Samsung and Mastercard are co-developing a safety-focused biometric payment card

Shawn Knight

Posts: 13,011   +130
Staff member
Bottom line: Samsung is partnering with financial services company Mastercard to develop a payment card with an integrated fingerprint scanner. The two companies are billing it as a safety measure to reduce physical contact (with the pandemic and all), but security concerns could keep some potential users at bay.

In announcing the collaboration, the companies said that instead of having to enter a PIN on a keypad, users would simply verify their identity using the fingerprint reader built into their cards.

The cards will utilize a new security chipset from Samsung’s System LSI Business that packs multiple discrete chips, which should streamline design and development. They’ll be usable at any chip or point-of-sale terminal that currently accepts Mastercard products.

Mastercard has been experimenting with fingerprint readers in payment cards since at least 2017.

The companies further noted that the new tech will add an extra layer of security to currently available cards, but some might not see it that way. With data breaches being so common these days, expecting yet another firm to keep valuable biometric data safe from hackers could be a big ask for some.

Either way, you’ve got time to think about it. The rollout won’t start until later this year and when it does, it’ll be limited to corporate clients located in South Korea. No word yet on how long it’ll take for the tech to trickle down to ordinary consumers worldwide.

Images courtesy koonsiri boonnak, garmoncheg


 

Uncle Al

Posts: 8,001   +6,775
The issue not mentioned is that while it may currently add an extra layer of protection, later it will remove that layer and give every hacker out there another key piece of information to further hack your account. Sadly, back in the days of a personal signature w/ carbon paper and a couple of independent IDs was a lot more foolproof and while it was slower, it gave the buyer a much higher degree of security.
 

terzaerian

Posts: 662   +926
Not a bad idea, but I wonder how would the fingerprint reader be powered?
My guess is that once it's put into the card reader, the fingerprint reader on the card is powered up.

I'd assume online purchases that are filled in manually would not use that particular security feature.
 

NeoMorpheus

Posts: 362   +651
My guess is that once it's put into the card reader, the fingerprint reader on the card is powered up.

I'd assume online purchases that are filled in manually would not use that particular security feature.

A good point, but then it might not work on contact-less readers.
 

QuantumPhysics

Posts: 4,619   +4,974
Sounds awesome...but if the fingerprint scanner is in the card itself, there's always the possibility someone can hack it.

The key is keeping the point of sale away from the physical access of the hackers.

 

BadThad

Posts: 396   +367
Interesting, but this is certainly not to give the consumer more security - as it is, I'm not responsible for fraudulent charges to my card. Rather than give up another thing that could be hacked/stolen, I'd prefer NOT to have the reader installed.
 

Burty117

Posts: 4,045   +2,028
Hold up here, do people in the comments seriously believe your biometric data (fingerprint) is LESS secure than a 4 digit pin code?
 

duckofdeath

Posts: 252   +350
Because you can change a PIN. You can't change your biometrics. How can anyone not immediately realize that?
In your selective villain universe, the bad guy is fine with taking their time mimicking your fingerprint, but not bothering with getting you to reveal a 4-digit pin code? Sounds like a script for a great Marvel franchise.
 

BSim500

Posts: 779   +1,684
In your selective villain universe, the bad guy is fine with taking their time mimicking your fingerprint, but not bothering with getting you to reveal a 4-digit pin code? Sounds like a script for a great Marvel franchise.
It has far more to do with if your raw biometric data was stored on a server and that server got hacked, you're less able to keep using Biometric authentication elsewhere vs simply changing a password if it got leaked. It's also not outside the realms of impossibility for scammers to create a malware USB device with a fingerprint reader that's designed to look like those 2FA / "Windows Hello Biometric Login" USB keys to be sold on Ebay for $10, etc, whose included software then reads then promptly uploads the raw fingerprint data to a hostile server along with a load of other easily locally discovered data (eg, e-mail address, maybe mailing address / mobile phone no, etc, stored in a .DOCX file, etc...)
 

duckofdeath

Posts: 252   +350
It has far more to do with if your raw biometric data was stored on a server and that server got hacked, you're less able to keep using Biometric authentication elsewhere vs simply changing a password if it got leaked. It's also not outside the realms of impossibility for scammers to create a malware USB device with a fingerprint reader that's designed to look like those 2FA / "Windows Hello Biometric Login" USB keys to be sold on Ebay for $10, etc, that reads then promptly uploads the raw fingerprint data to a hostile server along with a load of other easily locally discovered data (eg, e-mail address, maybe mailing address / mobile phone no, etc, stored in a .DOCX file, etc...)
Sure, everything is possible, if companies did have the habit of doing what no company does. But again, a 4-digit pin code is not security. Just by wild guesses you have a 1:3,333 chance to withdraw money from a card you find. It's super easy to eavesdrop and see what code you have.

If you buy a noname USB-fingerprint reader from someone called "ObscureAccountGuy2021", you have most likely already been tricked by every scam out there.
 

BSim500

Posts: 779   +1,684
Sure, everything is possible, if companies did have the habit of doing what no company does.
In a perfect world stuff like that would never be stored. Back on Planet Earth, most businesses are completely brainless about IT security and even see it as some 'divine right' to harvest as much data as possible, do the Least Legally Required to 'secure' it then hide behind lawyers when things go wrong. Hence why "do not store CV2 codes" regularly get stored by the same "no company does that"...

