Fingerprint Cards (FPC) is once again highlighting the security benefits of biometric payment cards, and fingerprint-scanning cards in particular. In doing so, it identifies the three main strategies that a fraudster could use to attack a biometric card, and explains why the latest generation of cards will be resistant to those efforts.
The first point of attack is the fingerprint scan itself. A hacker could attempt to spoof a genuine fingerprint with a latent print or a false print designed to mimic the real thing. Thankfully, doing so is extremely difficult with the latest fingerprint sensors. An active capacitive sensor requires a 3D and conductive print to generate a match, offering liveness detection that returns a false positive rate better than one in 20,000. The comparable figure for PIN codes is only one in 10,000.
If a fraudster cannot beat the fingerprint scan, they could attempt an injection or replay attack, which seeks to compromise the sensor itself. To do so, they essentially need to insert a false image into the authentication process, and convince the card to accept that fake instead of a new fingerprint scan.
In many cases, the image used in the attack will be an image of the user’s finger that was captured legitimately and then replayed to trick the card. However, modern sensors will check to make sure that the image comes from the sensor, and not some other source. They will also check the time that the scan was made to confirm that it is not being replayed.
Of course, the latest cards store the user’s biometric data on a Secure Element built into the card itself. That makes it far more difficult for hackers to get their hands on the template that a hacker would need to attempt a replay attack.
The Secure Element also helps protect the third potential vulnerability, which is processing and template storage. For example, a hacker could try to monitor factors like power consumption or electromagnetic fields to get around card security. More sophisticated algorithms should be able to spot those efforts, while the next generation of cards will not have a separate processor and will instead process prints on the Secure Element itself to mitigate any chance of exposure.
FPC noted that while no system is invulnerable, it is extremely difficult (and expensive) to hack modern fingerprint cards. That makes such hacks virtually impossible to execute at scale, which further reduces the appeal for cybercriminals. As a result, fingerprint-scanning cards offer a much higher level of security, in a way that can support safe and convenient contactless transactions.
(Originally posted on Mobile ID World)