PayPal's fizzog-based payments app rubbished over reliability worries

Shop assistants may be too thick to guarantee the security of Paypal's new real-world payment system, a leading security bod has cautioned. PayPal is currently trialling a new system that allows shoppers in the London suburb of Richmond to pay for stuff using their ugly mugs. Customers can pay for goods using their pocket …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    no more cash by 2016?

    What planet is this guy living on?

    More and more people can't get credit in these financially tight times and are using cash even more than before.

    Anyone on a budget can use cash to limit their weekly spend far better than any bit of plastic or mobile app. Nowt in the purse/wallet means I can't afford it this week/month.

    Just look at the increase in popularity of the 'payday loans' companies (IMHO they should be wiped off the face of the planet...). This means that more people are cash strapped even in affluent Richmond.

    We are also (here in the UK) an aging society despite the current increase in birthrate. As you get older you become naturally more conservative (with a little 'C') in your attitude to life. That includes spending money.

    Let's pension this PayPal guy off!

  2. Ian Chard

    Facial recognition is inherently unreliable

    Remember when all plastic cards were going to have the account holder's photo on the back? That idea was trialled and scrapped when it was found that shop staff failed to identify a blatantly different person most of the time[0]. It takes skill and practice to match a (probably bad) photograph to a stranger's face in a second or two. Difficult to see any layer of security here.

    [0] I can't find a reference, sorry... and my memory is crap so this might all be rubbish.

    1. Allan Thomas

      Credit cards?

      I don't know how many times I have seen checkout chicks charge groceries to a card and not even check the signature on the back matches what is signed.

      1. <shakes head>
        Unhappy

        Re: Credit cards?

        Having been handed back my card before signing the receipt, I have signed Donald Duck.

        I was tempted to contest the transaction but £20 on fuel was not worth the hassle of a new card.

      2. Steve Renouf
        Childcatcher

        Re: Credit cards?

        Signed!??

        Must be 'Merkin - in the big bad world, we don't use signatures, we use PINs.

        1. Don Jefe

          Re: Credit cards?

          Here in the States we use a PIN for debit cards and a signature for credit cards. For purchases under $50 many retailers don't even require a signature.

        2. Anonymous Coward

          Re: Credit cards?

          Not this UKian; never had a PIN on my bank card, to the confusion of a lot of shop assistants.

      3. Irongut

        Re: Credit cards?

        I have been known to use my partner's debit card occasionally. Usually just to get cash out of the hole in the wall but I have used it in shops as well. Despite my beard and the obviously female name on the card no shop assistant has challenged me yet.

        If they can't even be bothered to check that the sex of the name on the card and the person in front of them are the same, there is no way they can be relied on for any other kind of check.

    2. dajames
      Holmes

      Re: Facial recognition is inherently unreliable

      Remember when all plastic cards were going to have the account holder's photo on the back? That idea was trialled and scrapped when it was found that shop staff failed to identify a blatantly different person most of the time.

      Indeed. I know someone whose photo credit card was stolen and successfully used by someone of quite different appearance (race, gender, etc).

      The problem is not just that shop staff "fail" to identify the frauds, but that it is not in their interest to make security checks -- it is the customer and/or the card company that lose out from the fraud, whereas the retailer will lose out from the detection of the fraud if it results in the loss of a sale.

      Make the retailer liable for the fraud ... and you'll soon find that shops go back to only accepting cash!

      1. Don Jefe

        Re: Facial recognition is inherently unreliable

        In the U.S. if a customer protests a card charge the merchant has to provide the receipt/electronic signature/PIN confirmation or they are liable for the charge plus a service fee.

        If it's an online transaction the merchant already pays a much higher processing fee for the Card Not Present fraud offset and is also liable for a fraudulent charge plus the service fee.

        In either case the merchant loses the money, pays a fine and loses the merchandise. The merchant service provider takes the money directly out of the merchant's bank account, without consultation, and you have to appeal to try and get your money back, which hardly ever happens.

  3. Frankee Llonnygog

    So the assistant looks at a pic of a face ....

    ... looks at the customer, and OKs the transaction.

    Absolutely no scope for fraud here whatsoever.

  4. Phil O'Sophical Silver badge

    Too thick?

    More like "too lazy". Shop assistants can't even be bothered to verify the name and signature on a credit card most of the time, what chance is there of getting them to verify a face?

    And then just think of the Burka issue. Crooks will just wear a full veil and scream "persecution" when asked to remove it to verify their face. No junior saleskid in a shop is going to make a scene over that, they'll just wave the transaction through.

  5. Steve Todd

    The purchaser has to know the PayPal account ID and password first

    Then look enough like the account owner to pass casual inspection, plus the transaction comes from an identifiable device (a mobile phone). As far as I can see that's two if not three factor authentication and should be good enough for practical use.

    1. jonathanb Silver badge

      Re: The purchaser has to know the PayPal account ID and password first

      I'd say two factor, because presumably if you know the password, you can install the app and set up the account on any handset you like. I don't know if they use SMS or an automated phone call to tie it to a particular phone number. That would make it 3 factor.

