Slashdot Mirror


MasterCard Rolls Out 'Selfie' Verification For Mobile Payments (thestack.com)

An anonymous reader writes: MasterCard has announced plans to invest in facial recognition technology in the UK, in a push to reduce false decline transactions and increase security for mobile payments. Following trials in countries including the U.S. and the Netherlands, 'Selfie Pay' will be introduced in Britain this summer as part of the financial services company's identity validation process. Users will be able to choose between finger scanning and face recognition for verification, instead of traditional passwords or PIN numbers. Consumers will be asked to upload their pictures to be stored on MasterCard servers [paywalled]. These registered images will then be used as a reference every time a user opts for facial verification during a transaction.

6 of 109 comments

  1. What prevents the bad guys .. by Anonymous Coward · · Score: 3, Interesting

    What prevents the bad guys from taking a selfie of your picture?

  2. Revoke? by Anonymous Coward · · Score: 2, Interesting

    Suppose it's as secure as a password.

    A password can be changed/revoked when you think it's insecure.
    Suppose we also had this kind of protection from photos. I wonder what it would look like.

    "He's smiling but didn't shave but looks bored" therefore it's authorized? "Wait, he revoked that as well" "umm, let's go with unshaven, fluffy bunny hat, asymmetric smile..."

    I know it's easier but it is not a password.

  3. So let me get this straight... by Ghostworks · · Score: 4, Interesting

    ...Mastercard is going to consider a selfie run through facial recognition to be as good as a fingerprint. So in order to be able to steal, say, Jessica's money, you need to have her card number and a large photo of her face you can hold up in front of your own face. Or if the transaction is monitored by a clerk who might be marginally competent, you can be more subtle and wear the photo on a tee-shirt, taking a photo of your chest to pay. Maybe the phone itself is the ID, and the selfie is just supposed to be proof that you are in possession of the phone? And all of this assumes that you have to upload the photo through an app and can't just text a saved image. If that's not true it's yet another point of failure.

    I suppose possessing a card and a photo (or card and phone?) is marginally better security than just card. But my PIN isn't on Facebook, or in my phone's camera folder, so this is worse than just entering a PIN on your phone. The only value of the scheme is in using the phone as a side channel (harder to snoop on than a public keypad), or as a form of ID all its own. So why not just put the existing identifier (the PIN) on the side channel, and not introduce a novel way to fail?

    This feels like when banks started letting you check your account over Twitter because they just "didn't get it."

  4. Re:Secure? or Convenient? by Anonymous Coward · · Score: 3, Interesting

    No, most of these applications are designed to mitigate that by asking for the person to blink or smile or something. Now: an emulated video feed might work once, but they should also be doing comparisons to previous logins to avoid the same video loop from being used multiple times. Simple crop/distort/stretch and additive noise to create variation should confound naive image hashing so they would do well to use image features to do that analysis but the false positive rate will go up the more sensitive they make the system.

    What level of false positive rate is tolerable and what is the desired added difficulty to attackers?
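The replay check discussed in comment 4, as an added example that is not part of the thread or of any MasterCard code: an exact hash misses a noise-perturbed copy of an earlier capture, a perceptual hash catches it, and loosening the match threshold starts flagging unrelated captures. The average hash used here is one simple perceptual hash chosen for illustration (the comment names no method), and the frames, function names and thresholds are constructed assumptions.

```python
import hashlib
import random

SIZE, GRID = 32, 8  # constructed 32x32 grayscale frames, 8x8 hash grid

def average_hash(frame):
    """64-bit perceptual hash: one bit per block, set if block mean > global mean."""
    step = SIZE // GRID
    means = []
    for by in range(GRID):
        for bx in range(GRID):
            block = [frame[y][x]
                     for y in range(by * step, (by + 1) * step)
                     for x in range(bx * step, (bx + 1) * step)]
            means.append(sum(block) / len(block))
    avg = sum(means) / len(means)
    return sum(1 << i for i, m in enumerate(means) if m > avg)

def exact_hash(frame):
    """Byte-exact digest: changes completely if any single pixel changes."""
    return hashlib.sha256(bytes(p for row in frame for p in row)).hexdigest()

def hamming(a, b):
    return bin(a ^ b).count("1")

def is_replay(frame, seen_hashes, threshold):
    """Flag the frame if its hash is within `threshold` bits of a stored one."""
    h = average_hash(frame)
    return any(hamming(h, s) <= threshold for s in seen_hashes)

def add_noise(frame, amplitude, seed=1):
    """Additive per-pixel noise, clamped to the 0..255 range."""
    rng = random.Random(seed)
    return [[min(255, max(0, p + rng.randint(-amplitude, amplitude))) for p in row]
            for row in frame]

# Constructed sample data: a horizontal gradient stands in for an earlier
# login capture, a vertical gradient for an unrelated capture.
earlier = [[x * 8 for x in range(SIZE)] for _ in range(SIZE)]
replayed = add_noise(earlier, 3)
unrelated = [[y * 8 for _ in range(SIZE)] for y in range(SIZE)]

if __name__ == "__main__":
    seen = [average_hash(earlier)]
    print("exact hash matches replay:", exact_hash(earlier) == exact_hash(replayed))
    print("bits differing, replay:", hamming(seen[0], average_hash(replayed)))
    print("bits differing, unrelated:", hamming(seen[0], average_hash(unrelated)))
    for t in (4, 32):  # tight vs. loose match threshold
        print(t, is_replay(replayed, seen, t), is_replay(unrelated, seen, t))
```
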

  5. Re:Most people want convenience. by cayenne8 · · Score: 3, Interesting

    I am NOT going to give my credit card companies, nor bank my picture or fingerprints.

    They don't need it and I don't want them to have them.

    Fuck it, if they try to force this in the US, I'll cancel my cards and just do all cash...which I try to do more and more every day anyway.

    --
    Light travels faster than sound. This is why some people appear bright until you hear them speak.........

  6. Re:Secure? or Convenient? by tlhIngan · · Score: 1, Interesting

    Is this really more secure? Or is it just more convenient?

    Neither. It's for vanity. It's to appeal to the millennials to give them one more selfie opportunity, so they can charge their card AND post about their new purchase on social media at the same time.

    It's to encourage sales, which means more revenue for MasterCard in the end. If they had a doubt whether they wanted to buy something, well, the ability to take a selfie of it will hopefully convince them to buy.