How would you like to be in the middle of an online payment, and instead of being asked to type a password you are asked to say CHEESE! From The Telegraph:
Mastercard is testing new app that could allow customers to make purchases online by taking a selfie rather than entering a password.
Currently, Mastercard customers use a system called SecureCode to verify their identity while shopping online. This requires them to enter a password at the point of sale.
However, passwords can easily be forgotten, stolen or intercepted, so a number of financial organisations and technology companies are experimenting with biometrics as an alternative form of identification.
Participants in Mastercard’s trial will be prompted to snap a photograph of their face using the Mastercard app on their smartphone at the online checkout point, rather than entering a password.
Mr Bhalla said that MasterCard will not be able to reconstruct the user’s face from the data, and that the information will be transmitted and stored securely.
The company is currently testing the technology with 500 customers, and is planning a broader trial for later this year. It is also experimenting with other forms of identification such as fingerprint scanning and voice recognition.
I would like to know what problem they are really trying to solve. Sure nobody can remember all of their passwords. But that’s not the only way to authenticate a credit card. We do it with ZIP codes today at gas stations, and that’s pretty reasonable (unless you aren’t from the US).
Maybe they are trying to combat stolen credit card numbers online, like all the breaches we hear about so much. Well, then just print another number on the back of the card and have the customer enter that number into the app. This new magic number would never be recorded in the transaction at the point of sale, so it couldn’t be acquired in a bulk online theft.
This sounds fairly interesting to make a selfie credit card purchase. Banks and credit card companies are some of the most security minded entities you can find. However, I see a few things that worry me, though.
- Will the face recognition software always recognize me? If I just got hit in the face with a softball and my eye is swollen shut, will I be able to pay the doctor?
- What if I’m in an area with no cellphone reception and no WiFi?
- Will my twin brother be able to use my credit card?
- What if I loan my card to my daughter because I want her to make a purchase? What if she “borrows” it and I don’t want her to make a purchase?
- Who else gets access to the clump of facial data that Mastercard is storing? If the credit card company sends it to the government and the government uses the same facial recognition software, they will certainly track me everywhere they have cameras setup. Not that they aren’t already doing that with my phone.
- It should be straightforward to calculate the equivalent of a password hash on my face and send it over a secure channel to Mastercard. But is that what’s happening? Is the phone doing the magic calculations and sending the crunched data to Mastercard for comparison? Or is it sending the picture and letting Mastercard crunch the numbers? I’d feel more comfortable with the former. Something creeps me out about having my credit card company storing all of my selfies.
As is my personal policy, I will be skipping this technological “advance” until it is fully vetted for both security and privacy.
How many of those scenarios did you think of? Did you think of others? Would you try this technology if it were offered to you now? What other ideas do you have instead of selfies? Let me know in the comments below!