Mastercard Pushes Biometrics, Banks Follow

Biometric authentication “will be of great benefit to everyone.”

By Don Quijones, Spain, UK, & Mexico, editor at WOLF STREET.

Mastercard has set a deadline for widespread use of biometric identification for its services across the whole of the EU: April 2019. Mastercard Identity Check, currently available in 37 countries, enables individuals to use biometric identifiers, such as fingerprint, facial, and iris recognition, to verify their identities when using a mobile device for online shopping and banking. The technology is not mandatory for customers, but from next year it will be vigorously promoted throughout the EU and many consumers will welcome it.

The impact will be felt not just by consumers but also by most European banks, since any bank that issues or accepts Mastercard payments will have to support identification mechanisms for remote transactions, alongside existing PIN and password verification. The deadline will also apply to all contactless transactions made at terminals with a mobile device.

Citing research it carried out with Oxford University, Mastercard says that 92% of banking professionals want to introduce biometric ID. This high number shouldn’t come as much of a surprise given the vast untapped value consumer data holds for banks and corporations as well the preference most banks have for electronic transactions. The study also claims that 93% of consumers would prefer biometric security to passwords, which is a surprise given the array of thorny issues biometrics throws up, including the threat it poses to privacy and anonymity and its deceptively public nature.

“A password is inherently private,” says Alvaro Bedoya, Professor of Law at Georgetown University. “The whole point of a password is that you don’t tell anyone about it. A credit card is inherently private in the sense that you only have one credit card.”

Biometrics, on the other hand, are inherently public, he argues. “I do know what your ear looks like, if I meet you, and I can take a high resolution photo of it from afar,” says Bedoya. “I know what your fingerprint looks like if we have a drink and you leave your fingerprints on the pint glass.” And that makes them easy to hack. Or track.

According to Mastercard, such concerns are not nearly as important to its customers as the promise of convenience, speed and ease of use. “[Biometrics] will be of great benefit to everyone: consumers, retailers and banks,” said Mark Barnett, President, Mastercard UK & Ireland. “It will make the purchase much smoother, and instead of having to remember passwords to authenticate, shoppers will have the chance to use a fingerprint or a picture of themselves.”

In other words, consumers will not have to use safer two-factor authentication — biometrics plus a PIN or password — if they don’t want to. Convenience is, as ever, the watchword. Card companies, banks and online retailers have good reason to prioritize speed and convenience. The quicker and easier the payment method, the more likely consumers are to complete the transaction. Compared to other methods, such as one-time SMS passwords, biometric authorization can decrease the “abandoned basket” rates by as much as 70%, according to the study.

VISA and it has just published a similar report claiming that consumers in India are equally keen to use biometrics for authentication. In this case a staggering 99% of the people surveyed said they are personally interested in using at least one biometric method to verify their identity. An equal number of participants — another staggering 99% — said they are interested in using at least one biometric method to make payments. VISA will no doubt be happy to oblige.

The roll-out of biometric-authenticated payments across Europe, in India, and in Mexico, is merely the latest example of the accelerating encroachment of biometrics into everyday life. Most national passports these days include biometric data. Driver licenses in the US (which serve as de facto ID cards) already have them or soon will. Meanwhile, millions — perhaps soon billions — of people have volunteered their digital fingerprints to log into their smartphones and other digital devices. In other words, people are already giving away their most private data to work, communicate, cross borders, or get on planes.

In China, where privacy concerns are given even less importance than in the U.S. or Europe., authorities have been collecting DNA samples, fingerprints, eye scans and blood types of millions of people in the province of Xinjiang, the only Chinese territory apart from Tibet where ethnic Han Chinese are not in the majority.

In Macao Chinese gamblers taking out money from some ATMs have to look into a camera for six seconds so facial-recognition software can confirm their identity. “This is aimed at illicit outflows of capital from China,” Sean Norris, Asia Pacific managing director at Accuity in Singapore, told Bloomberg. “It’s aimed at people drawing out money in Macau, going to the casino, betting very little, getting forex from there and moving it.”