    2. James Micallef Silver badge
      WTF?

      Re: The purchaser has to know the PayPal account ID and password first

      @Steve Todd

      The way I understood the system on initially reading it is that the phone is the 'something you have' and the face recognition will be used in lieu of a password, which is clearly unsafe as anyone resembling me could just pinch my phone and go on a shopping spree.

      The way you are describing it, the user has to identify themselves by Paypal account ID and this is verified by the Paypal password + physical possession of the mobile phone, surely that already is a safe 2-factor authentication. But in this case, face recognition is completely redundant*

      *except to vendors of facial recognition technology of course

      1. Steve Todd

        Re: The purchaser has to know the PayPal account ID and password first

        The user has to log in to the PayPal app on their phone, and then "check in" to the store they want to purchase from. This transfers their details to the store's checkout computers. When the person arrives at the checkout the sales person identifies them by their picture and the account is debited. The account details are wiped if they are not used within a set time.

        1. Steve Renouf
          WTF?

          Re: The purchaser has to know the PayPal account ID and password first

          I think I'll just stick to Chip-n-PIN - much simpler!

          1. Steve Todd

            Re: The purchaser has to know the PayPal account ID and password first

            Different argument. No one is stopping you using Chip & PIN, cash or whatever else you currently use to pay. This is an option if you don't have those handy, and it's no less secure than them. The argument was that it was somehow wildly insecure.

    3. Pascal Monett Silver badge

      Re: "the transaction comes from an identifiable device "

      Oh, you mean "identifiable" like that "expert" who was confused between an iPod and a Galaxy II S ?

      Remember that one ?

      1. Steve Todd
        FAIL

        Re: "the transaction comes from an identifiable device "

        Identifiable as in "has an attached telephone number and IMEI code". Is that confusing to you?

  6. andreas koch

    How about

    > . . .

    where customers will be able to leave their wallet or purse at home and pay using their phone or tablet.

    . . . <

    leaving your rubbish-bin-tracked mobile at home and taking money with you?

  7. g e

    Is there a transaction value upper limit?

    Like 15 quid?

    Cos you'd be pissed off if I went into a store with your phone I'd nicked and bought a 50" LED TV and slipped the checkout person 50 quid saying 'Have a drink on me. This is me *wink*'

  8. Eradicate all BB entrants

    Yes, use Paypal for normal shopping ......

    ...... as they are so good at responding to fraud issues on eBay already. Like when you send back an item, the vendor refuses to refund but tells PayPal they have. The service where if you need to contest any issues you can just lodge a complaint with your local banking ombudsman .... oh ... you can't.

    I would say this is fantastic news for the least successful sibling from identical twins, triplets and so on.

  9. William 3 Bronze badge

    Sledgehammer and nut.

    Simply have the right change (or any change for that matter) and it's quicker than anything else.

    £4.50 sir. There you go, £4.50 in change. Walks away.

    £4.50 sir. Can I pay with my tablet? Sure sir. One minute, just waiting for the app to launch....

  10. Anonymous Coward

    "This is another step on the journey towards a wallet-less high street"

    No it isn't! I'll stick to a credit card thanks. At least I'm afforded protections. While I dislike the credit card firm monopolies, their system does work. I've been living in over 20 different countries in recent years, countries that typically have a spotty record on card fraud. When things have gone wrong, the card issuer has addressed the problem immediately and without requiring me to fill out reports. The credit card system is still good enough. Whereas the sheer number of phone / tablet security holes and man in the middle type attacks is worrisome....

  11. Tannin

    I have an idea

    I have an idea which is better than Paypal. How about we all get together and agree on a set of generalised value tokens with pre-specified numerical worth. A central accounting system (which would be provided by organisations such as banks and employers) would issue every citizen with a negotiated number of tokens on a regular basis. To pay, simply hand the shopkeeper an appropriate number of tokens. With modern technology, these could be quite hard to forge and yet still be cheap to produce and easy to carry. You could even have different coloured user-friendly tokens to represent a convenient range of generalised values, although I admit that some backward parts of the developed world would need to upgrade their visual recognition systems to permit this.

    At present I call this project the "marketable open numismatic-enabled yield" system but I want the community to help here with a better name as the present acronym, "money" probably won't catch on.

  12. jb99

    But it's important

    But it's important that people stop using cash. How else are the government going to track what you had for lunch?

  13. Julian Taylor

    What if ...

    I cut off someone's head and take that with their minislab to a shop? Will that work?

    I think we should be told if there are measures in place to prevent "Guillotine Fraud" by PayPal.

  14. dark1here

    20 years ago I was working with Datacard on picture-on-card credit cards. Their conclusion was that no shop assistant worth their salt would risk their lives for the then $50 bounty on a card where the photo did not match the offerer of the card.... many shop assistants were being attacked.

    Nothing has changed from the later 1980s, PayPal have already lost that one.
