How biometrics alleviate smart card security issues
13 February, 2019
category: Biometrics, Smart Cards
Biometrics, in simple terms, involves the recording of body measurements and details such as fingerprints, facial recognition, and iris scans. Fingerprints and facial scans unlock our phones and various biometrics secure our access to buildings and facilities. But where else can biometrics help? Can they alleviate the security issues associated with smart cards?
Smart cards use an embedded microprocessor that allows users to make payments or initiate other identity transactions. This microprocessor sits under a gold contact pad through which it is accessed. To use a smart card, the card is inserted into a terminal, which accesses information on the microprocessor through the contact pad.
Smart cards are more secure than their traditional magnetic stripe counterparts, but this doesn’t mean they are foolproof. Many smart card implementations depend on a PIN number to serve as a second layer of protection for card users, but as with computers, PINs and passwords are not infallible. If someone figures out a PIN number, they can use the smart card for transactions or can gain access to the data stored in the card.
PIN numbers are less complicated than computer passwords because the combination is limited to a short series of digits between 0 and 9. This is much simpler than longer passwords created from all the available options on a full keyboard.
The problem is further exacerbated by the fact that most people don’t go out of their way to make their PIN complicated. The Guardian reported that the most commonly used PIN numbers included 1234, at nearly 11% of the 3.4 million PIN numbers analyzed, followed closely by repeating numbers (e.g., 1111, 2222), important dates and years, and pop culture references such as 0070 in reference to James Bond.
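One way to act on these findings when a PIN is chosen, as an added example that is not from the article or from Cardzgroup: a screen that rejects the PIN patterns listed above. The four-digit length, the year range 1900 to 2099, the MMDD/DDMM date formats and all function names are assumptions.

```python
import re

# Constructed denylist; 0070 is the pop culture example the article cites.
POP_CULTURE = {"0070"}
DAYS_IN_MONTH = [31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31]

def _is_date(month, day):
    """True if month/day is a real calendar day (29 February allowed)."""
    return 1 <= month <= 12 and 1 <= day <= DAYS_IN_MONTH[month - 1]

def weak_pin_reasons(pin):
    """Return the reasons a four-digit PIN is guessable; empty list if none."""
    if not re.fullmatch(r"[0-9]{4}", pin):
        raise ValueError("PIN must be exactly four digits")
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    first, last = int(pin[:2]), int(pin[2:])
    reasons = []
    if steps == {0}:
        reasons.append("repeated digit")       # 1111, 2222
    elif steps in ({1}, {-1}):
        reasons.append("sequential run")       # 1234, 4321
    if 1900 <= int(pin) <= 2099:
        reasons.append("year")                 # assumed range of plausible years
    if _is_date(first, last) or _is_date(last, first):
        reasons.append("date")                 # read as MMDD or as DDMM
    if pin in POP_CULTURE:
        reasons.append("pop culture reference")
    return reasons

def flagged_count():
    """Count how many of the 10,000 possible four-digit PINs the rules reject."""
    return sum(1 for n in range(10000) if weak_pin_reasons(f"{n:04d}"))

if __name__ == "__main__":
    # Constructed sample PINs, one per category plus one that passes.
    for sample in ("1234", "1111", "1984", "2512", "0070", "8305"):
        print(sample, weak_pin_reasons(sample) or "accepted")
    print("rejected PINs:", flagged_count(), "of 10000")
```

The count printed at the end shows how much of the already small PIN space such a screen removes, which is the trade-off to weigh before enforcing it.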
This is one place where biometrics can come into play. While individuals can take shortcuts or throw security to the wind when they create a PIN number, they can’t do the same with body measurements. A card that requires a user’s fingerprint, for example, doesn’t allow someone to readily lift the secondary authentication information.
The use of biometrics also helps to reduce the problem of data breaches. When a biometric is required for card-based transactions, someone can’t simply lift and replicate card information and use it for purchases that require the biometric authentication.
The use of biometrics can help protect smart card users from potential threats. Like anything else, though, biometrics aren’t perfect. Biometrics help when a card is being physically used in a terminal, but in today’s world, this isn’t the way we always shop. By some statistics, online shopping alone accounts for about 11% of all retail sales, with that number only expected to climb.
When you make a purchase online, you only need three things: the card number, the expiration date, and the security code on the back. With online sales there typically isn’t a secondary form of authentication, so biometrics won’t help to protect these transactions.
Biometrics are extremely helpful in protecting users. Unfortunately, this protection comes with a cost. It is unlikely that terminals at every retail or grocery store will be rapidly outfitted to read biometrics. The switch will take time and, as such, biometric precautions would take time to take effect.
It is clear biometrics alleviate smart card security issues. They aren’t perfect but they do hold great promise.
About the author: David Smith is a cryptographer with 12 years of experience in both the public and private sectors. David specializes in the study of contactless payments and microtransactions, primarily in the Chinese market. He is currently working on his second startup (currently in stealth mode) that will track and interpret the use of contactless payments in the Greater China region. David provides smart card technology consultancy for Cardzgroup.