Mastercard to add fingerprint sensors to cards, won't follow strict Apple Pay security policy
Mastercard is reportedly testing cards that integrate a fingerprint sensor, intended to offer a more convenient alternative to entering a PIN. Unlike Apple Pay, however, the cards would lack a series of important security features.
A report by Cherlynn Low for Engadget noted that the new biometric cards are currently being tested in South Africa, and that Mastercard hopes to roll them out globally by the end of 2017.
Low claimed that "our fingerprints are quickly replacing PINs and passwords as our primary means of unlocking our phones, doors and safes," saying, "they're convenient, unique, and ultimately more secure than easily guessed or forged passwords and signatures. So it makes sense that fingerprint sensors are coming to protect our credit and debit cards."
However, not all fingerprint sensors are alike. Low described Mastercard's implementation as involving a trip to "an enrollment center," where a user could store one or two different prints (of their own) on their card.
"An encrypted digital template of your fingerprint is stored on the card's EMV chip," Low noted. The new cards authenticate when a matching fingerprint is supplied by the user after inserting the card into a Chip and Pin terminal (not swiped). The card sensor would also not work when used in an ATM that ingests the card.
Not like Apple Pay
The most obvious difference between a credit card with a sensor and Apple Pay is the convenience advantage of Apple Pay over "Chip and Pin" cards: nothing needs to be inserted. The transaction time is nearly instant, compared to (particularly in the United States) a lengthy period of inserting a card and waiting for the transaction to complete.
However, Mastercard's reported implementation is also radically different in its security policy compared to Touch ID and Apple Pay on iPhones and iPads and the new MacBook Pro. In Apple's implementation, fingerprints are not stored on the device at all.
Instead, representative information that can verify a user's fingerprint is copied in one direction to a Secure Enclave within the Application Processor. When a user touches the Touch ID sensor, print data is sent to the Secure Enclave and compared to determine if it matches. If it does, the Secure Enclave, acting as a separate computer system, approves the transaction.
If a false print is supplied too many times, Apple Pay and Touch ID authentication are disabled, and the user must unlock the device manually with a passcode. If Touch ID isn't used within 48 hours, authentication is also reset, requiring a passcode again.
Additionally, if the device loses power, the authentication system is also turned off until a passcode is used to unlock the device. All of these precautionary steps are taken to protect the user from repeated false attempts on a stolen device.
Fingerprint sensors are not all the same
Unlike an iPhone, the card-embedded Mastercard EMV chip is always powered off. There is no battery in the card. Instead, it is powered up only when it is inserted into a card reader, which provides power during the transaction.
This obviously means the print data isn't disabled when power is lost (because it's lost all the time when it's not in use), meaning that a lost card could be attacked with a false print at any point between being lost and discovered and reported stolen. It never resets.
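The difference between the two policies can be modeled as a small state machine. This is an added example, not code from Apple, Mastercard or the original article; the failure limit of 5 and the rule that a passcode entry restarts the 48-hour clock are assumptions, and `card_policy` reflects the card only as this article describes it.

```python
from dataclasses import dataclass

HOUR = 3600

@dataclass
class BiometricGate:
    # Rules taken from the article's description of Touch ID.
    max_failures: int = 5        # assumed; the article says only "too many times"
    idle_limit: int = 48 * HOUR  # 48-hour rule
    resets_on_power_loss: bool = True
    enforce_idle_limit: bool = True
    failures: int = 0
    last_use: int = 0
    passcode_required: bool = True  # biometric path starts closed

    def passcode_unlock(self, now):
        # Assumption: a passcode entry clears the counter and restarts the clock.
        self.failures, self.last_use, self.passcode_required = 0, now, False

    def power_cycle(self):
        if self.resets_on_power_loss:
            self.passcode_required = True

    def try_fingerprint(self, matcher_accepts, now):
        """True only if the biometric path is open and the matcher accepts."""
        if self.enforce_idle_limit and now - self.last_use > self.idle_limit:
            self.passcode_required = True
        if self.passcode_required:
            return False
        if matcher_accepts:
            self.failures, self.last_use = 0, now
            return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.passcode_required = True
        return False

def accepted_after_loss(gate, days_lost):
    """Owner sets up at t=0; the item then loses power and sits for days_lost
    days before a print the matcher accepts is presented."""
    gate.passcode_unlock(now=0)  # stands in for enrollment on the card
    gate.power_cycle()
    return gate.try_fingerprint(True, now=days_lost * 24 * HOUR)

def phone_policy():
    return BiometricGate()

def card_policy():
    # The card as this article describes it: no battery, "never resets".
    return BiometricGate(resets_on_power_loss=False, enforce_idle_limit=False)
```
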
Additionally, it's less clear how the chip stores the data. Fingerprint readers used on devices running Google's Android or Microsoft Windows (and built by leading, ostensibly tech-savvy hardware makers including Samsung, HTC, Toshiba and Lenovo) don't follow the same security policy Apple created for Touch ID and Apple Pay.
Android fingerprint sensors have been a security mess
Initially, Android phones with fingerprint sensors (including the HTC One Max and Samsung Galaxy S5) stored fingerprint data irresponsibly in a way that allowed an attacker to extract fingerprint data from device storage.
Security firm ElcomSoft noted that HTC stored fingerprints in an "uncompressed, unencrypted and unprotected bitmap at /data/dbgraw.bmp. Developers didn't bother assigning this files permissions other than 0666 (world readable), meaning that any process, even without root privileges, could easily read and extract fingerprints."
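A defender can audit for the permission mistake quoted above by walking a directory tree and flagging regular files whose mode grants read or write access to "other". This is an added example, not ElcomSoft's or HTC's code; the temporary directory and the file names in `demo` are constructed stand-ins.

```python
import os
import stat
import tempfile

def world_accessible(root):
    """Return sorted (path, octal mode) pairs for regular files under root
    that any local process could read or write, such as mode 0666."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue             # file vanished or is unreadable; skip it
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & (stat.S_IROTH | stat.S_IWOTH):
                findings.append((path, oct(stat.S_IMODE(st.st_mode))))
    return sorted(findings)

def demo():
    """Build a constructed tree with one 0666 file and one 0600 file,
    then return what the audit flags (file name and mode only)."""
    with tempfile.TemporaryDirectory() as root:
        exposed = os.path.join(root, "dbgraw.bmp")    # constructed stand-in
        private = os.path.join(root, "template.bin")  # constructed stand-in
        for path, mode in ((exposed, 0o666), (private, 0o600)):
            with open(path, "wb") as fh:
                fh.write(b"\x00")
            os.chmod(path, mode)  # chmod is not subject to the umask
        return [(os.path.basename(p), m) for p, m in world_accessible(root)]

if __name__ == "__main__":
    for name, mode in demo():
        print(name, mode)
```
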
With Android 6, Google began implementing some minimum standards on fingerprint policy when it introduced "Nexus Imprint" as an answer to Touch ID. However, while Google appears to follow its own standards, security experts at ElcomSoft described other Android fingerprint security as "widely inconsistent."
Among the issues: Android hardware makers can build phones that enable fingerprint unlock after a reboot; they don't have a mandated 48-hour expiration time like Apple's Touch ID.
While modern Android 6 or later devices are mandated to use a Trusted Execution Environment for storing fingerprint information, any attacker who can compromise the OS kernel can unlock the device and decrypt the entire phone. That isn't possible on iOS.
Removing the Touch ID sensor and replacing it with an unauthorized sensor renders an iOS device unable to use Touch ID or Apple Pay. That isn't the case on Android, where a compromised sensor can be installed.
Additionally, only 36 percent of the Android installed base is currently even using a fairly modern version of Android (since 6.0) designed to coach hardware makers into building more secure fingerprint systems. And Google's Full Disk Encryption implementation is so slow (and bad) that it is generally turned off, rendering all the security of the fingerprint sensor worthless.
Windows PCs similarly slopped out worthless fingerprint sensors
Several years before Apple made Touch ID popular on iPhones starting in 2013, backed by a strong security policy, a series of PC makers issued Windows laptops with UPEK fingerprint sensors billed as offering strong alternative security: Acer, Amoi, ASUS, Clevo, Compal, Dell, Gateway, IBM/Lenovo, Itronix, MPC, MSI, NEC, Sager, Samsung, Sony and Toshiba.
However, security researcher Olga Koksharova reported that the sensor "stores Windows account passwords in the registry 'almost in plain text, barely scrambled but not encrypted,'" resulting in "nothing but a big, glowing security hole compromising (and effectively destroying) the entire security model of Windows accounts."
Hopefully, the brains behind the incredibly slow and clumsy EMV Chip and Pin cards are more careful with security than the likes of Samsung and Lenovo. In any case, there's no way they can implement the same kind of security policy that Apple developed for Touch ID and Apple Pay, simply because credit cards aren't self-powered smartphones.