Biometrics aren't 'unhackable,' so safe integration is vital
With two further commercial rollouts recently announced by major French banks BNP Paribas and Crédit Agricole, biometric payment cards are the next big tech to hit consumer wallets.
The business case is clear. With a fingerprint sensor on the card, banks can add strong customer authentication to contactless, removing the hassle of PINs and the need for contactless payment caps. Billed as "the biggest development in card technology in recent years," the promised boost to contactless’ experience is hard to ignore. But just how secure are these cards?
The payments ecosystem is complex. Before bringing biometrics to any new payment form factor, careful consideration is needed to ensure the technology can be seamlessly integrated into the existing infrastructure, while maintaining the highest levels of security.
Nothing is ever "unhackable." The key principle in security is to ensure attacks are either too expensive or too complex to be feasible at scale. While biometrics addresses some of PIN’s most important fraud challenges, such as “shoulder surfing” and shared PINs, the security of biometric payment cards also must be considered carefully before launch.
In a biometric system on card (BSoC), the on-card data flow during authentication can be divided into several key steps. First, the image of the fingerprint is captured by the sensor. Next, it's processed and the feature, or relevant part of the image, is extracted to be matched against the biometric template stored securely on the card’s secure element (SE). If there is a match, authentication has been successful.
Several risk points emerge in this data flow: in the initial image capture at the sensor, during processing, and in the matching process. From this, there are essentially three main types of attack to mitigate: spoofing (aka presentation attack); injection and replay; and finally, manipulation of processing and template storage. Let’s have a look at each in more detail.
Biometric spoofing is where something other than the user’s fingerprint is placed on the sensor to try and trick the matching operation into a false acceptance, called presentation attacks. The “spoof” might be an artificial fingerprint, or perhaps a latent fingerprint reactivated on the sensor.
Thankfully, the move to active capacitive sensors has significantly mitigated the threat posed by spoofing. These require three-dimensional, conductive prints which closely resemble the texture of a real finger — spoofing such prints is now a considerable - and expensive — challenge that's nearly impossible to achieve at scale.
Would-be spoofers also have to contend with ever-increasing sensor image quality and algorithmic sophistication, the results of continual R&D investment. A sophisticated biometric algorithm paired with a state-of-the-art sensor for payment cards can now ensure a better than 1 in 20,000 False Acceptance Rate (FAR), daunting odds for any hacker. By comparison, the FAR of PIN codes are far higher at 1 in 10,000.
The next area of fraud to consider is injection and image replay defence. This is where the sensor itself is replaced by a fraudulent device, which provides a falsified image. The image provided might be an image of the user’s finger captured during an earlier transaction, which is “replayed” to trigger more payments.
A sensor-image authentication process provides robust security against such attacks. This process verifies that the image originates from the sensor alone, as well as the time it was captured, preventing any attempt at image replay.
More generally, the inherent privacy of on-device biometric systems means the risk of information leakage and subsequent replay attacks is minimal. All biometric data is stored and processed on the device and, in personal authentication, entirely unique to that device. This means that even if a hack is successful, no other device with biometric authentication tied to that user is compromised.
Data-conscious consumers can feel reassured. Attacks are far harder to achieve, especially at any scale that would be valuable to hackers, and their sensitive data remains encrypted and stored securely on their device at all times.
This final type of attack targets the execution of the biometric software itself, either through fault injection or by monitoring for what is known as “side channel leakage" — variations in time, power consumption or electromagnetic fields. This data is then used to optimize fraudulent input.
Once again, sophisticated algorithms form the main point of defence. The trend is heading toward the latest sensors becoming capable of conducting the entire feature extraction and matching process within the secure element (SE) itself, without the need for an additional processor. This progression is a major technical advancement. SEs remain one of the most robust hardware security solutions available, providing exceptional protection. Meanwhile, consolidating the process into the SE eliminates many points of risk in the data flow.
The security of biometric payment cards already far exceeds PIN authentication and traditional contactless. Ensuring robust security and privacy protections are in place is still fundamental to the launch and successful mass adoption of any new technology —
especially when it comes to payments. For biometric solutions, this protection lies in both the quality of biometric processing itself and the protection and storage of assets such as the sensor image and templates.
With extensive R&D work already done and invaluable feedback from 20-plus global trials and commercial launches, the next generation of biometric payment card sensors delivers just that —
high-quality software and algorithms and even more robust protection of sensitive biometric data. And, as always, efforts endure to ensure each future generation is even smarter.