“Passwords are a pain,” said MasterCard Chief Product Security Officer Ajay Bhalla.
Then he delineated the terrible things we do to strip them of their security dignity: by forgetting them, writing them down, and of course a few he neglected to mention, like cooking up passcodes that are limp and easy-to-guess or by just giving them away to TV reporters.
Then, after those raggedy little beggars get into the hands of crooks, password reuse multiplies the misery, he said:
They get very surprised when a hacker gets into a particular website and then knows the passwords to all the websites.
So here’s MasterCard’s plan to kill passwords: pay-by-face for online transactions.
As CNNMoney reports, MasterCard will start experimenting with a program to approve online purchases with a facial scan starting this autumn.
It also plans to enable customers to use another biometric authentication factor – fingerprints – via a downloadable app.
As well, MasterCard told Computer Business Review, it’s looking at introducing voice recognition and is already working with Nymi to use a person’s heartbeat in a future version of the app.
The credit card company will recruit 500 UK customers to trial the new pay-by-face or -fingerprint approval method.
MasterCard is reportedly partnering with Apple, BlackBerry, Google, Microsoft and Samsung to use their devices in the trials.
It’s still finalizing deals with two major banks, so it’s not ready to say which banks’ customers will first get to use pay-by-face.
This is how it will work:
- Download the MasterCard phone app.
- After you pay for something, a pop-up will ask for authorization.
- If you opt to use a fingerprint, you just have to touch the screen. If you instead choose to use facial recognition, you stare at the phone and then blink once.
CNNMoney says that MasterCard’s security researchers decided blinking is the best way to prevent a thief from just holding up a picture of you to fool the system.
Is it? Hmmm!
There’s a distinct aura of deja vu with this facial recognition technology.
For one thing, Chinese e-commerce megabrand Alibaba announced in March that it wants to use selfies for payment processing.
Authentication-by-face goes back further still, of course, as do the efforts of security researchers to foil it.
Google, for example, in June 2013 filed a patent for a technique to unlock your computing devices by grimacing to prove you’re alive, as opposed to a photo being held up by, say, a phone thief.
Or by a little brother. Or, well, by anyone.
The patent was one of Google’s multiple attempts to shore up the easily fooled Face Unlock feature introduced in the Ice Cream Sandwich version of Android, which could initially be defeated simply by holding a photo of the owner up to the phone.
An earlier remedy, the blink-detecting Liveness Check, fared little better: researchers found it a snap to fool with just a few minutes of editing, animating a still photo so the subject appeared to flutter their eyelashes.
That was back in 2012.
One would imagine that MasterCard’s security researchers are aware of the ways that Liveness Check was duped, and that advances in facial recognition/liveness checks have been put to good use to make MasterCard’s pay-by-face technology more secure, but time – and other curious security researchers – will tell.
As far as MasterCard amassing massive databases of people’s faces or fingerprints goes, the credit card company said that its fingerprint scans will create a code that stays on the device.
The facial recognition scan will map out a user’s face, convert it, and then send that data to MasterCard.
In short, Bhalla told CNNMoney, MasterCard won’t be able to reconstruct your face.
The data will be transmitted securely, he said (no details about encryption or the like were mentioned), and the company will stash the information securely on its servers (again, no details of how exactly the information will be kept secure were forthcoming).
Who cares about the details? <–teensy bit of sarcasm!
Pay-by-face is cool! Or so says Bhalla:
The new generation, which is into selfies ... I think they'll find it cool. They'll embrace it.
Maybe they will. Or maybe they’ll embrace paying friends peer-to-peer (P2P) on Facebook Messenger.
Or maybe they’ll think Apple Pay or Google Wallet, both of which use tap-and-pay fueled by Near Field Communication (NFC), is cool.
Or maybe all of the above!