Throughout the Chinese mainland consumers hand over personal information to e-commerce, mobile payment and food-delivery apps on their smartphones without giving it a second thought. “They’re not well-educated about how privacy should be important to them,” said Simic Chan, a senior analyst at Fung Global Retail & Technology in Hong Kong. “They feel it’s a norm to have their data collected.”

While China may be leading the way in forcing biometric tracking on consumers, there’s a long trail of countries and companies not that far behind. And as Mastercard’s massive push into biometrics shows, it’s not just governments and technology firms wanting to use it. By Don Quijones.

Enjoy reading WOLF STREET and want to support it? You can donate. I appreciate it immensely. Click on the beer and iced-tea mug to find out how:

Would you like to be notified via email when WOLF STREET publishes a new article? Sign up here.



  50 comments for “Mastercard Pushes Biometrics, Banks Follow

  1. Guido says:

    All is well and good until somebody claims discrimination based on biometrics. If a rumor starts that these companies are doing data mining and using data from the analysis to conclude that people of a certain race — race will manifest itself in certain physical characteristics — are deemed to be of high risk and therefore denying cards or setting lower limits etc., then you are looking at a political issue. It is all optics from that point on. In any case, the defense that they use today of a standard form that does not use your race will not work anymore. I am sure race is a factor in issuing credit cards today but they can at least appear to be unbiased.

    But hey, the credit card giants are asking for it. They should get it, especially since the elected people everywhere now work for the moneyed interests. If I worked in Brussels or DC, I’d be salivating at the prospect of regulating them after this fiasco is over.

    • Wolf Richter says:

      Companies already have all this information. The data file that has been collected over the years on everyone is enormous. And yes, they’re already discriminating in extending credit, job offers, insurance rates, etc. based on things gleaned from around the internet.

      • “things gleaned from around the internet?”

        • William Smith says:

          Idiots spew all their intimate details (photos, financials, relationships) to crapbook et al. Their algorithms are exceptionally good: they know details about you that you don’t even know. All this from data that idiots have willingly up given over the years for “free” services. Doing an internet search of this topic will bring up many scary facts.

      • Tom T says:

        Wolf,

        How can a person find out what might be about them “gleaned from the internet” that a potential employer can see. Are there particular web sites they employ to see this info? Sorry to bother you but if you can, I would appreciate your help.

        Thank you so very much for your hard work in presenting these articles. You are an asset to the world.

        • Kaz Augustin says:

          As an ex-IT Project Manager for a company’s now-defunct Internet Security Division, I try to inculcate in my kids the value of being vvv careful around social media sites. They have no visibility on Crapbook (love that one, @William), Twitter, Google+, etc. But now they’re facing another problem. As they go through their studies, I’m starting to read that graduates who have little-to-no public data available on them are being *turned down* for jobs because “if you’re not on Facebook/Linkedin/etc. you must have something to hide”.

          Heads they win, tails you lose.

          PS I’ve also been told that, to apply for some (teaching) jobs, I *need* a Whatsapp presence! WTFFFFF?!
          “It’s a jungle out there / It makes me wonder how I keep from going under” –Grandmaster Flash

    • Joan of Arc says:

      Biometrics is a bit cumbersome and will be replaced by a biological biometric chip at birth placed in every individual’s right hand as has been predicted in a famous widespread book. Without it no individual will be able to buy, sell, or survive. Some may cynically refer to it as the mark of the beast. It shall be the number of a man, and that number shall be a derivative of 666?

      • Maximus Minimus says:

        I hope, that number will be stored in four computer bytes, i.e. 4 billion, and after that no new births allowed. That will stop the overpopulation problem.

    • Petunia says:

      They can already determine a person’s race or ethnicity based on demographics using just your zip code. This was developed as a response to the legal elimination of redlining in mortgage lending.

      They take a zip code and look for racial markers like streets or public buildings named after famous black people, like MLK. They can tell from the graduation rates, >99% = white upper class, >95% = white working/middle class, <90% = you're screwed. I'm only using black/white but it can be more detailed.

      • IdahoPotato says:

        They’ve become very precise, and it is for a reason. “Indian American” is a new category on forms that didn’t exist before. Earlier it was just “Asian”.

