Feeds

back to article PayPal's fizzog-based payments app rubbished over reliability worries

Shop assistants may be too thick to guarantee the security of Paypal's new real-world payment system, a leading security bod has cautioned. PayPal is currently trialling a new system that allows shoppers in the London suburb of Richmond to pay for stuff using their ugly mugs. Customers can pay for goods using their pocket …

COMMENTS

This topic is closed for new posts.
Anonymous Coward

no more cash by 2016?

What planet is this guy living on?

More and more people can't get credit in these financially tight times and are using cash even more than before.

Anyone on a budget can use cash to limit their weekly spend far better than any bit of plastic or mobile app. Nowt in the purse/wallet means I can't afford it this week/month.

Just look at the increase in popularity of the 'payday loans' companies (IMHO they should be wiped off the face of the planet...). This means that more people are cash strapped even in affluent Richmond.

We are also (here in the UK) an aging society despite the current increase in birthrate. As you get older you become naturally more conservative (with a little 'C') in your attitude to life. That includes spending money.

Lets pension this paypal guy off!

7
0

Facial recognition is inherently unreliable

Remember when all plastic cards were going to have the account holder's photo on the back? That idea was trialled and scrapped when it was found that shop staff failed to identify a blatantly different person most of the time[0]. It takes skill and practice to match a (probably bad) photograph to a stranger's face in a second or two. Difficult to see any layer of security here.

[0] I can't find a reference, sorry... and my memory is crap so this might all be rubbish.

2
0

Credit cards?

I don't know how many times I have seen checkout chicks charge groceries' to a card and don't even check the signature on the back matches what is signed.

1
1
Unhappy

Re: Credit cards?

haveing been handed back my card before siging the recipte i have signed donald duck..

i was tempted to contest the transaction but £20 on fuel was not worth the hassel of a new card.

1
0
Bronze badge
Holmes

Re: Facial recognition is inherently unreliable

Remember when all plastic cards were going to have the account holder's photo on the back? That idea was trialled and scrapped when it was found that shop staff failed to identify a blatantly different person most of the time.

Indeed. I know someone whose photo credit card was stolen and successfully used by someone of quite different appearance (race, gender, etc).

The problem is not just that shop staff "fail" to identify the frauds, but that it is not in their interest to make security checks -- it is the customer and/or the card company that lose out from the fraud, whereas the retailer will lose out from the detection of the fraud if it results in the loss of a sale.

Make the retailer liable for the fraud ... and you'll soon find that shops go back to only accepting cash!

1
0
Childcatcher

Re: Credit cards?

Signed!??

Must be 'Merkin - in the big bad world, we don't use signatures, we use PINs.

1
0
Silver badge

Re: Credit cards?

Here in the States we use a PIN for debit cards and a signature for credit cards. For purchases under $50 many retailers don't even require a signature.

0
0
Silver badge

Re: Credit cards?

I have been known to use my partner's debit card occasionally. Usually just to get cash out of the hole in the wall but I have used it in shops as well. Despite my beard and the obviously female name on the card no shop assistant has challenged me yet.

If they can't even be bothered to check that sex of the name on the card and the person in front of them are the same there is no way they can be relied on for any other kind of check.

1
0
Bronze badge

Re: Credit cards?

Not this UKian; never had a pin on my bank card, to the confusion of a lot of shop assistants

0
0
Silver badge

Re: Facial recognition is inherently unreliable

In the U.S. if a customer protests a card charge the merchant has to provide the receipt/electronic signature/PIN confirmation or they are liable for the charge plus a service fee.

If it's an online transaction the merchant already pays a much higher processing fee for the Card Not Present fraud offset and is also liable for a fraudulent charge plus the service fee.

In either case the merchant loses the money, pays a fine and loses the merchandise. The merchant service provider takes the money directly out of the merchants bank account, without consultation and you have to appeal to try and get your money back, which hardly ever happens.

0
0
Silver badge

So the assistant looks at a pic of a face ....

... looks at the customer, and OKs the transaction.

Absolutely no scope for fraud here whatsoever.

4
0
Silver badge

Too thick?

More like "too lazy". Shop assistants can't even be bothered to verify the name and signature on a credit card most of the time, what chance is there of getting them to verify a face?

And then just think of the Burka issue. Crooks will just wear a full veil and scream "persecution" when asked to remove it to verify their face. No junior saleskid in a shop is going to make a scene over that, they'll just wave the transaction through.

4
1
Silver badge

The purchaser has to know the PayPal account ID and password first

Then look enough like the account owner to pass casual inspection, plus the transaction comes from an identifiable device (a mobile phone). As far as I can see that's two if not three factor authentication and should be good enough for practical use.

1
4
Silver badge

Re: The purchaser has to know the PayPal account ID and password first

I'd say two factor, because presumably if you know the password, you can install the app and set up the account on any handset you like. I don't know if they use SMS or an automated phone call to tie it to a particular phone number. That would make it 3 factor.

