MasterCard Rolls Out 'Selfie' Verification For Mobile Payments

An anonymous reader writes: MasterCard has announced plans to invest in facial recognition technology in the UK, in a push to reduce false decline transactions and increase security for mobile payments. Following trials in countries including the U.S. and the Netherlands, 'Selfie Pay' will be introduced in Britain this summer as part of the financial services company's identity validation process. Users will be able to choose between finger scanning and face recognition for verification, instead of traditional passwords or PIN numbers. Consumers will be asked to upload their pictures to be stored on MasterCard servers [paywalled]. These registered images will then be used as a reference every time a user opts for facial verification during a transaction.

I'm going to upload a dick pic

Which will make things really awkward at the store.

Re:I'm going to upload a dick pic

Australia is way ahead of you.

What prevents the bad guys ..

What prevents the bad guys from taking a selfie of your picture?

Secure? or Convenient?

[QuietLagoon]

Is this really more secure? Or is it just more convenient?

Re:Secure? or Convenient?

You could get around this kind of "security" just by holding up a photo.

Re:Secure? or Convenient?

No, most of these applications are designed to mitigate that by asking for the person to blink or smile or something. Now: an emulated video feed might work once, but they should also be doing comparisons to previous logins to avoid the same video loop from being used multiple times. Simple crop/distort/stretch and additive noise to create variation should confound naive image hashing so they would do well to use image features to do that analysis but the false positive rate will go up the more sensitive they make the system.

What level of false positive rate is tolerable and what is the desired added difficulty to attackers?

So let me get this straight...

[Ghostworks]

...Mastercard is going to consider a selfie run through facial recognition to be as good as a fingerprint. So in order to be able to steal, say, Jessica's money, you need to have her card number and a large photo of her face you can hold up in front of your own face. Or if the transaction is monitored by a clerk who might be marginally competent, you can be more subtle and wear the the photo on a tee-shirt, taking a photo of your chest to pay. Maybe the phone itself is the ID, and the selfie just supposed to be proof that you are in possession of the phone? And all of this assumes that you have to upload the photo through an app and can't just text a saved image. If that's not true it's yet another point of failure.

I supposed possessing a card and a photo (or card and phone?) is marginally better security than just card. But my PIN isn't on Facebook, or in my phone's camera folder, so this is worse than just entering a PIN on your phone. The only value of the scheme is in using the phone as a side channel (harder to snoop on than a public keypad), or a as form of ID all it's own. So why not just put the existing identifier (the PIN) on the side channel, and not introduce novel way to fail?

This feels like when banks started letting you check your account over twitter because they just "didn't get it."

Re:Most people want convenience.

[cayenne8]

I am NOT going to give my credit card companies, nor bank my picture or fingerprints.

They don't need it and I don't want them to have them.

Fuck it, if they try to force this in the US, I'll cancel my cards and just do all cash...which I try to do more and more every day anyway.

Re:Most people want convenience.

[ShaunC]

My objection to using my fingerprints as a means of authentication is that they're permanent and irrevocable. If someone gets ahold of my passwords, I can change them. My fingerprints, not so much.