3

India recently launched a payment system where merchants install an app on an Android phone and connect a fingerprint reader to it.

Clients provide their Aadhaar number (like a national identity number), and scan their finger to authorize transactions which debit money from their account.

Is this a relatively secure system, compared to say chip and PIN cards?

I believe it would be possible to capture the user's fingerprint using something to intercept the communication between the fingerprint reader and phone, and then replay the recorded fingerprint along with the Aadhaar number (which may be captured with a keylogger or even memorized by the merchant).

Is this fear justified?

Jedi

2 Answers

1

I had this exact same doubt a few days back. But it's not possible to hack it in the way you've described. Since biometric data is encrypted, a man-in-the-middle attack is not practically possible.

But the problem is with manipulated biometric scanners. Aadhaar fingerprint scanners encrypt the fingerprint data before sending it over or even processing it. What can be done is to have an engineered scanner which does not encrypt the data by default. So one can store the data.

It is up to the device which connects to the Aadhaar API to verify the validity of the fingerprint (by checking finger temperature, contour, etc. to prevent masquerading with fake prints). So if the POS device is manipulated, it can perform as many transactions as it wants with the saved fingerprint data.

Jedi
Zend Mastiff
  • Hmm.. how would simply encrypting the fingerprint prevent a MITM from capturing and replaying the encrypted traffic? –  Jan 03 '17 at 06:40
  • Using a simple session key would be sufficient. There are several other textbook mechanisms to prevent replay attacks. – Zend Mastiff Jan 06 '17 at 05:11
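
The replay question raised in the comments above, as an added example (not code from the answer or from the Aadhaar system): a sealed capture that verifies once verifies again unless the server binds it to a one-time value. All names and the key are hypothetical, and an HMAC stands in for whatever encryption the reader applies.

```python
import hashlib
import hmac
import secrets

DEVICE_KEY = b"constructed-demo-device-key"  # constructed; stands in for a provisioned key


def seal(payload: bytes, nonce: bytes = b"") -> bytes:
    """Reader side: authenticate the capture, optionally bound to a server nonce."""
    return hmac.new(DEVICE_KEY, nonce + payload, hashlib.sha256).digest()


class NaiveServer:
    """Accepts any correctly sealed capture, so a recorded message verifies again."""
    def verify(self, payload: bytes, tag: bytes) -> bool:
        return hmac.compare_digest(tag, seal(payload))


class ChallengeServer:
    """Issues a one-time nonce per transaction and accepts each nonce once."""
    def __init__(self) -> None:
        self._pending: set[bytes] = set()

    def new_challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def verify(self, nonce: bytes, payload: bytes, tag: bytes) -> bool:
        if nonce not in self._pending:
            return False  # unknown or already used nonce: replay rejected
        self._pending.discard(nonce)  # consume the nonce even if the tag is wrong
        return hmac.compare_digest(tag, seal(payload, nonce))


def demo() -> dict[str, bool]:
    capture = b"constructed-fingerprint-template"  # constructed sample input
    naive, server = NaiveServer(), ChallengeServer()
    static_tag = seal(capture)
    nonce = server.new_challenge()
    bound_tag = seal(capture, nonce)
    return {
        "naive_first": naive.verify(capture, static_tag),
        "naive_replay": naive.verify(capture, static_tag),
        "bound_first": server.verify(nonce, capture, bound_tag),
        "bound_replay": server.verify(nonce, capture, bound_tag),
        "old_tag_new_nonce": server.verify(server.new_challenge(), capture, bound_tag),
    }
```

This only covers traffic recorded between an honest reader and the server; a reader that has itself been tampered with, as the answer describes, can seal stored data against each fresh nonce.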
0

"Is this a relatively secure system, compared to say chip and PIN cards?"

Technically, no. I mean both systems are two-factor authentication methods.

A PIN card uses: something you have and something you know

Biometric authentication uses: someone you are and something you have

So the new method only guarantees that it's actually YOU who made the payment.

So even though technically there are only 2 layers of security, the new method only guarantees that "physically", the customer was really present at the time of the purchase...

And yes, your fear is almost justified... Why?

  1. Even if the user's apps are not malicious, they sometimes require special permissions to access the device resources (e.g. access to phone location capability)... So yes, an app (malicious or not) can capture the traffic and replay it at free will...

  2. Almost yes, because the reader may have a sensor to detect a finger... if the "sensor test" is not passed, then no action coming / going to the phone will be allowed.

Jedi
Jason Krs