MasterCard Rolls Out 'Selfie' Verification For Mobile Payments

An anonymous reader writes: MasterCard has announced plans to invest in facial recognition technology in the UK, in a push to reduce false decline transactions and increase security for mobile payments. Following trials in countries including the U.S. and the Netherlands, 'Selfie Pay' will be introduced in Britain this summer as part of the financial services company's identity validation process. Users will be able to choose between finger scanning and face recognition for verification, instead of traditional passwords or PIN numbers. Consumers will be asked to upload their pictures to be stored on MasterCard servers [paywalled]. These registered images will then be used as a reference every time a user opts for facial verification during a transaction.

I'm going to upload a dick pic

Which will make things really awkward at the store.

Re:I'm going to upload a dick pic

[xxxJonBoyxxx]

Nah, I've been doing this at my farmer's market for years. Four mushroom stamps = fifth one free.

Re:I'm going to upload a dick pic

Australia is way ahead of you.

Re:I'm going to upload a dick pic

Wouldn't you find it annoying to always have a macro lens attached to your phone?

Re:I'm going to upload a dick pic

[PopeRatzo]

Dear Mastercard,

Here is my selfie:

http://i.dailymail.co.uk/i/pix...

I would like to order a case of beer, an Alfa Romeo 4C in black on red, and a bikini wax for the old lady.

Re: I'm going to upload a dick pic

His head looks a bit phallic too so I can see why he's trying so hard to insert his signature

Re:I'm going to upload a dick pic

[rwise2112]

Australia is way ahead of you.

Man! What a dick!

Why not two factor?

I buy something.
The transaction simply stays on hold (for like 5 to 10 seconds), my phone receives a code via txt message, I enter the code to complete the transaction. What's the big deal? My banker friend tells me "no no no, consumers don't want the hassle of entering codes." . . .why not?

Re:Why not two factor?

[JcMorin]

Why not just an app on your phone that you click accept or denied? No need to enter a pin...

Re:Why not two factor?

The extra 5-10 seconds the new chip cards take over the old mag stripes is getting really annoying, especially having to wait til everything is finished being scanned to even start the process. As fast as computers have got, we're STILL waiting on them.

Re:Why not two factor?

[Ravaldy]

I've been saying this for years but the major challenge is allowing the transaction to go forward when that is not available like travelling to another country with roaming off or simply in the middle of nowhere with no access to data all together.

I think there's a way to make this work and considering the big CC companies have plenty of resources at hand I'm surprised things are moving quicker.

Re:Why not two factor?

[montrealdakar]

The good old SMS works pretty much everywhere

Re:Why not two factor?

Yeah, because I want to be standing behind your two-factor ass, waiting around for 10 seconds for you to complete your transaction.

You may as well whip your personal checkbook for all my time that you are going to waste.

Besides, what do people who don't have smartphones, on mobile data plans do for two factor? Now I have to have a phone and a mobile data plan to use my credit card?

You can see how retarded a suggestion this was now, right?

Re:Why not two factor?

[hawguy]

I've been saying this for years but the major challenge is allowing the transaction to go forward when that is not available like travelling to another country with roaming off or simply in the middle of nowhere with no access to data all together.

I think there's a way to make this work and considering the big CC companies have plenty of resources at hand I'm surprised things are moving quicker.

The app can keep a set of one-time-use codes for times when your phone is off the network. Use of such codes could trigger more stringent fraud protection for those transactions.

Re:Why not two factor?

[hawguy]

I've been saying this for years but the major challenge is allowing the transaction to go forward when that is not available like travelling to another country with roaming off or simply in the middle of nowhere with no access to data all together.

I think there's a way to make this work and considering the big CC companies have plenty of resources at hand I'm surprised things are moving quicker.

The app can keep a set of one-time-use codes for times when your phone is off the network. Use of such codes could trigger more stringent fraud protection for those transactions.

Or it can just keep a private key for each user and generate codes with that private key on its own when it's off network -- the bank can validate those offline codes against their copy of the public key. They can rekey periodically so even if someone compromises the app, the key has a limited lifetime.

