[LINK] City launches fingerprint payment program
Rick Welykochy
rick at praxis.com.au
Mon Oct 15 21:33:53 AEST 2007
Andy Farkas wrote:
> It begins.....
>
> <http://www.shanghaidaily.com/sp/article/2007/200710/20071012/article_334241.htm>
>
> "SHOPPERS in Shanghai now have a safer way to pay money as thousands
> of retailers have launched an electronic payment terminal that can
> match consumers' fingerprints with their bank accounts, Jiefang Daily
> reported today.
[SNIP]
> Live By Touch Holdings Ltd, operator of the system, said paying by
> fingerprint is safer than credit cards because no one can imitate the
> fingerprint."
The above assertion sounds suspiciously like hubris before a security
crack.
There are many ways that one can imitate the fingerprint.
1. Presumably the fingerprint is digitised at the retailer's EFTPOS
terminal and the digital version sent for verification. Unless Live
in Touch can guarantee a 100% secure channel between the EFTPOS
terminal and the authenticating server, all bets are off. A digital
copy of the fingerprint could be snaffled and used fraudulently.
Man-in-the-middle is but one way to do this. IANAB (I am not a banker)
so how secure these transmissions are remains to be revealed.
2. The classic example is a 20c piece of gelatine used to make a
fingertip-sized glove that bears an exact impression of a fingerprint
of the intended victim lifted from some other source. This has already been
demonstrated.
3. Cut off target finger and proceed with step 2.
This facility raises the spectre of personal bioinformatic data
being placed into the trust of the financial sector. It is not a great
leap to that information being demanded by law enforcement and
ultimately government-run databases.
Coincidentally I picked up my chip-enabled credit card today from
my bank.
I asked numerous questions of the staff about security and privacy
regarding the data stored on the chip, but no real answers were
forthcoming. They just didn't seem to know.
The new credit card provides two modes of authentication:
1. my PIN is encoded on the magnetic strip, as always
2. my PIN and other data are encrypted in the chip.
Option 1 is required during the transition period (many years)
to using chip-only mode.
Option 2 is required in Europe and will eventually be in common
use in Australia.
Ironically, there are now two vectors of attack available on my credit
card: crack the data on the mag strip or crack the chip.
I am curious what encryption method is used on the chip. My guess is
AES. Where is the key stored? And what is it? Perhaps the PIN itself?
No ... the PIN on the mag strip is too easy to fetch.
More research required.
cheers
rickw
--
_________________________________
Rick Welykochy || Praxis Services
Americans can always be counted on to do the right thing ...
after they have exhausted all other possibilities.
-- Winston Churchill
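Item 1 in the post above, as an added example that is not part of the original message and not Live By Touch's protocol: a constructed terminal-to-server exchange showing why a digitised template that the server merely compares can be resent, and how a server-issued nonce plus a terminal-held key (both assumptions here, with constructed sample values) bind each authorisation to a single transaction.

```python
import hashlib
import hmac
import secrets
import struct
# Constructed sample values; neither comes from any real system.
ENROLLED_TEMPLATE = b"constructed-fingerprint-template"
TERMINAL_KEY = b"constructed-per-terminal-secret"  # hypothetical secret shared with one terminal

def naive_authorise(received_template, enrolled):
    # Server that checks only the template: a captured copy passes every time.
    return hmac.compare_digest(received_template, enrolled)

def _encode(*parts):
    # Length-prefix each field so field boundaries cannot be shifted.
    return b"".join(struct.pack(">I", len(p)) + p for p in parts)

def terminal_sign(key, template, nonce, amount):
    # Terminal side: MAC over the template, the server's nonce and the amount.
    return hmac.new(key, _encode(template, nonce, amount), hashlib.sha256).digest()

class Server:
    def __init__(self, enrolled, terminal_key):
        self.enrolled = enrolled
        self.key = terminal_key
        self.pending = set()  # nonces issued but not yet consumed

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce

    def authorise(self, template, nonce, amount, tag):
        if nonce not in self.pending:
            return False  # unknown or already used nonce: a replay
        self.pending.discard(nonce)  # one authorisation per challenge
        expected = terminal_sign(self.key, template, nonce, amount)
        return hmac.compare_digest(tag, expected) and hmac.compare_digest(template, self.enrolled)

def run_demo():
    # Feed the same captured message to both schemes.
    captured = ENROLLED_TEMPLATE  # the digitised copy seen on the terminal-to-server link
    server = Server(ENROLLED_TEMPLATE, TERMINAL_KEY)
    nonce = server.challenge()
    tag = terminal_sign(TERMINAL_KEY, captured, nonce, b"12.50")
    return {
        "naive_replay_accepted": naive_authorise(captured, ENROLLED_TEMPLATE),
        "bound_first_use": server.authorise(captured, nonce, b"12.50", tag),
        "bound_replay_accepted": server.authorise(captured, nonce, b"12.50", tag),
        "bound_amount_tampered": server.authorise(captured, server.challenge(), b"99.00", tag),
    }
```

The nonce bookkeeping only helps if the server also protects the terminal key and the enrolled template at rest; the example addresses the link, not the endpoints.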