Biometric bank cards coming to SA - TechCentral

Biometric bank cards coming to SA

Mastercard will work with South African partners to bring biometric cards to local consumers by the end of the year.

The development follows two separate trials conducted recently with Pick n Pay and Absa. South Africa is the first market in the world to test the technology.

The cards combine EMV-based chip technology with fingerprint recognition technology to verify cardholders’ integrity for in-store purchases.

The new card builds on fingerprint scanning technology used for mobile payments and can be used at EMV terminals worldwide, Mastercard said.

Here’s how it will work. A cardholder will enrol their card by registering with their financial institution. Upon registration, their fingerprint will be converted into an encrypted digital template that is stored on the card. The card will then be ready to be used at any EMV-compatible card terminal globally.

When shopping and paying in-store, the biometric card will work like any other chip card, Mastercard said. The cardholder will simply “dip” the card into a retailer’s terminal while placing their thumb over the embedded sensor.

The fingerprint will then be verified against the template and – if the biometrics match – the cardholder will be successfully authenticated and the transaction can then be approved with the card never leaving the consumer’s hand.

Mastercard biometric card: how it works (image: Mastercard)

“Authenticating a payment transaction biometrically — in this instance via a fingerprint — confirms in a very unique way that the person using the card is the genuine cardholder,” Mastercard said. The card will work with existing EMV card terminal infrastructure and does not require any new hardware or software upgrades.

“For issuers, the technology helps detect and prevent fraud, increase approval rates, reduce operational costs and foster customer loyalty. Additionally, a future version of the card will feature contactless technology, adding to the simplicity and convenience at checkout,” the company said.

For the South African trials, employees of both Pick n Pay and Absa tested the technology. In the coming months, additional trials will be conducted with the biometric card before a full roll-out takes place late this year.

Additional trials are being planned in Europe and Asia Pacific in the coming months.  — (c) 2017 NewsCentral Media

  • mccdyl001

    What a time to be alive! Jokes aside, this thing called “the future” seems to be arriving faster and faster these days. Some basic assumptions: they’re fitting a digital sensor, an image processor, a security sub-system for encrypting/decrypting the stored fingerprint and matching it to the one presented and a battery that lasts multiple years into a plastic credit card?

  • Greg Mahlknecht

    I don’t see this ending well. Fingerprints are a terrible thing to use for authentication – researchers have only just started to look in to the robustness of the security, and on the last Security Now podcast, Steve Gibson goes through some research from 2 universities that show you can make a “master fingerprint” set that defeats the system up to 65% of the time. Like any security, if the good guys have it, you have to err on the side of caution and assume the bad guys do too.

    I’m guessing this fingerprint sensor will be of incredibly low resolution/quality due to its form factor and cost, so can see that 65% going up even more. If this tech ever becomes widespread enough for it to make it a viable attack vector for the hackers, it will become useless. The whole idea is dead in the water.

    Fingerprints are a terrible idea for long-term authentication because they can’t be changed. If you ever suspect your fingerprint data was compromised, you basically have to never use it again in your lifetime as a form of authentication.

  • Paul Gertzen

    Rubbish. your finger has to be present in order to verify so having your fingerprint data (i.e. template/minutia information) compromised does not matter as the card is extracting the template from the presented finger and comparing it against the fingerprint(s) stored on the card and then deciding if the authentication is successful (all within the confines of the secure chip). The “crook” cannot present your compromised fingerprint data to the card as there is no entry point for it besides the embedded scanner, having your severed finger (s) would be the only way. Way safer than a PIN and the best way forward. I’ve also heard of people saying biometric scanners on ATM’s would be unhygienic which makes no sense as putting your finger on one scanner vs. 5-6 keys is a lot cleaner

  • Greg Mahlknecht

    >Not true. Your finger has to be present in order to verify so having your fingerprint data

    Many tests by even amateurs have shown this not to be true, or extremely ineffective. The “severed finger” line is so tired and old, and really just a joke now – search for “fake fingerprint” on youtube to the many ways you can defeat the fingerprint scanners. It would be easy for a large crime organization to implement one of those methods on an industrial scale – it’s just not worth it yet as fingerprint authentication isn’t widespread enough.

    Fingerprints are not comparable to PINs. Anyone who is familiar with security knows that a fingerprint is the “something you are” part of the authentication, while PIN is “something you know”. I really hope you don’t do this for a living!

    I suggest you read the report that Steve Gibson went over and educate yourself. It demonstrates how the process by which fingerprints are authenticated go from a massively high entropy entity and get stripped away right down and used a fairly low entropy entity, and is summed up by “Think of this as being like having a ultra-secure 20-digit PIN, but only needing to provide any three successive digits within that PIN.” Google “Smartphone fingerprint readers really not that secure” to find the piece in question.

  • Paul Gertzen

    So tell me if it is easier to get hold of my 4-5 digit pin or to get hold of my fingerprint data and create a latex version of it to present to the card/scanner which hopefully doesn’t require a pulse? I would also consider smartphone fingerprint readers to not be that secure due to the fact that the surface area is so small it reduces the number of minutiae to be compared. I’m not comparing fingerprints to pins from a “something you are” to a “something you know”, I’m saying it’s a more secure form of authentication which the world is adopting or already has whether you or your buddy Steve like it or not. I sure hope you don’t work with security for a living!.

  • Greg Mahlknecht

    >So tell me if it is easier to get hold of my 4-5 digit pin or to get hold of my fingerprint data

    Think of it long term. Is it easier to harvest fingerprints that don’t and can’t change for 50+ years, or easier to harvest PIN numbers that expire a few minutes after the owner discovers his card is lost? I’m going with easier to get that fingerprint database.

    You can change your PIN. You can’t change your fingerprint. That’s the fundamental flaw with fingerprints as authentication.

    No – smartphone fingerprint readers aren’t massively secure, and the manufacturers recognize this, which is why they require your PIN periodically to make sure it’s still you on the other side of the fingerprint reader.

    Just because it’s being adopted en masse doesn’t make it right or better. It’s blatantly obvious that over the long term, it’s a less secure form of authentication than a dynamic PIN.