Mastercard facial recog-ware will unlock your money using SELFIES

Mastercard will begin using selfies as a means to verify payments, it is being said. The "innovation" will allow some 500 pilot users to take a photo instead of punching in PINs, a move MasterCard chief product security officer Ajay Bhalla says will be popular with youth. Bhalla told CNN Mastercard partnered with all phone …

  1. Steve Davies 3 Silver badge

    What idiot thought this one up?

    Were they from Japan by any chance?

    No, no and thrice No.

    Remember folks that the 'selfie' will have your GPS location tagged in it. Woe betide you if you happen to capture the little bit on the side as you take your 'selfie'.....

    1. Gene Cash Silver badge

      Re: What idiot thought this one up?

      I don't know about Apple, but at least the stock Android camera app has "turn off geolocation" and I've looked at the EXIF headers and it's off.

      But no. Taking a picture of my face would crack the lens.

    2. Anonymous Coward

      Re: What idiot thought this one up?

      That doesn't make sense. The geolocation is added by the app taking the picture - e.g. the camera app, not by the camera itself. This is a 'biometric recognition system' which uses the camera to take a picture to recognise you. It doesn't transmit that picture to anyone, but could also send your location (regardless of taking a picture) or not depending on the app (you can always turn off location services if you want to).

      However for security it might be better to confirm your location (for fraud analysis) to make sure that it is likely to be a genuine purchase. In fact if it could verify that my current location is a 'trusted' one but allow me to deliver to a different address that is not the same as my registered one it would actually be very useful. If you're worried about your card company knowing your location then you really do need to think carefully about whether you should be using cards at all - they have a massive data collection of your details. All your most personal, plus full credit checks, a lot of your financial information, where you shop, what you buy etc.

    3. JCitizen
      Coffee/keyboard

      Re: What idiot thought this one up?

      Also - what about a replay attack? If the app refused authentication for absolutely identical shots, it would prevent malware recording the session and simply replaying it.
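
An added example, not part of the original thread and not Mastercard's design: a server-side check that rejects byte-identical captures, as the comment above suggests, and additionally ties each capture to a one-time challenge. The class, function names, the shared device key and the sample bytes are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time


def sign_capture(device_key: bytes, nonce: str, capture: bytes) -> str:
    """Device side: bind this capture to the server's one-time challenge."""
    msg = nonce.encode() + hashlib.sha256(capture).digest()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


class ReplayGuard:
    """Server side: one-time challenges plus rejection of identical captures."""

    def __init__(self, ttl: float = 30.0):
        self.ttl = ttl
        self.pending = {}   # nonce -> expiry time
        self.seen = set()   # SHA-256 of every capture already accepted

    def issue_challenge(self, now=None) -> str:
        now = time.time() if now is None else now
        nonce = secrets.token_hex(16)
        self.pending[nonce] = now + self.ttl
        return nonce

    def check(self, device_key, nonce, capture, tag, now=None) -> str:
        now = time.time() if now is None else now
        expiry = self.pending.pop(nonce, None)  # a challenge is usable once
        if expiry is None:
            return "unknown-or-reused-challenge"
        if now > expiry:
            return "challenge-expired"
        if not hmac.compare_digest(tag, sign_capture(device_key, nonce, capture)):
            return "bad-tag"
        digest = hashlib.sha256(capture).hexdigest()
        if digest in self.seen:  # byte-identical to an earlier shot
            return "duplicate-capture"
        self.seen.add(digest)
        return "ok"
```

The duplicate check only catches byte-identical shots; a recorded session that is re-encoded gets a new digest, which is why the one-time challenge is checked first.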

  2. kdh0009
    Facepalm

    What?

    "The new generation, which is into selfies ... I think they'll find it cool." - Not exactly high on the list of specifications required for a payment authorisation system, coolness.

    "You can choose to use your fingerprint or your face - you tap it.." - Obligatory face-phone. Because facial recognition for security purposes has a long and storied history of being bollocks.

  3. PleebSmash
    Paris Hilton

    fad/marketing intern

    End of days? Nah.

    El Reg was doing some pretty serious reporting on Second Life 8-9 years ago. What happened with that?

  4. frank ly

    Heartbeat recognition??

    Very exciting!

    1. Phil O'Sophical Silver badge
      Coat

      Re: Heartbeat recognition??

      Very exciting!

      Do they have special processing algorithms for purchases made at Alton Towers, or in "massage" parlours?

  5. Christian Berger

    Essentially they don't care about fraudulent transactions

    Every fraudulent transaction that isn't found just means more turnover, and the ones that need to be reversed cost virtually no money.

  6. jake Silver badge

    Yet another clueless "security" spokes-head.

    "Users will need to hold their mobile phones at eye-level and blink once when instructed for the check-me-out checkout process to complete. That process is designed to thwart obvious attacks where attackers could use a still image of a victim to verify fraudulent payments."

    Apparently, Bhalla's never seen people use image manipulation software.

    1. Little Mouse

      Re: Yet another clueless "security" spokes-head.

      "The new generation, which is into selfies ... I think they'll find it cool"

      That's the kind of thing my dad would say.

      1. Small Furry Animal

        Re: Yet another clueless "security" spokes-head.

        @Little Mouse, +1 for that.

        Bhalla is absolute proof that age does not automatically confer wisdom..*

        SFA

        * I can't believe I'm saying that; I'm 65

      2. Just Enough

        Re: Yet another clueless "security" spokes-head.

        "The new generation, which is into selfies ... I think they'll find it cool"

        "The young folks will be totally hip to this rad new wave of payment solutions. 'Get down with the selfie credit card, dadio' is what they'll be saying around the soda fountains. The kids will fill the Hit Parade with smash 45s about it, and all the coolest cats from school will be doing "The Blink" dance at the after-school hop."

        1. Laura Kerr

          Re: Yet another clueless "security" spokes-head.

          I kinda wish you hadn't said that; I'm old enough to remember that sort of babble when it didn't sound stupid.

    2. PrivateCitizen
      Unhappy

      Re: Yet another clueless "security" spokes-head.

      Apparently, Bhalla's never seen people use image manipulation software.

      Also it indicates that there are many other stages to attack than just the photo session.

      Bhalla says the image like other biometric forms will be converted to a format such that a person's photo is neither stored nor transmitted in its normal construction.

      So the "verification" aspect isn't actually a photo comparison in the way human eyes would do it. It is likely that the process involves capturing some key data (ratio of distance between eyes and width of mouth or whatever voodoo they want here) and then hashing it to send back for a verification check.

      Not only does it open the door for many more attacks on the mobile device and its transmission signal, but it also seems fraught with false negatives at the checkout point.

      Sense - I see none here.

    3. Anonymous Coward

      Re: Yet another clueless "security" spokes-head.

      "Apparently, Bhalla's never seen people use image manipulation software."

      Interestingly you'd need to do photo manipulation and have it blink but without it being on a display device (as the software could easily detect that). So you would need some kind of moving picture that doesn't use a projector or a light emitting display device. Possibly a very high res full colour e-paper solution? These are difficult to find in the real world.

      Therefore I would say it could currently "thwart obvious attacks" but is not fully secure. But then again what is?

      1. Anonymous Coward
        Unhappy

        Re: Yet another clueless "security" spokes-head.

        >Therefore I would say it could currently "thwart obvious attacks" but is not fully secure. But then again what is?

        Thwarting obvious attacks is not enough. It needs to thwart attacks by people whose job is credit card fraud.

        1. Anonymous Coward

          Re: Yet another clueless "security" spokes-head.

          The reply was to a comment about the term "thwart obvious attacks". Whether obvious attacks are a significant bar to adoption is a different discussion.

          In the realm of credit cards we have signature & magstripe, pins, contactless, CNP phone payments etc none of these are secure, most don't even thwart an obvious attack. This new system isn't meant to be an ultra secure system as far as I can see and imho is not a great solution.

          1. Graham Marsden
            Facepalm

            Re: Yet another clueless "security" spokes-head.

            > That process is designed to thwart obvious attacks where attackers could use a still image of a victim

            So, let's see: How about I get a picture of someone, wear it as a mask so my eyes are looking through the eye-holes and then blink when it says?

            Hmm, of course that's not obvious, is it???

  7. Mark 85

    Simple solution...

    <shakes head and cuts up MasterCard>

    <calls and cancels account>

    1. Anonymous Coward

      Re: Simple solution...

      Your problem (and the problem in general) is that you don't actually have an account with MasterCard - you have it with a credit provider who then uses the MasterCard system.

      There is so much wrong with card payments as they stand it's hard to know where to begin but I can tell you one thing for sure: any solution will not come from Visa, MasterCard, Discover (etc). The middlemen make money, whatever happens. So, knowing good ol' US business traditions, what do you think they would choose? Fixing the system so you're safer, but it would cost a lot of money (due to a fairly massive hardware platform), or letting you suffer the results - at no extra cost or risk to themselves?

      Yes, exactly.

  8. Flocke Kroes Silver badge

    Interesting

    Steal a phone, root it, add a fake camera device that loops a short video of someone blinking. Drawing eye-lids on a photo already stored on the phone would probably be sufficient.

    For some reason, this plan does not inspire confidence.

  9. Nigel Brown

    Checks article date for April 1st date tag....

    Nope, not a joke.

    Stop the world, I want to get off.

    1. swampdog

      Stop the world, I want to get off.

      You can't because corpses can't blink. Now when our time is up, it's ye olde late night wheelie bin coffin.

  10. Paul Crawford Silver badge

    So when you want to purchase something with only a crappy GPRS link available (or none at all), what then?

  11. AndrueC Silver badge
    Thumb Down

    The "innovation" will allow 500 pilot users to take a photo instead of punching in PINs, a move MasterCard chief product security officer Ajay Bhalla says will be popular with youth.

    Does 'youth' have enough money to make them a target in the first place? I reckon the 'no longer youth' crowd have more to protect and will be less impressed by this idea.

  12. M7S

    If this starts to hold up payment queues as people struggle to get it to work

    then I anticipate a whole new meaning to the word "photobomb"

  13. Jimboom

    ohh dear lord no

    Please don't give people an excuse to call selfie sticks part of their "security procedure"... because you know they will.

  14. MrXavia
    FAIL

    Easier to defeat than fingerprints!

    Steal youngster's phone, won't get reported for hours because they've forgotten how to dial a phone number from a normal phone (or they've never done it)

    Will already have tons of selfies stored on board.

    Small bit of software to fake a blink.. OR use one of those crappy selfie videos where they are sure to blink.

    I'll stick to a pin number thank you.. BUT could I PLEASE have an 8 digit pin? 4 is too short....

  15. Gideon 1

    Remember that this is in the US, where they are only just starting to roll out chip and pin.

  16. JimmyPage Silver badge
    Meh

    What part of this is news ?

    Face recognition - old hat

    Face recognition as security - old hat (my Android tablet has done it for 2+ years)

    Payment verification - old hat

    Biometric payment verification - old hat.

    Or is it a Friday grump ?

  17. Just Enough
    FAIL

    Stock Photo Fail

    That stock "selfie" photo on the article.

    Is no-one going to tell them they're doing it wrong?

  18. Valerion

    Awesome

    All I need is one of those cutout masks of Simon Cowell from the party shop, put that up to my face - they already have holes for eyes so my eyes can substitute - and I can buy anything I like!

  19. GrumpenKraut
    Mushroom

    But, but, "payment experience"!

    "Shove marketdroid into meatgrinder" now on my to-do list.

  20. Yugguy

    Pandering to youth

    I am SO bored with this constant preoccupation with pandering to youth.

    Young people are basically stupid, lacking the perspective to make fully informed choices.

    Kids, especially boys, should be buried at 11 and dug up at 30.

    1. Mark 85
      Devil

      Re: Pandering to youth

      Some believe the barrel system is best.. put the kid in a wooden barrel at age 5... keep them there. At age 18, decide whether to remove the lid and let them out or drive in the bung.

    2. Laura Kerr
      Thumb Up

      Re: Pandering to youth

      "Young people are basically stupid, lacking the perspective to make fully informed choices."

      And that is exactly why marketeers pander to yoof. It's easier to flog them overpriced shiny crap, because they're more gullible and don't have the life experience to understand the consequences of what they're getting into. And once you've got them young, you've got them for ever.

      God, I sound like my dad. But OTOH, I'm beginning to see that he did have a point occasionally.

  21. biomio

    This is a bit oversimplified. A good PIN-less system would be flexible enough to give user and/or provider a choice of selfie / fingerprint / location so selfie wouldn't be required but an option. Typically selfies are server-based biometrics and as such have pros and cons. Fingerprints are client-based (don't send data to the server). Location does send the data. If you're interested, chat me up at dan @ biom. io - we make a flexible passwordless auth stack like that and getting ready to open source it.

  22. Anonymous Blowhard

    What problem are they trying to solve with this?

    Oh I know:

    "How can we make people think MasterCard is run by fuckwits?"

  23. CanadianMacFan

    New MasterCard ads

    (Don't know if they ran the ads in the UK but they had a series of them in Canada.)

    Paying for an over-priced Starbucks coffee... $3.75

    Getting the cute barista's phone number with extravagant tip... $5

    Looking like a twat while taking a selfie to pay for it all... priceless.

    There are some things money can’t buy. For everything else, there’s MasterCard.

  24. phil dude
    Coat

    image recognition doesn't need a blindfold...

    who says it has to be your *face* you give as an image....

    P.

  25. Arachnoid
    Holmes

    Still image

    A semi life size image with a slider where the eye is would make blinking on time easy. Haven't we been here before anyway with facial recognition? It's all hokum dressed up as the next big security solution.

    "You can't because corpses can't blink."

    You can actually with a needle and cotton

  26. Jin

    Probably moving in a wrong direction

    Whether iris, face, fingerprint, typing, gesture, heartbeat or brainwave, biometric authentication could be a candidate for displacing the password if/when (only if/when) it has stopped depending on a password to be registered in case of false rejection while keeping the near-zero false acceptance.

    Threats that can be thwarted by biometric products operated together with fallback/backup passwords can be thwarted more securely by passwords alone. We could be certain that biometrics would help for better security only when it is operated together with another factor by AND/Conjunction (we need to go through both of the two), not when operated with another factor by OR/Disjunction (we need only to go through either one of the two) as in the cases of Touch ID and many other biometric products on the market that require a backup/fallback password, which only increase the convenience by bringing down the security.

    In short, biometric solutions could be recommended to the people who want convenience but should not be recommended to those who need security. It may be interesting to have a quick look at a slide titled “PASSWORD-DEPENDENT PASSWORD-KILLER” shown at

    http://www.slideshare.net/HitoshiKokumai/password-dependent-passwordkiller-46151802
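
An added worked example, not part of the original thread: the AND/OR argument in the comment above, computed for independent factors. The false-acceptance (FAR) and false-rejection (FRR) rates are constructed for illustration, and independence between factors is an assumption.

```python
from math import prod


def combine(factors, mode):
    """Return (FAR, FRR) for independent factors given as (far, frr) pairs.

    mode "and": every factor must pass; mode "or": any single factor suffices.
    """
    fars = [far for far, _ in factors]
    frrs = [frr for _, frr in factors]
    if mode == "and":
        # An impostor must beat all factors; the genuine user fails if any fails.
        return prod(fars), 1 - prod(1 - r for r in frrs)
    if mode == "or":
        # An impostor needs to beat only one; the genuine user fails only if all fail.
        return 1 - prod(1 - a for a in fars), prod(frrs)
    raise ValueError("mode must be 'and' or 'or'")


# Constructed rates, not measurements of any product.
PASSWORD = (1e-4, 0.02)    # (chance a guess is accepted, chance the user forgets it)
BIOMETRIC = (1e-3, 0.05)   # (false match rate, false non-match rate)


def compare_policies():
    return {
        "password alone": combine([PASSWORD], "and"),
        "biometric OR password": combine([BIOMETRIC, PASSWORD], "or"),
        "biometric AND password": combine([BIOMETRIC, PASSWORD], "and"),
    }


if __name__ == "__main__":
    for name, (far, frr) in compare_policies().items():
        print(f"{name:24s} FAR={far:.7f} FRR={frr:.4f}")
```

With these rates the OR policy is easier on the genuine user but accepts impostors more often than the password alone, while the AND policy does the reverse.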