      • alex in san jose AKA digital Detroit says:

        Petunia – one census they were bound and determined to put me down as Hispanic. Because I lived in a heavily Hispanic neighborhood and thanks to some interesting genetics I can get fairly brown. Helloooo…. that ‘hood had its share of working-class whites too. But, I appeared to be X, was in a neighborhood with lots of X, therefore I was X.

  2. RM says:

    I would rather use iris scanning to buy goods than card numbers and PINs which get hacked or harvested by skimmers. I think the use of iris scans in transactions might provide welcome relief against identity thieves. (I realize identity thieves have already figured out how to copy fingerprints, and facial recognition seems flawed.)
    We can’t go on using the social security number as a national identity number. Identity theft is ruining people’s lives. The IRS and Social Security Administration are complicit — they are surely aware that, say, 25 people are all using the same SSN; they just don’t care about the person being victimized.
    So I am not against using biometrics to confirm identity. There has to be a better way than SSNs, driver license numbers, DOB, etc.

    • Petunia says:

      I heard on tv, just yesterday, reporters complaining that the new iphone is a bust because the facial recognition doesn’t work.

      It has also been reported on numerous occasions that people have had their fingers cut off and eyeballs removed to hack biometric systems. This will take muggings to a whole new level.

      • Rates says:

        Facial recognition only works reliably in TV shows/movies.

        The bigger story is that facial recognition fail == Neural Networks (Artificial Intelligence Hot Area) fail.

        • LessonIsNeverTry says:

          It isn’t fail… just a bit early. Look at almost any area of machine learning and the pace of improvement in the last five years is exponential. There is no reason to believe that will not continue for another five, at which point it will be so good everyone will take it for granted.

    • California Bob says:

      Does iris scanning work similar to retina scanning? Retina scanning was going to be the end-all in biometrics a couple decades ago, until the HIV scare made people really leery of swapping precious bodily fluids from eye contact with the scanner. Also, cue horror stories of people having their eyes gouged out to spoof the scanners.

      Biometrics was ‘the next big thing’ when I got into the computer/technology business over 35 years ago, and it appears to still be on the launch pad. Merchants seem comfortable with whatever losses they incur from fraudulent credit card usage; I almost never even get asked for ID when I use mine. I smell a hidden agenda on the part of the credit card companies. Big government is probably salivating over the idea, though. Even though the 9/11 hijackers, for example, didn’t use fake IDs (AFAIK), it’s just their ID cards didn’t say WHAT they were, just WHO they were (and the FBI wouldn’t listen to the flight instructors who reported their suspicious training requests).

      • California Bob says:

        Continuing …

        Biometrics would, theoretically, validate your identity in the checkout line, but I believe most identity theft is accomplished in more mundane ways (someone sifting through your garbage for that tax form or pre-filled out credit card application you neglected to shred, or the waiter or cashier scanning your card under the table, or weak passwords, for instances).

        What’s most needed, IMO, is better online validation. I think the best solution is two-factor; i.e. if someone tries to hack into your bank account from a computer not known to the server–by MAC address, I believe, which is theoretically unique but can be hacked–then you get the text to your phone with a validation number. The hacker needs not only your account–which is often WAY too obvious–and your password, but access to your mobile phone and some way to log on. I suppose retina scanning using your computer’s camera would work, but I’m inclined to keep my computer’s camera turned off or covered anyway.

        The people who really need to batten down the hatches are the aggregators of data; are you listening Equifax, et al?

        • ZeroBrain says:

          Remote computers behind routers don’t know one another’s MAC address – they know the IP and the gateway takes care of routing to the proper MACs behind their respective firewalls. And in any case, MAC address is easily spoofed.

    • d says:

      Iris scans for ID a great if I need your iris to mask or commit a crime.

      I just pop out 1 of your eyes.

    • RepubAnon says:

      I talked about this with a programmer a while back. He noted that biometrics aren’t very good for establishing identity because they can’t be changed: passwords you can change… once someone gets your physical characteristics (fingerprint, face, iris, retina, etc.), and makes a copy on a 3D printer – how do you change them?

      • Dave Roberts says:

        Won’t work with palm vein scanning. Cut your hand off and the scan will fail because it’s based on the flow of blood into and out of the hand. Fujitsu has this cornered for the moment. Being tested big time in South Korea. In US hospitals and clinics about 7.5% are already on a palm vein scanning system; Imprivata, Palm Secure, M2SYS etc.

