Editorial Policy

Can this card with fingerprint ID protect you?

Tina Orem

April 9, 2014

On a summer day in 1933, Oklahoma oil tycoon Charles Urschel and his wife were sitting on the porch at a friend's house when two men drove up and kidnapped him. Urschel was held captive for nine days, until the kidnappers successfully ransomed him for $200,000.

The FBI was on the case, of course (Mrs. Urschel knew J. Edgar Hoover), but once Urschel was freed, there wasn't much to go on. Urschel had been blindfolded, so he didn't see the kidnappers, nor was he sure where he had been held. His memories of sounds he heard while captive gave the FBI an idea of where he had been, though — the clues led them to a farmhouse owned by the father-in-law of a bootlegger named George “Machine Gun” Kelly.

But what nailed the case was one simple thing Urschel made sure he did: He left fingerprints.

Urschel was careful to leave those one-of-a-kind identification markers all over the property, which proved to the FBI that it had found the crime scene. George Kelly was convicted and died in prison in 1954.Click to email me

Using a fingerprint as an “I was here” message is what Houston startup Epic One plans to capitalize on when it launches its line of credit cards. The cards contain fingerprint readers and microprocessors that create a dual-authentication process, which lowers the chances of fraudulent use.

When a person uses a traditional credit card, merchants and credit card processors receive and retain that person's credit card information. That massive trove of data tempts hackers — all they need is the credit card number to make fraudulent purchases.

To use an Epic One card, the customer puts a finger on the card, which generates a one-time-use numerical code and turns on a green light that signals that it's OK to swipe the card. The secure information expires immediately after use.

[Related story: Is paying by fingerprint in the future?]

That's what makes the Epic One concept so tantalizing. If a thief steals the card or card number, he can't use it because his fingerprint won't match. And, if hackers get into the card network, they can see the card number, but can't use it because they can't generate another valid one-time code to use it.

Rather than building a bigger and better wall like competitors, Epic One aims to eliminate the incentive to steal card data altogether, says Epic One cofounder and CEO William Gomez Jr.

“Fraud events like the ones that occurred at Target and Neiman Marcus would yield nothing of value to the hackers,” he says.

The idea of dual authentication — basically a two-step verification process — has been brewing for some time in the credit card industry and elsewhere. But fingerprints are only part of the equation.

“The biometrics on the card is not what makes this secure. Biometrics only serve to stop you from using my card,” says Gomez. The real value, he notes, is that the Epic One card never exposes card information to anyone during a transaction, effectively addressing the root cause of card fraud, which is exposure at the point of sale.

The credit card payment industry's complex infrastructure is hard to change overnight, so new products that work within the existing infrastructure are likely to come to market sooner.

Epic One says it can launch without requiring any infrastructure changes, and it says that its card information is stored in a distributed system that is not connected to the Internet. The company says it already has a working prototype.

The company also has a smartphone app in the works, which is useful for mobile-wallet fans and serves as backup in case customers forget their cards. The app allows users to add rewards cards as well, so that when they use the app to make purchases, they'll maximize rewards associated with the purchase.

[Related story: Is my mobile banking app safe?]

Epic One is still looking for bank partners to issue the cards it says are ready for manufacture, but the company is allowing customers to sign up ahead of time on its website.

Banks seem to be taking a wait-and-see attitude to adopting Epic One's fingerprint authentication, though. One possible reason: They're already making a transition to new Europay, MasterCard, and Visa (EMV) cards, also called chip-and-PIN cards, which offer an extra layer of authentication via a PIN.

In October 2015, new EMV standards take effect that shift the financial liability for fraudulent transactions from card issuers to merchants that don't invest in point-of-sale systems that accept the new chip-based payment cards.

Doug Johnson, VP of risk-management policy for the American Bankers Association, says EMV technology also accomplishes some of the same objectives as biometrics in terms of providing dual authentication. Also, for both EMV and biometric cards, he explains, the safety systems theoretically don't allow you to replicate the card.

But EMVs are not a game-ender, Gomez says. “I'll simply point out that the CEO of Paypal used his EMV card in Europe and it was compromised and used fraudulently,” he says.