On the 20th of April MasterCard announced the release of its new biometric debit cards in South Africa. The company wants to use the country as a testing ground to make adjustments and mature the technology before extending it to other countries.
Despite the generally positive reception from people who presumably welcome the prospect of making their payments more quickly than ever, one must ask whether fingerprints are necessarily more secure than old-fashioned PINs. After all, it’s not a given that an authentication method that is more convenient and futuristic provides more effective security.
Biometric Authentication Is a Strong Trend
The method of using a password to gain access to privileged information has been around since ancient sentries challenged strangers to repeat a phrase before deciding whether to let them through. In the digital era passwords became a cheap and easy way to keep user accounts safe, while fingerprint authentication was usually only of interest to large corporations and state institutions.
All of this was turned on its head after Apple and Samsung began one-upping each other with fingerprint scanners on their phones. Since then it’s been a trend to include biometric authentication on various high-end products. Samsung’s latest Galaxy S8 even includes an iris scanner.
People tend to trust this form of authentication because it is unique. It’s safe to assume that a would-be hacker will not have the same fingerprint or iris pattern that you do. There’s a certain feeling of assurance knowing that you’re “biologically tied” to your devices and accounts, which is probably one of the reasons why MasterCard decided to use this trust and implement a fingerprint scanner right on its cards to make secure, PIN-less payments possible.
Why There’s Reason to Be Concerned
MasterCard’s latest move also raises a few questions about whether something as intimate as your bank account should be tied to a fingerprint rather than a PIN. At first it seems like a sound strategy. What could possibly be safer than your fingerprint? The traditional four-digit PIN has 10,000 possible values (0000 – 9999), whereas a fingerprint has several billion possible permutations. You’d have a much harder time guessing the latter.
There’s one little problem with that logic: Thieves and hackers rarely try to guess the authentication details of a card they just stole. It takes too much effort, and most cards get locked out after a certain number of unsuccessful tries. Stealing the credentials eliminates the guesswork. It turns out that you can simply obtain a person’s PIN through a variety of clever methods, such as installing a fake keypad on an ATM or just watching the victim type it from over their shoulder.
At first glance, then, it would appear that PINs are markedly less secure than biometrics. Fingerprints can’t be stolen, right?
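To make the lockout point concrete, here is a small added example (not code from the article or from MasterCard) that simulates a card which locks after a fixed number of wrong PINs. The three-attempt limit, the constant-time comparison and the sample PINs are constructed assumptions for illustration, not any real issuer’s policy. It shows why the 10,000-value keyspace is not what protects a stolen card: with a lockout, a guessing attacker succeeds with probability attempts/keyspace, no matter how clever the guessing order, which is why thieves go after the credential itself instead.

```python
"""Guessing a 4-digit PIN against a card that locks out after N failures.

Added example; not part of the original article. The attempt limit and the
PINs below are constructed assumptions, not a real card network's policy.
"""
import hmac
import random

PIN_SPACE = 10_000  # 0000 .. 9999, the keyspace the article quotes


class PinVerifier:
    """Minimal PIN check with an attempt counter and a hard lockout."""

    def __init__(self, pin: str, max_attempts: int = 3):
        self._pin = pin.encode()
        self.max_attempts = max_attempts  # assumed limit, not a real policy
        self.failed = 0
        self.locked = False

    def verify(self, guess: str) -> bool:
        """Return True only for the right PIN on an unlocked card."""
        if self.locked:
            return False
        # Constant-time compare so response timing leaks nothing about the PIN.
        if hmac.compare_digest(self._pin, guess.encode()):
            self.failed = 0
            return True
        self.failed += 1
        if self.failed >= self.max_attempts:
            self.locked = True  # further attempts are refused outright
        return False


def brute_force(verifier: PinVerifier) -> bool:
    """Attacker model: try every PIN in order until success or lockout."""
    for candidate in range(PIN_SPACE):
        if verifier.verify(f"{candidate:04d}"):
            return True
        if verifier.locked:
            return False
    return False


def guess_success_probability(max_attempts: int, keyspace: int = PIN_SPACE) -> float:
    """Chance that guessing beats a uniformly random PIN before lockout.

    The guessing order does not matter: each attempt rules out one value,
    so the attacker can cover at most max_attempts of the keyspace.
    """
    return min(max_attempts, keyspace) / keyspace


def simulate(trials: int, max_attempts: int = 3, seed: int = 1) -> float:
    """Empirical success rate of brute_force over random PINs (constructed)."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        pin = f"{rng.randrange(PIN_SPACE):04d}"
        if brute_force(PinVerifier(pin, max_attempts)):
            wins += 1
    return wins / trials


if __name__ == "__main__":
    print("theoretical:", guess_success_probability(3))  # 0.0003
    print("simulated:  ", simulate(5_000))
```

Run it and both numbers sit around three in ten thousand, the figure a 3-attempt lockout enforces regardless of keyspace. The same arithmetic is what makes the rest of the article’s argument bite: the lockout removes guessing as an option, so the attacker’s realistic path is to capture the credential, and that is exactly the path where a fingerprint, unlike a PIN, cannot be replaced afterwards.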
In fact, stealing a fingerprint is actually quite easy. A well-known hacker named Jan Krissler managed to extract fingerprint data from high-resolution photos of Germany’s defense minister Ursula von der Leyen and reproduce it well enough to gain access to any of her biometrically locked data.
Attempts to make fingerprint scanners more robust by mapping the vein patterns inside fingers were likewise defeated after Swiss researchers used special imaging techniques to bypass this method. And, of course, we cannot forget the breach of the U.S. Office of Personnel Management in July 2015, when hackers stole 21.5 million Social Security numbers. Along with that data they also stole the fingerprints of 5.6 million people.
And Here’s Why It Matters
When a massive database like the one just mentioned is breached and hackers manage to steal passwords, the effects are severe, but you can stop the damage from spreading by quickly changing your password. But what if your fingerprint is stolen? How do you change that?
Here’s the crux of the issue: Your fingerprint is an irrevocable piece of data. You’re born with it, and that’s what you have for the rest of your life. The same goes for your iris or any other biometric identifier. The best you can do is switch fingers, but you only have ten of them. If you’re a high-profile target or have many high-resolution photos published on the Web, you really can’t escape the reality that this presents.
As it turns out, biometric authentication is most effective when it is used in a highly sensitive and secure environment by people who don’t have very public lives (e.g. government agents). As a part of consumer technology, it is a convenience that potentially sacrifices security. Ironically, your fingerprint becomes less secure as you become a more public person.
As it stands today, putting all of your faith in biometrics may prove to be a ticking time bomb that goes off in a few years’ time, when hackers will be looking to gain access to large fingerprint and iris databases.
Do you think there are ways to make biometric authentication safer for use in consumer technology? Tell us all about it in a comment!