Re:Why not two factor?

[Ravaldy]

That's a great idea!

Re:Why not two factor?

[Ravaldy]

That's hackable. The other solution has codes generated by the servers. I think it's safer.

Re:Why not two factor?

[Ravaldy]

Trust me when I say it DOES NOT!

Just travelling up north between towns you lose signal for kilometers.

Re:Why not two factor?

[hawguy]

That's hackable. The other solution has codes generated by the servers. I think it's safer.

Both solutions are hackable. If someone can hack the app to get to the private key, they can hack the app to get to the set of pre-generated codes. I'm assuming that you're not suggesting that public key cryptography itself is hackable.

But the nice thing about PKI is that the app doesn't have to set an upper bound on how many transactions can be completed offline, while if a static set of single-use codes is downloaded, that puts a hard cap on how many transactions can be completed offline.

Anything that can protect the list of single-use codes (i.e. only generated when I request it, expired and replaced daily, etc) can also be used to protect the private key.

The bank can chose to put their own cap on the number of offline PKI transactions, but it doesn't have to be baked into the app based on how many codes it downloaded, and if I call the bank from Bagladesh and say that I'm stranded there and I *have* to use my card, they can lift the cap for me.

Re:Why not two factor?

[Ravaldy]

I think your solution works good as long as the key is re-generated on a regular basis. The problem with a static keys stored locally on a device is that a copy of the device = ability to generate transactions at will. Obviously we can keep finding loop holes until we lose the will to live but what you and the other fellow suggested makes it such as smaller problem than it currently is.

So now, lets get coding and push this. Sounds like we have enough brain power and ideas to go make tones of money and become one of these evil corps /. users love to rant about. :)

What prevents the bad guys ..

What prevents the bad guys from taking a selfie of your picture?

Re:What prevents the bad guys ..

[Flavianoep]

WHAT? How can someone take a selfie of someone else's picture? It is not how selfies work!

Re:What prevents the bad guys ..

Ask Nick Papagiorgio.

Secure? or Convenient?

[QuietLagoon]

Is this really more secure? Or is it just more convenient?

Re:Secure? or Convenient?

You could get around this kind of "security" just by holding up a photo.

Re:Secure? or Convenient?

Probably not -- they could ask you to smile and verify facial motion.

Re:Secure? or Convenient?

No, most of these applications are designed to mitigate that by asking for the person to blink or smile or something. Now: an emulated video feed might work once, but they should also be doing comparisons to previous logins to avoid the same video loop from being used multiple times. Simple crop/distort/stretch and additive noise to create variation should confound naive image hashing so they would do well to use image features to do that analysis but the false positive rate will go up the more sensitive they make the system.

What level of false positive rate is tolerable and what is the desired added difficulty to attackers?

Re:Secure? or Convenient?

For MC it's a pretty convenient method of acquiring everybody's face data. Paving the way for licit and ilicit use of face matching databases.

Re:Secure? or Convenient?

[pr0fessor]

Well, I have a brother that is not a twin but even my sisters used to have trouble telling us apart, not so much now he has a beard and short hair I keep a clean shave and long hair. I imagine if we had the same hair and facial hair style we could fool the facial recognition software fairly easy.

Re:Secure? or Convenient?

[The-Ixian]

I was thinking about this.

A picture of yourself is hardly private information and so there must be something more to this than a simple image verification.

I am thinking infrared or motion are going to be integral elements to this.

Re:Secure? or Convenient?

This isn't convenient for me, for I have neither smartphone nor the urge to make selfies. So it's only convenient for some definitions of same. The security story likewise. This is lots more "secure" because it increases their "due diligence" defence. It isn't in any way or form more secure for you, paying customer. You just end up with less leeway if some crook successfully does convince the card processor to authorize payment.

For real security you'd have to do away with the oh-so-convenient credit card in its current form, where a string of numbers is all you need for payment. But this isn't what the credit card companies want since if they had a better system there'd be no excuse to do all sorts of tracking and identifying and correlating and big data and other gimmickery in the name of "security". We could make a payment system that is actually secure and even anonymous, and certainly doesn't need all sorts of "identifying the customer". We could actually do that, the math is known and the technology feasible. But the very fact that no bank or credit card company is even contemplating such is entirely too telling.