        By 2020 you’ll have had your palm vein scanned at your local clinic or hospital, or sooner perhaps. It’s proven to be 1 in a million fail. Well over 99% accuracy.

        Read Revelation 13 and put it together yourself. All UPC codes have the number 666 in them, and when they store your data in cards or chips it’s in UPC format because that’s how all the installed scanner base recognizes the beginning/middle/end of a scannable item.

        Don’t believe me? Get an item out and look at the UPC code. The first mark is two thin lines. The middle mark is the same two thin lines. The end mark is two thin lines. The two thin lines are also the code used for a 6. I know, I was in IT for 25 years and setup these systems for companies.

        • d says:

          Even mopre useless than may other BIO Id’s

          Hands are regularly serious injured in Industry.

          When this happens the Vein structure in the palm changes then you aren’t you any more. Says the machine.

          You need to run into a machine, over something important, that says you arent you, Or have the Stae tell you your ID proves you did X Y and Z when you didnt. Then you might see how useless and controlling bio-metrics are .

          Bio-metrics are about controlling the population, not consumer convenience and security.

  3. Robert says:

    WORST-CASE SCENARIO

    Removal of the body part that is being used for authentication WILL HAPPEN ! For criminal enterprise.

    There is a new movie about J P Getty´s grandson being promoted. If I remember the news correctly they sent his grandfather his ear to lubricate the settlement negotiation.

    I may have seen a few too many Quentin Tarantino films, but still I gotta ask this, ¨How many people losing an eye — so that a criminal can steal using their ATM — card will be too many?¨ FOR ME, the answer is this : ¨One person losing an eye ( or even a finger ) to a criminal is too many.¨

    I am being totally serious here. Even if the amputation cannot or will not work, we cannot count on most criminals having an above average IQ — and understanding that their plan might not work.

    To me, this is scary. And no thanks, I will not accept an implanted chip, either. It is fine for a pet, but not for me.

    https://it.slashdot.org/story/16/07/23/199214/can-iris-scanning-id-systems-tell-the-difference-between-a-live-and-dead-eye

    • tom says:

      What about high resolution photos of someone’s fingerprints or eye/iris? They could be used as well without cutting off fingers or removing eyes.

      I won’t do it. People need to contact MC, Visa , Amex and tell them they will cancel their cards/accounts. People should also contact their members of Congress regarding this as well

      • Wolf Richter says:

        No need to be so barbaric as to cut of fingers. Children’s Play-Doh will do to make a copy of a fingerprint and use it to hack into your device…

        https://www.theverge.com/2016/5/2/11540962/iphone-samsung-fingerprint-duplicate-hack-security

        • Ed says:

          Also, the Feds can force you to put your finger on your device. They cannot force you to cough up your password, though of course they can hold you at the airport and inconvenience you if you refuse.

          That’s both practically true and the law, if I recall correctly.

        • jCandlish says:

          Biometric imaging is not what many perceive it to be, not only because they have been misled by entertainment tropes, but also because the kind of imaging used is beyond human perception.

          The images (and infrared heat maps) fall well outside the spectral response of the human eye. The spacial maps are alien to our cognition.

          Vein scanning (detecting minute the heat differences) in the network of veins in the hand, face or retina is becoming increasingly popular, and is a strong defense against amputation.

          Expect vein scanning to become more popular as MEMS bolometers become commodity priced. https://en.letsgodigital.org/uploads/2017/11/palm-vein-sensor.jpg

      • California Bob says:

        I’ll bet you can 3-D print a fingerprint.

    • alex in san jose AKA digital Detroit says:

      I see a scenario where, instead of a CC “skimmer” at your ATM etc., there’s a really good camera hidden in there, get a photo of your eye(s) then 3-d print a fake eye good enough to fool the eye-scanning software. There’s a whole lot less killing and gouging-out of eyes that way.

      • d says:

        There are a LOT of Neanderthal level criminals out there.

        You are thinking at the tech level.

    • Silly Me says:

      However, the risk of losing an eye could become a leverage in the next move of this strategy game in order to corner people into getting chipped. Also, chipped pets can be used to track the owner most of the time.

