your phone to random merchants. You do frequently do this with cards, particularly in the US. That give anyone access to a card with your prints already all over it for a long enough time to capture your print data while in possession of the card. 

    So all around, having a sensor on the card is radically worse in terms of real world security than having an expensive phone that you don't hand around to others. 

    Your criticism is welcome, but if you keep posting abusive comments your account will be terminated. Forums are provided for intelligent discourse on articles. 
    Steady on, I didn't see anything "abusive" in that post. If anything, his follow up posts contributed "intelligent discourse" as requested. Don't go all power mad on us.

    @Adm1:

           Actually DED was referring to the below post which was probably deleted by moderators, which we are unable to view now but Soli got a chance to read and reply to.


    Soli said:
    "Mastercard's reported implementation is also radically different in its security policy compared to Touch ID and Apple Pay"
    "Additionally, it's less clear how the chip stores the data."

    Why the hell does AI keep this idiot around with his articles? What a disgrace.
    What issue are taking with those sentences?


    Question to moderators: There are other forums which I read where abusive comments are deleted like AI. But the difference is - when others have already replied to that before the comment was deleted, the actual deleted content won't appear as such post deletion. It would just show "Deleted post" once the original comment is deleted for the entire thread. Can that not be implemented in this forum as well? Also an option to "Report" abusive comments like we have the "Like", "Informative" options?

    edited April 2017 watto_cobra
  • Reply 36 of 45
    plovellplovell Posts: 824member
    Soli said:
    Scenario: I lose my credit card.
    Action: I have to order a new card, and remove that card from my Watch, iPhone, iPad, and Mac.


    My experience is that if you report a card lost then it's automatically disabled for Apple Pay. You don't have to do it yourself. Only a sample size of "one" though.
    watto_cobra
  • Reply 37 of 45
    StrangeDaysStrangeDays Posts: 12,834member
    dysamoria said:
    sflocal said:
    However, all fingerprint sensors are not alike. Low described Mastercard implementation as involving a trip to "an enrollment center," where a user could store one or two different prints (of their own) on their card.

    The last couple years was horrible for me due to my newly-replaced credit cards being deactivated again because of suspicious activities.  Visa, the bank, whomever is responsible for keeping my cards secure obviously showed me that they do not have the chops to handle the never-ending challenging of secure transactions.  I still recalling having a rather verbal talk to my bank about my newly replaced cards being compromised after a couple months from a 3rd party.  I was frustrated.

    That being said, if Visa thinks I'm going to an "enrollment center" to hand over my fingerprints to imprint on some card, I have three words for them: "NO F#CKING WAY".  The thought of some hacker infiltrating their system and have access to this kind of data certainly brings me pause.  

    I trust Apple to keep my things secure.  They've proven that to me.  The banks and Visa?  Hell no.

    DED... you're doing fine and I enjoy your articles.  This BillyBob character was obviously being a jerk in the beginning.  It would be interesting to go into more detail about this. There seems to be some vague areas, but I think it's more on MasterCard's side than yours.  I enjoy your articles.  Keep it up. 

    Yeah Visa's system which i believe my bank utilizes is crap to me -- every single time i took it to Whole Foods it would suspend my card at the next transaction. Even if using Apple Pay, and even after changing the cards out. My same old, neighborhood store. Every time. This went on for months....I complained and complained and the bank customer service said there was nothing they could do, the system, yada yada... Finally it stopped doing it, tho nobody told me they've fixed it, so i never trust it. 

    Pretty lame stuff. 
    Wow. That's wonderful customer service :-p
    Drop the bank?
    I have a lot of business tied to it so that's a last resort. Crossing fingers... 
    watto_cobra
  • Reply 38 of 45
    StrangeDaysStrangeDays Posts: 12,834member
    adm1 said:
    also "In any case, there's no way they can implement the same kind of security policy that Apple developed for Touch ID and Apple Pay"

    Here's a tip DED - Apple Pay is just VSTS - Visa Token Services https://usa.visa.com/partner-with-us/payment-technology/visa-digital-solutions.html and guess what, it's just as secure as the other systems. 


    The issue isn't tokenization. it's how the hardware can be attacked. If you read the article that jumps out rather clearly. 

    Also, you don't hand your phone to random merchants. You do frequently do this with cards, particularly in the US. That give anyone access to a card with your prints already all over it for a long enough time to capture your print data while in possession of the card. 

    So all around, having a sensor on the card is radically worse in terms of real world security than having an expensive phone that you don't hand around to others. 

