The Royal Bank of Scotland has announced a trial of biometrically linked bank cards. These cards let a person use their fingerprint to authenticate contactless purchases above the usual £30 limit. The trial is set to start in April and last three months.
Technical details of the implementation are limited. The card reportedly features a built-in fingerprint sensor, powered passively by the card reader in the same way as the NFC chip in an existing contactless card.
I have two main issues with this concept. The first: fingerprints used as the sole factor are a weak biometric. The second: given the power budget of a battery-less card, are they really doing a proper biometric scan at all?
First up, fingerprints as an access control method. It's a movie trope to cut off someone's finger, pop it in a pocket, and use it to open a door somewhere. That only works against a poorly implemented system; decent fingerprint readers either pair the print with a second factor or at least do some liveness detection beyond the raw ridge pattern. A common check is to look for a pulse in the finger (or the lack of one), so that the reader rejects a print on a bit of plastic and only accepts a live finger. Forgers have beaten that by wearing a fake print over their own finger, but here it is probably a moot point: a sensor powered only by the reader's field is unlikely to be doing anything beyond the initial read.
These bank cards do not contain a battery. They are passively powered by the reader when used, as NFC/RFID chips are. The chip in an ordinary contactless card does comparatively little: it answers the terminal's commands and computes a transaction cryptogram, which is light work for a small secure element. This card, however, has to capture some form of fingerprint image, locate and quantify the key minutiae (ridge endings and bifurcations), and compare them against the template stored on the card. Image capture and minutiae extraction are the expensive steps; comparing two small templates is cheap. The whole pipeline sounds like a lot for a passively powered chip. How does the card accomplish all this? In short, I don't know. Perhaps it uses some sort of cut-down methodology. I'd love to have a play with one!
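To give a feel for how cheap the comparison step is once minutiae have been extracted, here is a toy matcher. It is an added example, not code from the original post and not RBS's or any vendor's implementation; it assumes the hard part (reducing a sensor image to a list of minutiae) has already happened, and all templates, tolerances and thresholds below are constructed for illustration. It also shows the trade-off the rest of this post worries about: the more lenient the accept threshold has to be to cope with poor reads from a tiny sensor, the more a partial print will pass.

```python
"""Toy minutiae-template matcher (illustrative only, not a real fingerprint system).

A minutia is (x, y, angle_degrees). Matching counts template minutiae that have a
probe minutia within a distance and angle tolerance, over a coarse translation search.
Real matchers also search rotation and use richer features; this is deliberately minimal.
"""
import math

# Constructed enrolled template (8 minutiae). Not real fingerprint data.
ENROLLED = [(30, 40, 10), (55, 62, 95), (80, 20, 170), (100, 90, 45),
            (120, 50, 300), (140, 130, 210), (160, 70, 120), (45, 110, 350)]

# Constructed genuine read: same finger, shifted by about (+5, -3), small jitter,
# and one minutia missed by the sensor.
GENUINE = [(36, 38, 12), (59, 60, 91), (84, 18, 173), (106, 86, 48),
           (126, 46, 296), (144, 128, 214), (163, 69, 117)]

# Constructed impostor: a different finger. Six minutiae have angles far from
# anything enrolled; two share an angle with enrolled minutiae but cannot both
# line up under a single translation.
IMPOSTOR = [(50, 50, 10), (120, 20, 95), (70, 100, 70), (90, 30, 270),
            (110, 120, 145), (140, 60, 230), (20, 80, 330), (150, 140, 250)]

# Constructed partial read: only four of the enrolled minutiae, as from a smudged
# or partial latent print lifted off a surface.
PARTIAL = [(31, 41, 10), (56, 61, 94), (81, 21, 171), (101, 89, 46)]


def angle_diff(a, b):
    """Smallest absolute difference between two angles in degrees."""
    d = abs(a - b) % 360
    return min(d, 360 - d)


def count_matches(probe, template, dist_tol=8.0, angle_tol=15.0):
    """Count template minutiae with a probe minutia inside both tolerances.

    Greedy one-to-one pairing: each probe minutia can be used at most once.
    """
    used = set()
    matched = 0
    for tx, ty, ta in template:
        for i, (px, py, pa) in enumerate(probe):
            if i in used:
                continue
            if (math.hypot(tx - px, ty - py) <= dist_tol
                    and angle_diff(ta, pa) <= angle_tol):
                used.add(i)
                matched += 1
                break
    return matched


def translate(probe, dx, dy):
    """Shift every probe minutia by (dx, dy); angles are unchanged."""
    return [(x + dx, y + dy, a) for x, y, a in probe]


def match_score(probe, template, search=range(-20, 21, 4)):
    """Best match ratio over a coarse grid of translations.

    Score is matched count divided by the larger template size, so a short
    partial probe cannot score highly just by being short.
    """
    best = 0
    for dx in search:
        for dy in search:
            best = max(best, count_matches(translate(probe, dx, dy), template))
    return best / max(len(template), len(probe))


def verify(probe, template, threshold):
    """Accept the probe if its best match score reaches the threshold."""
    return match_score(probe, template) >= threshold


if __name__ == "__main__":
    for name, probe in (("genuine", GENUINE), ("impostor", IMPOSTOR), ("partial", PARTIAL)):
        print(f"{name:8s} score={match_score(probe, ENROLLED):.3f}")
    # A strict threshold rejects the partial print; a lenient one lets it through.
    print("partial accepted at 0.6:", verify(PARTIAL, ENROLLED, 0.6))
    print("partial accepted at 0.4:", verify(PARTIAL, ENROLLED, 0.4))
```

The whole search is 8 x 8 pair checks over 121 translations, a few thousand trivial operations, so the comparison is well within reach of a passively powered chip; it is the sensor and the image-to-minutiae step that cost power. Note also that a partial print scores half marks here, so any product that loosens its threshold to tolerate a small, low-quality sensor is moving towards accepting exactly the kind of partial latent print discussed below.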
Where does this leave us? I don't like the idea. Articles have not stated by how much the contactless limit will be raised when using this technology, and contactless is already not great security-wise. There have been reports of people walking along tube trains with a portable contactless terminal, bumping into passengers and charging small amounts to each card as they pass. There's also the case of the person who lost their card in a bar, where it was found by someone who used it to buy drinks all night (each round being under £30, of course).
It seems likely that this fingerprint system will be prone to abuse. Because of the power limitations, it most likely won't be doing any sophisticated liveness checking, so the cliché attack of pressing a bit of plastic over the latent print that is sure to be sitting on the sensor, and using the pressure of your own finger to trigger it, seems viable here. That would enable the bar-drinks style spending spree, but with a higher (and as yet unknown) limit. Buy a bunch of tech and sell it on eBay, perhaps.
Will this lead to an increase in thefts targeting these cards? Maybe, but not for the obvious reasons. Physically stealing someone's card is already a pretty good attack vector: you can use it for more than just contactless payments. Order some junk on the internet, or even use the last four digits of the card number to authenticate as your victim on various password recovery systems (looking at you, Amazon and Apple Pay). With a latent fingerprint likely residing on this card, you gain another piece of data about your target: their fingerprint. As more companies crowbar biometrics into their products to keep up with the latest tech trends, harvesting fingerprints starts to look like good business, and if you can lift them from cards you have something the victim can't just call the bank to cancel.
In conclusion, I don't think this is a great idea from a security perspective. However, convenience tends to win out over security in consumer devices, so it'll be interesting to see where this takes us!