MasterCard To Approve Online Payments Using Your Selfies
An anonymous reader writes: MasterCard is experimenting with a new program: approving online purchases with a facial scan. Once you’re done shopping online, instead of a password, the service will require you to snap a photo of your face, so you won’t have to worry about remembering a password. The Stack reports: "MasterCard will be joining forces with tech leaders Apple, BlackBerry, Google, Samsung and Microsoft as well as two major banks to help make the feature a reality. Currently the international group uses a SecureCode solution which requires a password from its customers at checkout. The system was used across 3 billion transactions last year, the company said. It is now exploring biometric alternatives to protect against unauthorized payment card transactions. Customers trialling the new technologies are required to download the MasterCard app onto their smart device. At checkout two authorization steps will be taken; fingerprint recognition and facial identification using the device's camera. The system will check for blinking to avoid criminals simply holding a photograph up to the lens."
blinking? (Score:1)
it would prevent photos, but not videos (real footage or animated picture)
Re:blinking? (Score:5, Interesting)
Cut two slots in the photo where the eyes are. Insert small pink Post-Its from behind. Flick them with your fingers. Blinking!!
Re: (Score:1)
I was thinking this also, but in my version you just line up the holes in front of your face so your actual eyes do the blinking!
Idiocy. Anyone have facebook photos? (Score:2, Funny)
Oh yes, this system is going to be really secure.
Re: (Score:2, Interesting)
Assuming that logging in to the app is done securely the first time it is installed, the app can then generate a strong private/public key pair and use that for identifying itself.
Abusing the feature would then require at least:
1) A valid private key, either by the initial setup or somehow stealing it from a device it was generated on, and
2) Photos/video of the user
The second is easy to come by nowadays, the first one is considerably harder.
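The scheme this comment describes, sketched as an added example (not part of the original post and not MasterCard's implementation): the server approves a payment only when the face check passed and a fresh challenge is signed by the key enrolled for that device. Ed25519, the class and function names, and the `faceMatched` flag standing in for the biometric result are all assumptions.

```javascript
// Added illustration: device-bound key plus server nonce. All names are hypothetical.
const nodeCrypto = require('crypto');

// Enrollment (assumed to happen once over a trusted channel): the app
// generates a key pair and the server stores only the public half.
function enrollDevice() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  return { publicKey, privateKey };
}

// Bytes that get signed: the server's nonce bound to the amount.
function message(nonce, amount) { return Buffer.from(`${nonce}|${amount}`); }

class PaymentServer {
  constructor() {
    this.devices = new Map();   // deviceId -> enrolled public key
    this.pending = new Map();   // nonce (hex) -> { deviceId, amount }
  }
  register(deviceId, publicKey) { this.devices.set(deviceId, publicKey); }

  // Fresh random challenge bound to one device and one transaction.
  challenge(deviceId, amount) {
    const nonce = nodeCrypto.randomBytes(16).toString('hex');
    this.pending.set(nonce, { deviceId, amount });
    return nonce;
  }

  // Approve only if the face check passed AND the signature over the
  // nonce and amount verifies under the enrolled key. Nonces are single-use.
  approve(deviceId, nonce, amount, signature, faceMatched) {
    const tx = this.pending.get(nonce);
    this.pending.delete(nonce);            // burn the nonce on first use
    if (!tx || tx.deviceId !== deviceId || tx.amount !== amount) return false;
    const key = this.devices.get(deviceId);
    if (!key || !faceMatched) return false;
    return nodeCrypto.verify(null, message(nonce, amount), key, signature);
  }
}

// Device side: sign the server's challenge with the private key.
function signChallenge(privateKey, nonce, amount) {
  return nodeCrypto.sign(null, message(nonce, amount), privateKey);
}
```

A photo or video of the user satisfies only `faceMatched`; without the enrolled private key the signature check fails, and a captured signature cannot be replayed because each nonce is consumed once.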
Re: (Score:2)
It is still stupid, as the software can be cracked or you could cheat the sensor with a photo printout or a photo on another phone.
Re: (Score:3)
It is still stupid, as the software can be cracked
Yup. It is based on public key cryptography, so all you need is every quark in the universe calculating once per Planck time, and you will have it cracked in less than a googol years. Trivial.
you could cheat the sensor with a photo printout or a photo on another phone.
Can you look at a phone and tell it isn't a live person? Why do you think it would be difficult for a computer? Some early naive implementations of facial recognition could be fooled by a photo. Modern state-of-the-art facial recognition can detect the difference.
This technique may not be perfect, but it is a big s
Re: (Score:2)
I doubt that. I doubt that a facial recognition software can differentiate reliably humans and photos (or videos), as a person could be standing still and then you get a false negative (nobody wants that). I also doubt that it is not possible to feed it recorded information which is from the software's point of view also only a video stream.
Personally, I find a chip + PIN safe enough. Your third option is the standard these days (at least in Europe). Maybe they should extend the PIN to 5 or 6 digits. An
Re: (Score:2)
I doubt that. I doubt that a facial recognition software can differentiate reliably humans and photos (or videos)
Try this:
1. Show your mom a photo of yourself.
2. See if she can distinguish between you and the photo.
3. Ask her how she did it.
What she will say, is that the photo is 2D and you are 3D. As your mom shifts her head left and right, she sees you from a slightly different perspective.
A cell phone can do the same. It has a 3-Axis motion detector, so it can detect its own movement, and see if the perspective of your head corresponds to that movement. It would be impossible to duplicate that with a photo,
No problems here, no sirree (Score:1)
The system will check for blinking to avoid criminals simply holding a photograph up to the lens
Oh well that's great then, no WAY around that, it's not like a simple app could make a photograph appear to blink.
Re: (Score:1)
It should be done with beautiful women and used their breasts. They can call it Tits or GTFO.
App (Score:1)
How long until someone makes an app that adds blinking eyes to a photo?
Worst. Idea. Ever (Score:2, Insightful)
Never. Use. Biometrics. For. Authentication.
Re: (Score:3)
Never. Use. Biometrics. For. Authentication.
Said Pepe the Peg-Leg Pirate.
Said Frodo of the Nine Fingers.
Said the Headless Horseman.
Said One-Eye Pete.
Said Greasy-Grimy-Finger Gus (based on a true story)
Said Sam Beckett the Quantum Leper
We need to all send biometrics patent holders and hardware manufacturers money every month so they can "make money as they sleep" right now, today. Then we'll be able to sleep at night knowing that when we wake the world will not have turned to some shitty 'Orwell' or 'Brazil' nightmare that never ends.
I'm starting to
Implant with a 666-bit keypair (Score:2)
You could implant a cryptographic radio transponder with a 666-bit keypair in people's forehead or right hand. The plus side is that it'd combine the positive aspects of a "something you have" transponder with biometrics' resistance to loss or theft. The minus side is protests from Christians who think it's the mark of the Beast mentioned in the revelation to John of Patmos.
* Actual theft, not copying.
The downside (Score:1)
Gorillaz (Score:2)
Gorillaz? I thought keeping the snack counter at Feel Good Inc. [wikipedia.org] supplied with Milk Duds [ytmnd.com] took an American Express business card.
Great for Mastercard. Not so great for Merchant! (Score:3, Informative)
Re: (Score:3, Interesting)
The system will check for blinking to avoid criminals simply holding a photograph up to the lens.
So a video will work just fine then? This is a STUPID idea.
Sounds pretty solid to me. What could go wrong? Industry giants like Google are involved. Except maybe. . .
Re: (Score:3)
It's almost as if you didn't read the last line of the summary.
Or any of the posts that were before yours.
Re: (Score:3)
How does Mastercard get any original photo of my face in the first place? What if I don't want them to have one? What if I don't want to spend
Stop using "user-ids" as "passwords" (Score:5, Insightful)
Once again a company decides to use something that should be equivalent to a user-id as a password and gets it wrong.
This is the same deal as it is with using fingerprints as 'passwords': http://blog.dustinkirkland.com... [dustinkirkland.com]
Re: (Score:2)
They get confused about id and authentication all the time. Biometric information is not a secret. Only secrets can be used as token for authentication. It does not necessarily need to be rotated, but it must be a secret to the rest of the world and only known to the two parties communicating with each other. Rotation is only a subtype of changing. And you only need to change if, and only if, it is no longer a secret or becoming known. However, passwords are not the best form of authentication mechanism. As t
Passwords are not the only way to authenticate (Score:3)
Both of you are wrong and so is Dustin Kirkland (whoever he is). The core of your error is in this statement:
Only secrets can be used as token for authentication.
That sentence is true, as stated, but only because it includes the word "token". Yes if you're using secret tokens for authentication, then the tokens must be secret. But exchanging secrets (or proof of possession of secrets, which is what most cryptographic authentication protocols do) is not the only way to do authentication. Not by a long shot. In fact, humans hardly ever use secrets for authent
Re: Passwords are not the only way to authenticate (Score:2)
I would give this +1 if I could. Very good discussion of the subject.
Re: (Score:3)
First, my comment was not a "defense" of anything.
Second, you seem to have missed the sentence "It's not quite as good if the smartphone is also providing the fingerprint scanner and camera, because in the event of an attempted fraudulent transaction that means the attacker is in control of those components."
Also, you seem to have missed the last paragraph. In fairness, I suppose I wasn't quite clear enough. When I said that the security is in the same ballpark as a four-digit PIN, I was comparing to a
So this is going to fail like face unlock... (Score:2)
I can't even start to wonder why a critical, money-bound company would even think of facial recognition for secure payments...
Simple hack comes to mind the first 2 seconds after reading this headline:
Re: (Score:2)
My boss (who looks not too different from me) can unlock my phone with his face.
Using it for banking seems insane
Re: (Score:3)
Pass a law making banks and credit card companies financially responsible for fraud in the use of their products, rather than being able to pass the cost off entirely onto merchants like they currently do. Then you'll see money-bound companies take security seriously. (Those absurdly high credit card interest rates pay for people who default on their credit card bills, not for fr
WHAT! COULD! GO! WRONG! (Score:2)
Why Both? (Score:1)
Why bother forcing the user to take a picture? The fingerprinting is far more secure. Until all phones have depth cameras, it sounds like you could use a gif or video of the person to pass the face check. That's too easy to create. Since this system already requires the user to have a phone, why not have them keep the password on the phone so they don't have to remember it? If the phone gets stolen, it's likely to have fingerprints of its owner on the case and the owner will likely have self-portraits
Re: (Score:2)
The fingerprinting is far more secure.
But also problematic, from a usability standpoint. As people that actually work with their hands know, the ability to take a reliable fingerprint can be impeded by blisters, etc. For example, a (long) while ago I had to delay getting my fingerprints taken at NASA because my finger tips were beaten up from recently working around the house and on my car.
Card Declined... (Score:1)
"Gorillas are not authorized to use this credit card."
Sorry, after seeing Google was one of the partners working on this face recognition thing, I couldn't help myself. :p
Would you let the Government? (Score:1)
I'm not sure many citizens would willingly let their Government build a handy database of every person's photo, fingerprint, location, and finances all in one place.
Yet that appears to be what this payment gateway will allow. Sure, it's a private enterprise, but since when did that stop a Government demanding or just taking the data?
With access to this source, they can mine for facial recognition & fingerprint hits. With the phone tracking they can then map people to location to their face.
Attend a d
Facebook (Score:1)
Will be first port of call then for many fraudsters.
Google name, city, of mark to find their (normally) public Facebook profile, and save their profile pics to use for facial recognition.
Easy peasy.
Tim
And use what for mail order? (Score:2)
STOP USING CREDIT CARDS! Use cash whenever possible.
Sometimes it isn't possible. What should someone use to buy goods that aren't sold in any store within his home town, such as electronic parts in the post-RadioShack era?
Re: (Score:2)
How is a debit card linked to a checking account any less "monitored and tracked nearly all the time" and "selling your freedom in the name of convenience" than a credit card set to auto-pay in full each month from the same checking account?
What do identical twins do? (Score:2)
Government photo database (Score:2)
Shame Shocard didn't get a look in :-( (Score:1)
Looks like http://www.shocard.com/ [shocard.com] lost the pitch completely :-(
Sweet! (Score:1)