While we're contemplating, notice that credit cards are not a form of payment. They are a way to request some other party pay on your behalf, with settlement later. One consequence of this is that now that other party has an interest in deciding whether to "authorize payment" for you. It is no longer your own decision. You may not have realised how dependent this makes you on big corporate third parties for your payments, which in the case of groceries directly impacts the contents of your stomach this evening.

You may not want to realise this because it isn't pretty or comfy or safe. Or you may want to face up to the scary reality and take appropriate measures. You'll want to do that sharpish, mind, for at some point "everyone" will be card dependent and then we'll just do away with cash because only criminals use that, and you wouldn't want to look like a criminal, now would you?

Re:Secure? or Convenient?

[tlhIngan]

Is this really more secure? Or is it just more convenient?

Neither. It's for vanity. It's to appeal to the millennials to give them one more selfie opportunity, so they can charge their card AND post about their new purchase on social media at the same time.

If's to encourage sales, which means more revenue for MasterCard in the end. If they had a doubt whether they wanted to buy something, well, the ability to take a selfie of it will hopefully convince them to buy.

Re:Secure? or Convenient?

Don't be silly. Fingerprints are hardly private information seeing how you leave them bloody everywhere, yet they get used for "authentication" too.

Besides, apple already introduced this and of course someone held up another mobile playing a face, and it worked fine. So no, don't expect "mitigation". This isn't about security in any common sense. It's about them covering their asses, so they can say "must've been you, for piccies don't lie."

Re:Secure? or Convenient?

[gweilo8888]

In which case you hold up your iPad to the camera and play a short video. This is an idiotic idea, and there's no way on god's green earth I'd participate in something so easily circumvented. You'd need dedicated hardware incorporating more than just a regular still / video webcam for this to provide even remotely-meaningful security.

Re:Secure? or Convenient?

Well, presumably the cashier will notice that you're photographing a photo rather than yourself and call you on it.

Re:Secure? or Convenient?

[thegarbz]

This is how it is done in commercial units. However the key problem here is: are they going to be using commercial units? Nope. So now you're stuck with whatever technology is most common in a cell phone.

Re:Secure? or Convenient?

Is this really more secure? Or is it just more convenient?

Neither.

It's just more data for them to feed on and associate with you.

Credit-giving companies already search for you by name on the internet... lets just go ahead and give them a facial-rec compatible photo, too; so they can find all the pictures you, your "friends", or even complete strangers, post online of you even when your real name isn't (yet) associated with them.

Re:Secure? or Convenient?

You assume the cashier's not in on it.

Re:Secure? or Convenient?

[TheRaven64]

Fingerprints work fine for authentication if there is a human checking that it's actually your finger going on the reader (and not, for example, a jelly baby) and if the value of the thing that it's protecting is low enough that it's not worth printing custom finger coverings that mimic someone else's print. They're most useful for deterring casual attempts. Using them to unlock a phone means that some random stranger who picks up your phone can't instantly unlock it. An adversary that wants to invest time and effort can do so, but that's not the threat model that it's intended for.

whose face verifies our wmd on credit holycost?

some guy who looks like a mr. potato head outline with a hat? cease fire stand down all life matters in all of our towns... truth+mercy=justice.. in the moms we trust..

Re:whose face verifies our wmd on credit holycost?

What does holyfield have to do with this?

Re:whose face verifies our wmd on credit holycost?

[alphatel]

Now that they got your features, they are likely to mint a currency in your honor, aka facecoin.

Re:whose face verifies our wmd on credit holycost?

[slashping]

But what if you're really a doge ?

App appers app apps with selfie apps!

Modern app appers know that ONLY apps can app apps, so any app apper can take a selfie of you and app your apps using your AppsterCard!

Apps!

Re:App appers app apps with selfie apps!

