Slashdot Mirror
MasterCard To Approve Online Payments Using Your Selfies
An anonymous reader writes: MasterCard is experimenting with a new program: approving online purchases with a facial scan. Once you’re done shopping online, instead of a password, the service will require you to snap a photo of your face, so you won’t have to worry about remembering a password. The Stack reports: "MasterCard will be joining forces with tech leaders Apple, BlackBerry, Google, Samsung and Microsoft as well as two major banks to help make the feature a reality. Currently the international group uses a SecureCode solution which requires a password from its customers at checkout. The system was used across 3 billion transactions last year, the company said. It is now exploring biometric alternatives to protect against unauthorized payment card transactions. Customers trialling the new technologies are required to download the MasterCard app onto their smart device. At checkout two authorization steps will be taken; fingerprint recognition and facial identification using the device's camera. The system will check for blinking to avoid criminals simply holding a photograph up to the lens."
Oh yes, this system is going to be really secure.
Never. Use. Biometrics. For. Authentication
Obviously this has ridiculously low security, but the way chargebacks work if there is a fraudulent purchase with it, the merchant wears the cost. Not Mastercard. So there's no downside for Mastercard, and the upside is the novelty value will have narcissists using it... and spending more. "Once approved, the chargeback cancels the financial transaction, and the consumer receives a refund of the money they spent. When a chargeback occurs, the merchant is accountable, regardless of whatever measures they took to verify the transaction. In 2013, LexisNexis reported that merchants pay up to US$2.79 for every $1 lost in fraudulent transactions." https://en.wikipedia.org/wiki/...
The system will check for blinking to avoid criminals simply holding a photograph up to the lens.
So a video will work just fine then? This is a STUPID idea.
Sounds pretty solid to me. What could go wrong? Industry giants like Google are involved. Except maybe. . .
If it acquires resources on instantiation like a duck, then its a shared_ptr<Duck>
Once again a company decides to use something that should be equivalent to a user-id as a password and gets it wrong.
This is the same deal as it is with using fingerprints as 'passwords.': http://blog.dustinkirkland.com.....
http://harridanic.com
Cut two slots in the photo where the eyes are. Insert small pink Post-Its from behind. Flick them with your fingers. Blinking!!
No sig today...
It's almost as if you didn't read the last line of the summary.
Or any of the posts that were before yours.
No sig today...
Assuming that logging in to the app is done securely the first time it is installed, the app can then generate a strong private/public key pair and use that for identifying itself.
Abusing the feature would then require at least:
1) A valid private key, either by the initial setup or somehow stealing it from a device it was generated on, and
2) Photos/video of the user
The second is easy to come by nowadays, the first one is considerably harder.
It's almost as if I don't understand what the phrase "the system will check for blinking" means. So does it check to make sure the selfie IS blinking or IS NOT blinking? I fail to come up with any situation in which the last line of the summary makes any sense or bolsters the lack of security in this process. The article goes no further in any attempt to explain it.
How does Mastercard get any original photo of my face in the first place? What if I don't want them to have one? What if I don't want to spend megabytes of my data plan every time I make a purchase instead of putting the onus on the merchant to put 300 bytes of information across the network in a traditional swipe transaction. What if the long line of customers behind me beats my face to a bloody pulp for spending 5 minutes trying to do a transaction instead of just doing a card swipe and entering a password?
Giant leap backward from every angle I look at it. 1000 times increase in bandwidth. 1000 times increase in time. Decrease in security. Decrease in convenience. Can't think of any positives at all.
If you are not allowed to question your government then the government has answered your question.
It is still stupid, as the software can be cracked
Yup. It is based on public key cryptography, so all you need is every quark in the universe calculating once per planck time, and you will have it cracked in less than a googol years. Trivial.
you could cheat the sensor with a photo printout or a photo on another phone.
Can you look at a phone and tell it isn't a live person? Why do you think it would be difficult for a computer? Some early naive implementations of facial recognition could be fooled by a photo. Modern state-of-the-art facial recognition can detect the difference.
This technique may not be perfect, but it is a big security improvement over the current system. It will require two factors: biometric and physical possession of a registered device. For transactions over a set size, it could require a PIN as well, as a third factor.
Pass a law making banks and credit card companies financially responsible for fraud in the use of their products, rather than being able to pass the cost off entirely onto merchants like they currently do. Then you'll see money-bound companies take security seriously. (Those absurdly high credit card interest rates pay for people who default on their credit card bills, not for fraud.)
Both of you are wrong and so is Dustin Kirkland (whoever he is). The core of your error is in this statement:
Only secrets can be used as token for authentication.
That sentence is true, as stated, but only because it includes the word "token". Yes if you're using secret tokens for authentication, then the tokens must be secret. But exchanging secrets (or proof of possession of secrets, which is what most cryptographic authentication protocols do) is not the only way to do authentication. Not by a long shot. In fact, humans hardly ever use secrets for authentication.
How do you identify and authenticate your mom? Do you ask her for a secret password? Of course not. You use the same tools for both identifying and authenticating her, and those tools are a set of biometric markers. The same set of tools are also used in high security situations. Back when I was a security guard in the Air Force, I was trained that personal recognition is the very best form of authentication. Not only is it not necessary to check the badge of an individual you know personally, badge-checking is inferior to personal recognition for authentication (note that badge-checking may still be important for authorization, verifying that the person who has been identified and authenticated actually has permission to enter. Thus I was trained to always check the access control list before allowing someone near nuclear weapons).
With respect to user authentication in electronic contexts we generally use secrets because computers don't (or at least haven't) had the ability to use the sorts of biometric authentication that humans use quite effectively. But, when we equip them with biometric sensors, they can.
HOWEVER, this does not mean that biometrics are useful for authentication in all circumstances.
Secret-based authentication has the advantage that -- assuming the secret has sufficient entropy and can be assumed not to have leaked nor been intercepted and cannot be rerouted (note that that's a pretty long list of criteria, some of which are hard to establish) -- you don't have to worry about the possibility that the authentication could be spoofed. An attacker who doesn't know the secret can't fake knowing the secret.
Biometrics, though, are not secrets. They are public knowledge. This means that an attacker must be expected to have access to copies of our fingerprints or faces. The biometric authentication process is different, though. It does not rely on secrecy of the authenticator, but instead on non-replayability. If we can be certain that (for example) the fingerprint placed on the scanner belongs to the person we wish to authenticate, and that the stored template we match against belongs to the person we wish to authenticate, then we can perform a good authentication. The fact that the fingerprint is not secret does not matter.
Where biometrics fail is if (a) we can't be certain that the livescan data acquired from the sensor belongs to the person trying to authenticate or (b) the stored template belongs to the person we wish to authenticate. Part (a) is particularly difficult to validate in many contexts because faking the input isn't necessarily hard to do, and in some cases an attacker can even bypass the sensor entirely and simply inject a digital copy.
This doesn't mean biometrics are worthless, it just means they're only useful in certain contexts. And, again, their utility for authentication has nothing to do with their secrecy. And rotation is likewise irrelevant and silly to discuss. You need to rotate secrets because you can't be certain they have stayed secret and because if they have low-ish entropy they may have been brute forced. None of that applies to biometrics because they're not secrets and their utility as authenticators does not depend on secrecy.
Can we please kill this incorrect meme about biometrics as identifiers, not authenticators? They can be either, o
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.