  4. cdr says:

    Mostly useless. Las Vegas requires a drivers license if you use a credit card. Better and cheaper.

    Buying over the internet makes biometrics a joke.

    Recently, somebody got my CC number and opened an Amazon account with it. Amazon closed it after it set off a few alarms and they notified me about it. I contacted my CC provider and sent them the email Amazon sent me and the charges were promptly removed. Amazon lost maybe $800 over it. Biometrics would not have made a difference.

    Amazon could have saved $800 if they had a means to validate the use of a CC number on multiple accounts like that before it was used by the thief. Well, that’s their problem not mine.

    I pity the CC provider. If biometrics could help I bless their use.

  5. Kent says:

    A couple of thoughts:

    1. People don’t “abandon their baskets” online because the checkout process is too hard. They abandon the basket because at checkout is when they find out the shipping charge is stuffed with all the profit.

    2. I have no problem with biometrics in a public setting. If I buy something at a store I frequent, I’m rarely carded because the cashiers see me regularly and know I’m trustworthy. They’re using human biometrics (my face) already.

    The problem is online purchases. Folks aren’t going to have high quality biometric scanning equipment at home. And biometric data is hackable. It is not done regularly today because it is not used today. But when it is, people will be downloading databases of fingerprints, faces and eyeballs and creating physical objects that mimic them. Maybe that’s what will eventually cause 3-D printers to finally take off.

    What will be interesting is the currently unknown uses of that technology. What happens when anyone can mimic you in public? What happens when someone puts on your face and murders someone else in public?

    • Mel says:

      “creating physical objects that mimic them”

      and even that probably wouldn’t be required. It’s the bitstream representing the object that gets sent to the bank. If you’ve already got that from the database, just send it.

  6. Biometrics could open up the global flow of capital, which means one world, one wage, one standard of living. Or it could become a tool of repression, such as arresting gamblers in China trying to convert their money into dollars.

  7. Steve says:

    Fine, as long as it works. Coming through Heathrow the other week about 1 in 2 failed on the face check gates, and they made them fail it 3 times before redirecting to a human.

  8. Hirsute says:

    Researchers from Oxford University, huh? I in no way would participate in transactions requiring biometrics for identity validation. Seriously, tin foils hats seem to be more necessary with each passing day. In the article, Alvaro Bedoya succinctly explained how biometrics is actually a less effective security feature than passwords or, even better, two factor authentication. Makes one wonder if these bankers don’t have another agenda….

  9. walter map says:

    On a related note:

    “Show Me Your Papers!” Roundups, Checkpoints and National ID Card

    https://www.counterpunch.org/2018/01/25/show-me-your-papers-roundups-checkpoints-and-national-id-card/

    It was a bright cold day in April, and the clocks were striking thirteen.

  10. Gershon says:

    Biometrics is Big Brother’s wet dream. Yet the sheeple will fall over themselves to comply.

  11. Dan says:

    There are two reasons biometrics are a bad idea :
    1) invasion of the user’s privacy
    2) if it is hacked/defeated, you can’t change the credential (note that whatever biometric method is used, it still gets translated into 1s and 0s and transmitted, so there will always be an attack surface)

  12. MCH says:

    For all of this, we have to thank our wonderful technology providers such as Apple, Google, Facebook, and so on. It all sounds harmless until it isn’t. No surprise that these things are catch on faster in authoritarian regimes, but I’m glad democracies are not far behind in surrendering our privacy.

    After all, it would be a travesty if the banks can’t earn their money, and oh, before I forget, DEATH to cash. There I think India actually has a bit of a lead right?

    Thank goodness we have the option of crypto currency to help us maintain a semblance of privacy… oh what? You say most of those are scams… dammit.

  13. Gershon says:

    Orwell’s “1984” wasn’t meant to be an instruction manual.

  14. joanrn says:

    Biometrics become difficult to use as we get older. I work in an industry that uses fingerprint technology in sensitive areas. Fingerprints fade as we age, faces change, and we get cataracts, or other medical conditions. I have had to go back to a password, (not that I have aged that far). It will become difficult to age in the workforce. How will it work if you travel where biometric data is used and your credit card is not associated with these markers?