[NEDHead]

Per apps, per apps not

What a creepy way...

for those corporations to demand pictures of us. They must have a plan for making a lot of money off of them considering the huge rise in fraud this will cause. I know at the bank where I work, we often do things that screw customers and merchants just because there's a little profit in it for us. Security just isn't important to us.

Re:What a creepy way...

I don't know where you work, but the bank where I work takes security ridiculously seriously. It's annoying as a developer, but I have no complaints as a customer.

Revoke?

Suppose it's as secure as a password.

A password can be changed/revoked when you think it's insecure.
Suppose we also had this kind of protection from photos. I wonder what it would look like.

"He's smiling but didn't shave but looks bored" therefor it's authorized? "Wait, he revoked that as well" "umm, let's go with unshaven, fluffy bunny hat, asymmetric smile..."

I know it's easier but it is not a password.

Awsome

This is awesome - can they tie to my passport? - then I just need one document to live my life!!! :)

Re:Awsome

[cayenne8]

This is awesome - can they tie to my passport?

Yeah, but what if you don't have a passport?

I'd dare say most US citizens do not have a passport, and never have had one....so, not really a common denominator.

This should be fun...

[__aaclcg7560]

Every time my friend tries to use Apple Pay with his iPhone, his bank automatically deactivates his debit card and he has to call in explain what the fraudulent activity he was trying to commit.

All you are doing

...is to help the leftist statists spy on all of your activities and outlaw cash.

Easily Hacked

Just got to go all silence of the lambs on the guy whose credit card you stole.

Payments only?

[drew_kime]

Will this also replace PIN numbers at ATM machines? /grammar

Re:Payments only?

[dogvomit]

Will this also replace PIN numbers at ATM machines? /grammar

I've often wondered if FET transistors are involved when you type your PIN number at an ATM machine that uses LCD displays.

—George

Re:Payments only?

[fisted]

There's probably one or two in the RAID array.

So It Begins... Total Awareness... We Got You Now

[Apoklypse]

Captain, Obviously this was predicted. here is the complete surrender of your last vestige of privacy. your images are stored on THEIR servers and tied to EVERY video camera on the planet to follow the dissenters and dissidents ... hope you enjoy this Brave New World Order that you brought upon us by sheeping up and giving away my Rights and Freedoms.

So let me get this straight...

[Ghostworks]

...Mastercard is going to consider a selfie run through facial recognition to be as good as a fingerprint. So in order to be able to steal, say, Jessica's money, you need to have her card number and a large photo of her face you can hold up in front of your own face. Or if the transaction is monitored by a clerk who might be marginally competent, you can be more subtle and wear the the photo on a tee-shirt, taking a photo of your chest to pay. Maybe the phone itself is the ID, and the selfie just supposed to be proof that you are in possession of the phone? And all of this assumes that you have to upload the photo through an app and can't just text a saved image. If that's not true it's yet another point of failure.

I supposed possessing a card and a photo (or card and phone?) is marginally better security than just card. But my PIN isn't on Facebook, or in my phone's camera folder, so this is worse than just entering a PIN on your phone. The only value of the scheme is in using the phone as a side channel (harder to snoop on than a public keypad), or a as form of ID all it's own. So why not just put the existing identifier (the PIN) on the side channel, and not introduce novel way to fail?

This feels like when banks started letting you check your account over twitter because they just "didn't get it."

Re:So let me get this straight...

[slashping]

...Mastercard is going to consider a selfie run through facial recognition to be as good as a fingerprint

Could be correct. Fingerprints aren't very secure either.

Re:So let me get this straight...

At least you can't download most people's fingerprints from Facebook.

Re:So let me get this straight...

Yes, this is applying the "something you have" (phone), and the "something your are" (biometrics) to avoid needing "something you know" (a password).

The problem is that while "something you are" sounds like it'd be the hardest one to fake, in reality it's the easiest.

Re:So let me get this straight...

They should skip straight to full handprints instead so they can call the new service FacePalm.

Re:So let me get this straight...

[davew666]

You have to blink whilst doing the selfie, to make sure it isn't a photo http://www.bbc.co.uk/news/tech...

