As a consequence of the COVID-19 pandemic, consumer interest in contactless payments has been boosted by a general aversion to touching shared surfaces. Although EMV cards are already highly secure thanks to end-to-end (E2E) encryption, the security of the cards themselves must not be neglected. This is why biometric cards are steadily gaining ground in society.
Biometric payment cards start 2021 with a bang, after their progress was closely watched by the industry over the past year. Companies such as Thales, Fingerprint Cards, Idex Biometrics and CardLab have found that the best biometric method to employ on cards is a fingerprint sensor on the card body. Thus, paying with an EMV card could become the simplest and most secure method ever.

It is simple and straightforward to use: the user holds the card as they do at present and performs the biometric verification with their enrolled finger, while the PIN code remains available as a back-up whenever the cardholder's fingerprint cannot be used.

The main benefit is that the fingerprint reference data captured by the biometric sensor is stored securely on the card chip, so it does not have to be kept on the bank's servers. The enrolment process, in which the fingerprint is recorded onto the chip, must therefore be very rigorous and secure. EMV cards and biometrics complement each other and compensate for the shortcomings of each individual system. Ultimately, the privacy issue of a biometric identification solution can be solved by storing the biometric data on the smart card chip so that it always remains with the user, thus increasing the overall privacy and portability of the smart card.

Advantages and disadvantages

It should be noted that, for the customer, paying with a biometric EMV card is easier than ever: payment is made with a simple touch; there is no need to enter a PIN at the POS to complete the transaction; the contactless payment limit no longer applies, because the user is securely authenticated with their fingerprint; and the big breakthrough is that no update is required at the POS, since the biometric verification takes place directly on the biometric EMV card.

From a more technical point of view, it is difficult to reverse engineer a smart card and access the information stored on it. Thus, the combination with biometrics gives these new cards full privacy protection, a unique biometric user ID and enhanced cyber security. The user ID is not hackable, as the verification is done offline: it takes place on the card itself, using the so-called Match-on-Card technology, so the fingerprint template never has to leave the chip.

The negative aspects involved in the use of biometrics are few but real. First of all, there is the cost of these cards, as a more advanced security system requires more investment to implement. ABI Research forecasts 2.5 million biometric payment cards issued by 2021 and, with increased market adoption, a reduction in the current cost, which is between $20 and $30. Cost is one of the most important inhibiting factors keeping the biometric payment card form factor firmly within the testing and evaluation phase. Depending on volumes, unit costs of the card are expected to fall to between $13 and $20 by 2021.

Finally, although unlikely, false positives, biases and inaccuracies may occur. A biometric device analyses a complete fingerprint during the enrolment process, but during everyday use it only uses parts of the print to verify identity, which keeps the process fast. If the user is injured in the area of the fingertip used, for example, the card may not recognise the fingerprint and return an error. In such cases the EMV card's PIN can always be used as the fallback.

Knowing the weaknesses brings security

Biometric authentication is just one more target for cybercriminals. Devices designed to intercept biometric data in transit are already sold on the black market, and criminals would use them to capture both card data and biometric data. Fingerprints are stored in a bank database. There are two possible scenarios:

  • The same finger is used for all clients, an easier situation for the attacker, who only needs to know one finger of the client.
  • Fingers are chosen randomly, a more difficult situation for the attacker, who must obtain all the fingerprints of each client for a successful attack.

The main properties of biometric data are uniqueness, invariance and non-repudiability. These properties allow their owner to be uniquely and unambiguously identified. However, the more these data are used, the more likely they are to be stolen. It is therefore important to keep this data secure and to transmit it in encrypted form.

In addition, biometric data readers are very new and still in the testing phase, which gives attackers an excellent opportunity to explore and assess the future vulnerabilities of these devices.

For example, an attacker could prepare a specially designed NFC tracker to capture biometric data from a customer's bank card containing an NFC chip. The attacker would use the NFC tracker in crowded places such as the underground; the moment close contact is established, the attacker collects data from the card chip that would contain the fingerprint information. Cards without NFC are by design protected against such attacks, while NFC-enabled cards are only protected if clients use physical protection against wireless communication (e.g. a Faraday cage). After collecting the information, the attacker would only need a fake fingerprint reader to make use of the information from the card.

However, faking fingerprints is very difficult and costly, although not impossible. It could be done by making a mould while the victim is unconscious or indisposed, by scanning, or by acquiring prints on the darknet, as not all companies that handle biometric data store them reliably. The difficulty is that the two-dimensional image has to be converted into a three-dimensional model and printed on a 3D printer.

There are also vulnerabilities related to databases. The way to protect this biometric data is to keep it centrally, with secure transmission and storage. This aspect is of great importance, as a significant volume of biometric data is expected to be created that needs special protection.

Products on the market

The leading manufacturer of biometric cards is CardLab, which together with Quardlock has created a biometric card with a backend authentication system for the protection of critical infrastructures. CardLab has integrated its biometric card solution with Quardlock's backend authentication system to secure payment cards against fraud and identity theft. CardLab uses on-card authentication with Fingerprint Cards' FPC1080A swipe scanner and the FPC1300 series T-Shape touch sensor.

Thales Group also participates in this adventure: its biometric card was announced as the first contactless fingerprint payment card certified by Mastercard. The certification covers fingerprint performance, based on successful verification and very low false acceptance and false rejection rates (FAR and FRR, respectively), along with speed and distance performance during transactions and the security of the implementation. This certification has allowed the card to move beyond the pilot phase and meet the demands of the first banks adopting biometric cards.
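The Match-on-Card verification and PIN back-up described earlier, together with the FAR and FRR that the certification above measures, modelled as an added example; this is illustrative code, not code from any vendor or scheme named on this page. The minutiae representation, the match threshold, the positional tolerance and the try limit are all assumptions, and the enrolment and probe data are constructed.

```python
# Simplified Match-on-Card simulation (added example, not any vendor's code).
# Constructed model: a template is a list of minutiae (x, y) points; the card keeps
# it on the chip and only answers accept/reject. Thresholds below are assumed.
import math
import random

MATCH_THRESHOLD = 0.6  # fraction of probe minutiae that must match (assumed)
TOLERANCE = 4.0        # positional tolerance in pixels (assumed)
MAX_FINGER_TRIES = 3   # failures before the card insists on the PIN (assumed)

class BiometricCard:
    """The template never leaves the chip: no method returns it."""
    def __init__(self, template, pin):
        self._template, self._pin, self._finger_tries = list(template), pin, 0

    def verify_finger(self, probe):
        """Match-on-Card: compare the probe to the stored template, return only a verdict."""
        if self._finger_tries >= MAX_FINGER_TRIES:
            return False  # locked until the PIN back-up succeeds
        matched = sum(1 for (px, py) in probe
                      if any(math.hypot(px - tx, py - ty) <= TOLERANCE for (tx, ty) in self._template))
        ok = len(probe) > 0 and matched / len(probe) >= MATCH_THRESHOLD
        self._finger_tries = 0 if ok else self._finger_tries + 1
        return ok

    def verify_pin(self, pin):
        """PIN back-up when the fingerprint cannot be used; success clears the lock."""
        if pin != self._pin:
            return False
        self._finger_tries = 0
        return True

def make_template(rng, n=40):
    """Constructed enrolment: n random minutiae over a 200x200 sensor area."""
    return [(rng.uniform(0, 200), rng.uniform(0, 200)) for _ in range(n)]

def partial_probe(rng, template, n=15, jitter=1.0):
    """Everyday use captures only part of the print, slightly displaced."""
    return [(x + rng.uniform(-jitter, jitter), y + rng.uniform(-jitter, jitter))
            for x, y in rng.sample(template, n)]

def error_rates(trials=200, seed=1):
    """Estimate FAR and FRR on constructed genuine and impostor probes."""
    rng = random.Random(seed)
    far = frr = 0
    for _ in range(trials):
        enrolled = make_template(rng)
        frr += not BiometricCard(enrolled, "1234").verify_finger(partial_probe(rng, enrolled))
        far += BiometricCard(enrolled, "1234").verify_finger(partial_probe(rng, make_template(rng)))
    return far / trials, frr / trials
```

A damaged fingertip shows up here as a probe whose minutiae mostly fall outside the tolerance: the card rejects it, counts the failure, and after the try limit accepts nothing but the PIN.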

Conclusions

EMV cards and biometrics complement each other, resulting in enhanced privacy because the biometric information is kept securely on the card, which acts as a personal database, firewall and authentication terminal. There is also enhanced security, as the card accurately identifies individuals with minimal ambiguity and ensures that it is in the possession of its rightful owner. Unlike the PIN code, which is an authentication method, biometrics is an identification method, because biometric data cannot be shared.

This card payment model is not yet established globally or at scale, so it is important to anticipate possible future attacks in order to protect its integrity and make it one of the most secure payment methods, by combining EMV cards with E2E encryption, the PIN and the fingerprint provided by biometrics.

A growing number of companies, such as Fingerprint Cards, G+D, Idemia, Idex Biometrics, Infineon, Linxens, NXP, STM and Thales, are joining this new market of biometric cards ready to be deployed by banks.