  15. Steve says:

    Here’s another aspect that people might be interested in. Needed to contact my internet/phone service provider yesterday and after a few minutes of discussion with a representative I was informed that I would no longer have to provide answers to specific security questions because they had recorded the conversation and now had a ‘voice print’ that would be used for verification purposes. I was dumbfounded and could only respond, “Well, that’s great I suppose you can file that one along with copies that the NSA and CSIS hold”, to which the person chuckled.

    We truly have entered an era of total surveillance and its only a matter of time, I suppose, before this type of ‘mission creep’ turns on us in a very negative fashion.

    • Wolf Richter says:

      When I make a wire transfer by phone, my bank uses a two-factor authentication system of pass code and voice verification. You have to sign up for it beforehand, and during that process, they record two sentences that you have to say. I’m always worried that when I have a cold, it won’t recognize me, but so far, even during my worst cold, it worked.

    • RM says:

      Re voice recognition, I was once in a restaurant and 2 women at a nearby table kept turning around to stare at me until one of them got up and came over to me and said my voice sounded exactly like the voice of a person they knew. It bothers me to think that voices can be similar and I suppose this poses an issue with voice recognition technology.

  16. Citizen AllenM says:

    I find it really funny that everyone is worried about privacy, when online, it is truly the global commons and free for all. As I said to the credit card company who called me about a fake account opened in my name- “It ain’t my problem, it is your problem.”

    And they are getting much better about figuring out who is actually sitting in front of them when it comes to credit. On the other hand, actual arrests would be a much better idea to punish the smurfs going into retail with fake id and credit card sets.

    Technology is actually pretty neutral, for every advantage, there are some disadvantages. It is all evening out in the end.

    On the other hand, there are some new ways to be evil that are pretty bad. I am surprised that some countries encourage ripoff industries (India, Russia, China), and don’t expect some blowback from it.

    Globalization is crazy, like the ability to order pure pharma from China and have it shipped through Europe and then right to your door. And our feeble idiot level congress critters complain the USPS does nothing- well, commerce rulz, baby.

    What it really should tell people is that the end of regulation is approaching in a lot of ways, because there will always be a place that does not follow our laws.

    After all, what is to stop those Chinese chemists from cooking in a slum in Tanzania?

    Or in a warehouse in Rotterdam, with international shipment available anywhere. Drug cartels are about to implode.

    Vat chemistry is the revolution that is really changing the world.

  17. NoOneOfConsequence says:

    I am a CIO for a security integration company. We deal in many different types of biometric readers, facial recognition, etc.

    I had a good laugh at most of the posts. Too much Hollywood and youTube conspiracy videos being watched!

    People’s fears of being tracked and monitored with biometrics are unfounded. It’s too difficult and expensive to do so at this time.

    If you want to avoid being tracked…put your cell phone on airplane mode, all the time. At the very least turn WIFI OFF.

    Do you realize that your phone is always scanning for wifi connections? Did you know that it will scan multiple connections to find the best signal strength? Did you know that when it does, it sends it’s mac address – even if it doesn’t connect?

    Many, many malls and facilities have deployed sensing nets that capture your phone’s mac address, and link it to the facial shot on the CCTV camera when you entered. The security system back traces your steps to your car and gets your license plate. Newer security camera analytics profile your vehicle type, color and year. They also profile your approximate age, race, and can detect nuances in gait and posture. This is all captured and databased through the video management system.
    These systems track you through the mall. The sensing nets monitor where you stop, spend time, and where you don’t go. Simple triangulation.

    If you have ever gone to the mall, with your wifi turned on, chances are you are already in the database.

    Apple is dealing with this issue, which is a relief, but the latest iOS update hasn’t solved the issue.

    If you have an android or google, well…you already gave google the rights to all your information, and contents of your devices. So – whatever. Just forget about it, nothing you can do.

    Sorry, but true.

  18. raxadian says:

    Biometrics have been proved again and again that they are weaker than even a twenty characters password.

    I expect lawsuits since at least when it comes to finger prints is quite easy to cheat the scanner. And the rest aren’t too far away.

Comments are closed.