If you buy a noname USB-fingerprint reader from someone called "ObscureAccountGuy2021"
Nice strawman but there are thousands of highly convincing fake GPUs that have fooled even Amazon themselves. Anyone who thinks fake authentication USB keys don't exist is way behind the IT security curve and again seemingly relying on humans being magically infallibly perfect. I don't know what world you're describing there but it sure isn't Earth...
 

duckofdeath

Posts: 252   +350
In a perfect world stuff like that would never be stored. Back on Planet Earth, most businesses are completely brainless about IT security and even see it as some 'divine right' to harvest as much data as possible, do the Least Legally Required to 'secure' it then hide behind lawyers when things go wrong. Hence why "do not store CV2 codes" regularly get stored by the same "no company does that"...


Nice strawman but there are thousands of highly convincing fake GPUs that have fooled even Amazon themselves. Anyone who thinks fake authentication USB keys don't exist is way behind the IT security curve and again seemingly relying on humans being magically infallibly perfect. I don't know what world you're describing there but it sure isn't Earth...
It's not a strawman to point out that you're arguing fingerprints are less safe because random, low volume made up scams are a thing, while comparing faked (and spotted) large volume frauds for quick and dirty money. There is no goldrush for USB fingerprint readers. If someone tries to put compromised dittos of those out there, they will be found after a few customers have fallen victim, hence, it's a loss affair that virtually no one would waste their time on. Especially when they realize how easy it is to get a person's money by eavesdropping a pin code and then stealing the card. Something that literally happens to thousands and thousands of people every year.
 

Burty117

Posts: 4,045   +2,028
Because you can change a PIN. You can't change your biometrics. How can anyone not immediately realize that?
As I said, what a painful comment section. A 4 digit pin is barely secure. A fingerprint is stored as a highly encrypted token, they need your fingerprint to actually use your card. And if you're going to go with the strawman argument of "they can re-create your fingerprint to use the card" that's not a quick thing to pull off, before they even get the card somewhere they can do that, you'd have cancelled the card and ordered a new one anyway.

4 digit pin or contactless meanwhile...
 

kiwigraeme

Posts: 271   +229
AI software can have over 75% chance - knowing what you typed by looking at your upper body - shoulders etc - eyes if you look down.
I can do a pretty reasonable guess of someone's pin code from 5m away by hand/finger movement - add in overhead cameras - heat sensors reading keypad, prepared keypads (just wiped clean might be enough).

Use a bank that allows you to control your cards - eg amount, no atm machines, can turn on and off.
Treat your card like cash - scrape off - then black out CVV number.
Visa has always had the ability to have higher security - took a long time for Americans to get Chip cards - to counter programmable magnetic strip cards - like old phone cards.
My first Visa card 40 odd years ago had a photo - they now haven't for over 30 years.
I think their strategy of cost of security to cost of fraud is wrong - they seem to base it on yearly returns - however if they went hard early the savings in the long run would be better.

but then American banknotes always amazed me - treated like the declaration of independence, or constitution (can't be changed too much) - are they still all the same size mostly green and black? - still some cotton fiber paper? - yeah I get that it has high tech for machines to counter - but what about the man in the street - hell the same size - folks used to erase ink off $1 and print $100 - (think some tourists got fooled just the 1 to 100 - and the one dollar to one hundred - Still even before I got to the USA in 1988 I knew the Benny F ones were the best. Just checked latest - got some blue, yellow, orange and a number of greens
 

DrSuess

Posts: 72   +39
Not a bad idea, but I wonder how would the fingerprint reader be powered?
NFC can power it. I have an NFC FOB that I use to authenticate certain things on my phone. The FOB has no power source but when I hold FOB to the back of my phone and press the authentication button on the FOB it allows me to access certain protected applications on my phone.

So I assume this new card will work similarly.
 

NeoMorpheus

Posts: 362   +651
maybe you will recharge wirelessly your credit card as you do your phone

Lord, please no, not another device to charge!

NFC can power it. I have an NFC FOB that I use to authenticate certain things on my phone. The FOB has no power source but when I hold FOB to the back of my phone and press the authentication button on the FOB it allows me to access certain protected applications on my phone.

So I assume this new card will work similarly.

Never heard of that option, but is interesting.
 

misor

Posts: 1,415   +319
My guess is that once it's put into the card reader, the fingerprint reader on the card is powered up.

I'd assume online purchases that are filled in manually would not use that particular security feature.
why not cut the 'middleman' and place the fingerprint reader on the card reader itself? ;)
 

theruck

Posts: 285   +132
Lord, please no, not another device to charge!



Never heard of that option, but is interesting.
For inductive power transfer, access, control, and information exchange to a 1-Wire® network, you can take advantage of a near-field communications (NFC) system. With harvested power from the NFC link, temperature sensing, authentication, and memory storage can be accomplished via a single node for 1-Wire communication. You can also analyze available harvested voltage, current, and 1-Wire timing constraints by modeling the transponder’s radio frequency (RF) power converter and 1-Wire network as an equivalent RC circuit.
 

Tantor

Posts: 111   +148
As I said, what a painful comment section. A 4 digit pin is barely secure. A fingerprint is stored as a highly encrypted token, they need your fingerprint to actually use your card. And if you're going to go with the strawman argument of "they can re-create your fingerprint to use the card" that's not a quick thing to pull off, before they even get the card somewhere they can do that, you'd have cancelled the card and ordered a new one anyway.

4 digit pin or contactless meanwhile...

Your fingerprint can be harvested from the card surface itself. Or your car window, glasses, personal items. Think about it...

Unlike a PIN, you can't change your fingerprint. Once compromised, forever compromised.