Re:So let me get this straight...

[psithurism]

You're mastercard requires a fingerprint? All my master card requires from me, after a number, is a "signature." I frequently spend several hundred dollars on my card and leave a small squiggle, assuming the touchscreen worked that day, to confirm it was definitely me who made the purchase.

Instead of having just a number (which has been taken from me at least twice before), this person needs to spoof my phone and have acquired pictures of me. It's not perfectly secure, but this is orders of security above the security systems that are currently in place around my cards.

I even better liked the suggestion of using a dick pick, very few people have my dick pick on file. You can't pull that off of my facebook profile either (like mugshots and my phone number if you're a friend.

I'm now convinced...

The future is stupid.

Re:I'm now convinced...

That feeling gets stronger the older you get. This is true of most people, including you, apparently. It's one reason why it is important for people to die...true immortality would result in way too much political power in the hands of people who are hopelessly trapped in the past.

(Note, it is still true that political power is in the hands of people who are trapped in the past, but if you zoom out just a bit it is clear that they are trapped in the relatively-recent past....which wouldn't be true if people didn't die of old age).

Re:I'm now convinced...

[Ravaldy]

It's one reason why it is important for people to die...true immortality would result in way too much political power in the hands of people who are hopelessly trapped in the past.

That's only true because the ideas that come out are ridiculous and lack wisdom. If anything, the work force holds on to older talent because they avoid or minimize non sense.

Age DOES NOT equal lack of wanting to move forward but youth does equal thinking outside the box because of lack of wisdom. This thinking outside the box is usually well paired with wisdom as crazy ideas can be tamed to idea with large potential.

There are always people that refuse to accept change no matter what age. Every single person I know that owns an electric car is his 50s or 60s. I myself am in my 30s. I don't know one person under the age of 50 with an electric car. Call it coincidence if you want.

Most people want convenience.

Convenience, convenience, convenience. That is what sells to the majority.

Re:Most people want convenience.

[cayenne8]

I am NOT going to give my credit card companies, nor bank my picture or fingerprints.

They don't need it and I don't want them to have them.

Fuck it, if they try to force this in the US, I'll cancel my cards and just do all cash...which I try to do more and more every day anyway.

Re:Most people want convenience.

[Ravaldy]

Fuck it, if they try to force this in the US, I'll cancel my cards and just do all cash...which I try to do more and more every day anyway.

You being a little drastic. You've already given them far more than your fingerprint and picture so I'm not sure why that's your biggest concern.

As for cancelling the cards. I wish you good luck with dealing everything in cash. Last I checked most online stores require a credit card. You could proceed with a prepaid card but the inconvenience will eventually make you go back.

Re:Most people want convenience.

[theprophetof+sarcasm]

I am NOT going to give my credit card companies, nor bank my picture or fingerprints.

They don't need it and I don't want them to have them.

Fuck it, if they try to force this in the US, I'll cancel my cards and just do all cash...which I try to do more and more every day anyway.

You did read the article right? It clearly says for Mobile payments. You know from like your phone. It will be housed on the phone, I how most use your fingerprint to unlock it. Why the sudden jumping of the grid conspiracy theory. Calm down man it's going to be on something you already use that has that information, no more no less.

Re:Most people want convenience.

[innocent_white_lamb]

I use my credit cards (American Express and Mastercard) to pay for everything that I possibly can because I get a cash refund by doing it that way. I get 1.25% refund from American Express and 1% refund from Mastercard for most things and 2% from Mastercard for charges made at grocery stores.

Therefore, when I pay by credit card I am getting a discount on everything that I buy, up to and including things like my municipal water bill.

I'm aware of no other way that I can get those kinds of discounts on just about everything. If they're giving away free money why shouldn't I take it?

Re:Most people want convenience.

It will be housed on the phone, I how most use your fingerprint to unlock it. Why the sudden jumping of the grid conspiracy theory. Calm down man it's going to be on something you already use that has that information, no more no less.

