MasterCard Joining Push For Fingerprint ID Standard

schwit1 writes with this selection from a story at USA Today: "MasterCard is joining the FIDO Alliance, signaling that the payment network is getting interested in using fingerprints and other biometric data to identify people for online payments. MasterCard will be the first major payment network to join FIDO. The Alliance is developing an open industry standard for biometric data such as fingerprints to be used for identification online. The goal is to replace clunky passwords and take friction out of logging on and purchasing using mobile devices. FIDO is trying to standardize lots of different ways of identifying people online, not just through biometric methods."

Re:How about NO

[phantomfive]

The worst part is once your fingerprint is compromised, you can't change it easily. You can't ever use it again.

At least if you have a bad password, you can change it.

Re:How about NO

[0123456]

What exactly can they do with your fingerprints that's dastardly and evil? I think I'm missing something.

Break into your account on any other service that's retarded enough to think fingerprints are passwords?

Hand them to the NSA so they can link your online activities to your fingerprints?

Just two that come to mind in about ten seconds.

Fingerprint == user_name

[Anonymous Coward]

Fingerprints should be treated as user names, not as a substitute for passwords.

There are better ways.

[Anonymous Coward]

The system of telling someone a secret to identify your self and thus authorize something is inherently stupid. I con't care if its a credit card number, security code, or finger print.

We have public key cryptography, there is no reason to tell every vender you make a purchase from enough information to allow them to make arbitrary purchases. They should provide you with a request, which you can sign/authorize with your private key. This signed transation request goes to the payment processor (mastercard in this case). Then they can, if you dispute the validity of it. provide the signed request as proof that someone with your private key (which they don't have, and you never give out) authorized it. Thus they are more resistant to false fraud claims, you are more resistant to identity theft/fraudulent purchases.

Its clearly a Win/Win, but requires you to have a "smart card" of some kind thats capable of displaying some minimal information, lets you select to authorize or not. The transfer of data to and from the card, and the powering of it would be easy to do over NFC, and it just needs enough of a display to show the amount. It should be possible to make such a device for ~5$ in large quantities, but you could also just use a smart phone.

You obviously would want a system where you could contact the payment processor and update your public key incase your card is stolen (generally, changing your key frequently isn't a bad idea, assuming you have some nice way to authenticate to change it, like using a key you don't carry around with you).

Also, its trivial to allow such a system to transfer money in either direction, and extend it to multiple payment processors and currencies (open the standards for the interface, so you can make a single card that works with mastercard, bitcoin, visa, etc).

Do to the reduced rates of fraud, liability and thus fees can be reduced, and even the potential for privacy is added (unique keys for each transaction + third party payment processors which work as proxies and protect the content of your purchase from the actual payment processor+credit card company, and protect your identity from the store). Even things like bitcoins and cham tokens could be used if you really wanted to go privacy crazy.

So, why arn't stores using such a lower risk, lower fee, more secure and more user friend system? Because the payment processors have a monopoly and like it this way. Don't buy into their stupid schemes like finger print id; they just want to keep their monopoly, and access to all that valuable data you provide, and all those fees the venders provide. Better security (and privacy) is trivial, and this is not how to get it. Privacy is impossible with the finger print system, and the security isn't good either.

Re:Fingerprint != user authentication

[phantomfive]

It's worth mentioning that fingerprints CAN be used for authentication IF you can verify that the person is right there, and you can see that it is actually his fingerprint.

But that's not what's happening here. What's happening here is they are just creating a binary pattern. The binary pattern can be stolen and used by anyone. It's a lot harder to use someone else's actual finger.

Re:Boy do feel safer

[savuporo]

You lose your fingerprint data every time you step out of your private quarters, unless you wear latex gloves every all day. Copying and faking your fingerprints costs about $10 Fingerprints are the most easily collected biometric information on you - using them for any sort of authentication is stupid.

Re:Boy do feel safer

[failedlogic]

Mastercard surely employs security experts who should know better. I would think most of them would come up with the same counter-arguments we'll be reading on Slashdot in the next few hours.

So the question is, who came up with this idea and why authorize to release it to the media?

Re:How about NO

[Opportunist]

You think I can't do anything evil when I have access to your fingerprints?

Need an email address to mail them to? A set of prints that ain't mine could be handy at times...

User authentication != being present

[Anonymous Coward]

That person may be forced to use his finger, and there is the opposite case, using a card on the internet for shopping should not require anyone being anywhere specific.

Industry Not Known For Intelligence

[Anonymous Coward]

The Chaos Computer Club put it nicely: "It is plain stupid to use something that you cant change and that you leave everywhere every day as a security token."