    Your criticism is welcome, but if you keep posting abusive comments your account will be terminated. Forums are provided for intelligent discourse on articles. 
    Steady on, I didn't see anything "abusive" in that post. If anything, his follow up posts contributed "intelligent discourse" as requested. Don't go all power mad on us.
    Calling the writer an idiot is absolutely an abuse and violation of the rules. as is calling other users names. google ad hominem. 
    watto_cobra
  • Reply 39 of 45
    StrangeDaysStrangeDays Posts: 12,834member
    adm1 said:
    also "In any case, there's no way they can implement the same kind of security policy that Apple developed for Touch ID and Apple Pay"

    Here's a tip DED - Apple Pay is just VSTS - Visa Token Services https://usa.visa.com/partner-with-us/payment-technology/visa-digital-solutions.html and guess what, it's just as secure as the other systems. 


    The issue isn't tokenization. it's how the hardware can be attacked. If you read the article that jumps out rather clearly. 

    Also, you don't hand your phone to random merchants. You do frequently do this with cards, particularly in the US. That give anyone access to a card with your prints already all over it for a long enough time to capture your print data while in possession of the card. 

    So all around, having a sensor on the card is radically worse in terms of real world security than having an expensive phone that you don't hand around to others. 

    Your criticism is welcome, but if you keep posting abusive comments your account will be terminated. Forums are provided for intelligent discourse on articles. 
    Steady on, I didn't see anything "abusive" in that post. If anything, his follow up posts contributed "intelligent discourse" as requested. Don't go all power mad on us.

    @Adm1:

           Actually DED was referring to the below post which was probably deleted by moderators, which we are unable to view now but Soli got a chance to read and reply to.


    Soli said:
    "Mastercard's reported implementation is also radically different in its security policy compared to Touch ID and Apple Pay"
    "Additionally, it's less clear how the chip stores the data."

    Why the hell does AI keep this idiot around with his articles? What a disgrace.
    What issue are taking with those sentences?
    Question to moderators: There are other forums which I read where abusive comments are deleted like AI. But the difference is - when others have already replied to that before the comment was deleted, the actual deleted content won't appear as such post deletion. It would just show "Deleted post" once the original comment is deleted for the entire thread. Can that not be implemented in this forum as well? Also an option to "Report" abusive comments like we have the "Like", "Informative" options?

    I believe the quoted comment is merely a string of characters in the reply post, so i don't think they can expunge it. 

    yes you can report absusive comments -- use the Flag link near the post's time stamp. i know i did.
    edited April 2017 watto_cobra
  • Reply 40 of 45
    adm1 said:
    also "In any case, there's no way they can implement the same kind of security policy that Apple developed for Touch ID and Apple Pay"

    Here's a tip DED - Apple Pay is just VSTS - Visa Token Services https://usa.visa.com/partner-with-us/payment-technology/visa-digital-solutions.html and guess what, it's just as secure as the other systems. 


    The issue isn't tokenization. it's how the hardware can be attacked. If you read the article that jumps out rather clearly. 

    Also, you don't hand your phone to random merchants. You do frequently do this with cards, particularly in the US. That give anyone access to a card with your prints already all over it for a long enough time to capture your print data while in possession of the card. 

    So all around, having a sensor on the card is radically worse in terms of real world security than having an expensive phone that you don't hand around to others. 

    Your criticism is welcome, but if you keep posting abusive comments your account will be terminated. Forums are provided for intelligent discourse on articles. 
    Steady on, I didn't see anything "abusive" in that post. If anything, his follow up posts contributed "intelligent discourse" as requested. Don't go all power mad on us.

    @Adm1:

           Actually DED was referring to the below post which was probably deleted by moderators, which we are unable to view now but Soli got a chance to read and reply to.


    Soli said:
    "Mastercard's reported implementation is also radically different in its security policy compared to Touch ID and Apple Pay"
    "Additionally, it's less clear how the chip stores the data."

    Why the hell does AI keep this idiot around with his articles? What a disgrace.
    What issue are taking with those sentences?
    Question to moderators: There are other forums which I read where abusive comments are deleted like AI. But the difference is - when others have already replied to that before the comment was deleted, the actual deleted content won't appear as such post deletion. It would just show "Deleted post" once the original comment is deleted for the entire thread. Can that not be implemented in this forum as well? Also an option to "Report" abusive comments like we have the "Like", "Informative" options?

    I believe the quoted comment is merely a string of characters in the reply post, so i don't think they can expunge it. 

    yes you can report absusive comments -- use the Flag link near the post's time stamp. i know i did.
    Ah, thanks for the information. I did not notice it earlier.
    watto_cobra
Sign In or Register to comment.