Fingerprint verification is not as safe as you think

MasterCard recently announced that it is trialling credit cards which will authenticate users using their fingerprint. The fingerprint sensor is embedded within the card. The cards can be used with existing chip-and-pin readers, but not with readers that only have a magnetic strip. The trial is currently running in South Africa, and is due to start in Europe in the near future.

Fingerprint verification for payment is not new. It is used in Apple Pay and Android Pay, and has been in use for a few years now. But does it provide a more secure method of payment?

Fingerprint sensors in smartphones and cars are too small to capture the whole fingerprint, so instead they read and store multiple partial prints. Authentication succeeds when a user's partial print matches any one of those stored in the device.

A new study suggests there are enough similarities among different people’s partial prints to create a “MasterPrint”. The MasterPrint concept is similar to a hacker who attempts to crack a PIN-based system using a commonly used PIN such as 1234, which will be correct about 4% of the time. The researchers were able to find 92 MasterPrints from 800 partial prints. A MasterPrint, for the purpose of the study, was defined as a print that would match other partial prints at least 4% of the time.

They were also able to create synthetic MasterPrints that would be accepted as a match for between 26 and 65 percent of users, depending on how the partial prints are stored.
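The effect described above, as an added example: a constructed toy model, not the study's code or data. Each stored partial print is reduced to a pattern id with skewed popularity, and a probe is accepted if it equals any pattern a user has stored; the population size, pattern count, weights, templates per user and attempt limit are all assumptions, chosen so that the most common pattern matches roughly 4% of users who store a single partial print.

```python
import random
from collections import Counter


def enroll_users(n_users, templates_per_user, n_patterns=400, seed=1):
    """Build a constructed population of enrolled users.

    Each stored partial print is one pattern id. Popularity is skewed
    (weight 1/(rank+5)), so a few patterns are shared by many people.
    """
    rng = random.Random(seed)
    patterns = range(n_patterns)
    weights = [1.0 / (rank + 5) for rank in patterns]
    return [set(rng.choices(patterns, weights, k=templates_per_user))
            for _ in range(n_users)]


def coverage(users, attempts):
    """Fraction of users falsely accepted within `attempts` tries.

    Each try presents the probe that matches the most not-yet-matched
    users; a user is matched if the probe is in their stored set.
    """
    remaining = list(users)
    for _ in range(attempts):
        counts = Counter(p for stored in remaining for p in stored)
        if not counts:
            break
        best, _hits = counts.most_common(1)[0]
        remaining = [stored for stored in remaining if best not in stored]
    return 1 - len(remaining) / len(users)


def exposure_table(n_users=2000, template_counts=(1, 4, 12), limits=(1, 5)):
    """Coverage for each (templates stored, attempts allowed) policy."""
    return {(k, a): coverage(enroll_users(n_users, k), a)
            for k in template_counts for a in limits}


if __name__ == "__main__":
    for (k, a), frac in sorted(exposure_table().items()):
        print(f"templates={k:2d} attempts={a}  users matched={frac:.1%}")
```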

As modern fingerprint sensors get smaller, their resolution needs to increase to ensure enough detail is captured. If resolution is not increased, the distinctiveness of a user’s fingerprint will be compromised. The greater the size of the partial print, the more secure it is.

Perhaps the biggest drawback to biometric verification is that once someone is able to duplicate it, you will not be able to use it again for any purpose, as they would have unlimited access to anything secured with this biometric data. You cannot change your fingerprint or your iris.

The other drawback is that if the biometric data is stored in the cloud rather than on the device, then hackers could potentially steal the data of your fingerprints or your iris. As biometrics become more popular, they will likely be targeted more by hackers. With the latest major hacks of Sony and Yahoo, would you feel safe in having your biometric data stored in their servers?