No, it won't, otherwise it would be (even more) useless. You'll have an app on the phone, which will upload the photo to Mastercard's servers for verification with a previously uploaded photo. And I don't know who are "the most" who allegedly use their fingerprints on their phones: did you count them one by one? I use a password, I have no intention to switch to fingerprint, and "the most" of those I know do the same.

Re:Most people want convenience.

[theprophetof+sarcasm]

No, it won't, otherwise it would be (even more) useless. You'll have an app on the phone, which will upload the photo to Mastercard's servers for verification with a previously uploaded photo. And I don't know who are "the most" who allegedly use their fingerprints on their phones: did you count them one by one? I use a password, I have no intention to switch to fingerprint, and "the most" of those I know do the same.

There could easily be a generational gap here. Most people I know use their fingerprints to unlock their mobile phones. I myself use Samsung pay for most of my transactions. It has my fingerprint registered on the phone and uses the record from the phone to authenticate that it me. What's wrong with that? it works just well and is more secure than a pin... So "the most" people that you know are they to crazy off the grid conspiracists or an older generation?

Re:Most people want convenience.

Why was this intelligent post modded as "offtopic"? It is absolutely ON topic, insightful, and I entirely agree that this move has serious privacy implications. I'm ok with passwords and PINs and I do not intend to upload my photos, fingerprints or any other biometric infos to anyone.

Not to mention that "Ajay Bhalla", the Mastercard exec who is desperately marketing this crap, has released a series of desperate interviews with delirious statements like: "This thing is good 'cuz people canâ(TM)t remember passwords", (!) "Selfies are good 'cuz millennials like them" or, even worse: "One third of people don't do e-commerce 'cuz they can't remember passwords". Just google for all of his desperate marketing efforts to push this crap to consumers, he sounds more like a kitchen appliances' seller rather than an IT expert.

Re:Most people want convenience.

You've already given them far more than your fingerprint and picture

Such as? My bank has my address, phone number and, of course, money. None of those things are as valuable as my identity and privacy.

Re:Most people want convenience.

[ShaunC]

My objection to using my fingerprints as a means of authentication is that they're permanent and irrevocable. If someone gets ahold of my passwords, I can change them. My fingerprints, not so much.

Re:Most people want convenience.

> If they're giving away free money why shouldn't I take it?

If it's worth a few bucks to have your every purchase monitored and profiled then, by all means.

Re:Most people want convenience.

[ShanghaiBill]

Two factor is a user selectable option. You get to pick if you want face-id, thumbprint, and/or PIN. You can also set thresholds, so that, say, any transaction for less than $20 goes through automatically, but a thumbprint is required for $20 to $100, and a thumbprint plus a PIN is needed for anything over $100.

Re:Most people want convenience.

Have you been in the branch? Did they have cameras? Did you identify yourself while on camera? Did you touch anything? Agreed... drastic.

Re:Most people want convenience.

[cayenne8]

It will be housed on the phone, I how most use your fingerprint to unlock it.

I don't give my phone my fingerprint either....I have complex passcodes. You can't be forced by the authorities to give those up, but they can make you press your thumb/finger on the sensor to open it up.

Re:Most people want convenience.

just do all cash... as long as it's not in $100 bills.

Re:Most people want convenience.

Have you been in the branch?

What branch? My bank doesn't have a physical location.

Did they have cameras?

Nope. You kind of need a physical location to place cameras, which as already stated does not exist.

Did you identify yourself while on camera?

Nope. Again, you kind of need a camera and a physical location in which to place said camera in order to identify yourself while on camera.

Did you touch anything?

Nope. You need physical objects in a physical location in order to touch them.

Agreed... drastic.

You can take off the tinfoil hat now.

'Privacy' agreement

[kheldan]

I'm sure part of the 'privacy' agreement that will go along with this, is the 'sharing' of the exemplar photo and/or fingerprints with their 'partner' companies, which no doubt will also include the government. For safety purposes, of course. Really, the government only wants to know where you are at all times and everything you're purchasing for your own safety, really they do!

Bollocks.

Re:'Privacy' agreement

[Actually,+I+do+RTFA]

which no doubt will also include the government.

