Slashdot Mirror


MasterCard Rolls Out 'Selfie' Verification For Mobile Payments (thestack.com)

An anonymous reader writes: MasterCard has announced plans to invest in facial recognition technology in the UK, in a push to reduce false decline transactions and increase security for mobile payments. Following trials in countries including the U.S. and the Netherlands, 'Selfie Pay' will be introduced in Britain this summer as part of the financial services company's identity validation process. Users will be able to choose between finger scanning and face recognition for verification, instead of traditional passwords or PIN numbers. Consumers will be asked to upload their pictures to be stored on MasterCard servers [paywalled]. These registered images will then be used as a reference every time a user opts for facial verification during a transaction.

16 of 109 comments

  1. I'm going to upload a dick pic by Anonymous Coward · · Score: 5, Funny

    Which will make things really awkward at the store.

    1. Re:I'm going to upload a dick pic by Anonymous Coward · · Score: 3, Funny
  2. What prevents the bad guys .. by Anonymous Coward · · Score: 3, Interesting

    What prevents the bad guys from taking a selfie of your picture?

  3. Secure? or Convenient? by QuietLagoon · · Score: 3, Insightful

    Is this really more secure? Or is it just more convenient?

    1. Re:Secure? or Convenient? by Anonymous Coward · · Score: 3, Insightful

      You could get around this kind of "security" just by holding up a photo.

    2. Re:Secure? or Convenient? by Anonymous Coward · · Score: 3, Interesting

      No, most of these applications are designed to mitigate that by asking for the person to blink or smile or something. Now: an emulated video feed might work once, but they should also be doing comparisons to previous logins to avoid the same video loop from being used multiple times. Simple crop/distort/stretch and additive noise to create variation should confound naive image hashing, so they would do well to use image features to do that analysis, but the false positive rate will go up the more sensitive they make the system.

      What level of false positive rate is tolerable and what is the desired added difficulty to attackers?
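The trade-off raised in the comment above, as an added example that is not part of the original thread and not MasterCard's code: an exact hash misses a replayed frame with additive noise, a feature-style hash catches it, and loosening the match threshold to catch a crop-like edit also flags a genuinely new capture. The frames are constructed synthetic gradients, the average hash stands in for "image features", and all function names are hypothetical.

```python
import hashlib
import random

SIZE, GRID = 32, 8  # constructed 32x32 grayscale frames, hashed on an 8x8 grid

def make_frame(pixel):
    """Build a frame (rows of 0..255 ints) from a pixel(x, y) function."""
    return [[pixel(x, y) for x in range(SIZE)] for y in range(SIZE)]

def exact_hash(frame):
    """Naive approach: cryptographic hash of the raw pixels."""
    return hashlib.sha256(bytes(v for row in frame for v in row)).hexdigest()

def average_hash(frame):
    """Feature-style hash: one bit per grid cell, set if brighter than the mean."""
    step = SIZE // GRID
    cells = [sum(frame[y][x]
                 for y in range(by * step, (by + 1) * step)
                 for x in range(bx * step, (bx + 1) * step)) / step ** 2
             for by in range(GRID) for bx in range(GRID)]
    mean = sum(cells) / len(cells)
    return [c > mean for c in cells]

def distance(a, b):
    """Hamming distance between the average hashes of two frames."""
    return sum(p != q for p, q in zip(average_hash(a), average_hash(b)))

def is_replay(frame, history, threshold):
    """Flag a frame whose hash is within `threshold` bits of any earlier login."""
    return any(distance(frame, old) <= threshold for old in history)

# Constructed sample frames (synthetic gradients, not real captures).
PREVIOUS_LOGIN = make_frame(lambda x, y: x * 8)
_rng = random.Random(1)
NOISY_REPLAY = make_frame(lambda x, y: min(255, max(0, x * 8 + _rng.randint(-6, 6))))
CROPPED_REPLAY = make_frame(lambda x, y: 0 if (y < 4 and x >= 16) else x * 8)
FRESH_CAPTURE = make_frame(lambda x, y: 200 if (y < 4 and x < 12) else x * 8)

def evaluate(threshold):
    """Return the replay verdict for each sample frame at a given threshold."""
    history = [PREVIOUS_LOGIN]
    return {name: is_replay(frame, history, threshold)
            for name, frame in [("noisy_replay", NOISY_REPLAY),
                                ("cropped_replay", CROPPED_REPLAY),
                                ("fresh_capture", FRESH_CAPTURE)]}

if __name__ == "__main__":
    for t in (2, 5):
        print(t, evaluate(t))
```

At a threshold of 2 bits only the noisy replay is flagged; at 5 bits the cropped replay is caught too, but so is the fresh capture, which is the false positive the comment predicts.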

  4. Re:App appers app apps with selfie apps! by NEDHead · · Score: 2

    Per apps, per apps not

  5. Revoke? by Anonymous Coward · · Score: 2, Interesting

    Suppose it's as secure as a password.

    A password can be changed/revoked when you think it's insecure.
    Suppose we also had this kind of protection from photos. I wonder what it would look like.

    "He's smiling but didn't shave but looks bored" therefore it's authorized? "Wait, he revoked that as well" "umm, let's go with unshaven, fluffy bunny hat, asymmetric smile..."

    I know it's easier but it is not a password.

  6. So let me get this straight... by Ghostworks · · Score: 4, Interesting

    ...Mastercard is going to consider a selfie run through facial recognition to be as good as a fingerprint. So in order to be able to steal, say, Jessica's money, you need to have her card number and a large photo of her face you can hold up in front of your own face. Or if the transaction is monitored by a clerk who might be marginally competent, you can be more subtle and wear the photo on a tee-shirt, taking a photo of your chest to pay. Maybe the phone itself is the ID, and the selfie is just supposed to be proof that you are in possession of the phone? And all of this assumes that you have to upload the photo through an app and can't just text a saved image. If that's not true it's yet another point of failure.

    I suppose possessing a card and a photo (or card and phone?) is marginally better security than just card. But my PIN isn't on Facebook, or in my phone's camera folder, so this is worse than just entering a PIN on your phone. The only value of the scheme is in using the phone as a side channel (harder to snoop on than a public keypad), or as a form of ID all its own. So why not just put the existing identifier (the PIN) on the side channel, and not introduce a novel way to fail?

    This feels like when banks started letting you check your account over Twitter because they just "didn't get it."

    1. Re:So let me get this straight... by slashping · · Score: 2

      ...Mastercard is going to consider a selfie run through facial recognition to be as good as a fingerprint

      Could be correct. Fingerprints aren't very secure either.

  7. Re:Why not two factor? by JcMorin · · Score: 2

    Why not just an app on your phone that you click accept or deny? No need to enter a PIN...

  8. 'Privacy' agreement by kheldan · · Score: 2

    I'm sure part of the 'privacy' agreement that will go along with this, is the 'sharing' of the exemplar photo and/or fingerprints with their 'partner' companies, which no doubt will also include the government. For safety purposes, of course. Really, the government only wants to know where you are at all times and everything you're purchasing for your own safety, really they do!

    Bollocks.

    --
    Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
  9. At least it by goombah99 · · Score: 2

    Will work on Halloween unlike face recognition. But you'll have to stop using chat roulette or your bank account will be drained. I

    --
    Some drink at the fountain of knowledge. Others just gargle.
  10. Re:Most people want convenience. by cayenne8 · · Score: 3, Interesting

    I am NOT going to give my credit card companies, nor bank my picture or fingerprints.

    They don't need it and I don't want them to have them.

    Fuck it, if they try to force this in the US, I'll cancel my cards and just do all cash...which I try to do more and more every day anyway.

    --
    Light travels faster than sound. This is why some people appear bright until you hear them speak.........
  11. Re:Most people want convenience. by ShaunC · · Score: 3, Insightful

    My objection to using my fingerprints as a means of authentication is that they're permanent and irrevocable. If someone gets ahold of my passwords, I can change them. My fingerprints, not so much.

    --
    Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
  12. Re:Chip cards a step back by vux984 · · Score: 2

    That's not poor design, that's deliberate design.

    Too many people left things behind when it happened at once. So now the card doesn't come out until AFTER you take the money.

    (At least if you forget the card, it's probably not that big of a deal, since it's useless without the PIN.)

    Plus doing multiple things at once leads to much more difficult to handle error conditions; which is something you don't want to do when dealing with money. So each step is an atomic transaction. Don't do X until we know that Y was actually successful.