MasterCard puts a finger on fraud

by Dave Michels

Most credit card verification systems only verify whether the card is valid and not if the presenter is the authorized cardholder. MasterCard intends to address that with its newly introduced card with a built-in fingerprint sensor.

This new MasterCard gives customers the option of using a single digit rather than a PIN. It’s a very impressive development, particularly since it works with existing chip readers.

+ Also on Network World: Google’s Trust API: Bye-bye passwords, hello biometrics? +

The card gives new meaning to the title “cardholder” as the customer must physically hold the card during the transaction. There’s a fingerprint sensor on the face of the card that syphons enough power from the chip reader to read and validate a fingerprint. If dirt, sweat or other factors prevent validation, the transaction can be completed with a PIN.

So far, the card has been tested with one national bank and one grocery chain in South Africa. Trials are now expected to expand into Europe and Asia Pacific. Currently, there are no plans to bring the solution to the U.S., presumably because we don’t use “chip and PIN” on credit transactions.

Challenges with finger biometrics for credit cards

Using biometrics for credit cards is probably inevitable, but it does open a whole new can of worms (be careful with your fingers). Do biometrics make more sense on a card or on a smartphone? Are fingerprints the right biometric? And who has access to this biometric information?

The card works by comparing the finger on the sensor to an encrypted fingerprint that is stored on the card. Unfortunately, to load that encrypted print requires the customer to “enroll” in person. This limits card issuers to credit card companies that have lots of locations, such as national banks. It also introduces concern and liability with giving the card issuer biometric information.

MasterCard isn’t the first to try biometrics for authentication. The first big, mass-market solution to tread into this concept was the Apple iPhone 5S in 2013. Samsung followed suit with the Galaxy S5. Hacks emerged within hours. However, an improvement to the fraud situation does not require a failsafe solution. Identity theft and credit card fraud cost U.S. consumers $16 billion in 2016 alone.

Switching PINs for prints has broader ramifications than the authentication method. Today, if someone hacks your password or PIN, you can change it. That’s not so easy with biometrics, and make no mistake about it, biometrics get hacked.

There have been some fascinating fingerprint hacks in the past few years that range from surgical alterations to the use of Play-Doh to capture and reproduce fingerprints. Criminals have completely skipped the prints and instead tampered with how biometrics get verified and approved. It is even possible to use biometric data to plant fingerprint “evidence” at a crime scene without the corresponding fingers.

MasterCard’s new card interests me from a technical perspective, but I’m not convinced it’s the right answer. The format is too limiting. For example, the fingerprint feature is not used with online purchases. That just doesn’t make sense considering how ecommerce is eating brick and mortar retailers.

Facial recognition a better biometric

Facial recognition might be the better biometric. The facial recognition market is growing rapidly and is forecasted to be $6 billion by 2021. In part, that’s due to government entities, including the FBI, airports and other surveillance initiatives, that see facial recognition as a powerful way to capture known criminals.

Facial recognition is conceptually similar to fingerprints. Instead of swirls, loops and curves, facial recognition software analyzes visual attributes, including the distance between the eyes, nose shape and thickness of eyebrows to create a unique “print.” The picture becomes even more powerful when accompanied with IR data for 3D information.

Cameras can be installed on point-of-sale systems for in-person purchases, and online validation can be accomplished with the cameras on our tablets, smartphones, laptops and desktop computers.

Facial recognition is no panacea. In addition to requiring reasonable lighting, it may feel a bit obtrusive to pose for a photo with every financial transaction. The important thing is understanding that the current process is problematic, and improvements are necessary. 

MasterCard’s fingerprint sensor on the card really is impressive. It follows several innovations that MasterCard has made to mitigate fraud. Last October, MasterCard revealed a selfie app that required acknowledgement of the amount combined with facial recognition and location information.

MasterCard is also working with Nymi to compare the purchaser’s heart rate against the cardholder’s profile. There are several other biometric approaches under evaluation including gait recognition, iris scans and speech pattern analysis.

This article is published as part of the IDG Contributor Network. Want to Join?

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.