Fuck the government, it will no doubt include Facebook.

The government just wants power over me. Advertisers want to target my psychological weaknesses to take everything I own and put me in debt forever. (Not that I think they'll succeed to that extent, but private companies will probably have worse consequences for me.)

Re:'Privacy' agreement

The private company can not (by itself) take away your freedom nor do they have a monopoly on force. I'm not sure that the private company would be worse consequences - certainly not potentially worse consequences.

Re:'Privacy' agreement

[Actually,+I+do+RTFA]

I'll grant you that the potentially worse result belongs in the governmental column. But the expected worse results is definitely in the corporate one.

For one, the delta for the government power is less. The government really doesn't need Mastercard, they already have my Photo ID pictures.

For another, they can show up at my house tomorrow and march me off for no reason (other than, you know, my rights.) Already have that power.

The government however is restrained by various reasons. Whereas, I've never seen a corporation exercise any form of self-restraint.

Re:'Privacy' agreement

The government already has all that info. You have to get your picture taken to get a drivers license. Who under the age of 16 doesn't have one of those in the USA*? As for location data, your phone already automatically provides that and the government does access that information.

What this does is increase the availability for advertisers, hackers, and MasterCard marketing. I'd bet money MasterCard will start using some of these images in their advertising. They'll also sell the image database to companies so their security cameras can better determine who is walking around their store. Retailers have already been doing that, backtracking from you identify yourself during checkout, but data miners are data hoarders and can never get too much data.

I minored in computer vision and graduated last year. Computer vision algorithms aren't advanced enough for this be to secure and consistent. You can have it sort-of secure and force the users to take 50 pictures to get one identified, or it will be completely insecure but only one picture is needed. The video feed helps, but it's still not good enough. It'll be easy to video other people and replay them to fake this verification.

*I know this article is for UK, but it says they're already testing it in USA.

Re:'Privacy' agreement

data miners are data hoarders and can never get too much data
That reminds me of Aquarium by V. Suvorov in which the GRU never had enough information. Unless your information turned out to be inaccurate.

Deja Vu

Didn't some credit used to photo printed right on the credit card? I never understood why that went away.

They could have easily verify the photo hash to check the photo integrity and retail clerk can easily check if photo match the person

At least it

[goombah99]

Will work on Halloween unlike face recognition. But you'll have to stop using chat roulette or your bank account will be drained. I

Here's hoping

[ThatsNotPudding]

Here's hoping the algorithm is good enough to pick up the fear in someone's eyes that have a knife held up against to them out of camera view.

workaround to thwart hackers

[nimbius]

This technology is certainly meaningful, but could easily be bypassed by twins or worse, casual photographers. My solution is both elegant and simple.

whenever asked for photo confirmation, unfold my patented visual verification sheet. The sheet, which is a visual depiction of george W bush and the words, "War Criminal," will quickly identify your presence for a transaction. For those wondering about the security of this system I can assure you, each VV sheet is unique. For example, one may contain a depiction of Hillary Clinton and the words "Corporate Citizen" to help distinguish unique transactions for a customer.

Re:workaround to thwart hackers

[pr0fessor]

I have a brother that's not a twin but even my sisters had trouble telling us apart until we started wearing different hair and facial hair styles. His friends would often stop me in stores because they thought I was him and sometimes still do if they haven't seen him recently. Aside from the obvious difference in cameras, hair, and clothing styles of the era we both also look just like pictures of our father at around the same age.

Re:workaround to thwart hackers

Did you ever use this to trick his girlfriend into sleeping with you?

If not then you can safely assume that he is the evil twin, and that at least one of your kids isn't actually yours.

Chip cards a step back

[goombah99]

Yeah you noticed this too? What were they thinking? It's not an eternity but it really slows down what used to be a quick transaction when you buy a cup of coffee or something quick and easy. For you an extra thirty seconds might not matter but for the vendor it will add up. If they were doing 30 transactions an hour it will have an impact. Drive throughout aim for twice that.

