Slashdot Mirror

← Back to Stories (view on slashdot.org)

MasterCard Rolls Out 'Selfie' Verification For Mobile Payments (thestack.com)

Posted by timothy on from the remember-your-duress-grimace dept.

An anonymous reader writes: MasterCard has announced plans to invest in facial recognition technology in the UK, in a push to reduce false decline transactions and increase security for mobile payments. Following trials in countries including the U.S. and the Netherlands, 'Selfie Pay' will be introduced in Britain this summer as part of the financial services company's identity validation process. Users will be able to choose between finger scanning and face recognition for verification, instead of traditional passwords or PIN numbers. Consumers will be asked to upload their pictures to be stored on MasterCard servers [paywalled]. These registered images will then be used as a reference every time a user opts for facial verification during a transaction.

2 of 109 comments (clear)

  1. I'm going to upload a dick pic by Anonymous Coward · · Score: 5, Funny

    Which will make things really awkward at the store.

  2. So let me get this straight... by Ghostworks · · Score: 4, Interesting

    ...Mastercard is going to consider a selfie run through facial recognition to be as good as a fingerprint. So in order to be able to steal, say, Jessica's money, you need to have her card number and a large photo of her face you can hold up in front of your own face. Or if the transaction is monitored by a clerk who might be marginally competent, you can be more subtle and wear the the photo on a tee-shirt, taking a photo of your chest to pay. Maybe the phone itself is the ID, and the selfie just supposed to be proof that you are in possession of the phone? And all of this assumes that you have to upload the photo through an app and can't just text a saved image. If that's not true it's yet another point of failure.

    I supposed possessing a card and a photo (or card and phone?) is marginally better security than just card. But my PIN isn't on Facebook, or in my phone's camera folder, so this is worse than just entering a PIN on your phone. The only value of the scheme is in using the phone as a side channel (harder to snoop on than a public keypad), or a as form of ID all it's own. So why not just put the existing identifier (the PIN) on the side channel, and not introduce novel way to fail?

    This feels like when banks started letting you check your account over twitter because they just "didn't get it."