Banks may refuse to refund disputed transactions, or help customers who are victims of fraud, if the person in question has their fingerprints stored on a phone or tablet that does not belong to them.
According to a new report, several banks in the U.K. are making the decision now that fingerprints are used to authenticate payments within Apple Pay. Lloyds Bank, for instance, features the following line in its terms and conditions: “If Touch ID is available on your device, you must ensure you only register your own fingerprints (and not anyone else’s).”
HSBC bank told Telegraph Money that, “Our customers’ financial safety and security is of the utmost importance to us, as such we advise all our customers to keep their details as secure as possible. This means not sharing their Pin, or in the case of Apple Pay not letting others access their phone.”
Speaking personally, I only have my own fingerprints saved on my Apple devices, although I imagine things may be a bit different for people with kids, who don’t necessarily own their own iPhones. iPhones allow for up to 10 different fingerprints to be saved by the device.
I’d still be interested to know how banks would find this information, however.
19 responses to “Sharing your Touch ID is a big no-no, say banks”
If you trust them enough to have their fingerprint stored, it’s on you. They should have been doing this from the start.
Seems perfectly fair enough. Perhaps in iOS 10 Apple could give an option for a select number of digits to be valid only for ApplePay, and let the user have others for other TouchID applications. Of course the bank wouldn’t ever know if the user is responsible, but at least it gives the user an option.
There is a 5 fingerprint limit. Article says 10.
Apple Pay can work without fingerprint authentication. You can still use a passcode which many parents give their kids and partners.
I have all 10 of my fingerprints on my phone and iPad. If you alternate when it asks you to continue and adjust, you can most definitely get 10 fingers. I work in Apple Retail by the way.
Completely correct that it is possible. There are however only 5 slots which are designed for 1 finger each?
Does that work?! Fascinating. So basically the chip is designed to have a fallback for a ‘second’ rendering of the same finger? Interesting.
And how exactly can the banks know if you had a fingerprint that didn’t belong to you? Just erase it from the device before filing the complaint.
They know that the transaction was done over Apple Pay, and Apple Pay requires a fingerprint. Therefore, the transaction was done with a fingerprint. If the transaction wasn’t done by you, it must have been done by someone else. This leads to two obvious possibilities:
1. Someone else used your fingerprint.
2. Someone else had their fingerprint authenticated on the device.
While the first possibility can’t be ruled out, the second is much more likely.
The weakest part of any security system is the end user. You have to make users care about security. One way to make users care is to make them responsible for fraudulent charges. In this case, if you register someone else’s fingerprint, and they use your phone to make fraudulent charges, you the end user are responsible. It’s your fault, and you bear the costs.
Not really. One can say that they lost their phone and fingerprint was compromised from the device surface…well it’s possible right? And User didn’t know how to remotely wipe the phone. So, banks take the hit.
Possible but unlikely that someone can lift a clean enough print from the phone.
This is more about establishing that fault.
I guess they’ve had customers calling up trying to wriggle out of incurred charges, claiming their kids (for whom they’d been given access to the device to play games) have been racking up bills… (It’s not like it’s not happened before with In-App purchases.)
They can’t. This is just a pre-emptive warning. Like those ‘no duh’ warning labels on products to keep folks from doing crap like grabbing the sharp end of a knife and suing cause they got cut.
With the warning out there, when someone calls and says they let their kid have a fingerprint on dad’s phone and junior used Apple Pay to buy himself a PS4, the bank can say too bad, not our problem.
I’m pretty sure the fingerprint data is stored in the “Secure Enclave”; so this data wouldn’t be made available to a third party developer (such as a bank). Authentication is controlled completely by iOS; it essentially says yes/no — leaking fingerprint/biometric data to a developer would be a disaster waiting to happen, which is why it’s not exposed via the SDK. Therefore I find it hard to believe that a bank could ever find out if the device has fingerprints for more than one user.
They wouldn’t. That’s not the point. They aren’t saying that they know whose prints are being used. They’re talking about times when users give up this information. You would be amazed what some folks will admit. Saying you let your brother borrow your phone with your info on it and you told him the passcode and he bought shit with your phone is possible. And the bank is preemptively telling you that such cases, when found, are not fraud. So don’t tell folks your passcode or put their finger on file if you have a card registered.
HSBC, ya we should trust ya – ya big piece of shit
The headline is a hit whore. They never said it was a no-no. They said if you allow someone else to put a fingerprint on your device then it’s on you, not the bank, if they use your cards.
So Apple should start using Iris scanning like Microsoft does (Lumia 950, Surface Pro 4, Surface Book).