Re:Chip cards a step back

[slashping]

I've noticed many ATMs are poorly designed, and do the operations such as scanning the card, entering PIN, printing the receipt, counting the money, and cueing the user to take back the card in slow sequential order, instead of combining as many actions as possible.

Re:Chip cards a step back

[jratcliffe]

Me too. My usual breakfast place had to add a second terminal (still just one checkout) because the credit card cycle time slowed down so much.

Re:Chip cards a step back

[vux984]

That's not poor design, that's deliberate design.

Too many people left things behind when it happened at once. So now the card doesn't come out until AFTER you take the money.

(At least if you forget the card, its probably not that big of a deal); since it's useless without the pin.)

Plus doing multiple things at once leads to much more difficult to handle error conditions; which is something you don't want to do when dealing with money. So each step is an atomic transaction. Don't do X until we know that Y was actually successful.

Re:Chip cards a step back

[slashping]

That's not poor design, that's deliberate design.

It's deliberately poor, yes. With a bit more thought, you can do multiple things at once and still do them correctly. It's not like it's controlling a nuclear reactor or a jumbo jet. There's only a handful of things going on at the same time.

Re:Chip cards a step back

[TheRaven64]

Too many people left things behind when it happened at once. So now the card doesn't come out until AFTER you take the money.

Are you sure? That's a regression if it's really the case. The normal design is to not release the money until after the user has taken their card because the user's attention is on the goal (getting the money) and once that's achieved they are very likely to forget anything else associated with the task (including getting the card). In the UK, instances of people leaving cards in machines dropped hugely in the '80s when they switched the order from release-money-then-card to release-card-then-money.

But that's still no excuse to not start counting the money until after the user has decided if they want a receipt and the card has been taken. The machine doesn't have to release the money (open the cash slot) until after the card is gone, but it could still have the money ready. There's already an error recovery path if the user forgets to take the money (it drops into a bin and the transaction is cancelled - this was exploited last year by some thieves who asked for large amounts of money and then took the notes from the middle of the pile, triggering the machine to take back the ones it still could detect were there and refund the withdrawal).

Heh...

I wrote that code..
It's pretty decent and it does work towards the new specs coming in the next few years, which is to rid all banking online from usernames and passwords.

Also, the idea is 2-factor, not Just a picture. You won't even get to the picture part without the first step.

Some delirious statements by a Mastercard exec...

The name of the Mastercard guy who is desperately trying to push this crap is "Ajay Bhalla". He has released a series of desperate interviews with delirious statements like:

- "This thing is good 'cuz people canâ(TM)t remember passwords" (I can, IDIOT)

- "Selfies are good 'cuz millennials like them" (I'm a millennial, and I don't like selfies, IDIOT)

- And, dulcis in fundo, some self-sourced "statistics": "One third of people don't do e-commerce 'cuz they can't remember passwords" (probably that third that you come from, the IDIOTS)

Just google for all of his desperate marketing efforts to push this crap to consumers, he sounds more like a kitchen appliances' seller rather than an IT expert. Would you trust a guy like that...?

Wow

[drew_kime]

"RAID array" is ... redundant.

Mind. Blown.

Re:Wow

"RAID array" is ... redundant.

Mind. Blown.

As is "PIN number"...

Revoke credentials

[manu0601]

How are they going to cope with the problem that biometric credentials cannot be revoked once they have been compromised?

Foolproof

[garryknight]

I've always used a simple, foolproof method of my own invention.

"Can you identify yourself, sir?"

*Pulls out small pocket mirror*

"Yep, that's me all right."





I think "foolproof" is the right word...

Re:So It Begins... Total Awareness... We Got You N

It's the Mark of the Beast!
Which actually, I'm looking forward to. All they need is a narrator with dulcet tones to assure us, "This technology will protect your family from Global Terrorism, High Gas Prices, Internet Pedophiles, and Gay Marriage."
Then the Bible-thumpers will be the first ones to get it.

Samsungs face detection...

[TheCastro1689]

was beatable by a photo on my iPhone of the same person. I doubt that these "facial recognition" banking apps will be any more secure.