Euro Security Watch with Mathew J. Schwartz

Can Selfies Fight Payment Card Fraud? MasterCard Tests Facial Recognition App
MasterCard is set to trial a smartphone app that will let users authenticate themselves to approve online transactions using not just their fingerprint, but also their face, via the equivalent of taking a selfie. The goal is to battle payment card fraud, without users having to remember passwords.

What could go wrong? The answer is "quite a lot," as anyone who has ever seen John Woo's Face/Off, or any other film in which criminals or terrorists steal, swap or fake fingerprints, faces or eyeballs, will know.

Then again, a payment card transaction-verification app is not designed to defend state secrets. In fact, when it comes to authorizing transactions, arguably we just need systems that are "good enough," thus providing the right mix of security and convenience.

Apple's Touch ID - which allows users to use a fingerprint to unlock their device or authorize Apple Pay transactions - offers a great example. As each new version of Touch ID has been rolled out, security experts have quickly demonstrated a variety of techniques that can be used to fake out the fingerprint reader (see Apple iPhone 6 Touch ID Hacked). But no such attacks or related fraud have been reported outside the laboratory; no doubt there are easier ways to commit card fraud than stealing someone's iPhone and spoofing their fingerprint.

Manufacturers, Banks On Board

News of MasterCard's selfie trials was first reported by CNN, and MasterCard says the fraud-prevention app is currently being tested by about 500 people prior to a full launch. MasterCard already has agreements in place for the app to run on smartphones from major manufacturers - including Apple, BlackBerry, Google, Microsoft and Samsung - as well as with two large, unnamed banks, CNN reports. But certain details, such as how MasterCard plans to safeguard people's biometric data, have yet to be spelled out.

The app could become an alternative to MasterCard's SecureCode authentication, which asks people to enter parts of a password they have preregistered, whenever they make an online transaction. MasterCard says that system handled 3 billion transactions last year. But it's not perfect, in part because it relies on passwords (see Why Are We So Stupid About Passwords?).

Forget Passwords

"Passwords are a pain," Ajay Bhalla, chief product security officer at MasterCard, tells CNN. "They're a real problem. People forget it, people write it in places, and they get very surprised when a hacker gets into a particular website and then knows the passwords to all their accounts."

By comparison, the new app would be employed after users make an online purchase, to authenticate the transaction directly with MasterCard. According to a demonstration video posted on CNN, users first use the app to verify the amount of their payment, and then verify their identity by either using a fingerprint or taking a selfie. If users go the selfie route, the app requires them to blink.

Requiring a blink appears to be a liveness check: an attempt to stop the facial-recognition feature from being spoofed by someone who holds up a photograph of a face that has been registered on the device.
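To make that concrete, here is an added illustration of how a blink-based liveness check can work. It is not MasterCard's code and nothing about the trial's internals has been published; it uses the eye-aspect-ratio (EAR) measure from Soukupová and Čech's 2016 blink-detection paper, applied to six eye landmarks per frame in the order the dlib face-landmark model uses. The landmark sequences below are constructed inline rather than captured from a camera, so the block runs offline.

```python
"""Blink-based liveness check over a sequence of eye landmarks.

Added illustration, not MasterCard's or any vendor's code. EAR formula from
Soukupova and Cech (2016); all frame sequences below are constructed.
"""
from math import dist


def eye_aspect_ratio(eye):
    """eye: six (x, y) landmarks p1..p6 in dlib order (p1/p4 = corners,
    p2/p3 = upper lid, p6/p5 = lower lid).
    EAR = (|p2-p6| + |p3-p5|) / (2 * |p1-p4|): about 0.3 open, near 0 closed."""
    p1, p2, p3, p4, p5, p6 = eye
    vertical = dist(p2, p6) + dist(p3, p5)
    horizontal = dist(p1, p4)
    return vertical / (2.0 * horizontal)


def count_blinks(ear_series, closed_thresh=0.2, min_closed_frames=2):
    """Count blink events in a per-frame EAR series.

    A blink is a run of at least min_closed_frames consecutive frames with
    EAR below closed_thresh, followed by the eye reopening. A one-frame dip
    (landmark jitter) does not count, and an eye that closes and never
    reopens does not count either.
    """
    blinks = 0
    closed_run = 0
    for ear in ear_series:
        if ear < closed_thresh:
            closed_run += 1
        else:
            if closed_run >= min_closed_frames:
                blinks += 1
            closed_run = 0
    return blinks


def is_live(eye_frames, required_blinks=1, **kw):
    """True if the frame sequence contains at least required_blinks blinks."""
    ears = [eye_aspect_ratio(e) for e in eye_frames]
    return count_blinks(ears, **kw) >= required_blinks


def make_eye(openness):
    """Constructed eye: corners 6 units apart, lids 'openness' units apart.
    EAR works out to openness / 6, so 1.8 -> 0.3 (open), 0.3 -> 0.05 (closed)."""
    h = openness / 2.0
    return [(0.0, 0.0), (1.5, h), (4.5, h), (6.0, 0.0), (4.5, -h), (1.5, -h)]


# Constructed inputs. A printed photo held up to the camera gives the same
# open-eye landmarks in every frame; a live face closes for a few frames.
PHOTO_FRAMES = [make_eye(1.8)] * 30
LIVE_FRAMES = [make_eye(1.8)] * 10 + [make_eye(0.3)] * 3 + [make_eye(1.8)] * 10
NOISY_FRAMES = [make_eye(1.8)] * 5 + [make_eye(0.3)] + [make_eye(1.8)] * 5
NEVER_REOPENS = [make_eye(1.8)] * 5 + [make_eye(0.3)] * 5

if __name__ == "__main__":
    for name, frames in [("photo", PHOTO_FRAMES), ("live", LIVE_FRAMES),
                         ("noisy", NOISY_FRAMES), ("never reopens", NEVER_REOPENS)]:
        print(f"{name:14s} live={is_live(frames)}")
```

The caveat a practitioner would raise is that a blink check only defeats the static-photo attack. A replayed video, or a printout with the eyes cut out, still blinks, which is why stronger schemes prompt for a randomised action (blink now, turn left) or add depth or infrared sensing rather than relying on lid movement alone.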

"Google tried facial recognition on Android phones and there were a lot of problems in the early days," security researcher Ken Munro from Pen Test Partners tells the BBC. "People realized you could take a photo of somebody and present it to the camera, and the phone would unlock."

Nothing Is Perfect

Facial recognition is already a feature on Google Nexus devices, although Google warns: "This is less secure than a pattern, PIN or password. Someone who looks similar to you could unlock your phone."

Such a warning is a reminder that any type of authentication has upsides and downsides. That fact was demonstrated by Matthew Green, who teaches cryptography and information security at Johns Hopkins University, and who reported in December waking up to find that his finger had been placed on his iPhone's Touch ID to unlock it, by his seven-year-old son, who wanted to play Minecraft and Angry Birds Transformers. "Next thing he'll be asking for the make and model of my first car," he said.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.