Payments network MasterCard has launched a biometric card in South Africa which will authenticate payments at terminals with a customer’s fingerprints. The company has partnered with Pick n Pay, a leading supermarket retailer, and Absa Bank, a subsidiary of Barclays Africa. It added that additional trials will be conducted and a full roll-out is expected later this year. Trials are being planned in Europe and Asia Pacific in the coming months as well.
A cardholder needs to enrol their card by registering with their financial institution. Their fingerprint will be captured and converted into an encrypted digital template that will be stored on the card. The cardholder will have to dip the card into a terminal while placing their finger on the embedded sensor. “The fingerprint is verified against the template and – if the biometrics match – the cardholder is successfully authenticated and the transaction can then be approved with the card never leaving the consumer’s hand,” the company added.
Fingerprint biometrics are not secure
It needs to be pointed out MasterCard claims that fingerprints can’t be “taken or replicated”. This is wrong. There are multiple instances where fingerprint biometrics have failed.
Earlier this week, a couple of college students in Mumbai tricked a biometric attendance system by using small layers of a resin adhesive and pressed their thumbs against them. These films were used by their friends to mark their attendance when they were absent.
The Verge pointed out that fingerprint scanners on iPhones and Samsung smartphones could be tricked by a simple dental mould and playdough to copy fingerprints. In 2014, hackers demonstrated that faked fingerprints using a few high-definition photographs German defence minister Ursula von der Leyen, as indicated by this Guardian report.
There also have been several instances of fingerprint authentication failing on the Aadhaar, as Scroll.in notes. Fingers get damaged and worn and will not match with data captured originally.
Note that there is no recourse if fingerprint credentials are compromised (fingerprints can’t be changed as easily as a PIN or a password). This is something that MasterCard needs to look into.
Meanwhile the government of India is rolling out Aadhaar Pay, a payments system where users can link their bank accounts to their Aadhaar credentials. To make a payment, the customers will need to provide their Aadhaar number to the merchant and authorise payment using their fingerprints. The merchant app will come with a biometric device, which will be linked to the merchant’s the mobile phone for payment authentication. Currently, 14 banks have signed up for Aadhaar Pay and IDFC Bank was first off the mark to launch the new payments system.