0
0
Silver badge
WTF?

Re: The purchaser has to know the PayPal account ID and password first

@Steve Todd

The way I understood the system on initially reading it is that the phone is the 'something you have' and the face recognition will be used in lieu of a password, which is clearly unsafe as anyone resembling me could just pinch my phone and go on a shopping spree.

The way you are describing it, the user has to identify themselves by Paypal account ID and this is verified by the Paypal password + physical possession of the mobile phone, surely that already is a safe 2-factor authentication. But in this case, face recognition is completely redundant*

*except to vendors of facial recognition technology of course

0
0
Silver badge

Re: The purchaser has to know the PayPal account ID and password first

The user has to log in to the PayPal app on their phone, and then "check in" to the store they want to purchase from. This transfers their details to the store's checkout computers. When the person arrives at the checkout the sales person identifies them by their picture and the account is debited. The account details are wiped if they are not used within a set time.

0
0
WTF?

Re: The purchaser has to know the PayPal account ID and password first

I think I'll just stick to Chip-n-PIN - much simpler!

0
0
Silver badge

Re: The purchaser has to know the PayPal account ID and password first

Different argument. No one is stopping you using Chip & Pin, cash or whatever else you currently use to pay. This is an option if you don't have those handy, and its no less secure than them. The argument was that it was somehow wildly insecure.

0
2
Silver badge

Re: "the transaction comes from an identifiable device "

Oh, you mean "identifiable" like that "expert" who was confused between an Ipod and a Galaxy II S ?

Remember that one ?

0
1
Silver badge
FAIL

Re: "the transaction comes from an identifiable device "

Identifiable as in "has an attached telephone number and IMIE code". Is that confusing to you?

0
1
Silver badge

How about

> . . .

where customers will be able to leave their wallet or purse at home and pay using their phone or tablet.

. . . <

leaving your rubbish-bin-tracked mobile at home and taking money with you?

4
0
g e
Silver badge

Is there a transaction value upper limit?

Like 15 quid?

Cos you'd be pissed off if I went into a store with your phone I'd nicked and bought a 50" LED TV and slipped the checkout person 50 quid saying 'Have a drink on me. This is me *wink*'

1
0
Bronze badge

Yes, use Paypal for normal shopping ......

...... as they are so good at responding to fraud issues on Ebay already. Like when you send back an item, the vendor refuses to refund but tell Paypal they have. The service where if you need to contest any issues you can just lodge a complaint with your local banking ombudsman .... oh ...you can't.

I would say this is fantastic news for the least successful sibling from identical twins, triplets and so on.

5
0

Sledgehammer and nut.

Simply have the right change (or any change for that matter) and it's quicker than anything else.

£4.50 sir. There you go, £4.50 in change. Walks away.

£4.50 sir. Can I pay with my tablet? Sure sir. One minute, just waiting for the app to launch....

4
0
Anonymous Coward

"This is another step on the journey towards a wallet-less high street"

No it isn't! I'll stick to a credit card thanks. At least I'm afforded protections. While I dislike the credit card firm monopolies, their system does work. I've been living in over 20 different countries in recent years, countries that typically have a spotty record on card fraud. When things have gone wrong, the card issuer has addressed the problem immediately and without requiring me to fill out reports. The credit card system is still good enough. Whereas the sheer number of phone / tablet security holes and man in the middle type attacks is worrisome....

2
0

I have an idea

I have an idea which is better than Paypal. How about we all get together and agree on a set of generalised value tokens with pre-specified numerical worth. A central accounting system (which would be provided by organisations such as banks and employers) would issue every citizen with a negotiated number of tokens on a regular basis. To pay, simply hand the shopkeeper an appropriate number of tokens. With modern technology, these could be quite hard to forge and yet still be cheap to produce and easy to carry. You could even have different coloured user-friendly tokens to represent a convenient range of generalised values, although I admit that some backward parts of the developed world would need to upgrade their visual recognition systems to permit this.

At present I call this project the "marketable open numismatic-enabled yield" system but I want the community to help here with a better name as the present acronym, "money" probably won't catch on.

6
1

But it's important

But it's important that people stop using cash. How else are the government going to track what you had for lunch?

1
0

What if ...

I cut off someone's head and take that with their minislab to a shop? Will that work?

I think we should be told if there are measures in place to prevent "Guillotine Fraud" by PayPal.

0
0

20 years ago was working with Datacard on picture on card credit cards. Their conclusion was that no shop assistant worth their salt would risk their lives for the then $50 bounty on a card where the photo did not match the offerer of the card.... many shop assistant were being attacked.

Nothing has changed from the later 1980s,, Paypal have alreadsy lost that one

1
0
This topic is closed for new posts.