Skip to content
Selfie. Image courtesy of Shutterstock.
Naked Security Naked Security

MasterCard to trial pay-by-face for online purchasing

Stare at the phone and blink to prove you're alive, the company's security researchers decided. But didn't other researchers already foil that one...?

Selfie. Image courtesy of Shutterstock.“Passwords are a pain,” said MasterCard Chief Product Security Officer Ajay Bhalla.

Then he delineated the terrible things we do to strip them of their security dignity: by forgetting them, writing them down, and of course a few he neglected to mention, like cooking up passcodes that are limp and easy-to-guess or by just giving them away to TV reporters.

Then, after those raggedy little beggars get into the hands of crooks, password reuse multiplies the misery, he said:

They get very surprised when a hacker gets into a particular website and then knows the passwords to all the websites.

So here’s MasterCard’s plan to kill passwords: pay-by-face for online transactions.

As CNNMoney reports, MasterCard will start experimenting with a program to approve online purchases with a facial scan starting this autumn.

It also plans to enable customers to use another biometric authentication factor – fingerprints – via a downloadable app.

As well, MasterCard told Computer Business Review, it’s looking at introducing voice recognition and is already working with Nymi to use a person’s heartbeat in a future version of the app.

The credit card company will recruit 500 UK customers to trial the new pay-by-face or -fingerprint approval method.

MasterCard is reportedly partnering with Apple, BlackBerry, Google, Microsoft and Samsung to use their devices in the trials.

It’s still finalizing deals with two major banks, so it’s not ready to say which banks’ customers will first get to use pay-by-face.

This is how it will work:

  1. Download the MasterCard phone app.
  2. After you pay for something, a pop-up will ask for authorization.
  3. If you opt to use a fingerprint, you just have to touch the screen. If you instead choose to use facial recognition, you stare at the phone and then blink once.

CNNMoney says that MasterCard’s security researchers decided blinking is the best way to prevent a thief from just holding up a picture of you to fool the system.

Is it? Hmmm!

There’s a distinct aura of deja vu with this facial recognition technology.

For one thing, Chinese e-commerce megabrand Alibaba announced in March that it wants to use selfies for payment processing.

Authentication-by-face goes back further still, of course, as do the efforts of security researchers to foil it.

Google, for example, in June 2013 filed a patent for a technique to unlock your computing devices by grimacing to prove you’re alive, as opposed to being a photo being held up by, say, a phone thief.

Or by a little brother. Or, well, by anyone.

The patent was one of Google’s multiple attempts to remedy the easily tricked Face Unlock feature introduced in the Ice Cream Sandwich version of Android, which was initially tricked by holding up a photo to the phone.

But researchers found it a snap to fool Liveness Check with just a few minutes of editing, animating photos to make them look like subjects were fluttering their eyelashes.

That was back in 2012.

One would imagine that MasterCard’s security researchers are aware of the ways that Liveness Check was duped, and that advances in facial recognition/liveness checks have been put to good use to make MasterCard’s pay-by-face technology more secure, but time – and other curious security researchers – will tell.

As far as MasterCard amassing massive databases of people’s faces or fingerprints goes, the credit card company said that its fingerprint scans will create a code that stays on the device.

The facial recognition scan will map out a user’s face, convert it, and then send that data to MasterCard.

In short, Bhalla told CNNMoney, MasterCard won’t be able to reconstruct your face.

The data will be transmitted securely, he said (no details about encryption or the like were mentioned), and the company will stash the information securely on its servers (again, no details of how exactly the information will be kept secure were forthcoming).

Who cares about the details? <–teensy bit of sarcasm!

Pay-by-face is cool! Or so says Bhalla:

The new generation, which is into selfies ... I think they'll find it cool. They'll embrace it.

Maybe they will. Or maybe they’ll embrace paying friends peer-to-peer (P2P) on Facebook Messenger.

Or maybe they’ll think Apple Pay or Google Wallet, both of which use tap-and-pay fueled by Near Field Communication (NFC), is cool.

Or maybe all of the above!

Image of selfie courtesy of Shutterstock.

10 Comments

Everybody can see your face, so using it as a password is almost the same as writing your password in your forehead…

So given that these devices are effectively telephones with added functionality for “apps for advertisers and data aggregators” built in, how long will it take a hacker to hack the device so that a video file of you blinking can be inserted between the physical selfie camera and the devices processing unit (a sort of video logger in reverse)?

I don’t want “cool”, I want secure private authentication.

Who will pay for the new interface and hardware technology with existing card readers? How much added bandwidth will this require, and will data capture and verification incur added costs from ISPs or service plan upgrades from your ‘friendly’ phone company? What percent of a card issuers database has a smartphone? What is the minimum camera resolution needed? How does this fit in with the newer chip that is replacing the mag strip. Will this technology be restricted to Mastercard? Lots of other things to consider.

Lots of things to consider… the blink-sensitive verification has been shown to be easily bypassed by waving something over the photo. Something that *might* help is if the photos used in authentication also keep their geolocation data. MasterCard has long used payment location as one of its security checks on card payment; in this case, if the phone location and the photo location match, and are both somewhere the customer is expected to be, then that likely meets their minimum level of security (after all, it’s a lot more secure than a 16-digit number with a hash check and a 3-digit verification code).

So the photo is used more to replace the signature than to replace a password, and location data is used to replace “Card Present” in transactions.

Add to that…of those 16 digits (what the merchants call “the long number on the front of your card” :-), the first four are determined the issuing bank, which is rarely a secret because the banks brand their cards to serve a visible marketing purpose so they are recognisable across the room, and the last four are printed as xxxx-xxxx-xxxx-9999 on pretty much every payment slip :-)

I just designing the interface to hijack the finger prints or photo image now should be relatively simply to get users to give it up given they are expected to – really who are the idiots running these companies?

And, since Big Brother can access your financial records, among other things thru the (Un) Patriot Act, how long before he starts collecting your finger prints and mug shots from Master Card and others for his records ?

Beautiful.

Too late, Don. Mastercard, et al., doesn’t need to provide Big Brother with anything.

If you have ever applied for a U.S. passport, you must send the passport agency a candid shot of your face, your signature, your personal details, and possibly more.

If you have ever applied for a driver’s license, the DMV will take a candid shot of your face, make an electronic impression of your thumb print, record your personal details (height, weight, contact details), and more.

If you ever accept a paid or an unpaid volunteer civil service job in the county in which I live, your local government agency will take a candid shot of your face, make an electronic record of all your fingerprints, record your personal details (height, weight, hair and eye color, etc.), make an electronic copy of your signature, and more.

As you can see, Big Brother knows all this … and probably more.

* * *

Big Brother not only has your personal data; sometimes, Big Brother intentionally leaks a lot of it to private third parties that are not accountable to the public.

Some 10 years ago, the state of California sold the names, personal details, and contact details of every ordinary citizen living in said state to data brokers for US$1 per name. In this context, ordinary citizens excluded politicians, judges, those who work in law enforcement, super wealthy individuals, and select others. The state sold the data without the prior consent or knowledge of those whose data was sold.

I have absolutely no confidence that the U.S. federal government or any of the 50 state governments do anything substantial to protect the data of ordinary U.S. citizens from malicious non-U.S. government parties.

Why not just do live transactions with a person. Live video chat. Remove the tech hurdles all together and create jobs at the same time. Internet Cashier. A little small talk and face to face will keep Janes’s card safe from Mr. Wouldhavebeen A Cardtheif.

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?