On Thursday, MasterCard announced a “next generation biometric card” which embeds fingerprint recognition into debit cards. That may not be good news.
The card requires customers to place their thumb on an embedded chip while the card is in a card reader. Customers will still have to enter their PIN, but the transaction won’t be approved unless both the number and the thumbprint match. So even if you lose a debit card with the PIN 1234, thieves wouldn’t be able to use the card.
MasterCard is piloting the feature across Europe, Asia, and South Africa, and expects to have a full rollout by the end of the year. This may seem like a small step forward for security, but it could lead to a radical shift in banks and their relationship with law enforcement.
From TechCrunch’s write-up, emphasis added:
“One relatively large drawback for the convenience of the biometric card is that the spokeswoman confirmed users are currently required to go to a bank branch in order to register and enroll their fingerprint. (Which is then converted into an encrypted digital template that is stored on the card.)”
The greater issue, however, isn’t the inconvenience of having to go to a bank to register fingerprints. It’s potentially turning banks—already privy to an immense amount of personal data—into storehouses filled with customers’ biometric information. MasterCard assured Gizmodo that the fingerprints are converted into encrypted data before being stored on the EMV chip. This data, they said, can’t be retrieved once it’s placed on the card.
But banks getting involved with biometrics sets a very troubling precedent.
The Trump administration is fervent about deregulating the financial sector and walking back police reform efforts, all while consumer biometrics are proliferating on a massive scale. Alabama wants taxpayers to use selfies to file their taxes, conveniently omitting that the corresponding app is designed by the makers of the FBI’s highly contested face database. US airports are following in the footsteps of Paris and Australia, implementing face recognition scans for visa holders leaving the country. And, of course, face and fingerprint recognition are becoming standard on smartphones, with both currently available on Samsung phones and the former expected to be a feature of Apple’s next iPhone.
These days, we’re trusting wholly discordant industries across the private sector to keep our biometric data secure. But there’s little regulation regarding how the data should be handled compared to how much of it is currently being collected, giving consumers a false sense of security. Troublingly, the FBI and local authorities have more options than ever if they want someone’s biometric data. Apple may say no to a subpoena for a fingerprint, but would Bank of America?
Mastercard’s fingerprint feature is little more than a novelty at this point, but it could be the beginning of a major transition in the role banks play in privacy. Without regulation, what’s stopping banks from storing retrievable biometric data on EMV chips with their own version of this feature? As we’ve already seen with drones and body cameras, we can expect the technology to advance much, much faster than the law or public knowledge. Consumers are expected to give up a lot for a seemingly small amount of added security. Banks are getting much more out of the deal.
Update: 4/20/17 2pm ET: Mastercard reached out to confirm the data is irretrievably stored on the EMV chip. We updated the post with this clarification.