Based in Silicon Valley, California, Security Brief is a blog by Chris Louie. His posts discuss current information security affairs.

Biometric Credit Cards: More Marketing Spin than Real Security


For nearly 10 years, banks and financial institutions have been attempting to phase out plastic credit cards in favor of lower cost and more secure digital solutions. Cryptocurrencies such as Bitcoin and Ethereum looked like promising cash/credit card replacements, but high volatility and fees have hindered widespread adoption. High-profile, major breaches at companies like TJX, Heartland Payments, Home Depot, and Target exposed major flaws in the modern United States credit card payment system: credit card numbers are static, easily cloned, and there have been no major security innovations over the last few decades. It is also very easy to monetize stolen credit card data. 

Google was one of the first companies to introduce a mobile payment system that did not rely on a plastic credit card when they introduced Google Wallet in 2011. Apple followed with Apple Pay in 2014. While these payment methods are more secure and cheaper to operate for merchants, consumers simply do not see a need to move from plastic to digital as evidenced by low adoption rate. Digital payment methods rely on modern cryptography to generate one-time transaction records that are immune to interception and replay attacks. If an attacker were to intercept and decrypt one of these digital transactions, the information would not be useful for fraud purposes. Anecdotally, I have seen less than 1 in 4 merchants support Android/Apple Pay and I have never seen anyone use these methods to pay. It would seem that these modern digital payment methods are a solution in search of a problem.

[Image: google wallet.png]


In an effort to curb bulk credit card number theft and fraud, credit card companies introduced new rules in the US to try to force the adoption of so-called chip-and-PIN credit cards. The new rules included contract language that made the merchant responsible for any fraudulent activity if they did not adopt chip-and-PIN payment systems. Prior to these new rules, the credit card companies were on the hook for almost all fraudulent charges; in almost every case, the consumer was protected against any fraudulent transactions. Adoption was slow, and it even became a mainstream joke that merchants and payment systems were not equipped to handle chip card transactions as smoothly as magnetic stripe ones. Another large drawback of chip transactions is that they take significantly longer than the magnetic stripe transactions consumers have grown accustomed to.

A chip card is basically a Type 1 smart card containing an embedded certificate. That certificate is used to generate a one-time transaction code that can never be used again. If an attacker stole the chip information from one transaction, duplicating that information would not work because the stolen transaction number would not be usable again and the transaction would be denied. Most US-based merchants have only adopted the “chip” part of the chip-and-PIN payment system, which still allows anyone with physical access to the card to use it (single-factor authentication). In most Western European and Southeast Asian countries, merchants have adopted both chip and PIN, requiring the holder of the card (something you have) to enter a PIN (something you know) in order to use the chip on the card. Chip-and-PIN has proven to be a success in slowing down credit card fraud: after its increased adoption in these regions of the world, credit card fraud dramatically dropped and criminals began targeting the United States, which had not yet adopted chip-and-PIN. Target stores (probably due to the massive breach they experienced) have been the only merchant I have personally encountered that requires both a chip card and a PIN for every transaction.
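The one-time transaction code described above, as an added illustration that is not part of the original post: a simplified model (not the EMV specification) in which the chip MACs the amount, a per-card transaction counter and a terminal nonce under a card key, and the issuer rejects any cryptogram whose counter it has already seen or whose fields no longer verify. The class names, the 8-byte MAC truncation and the constructed key are assumptions.

```python
import hashlib
import hmac
import struct

class Card:
    """Chip side: a per-card secret key and a monotonically increasing counter."""
    def __init__(self, card_key: bytes):
        self._key = card_key
        self.counter = 0

    def cryptogram(self, amount_cents: int, terminal_nonce: bytes) -> dict:
        # Every approval consumes a fresh counter value, so no two transactions
        # ever produce the same cryptogram, even for the same amount.
        self.counter += 1
        msg = struct.pack(">QI", amount_cents, self.counter) + terminal_nonce
        mac = hmac.new(self._key, msg, hashlib.sha256).digest()[:8]
        return {"amount": amount_cents, "counter": self.counter,
                "nonce": terminal_nonce, "mac": mac}

class Issuer:
    """Issuer side: shares the card key and remembers the highest counter seen."""
    def __init__(self, card_key: bytes):
        self._key = card_key
        self.last_counter = 0

    def authorize(self, txn: dict) -> str:
        msg = struct.pack(">QI", txn["amount"], txn["counter"]) + txn["nonce"]
        expected = hmac.new(self._key, msg, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, txn["mac"]):
            return "DENIED: cryptogram does not verify"   # amount or nonce altered
        if txn["counter"] <= self.last_counter:
            return "DENIED: counter already used"          # a copied transaction
        self.last_counter = txn["counter"]
        return "APPROVED"

def demo() -> list:
    """Constructed scenario: one genuine purchase, then two attempts to reuse it."""
    key = b"constructed-card-key-not-a-real-secret"
    card, issuer = Card(key), Issuer(key)
    genuine = card.cryptogram(4999, b"terminal-nonce-1")
    outcomes = [issuer.authorize(genuine)]
    outcomes.append(issuer.authorize(genuine))            # captured data presented again
    altered = dict(genuine, amount=1)                     # same MAC, changed amount
    outcomes.append(issuer.authorize(altered))
    outcomes.append(issuer.authorize(card.cryptogram(1250, b"terminal-nonce-2")))
    return outcomes

if __name__ == "__main__":
    for line in demo():
        print(line)
```

A static magnetic stripe number carries none of these fields, which is why copied stripe data authorizes as readily as the original.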

[Image: smart card.jpg]


Because remembering numbers is hard, MasterCard announced that they would be releasing a fingerprint reader on their new credit card to act as the second factor for authenticating a credit card transaction (something you have and something you are). When a new card is issued, the card owner enrolls their fingerprint with the bank or financial institution and an encrypted digital template of the fingerprint is stored locally on the card. When the card owner attempts to use the card, their fingerprint is read and the card allows or denies the transaction based on whether the fingerprint presented matches the one on file. However, there are two major problems with using biometrics for credit card security.

  1. A credit card owner cannot hand the card over to a restaurant for payment; the restaurant would have to bring a mobile card reader to the owner.
  2. Fingerprints are inherently based on fuzzy matching in order to avoid Type 1 errors (false rejections).

When a PIN is used to secure a secret such as the private key of a credit card's embedded certificate, there is no ambiguity: either the PIN matches or it does not. The PIN is hashed and used as an exact key to decrypt the secure enclave where the secret is stored. Fingerprints are not exact due to several circumstances: moisture on the finger, a cut on the finger, skin expansion or shrinkage due to weather or weight gain/loss, positioning of the finger, contaminants on the finger, and the like. Since it takes too long and too much processing power for biometrics to be exact, compromises are made, such as reducing the number of data points that must match for a presentation to be accepted.


When I worked with biometric encrypted devices, there was a setting that allowed a user to configure how many data points would have to match before the device could be unlocked. Set the number too low and the wrong person could unlock the drive (Type 2 error/false acceptance). Set the number too high and you could potentially never get a good match if your hands were dirty or sweaty (Type 1 error/false rejection).
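The exact-versus-fuzzy contrast from the two paragraphs above, as an added example that is not from the original post: the PIN path derives a key that either verifies or does not, while the fingerprint path counts matching minutiae against a configurable "data points required" threshold and reports false-reject and false-accept rates over constructed genuine and impostor scans. The minutiae model, PBKDF2 standing in for the card's key derivation, the 2-unit match radius and all sample data are assumptions.

```python
import hashlib
import hmac
import random

def pin_key(pin: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever KDF a real card uses (an assumption).
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 10_000)

def make_verifier(pin: str, salt: bytes) -> bytes:
    return hashlib.sha256(pin_key(pin, salt)).digest()

def pin_unlocks(pin: str, salt: bytes, verifier: bytes) -> bool:
    # One wrong digit yields an unrelated key: there is no "close enough" outcome.
    return hmac.compare_digest(make_verifier(pin, salt), verifier)

def matched_points(enrolled, live, radius=2.0) -> int:
    """Fuzzy match: count enrolled minutiae that have a live point within radius."""
    used, hits = set(), 0
    for ex, ey in enrolled:
        for i, (lx, ly) in enumerate(live):
            if i not in used and (ex - lx) ** 2 + (ey - ly) ** 2 <= radius ** 2:
                used.add(i)   # a live point can satisfy only one enrolled point
                hits += 1
                break
    return hits

def fuzzy_unlocks(enrolled, live, threshold: int) -> bool:
    return matched_points(enrolled, live) >= threshold

def error_rates(enrolled, genuine, impostors, threshold: int):
    """(false-reject rate, false-accept rate) for one 'points required' setting."""
    frr = sum(not fuzzy_unlocks(enrolled, t, threshold) for t in genuine) / len(genuine)
    far = sum(fuzzy_unlocks(enrolled, t, threshold) for t in impostors) / len(impostors)
    return frr, far

def constructed_data(seed: int = 7):
    """Constructed sample: 20 enrolled minutiae on a 100x100 grid, 50 genuine scans
    (points jittered up to 1 unit, 1-8 lost to sweat, dirt or a cut), 50 random impostors."""
    rng = random.Random(seed)
    enrolled = [(x, y) for x in (10, 30, 50, 70, 90) for y in (10, 30, 50, 70)]
    genuine = []
    for _ in range(50):
        pts = [(x + rng.uniform(-1, 1), y + rng.uniform(-1, 1)) for x, y in enrolled]
        rng.shuffle(pts)
        genuine.append(pts[: rng.randint(12, 19)])
    impostors = [[(rng.uniform(0, 100), rng.uniform(0, 100)) for _ in enrolled]
                 for _ in range(50)]
    return enrolled, genuine, impostors
```

On the constructed data, requiring all 20 points rejects every genuine scan (each lost at least one point), while requiring only one point accepts some impostors; the usable settings sit in between, which is the knob the post describes.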

[Image: biometric level.png]


Some would argue that something you are is more secure than something you know. In the US, PINs have very low entropy and are only 4 digits long, thanks to the ATM inventor’s wife saying she could only remember 4 digits. Fingerprints are viewed as more difficult to copy, but the popular show Mythbusters as well as several Black Hat and DefCon talks have shown otherwise. When the US Office of Personnel Management had over 20 million records stolen, fingerprint data was among the stolen information.


The fact that consumers are almost never responsible for fraudulent transactions has slowed the innovation of security controls for credit cards. Exact matches (PIN) are always more secure than fuzzy matches (fingerprints). Time-based one-time passwords such as Google Authenticator or RSA SecurID are the most secure, but require an additional device to be carried around. It took holding merchants responsible for fraudulent activity to force them to switch to chip-and-PIN readers, and even after the new rules took effect, adoption was slow. Biometrics give security a cool factor, but they are more marketing spin and security theater than actual innovation in security. Adding a second factor such as a fingerprint is better than having a single factor, but a PIN is exact and more secure.
