26

MasterCard is aiming to replace passwords with selfies. Link 1 Link 2 Link 3

The Identity Check Mobile application will allow customers to complete purchases without the need to enter a password or PIN, measures the company hopes will make them more likely to complete purchases as well as improving security.

How exactly does this improve security? For example, this question suggests that facial recognition is not very secure.

MasterCard states their facial recognition application is more secure than passwords. How have they achieved that?

  • Tims duplicate provides some good answers. If it was part of Multifactor auth, it would improve security. Multifactor auth can be ortogonal and check for something you know, something you have and something you are, in which case confidence can be significantly improved.But if this selfie thing was the only auth factor, I'd think this wasn't very reliable. – Out of Band Mar 16 '17 at 12:06
  • 7
    Not a good idea.. may be cheated with a photograph.[Hackers Trick Facial-Recognition Logins With Photos From Facebook (What Else?)](https://www.wired.com/2016/08/hackers-trick-facial-recognition-logins-photos-facebook-thanks-zuck/) – roetnig Mar 16 '17 at 15:58
  • @roetnig Depends on the camera. For instance, there have been Kinect-based face-ID systems that rely on more than just RGB data (i.e. distance data from the infrared spectrum). Of course, with modern cell phones, this isn't an option, but it could be in the future. – apnorton Mar 16 '17 at 20:00
  • This detail isn't in the question, but it may be an "increase" in security if the facial recognition is used in cases where normally no PIN or password is required (eg, for transactions of a low value), that is it is not replacing a PIN or password but used in situations where the PIN or password check is already omitted. I don't know if this is actually the case though. – thomasrutter Mar 16 '17 at 23:23
  • If it turns out to be fraud, they have a picture of the perpetrator! If you use a stolen credit card, would you give them a picture of you?? – Aganju Mar 17 '17 at 02:01
  • "as well as improving security" really means "as well as fooling you into not realizing we're mining more data from you". – user541686 Mar 17 '17 at 05:23
  • 1
    It's a grim line of thought, but would this authentication method work with a dead body? Because then one wouldn't need to rely on getting a password... – Grizzled Mar 17 '17 at 07:59
  • holy shit, I hope it's just somebody who deployed 1st April jokes too early. – Display Name Mar 17 '17 at 08:29

4 Answers4

29

As I made clear in my answer to the linked question, I am not a fan of biometrics, and I think that current research agrees with me that especially face recognition is a poor authentication mechanism.

That being said, passwords have their problems too. Users are quite bad at choosing good passwords, users reuse passwords, and users write passwords on paper or in textfiles. The first problem may be mitigated with password rules, but password rules may also make it worse. The other problems can only be mitigated by educating users, which is expensive and error-prone.

These problems do not exist with biometrics. The security is completely in your hands, there is no way for the user to screw up.

As stated in the press release, the new feature is linked to an app, so it is fair to assume that the authentication mechanism is based on two factors (what you have - your phone - and what you are - your face - ).

Because the process uses 2FA, using biometrics may be secure enough. While it may seem that banking should be more secure than other transactions, historically, they were rather weak (4 digit pins for cards, passwords limited to 8 chars or less, and so on). Any security breaches were handled differently (transactions reversed, etc). The talk about "improving security" is likely just marketing.

tim
  • 29,018
  • 7
  • 95
  • 119
  • The 4 digit pin is usually accompanied by blocking the card after 3 wrong guesses. No excuses for the bad passwords though. – ratchet freak Mar 16 '17 at 17:00
  • I can access my banking apps using my fingerprint on my phone. However, that is only one device and if I change the finger prints stored on my phone I have to enter my password again – Tim Mar 16 '17 at 18:55
  • @MooingDuck The factors of 2FA or multi-FA are often [defined](https://www.cnet.com/news/two-factor-authentication-what-you-need-to-know-faq/) as something you know, have, and are (eg password, phone, and fingerprint). In this case there is no know-factor, but there are have- and are-factors (phone and face). – tim Mar 16 '17 at 21:39
  • 17
    If only there were some kind of online repository of faces. Some kind of "Book of Faces" one could refer to, for circumventing this security. – Aron Mar 17 '17 at 01:33
  • Good point with the 2FA. If the phone is stolen, then the owner is supposed to contact his bank to block further access. – a25bedc5-3d09-41b8-82fb-ea6c353d75ae Mar 17 '17 at 03:00
  • photos can be stolen and reused as well. even new photos can be stealthily made, especially with good lenses with big focal length because they can be made from quite a distance – Display Name Mar 17 '17 at 08:31
23

After thinking about this for a bit, I can see Mastercard's point of view, but I'd say the "more secure than passwords" thing probably only applies to their business model and close copies.

First, remember that the way you used to pay with a credit card is to hand it over to someone in a store, who would physically create a rub-through copy of the card and let you walk away with your purchase. No risk for you at all, lot of risk for the credit card company if it turned out later that the card was stolen. But the risk was manageable, because most cards weren't stolen, and a stolen card once in a while didn't offset the earnings too much.

Along came phone and online payment systems, and now it became much worse - instead of having to be in physical possession of a card that looked legit, all you needed was a name, a card number and possibly a postal code. All things that could easily be stolen, looked up and shared online. I don't know for sure, but this must have increased the risk for credit card companies dramatically.

If Mastercard can establish their own smartphone app as the main way you use your credit card for payment (by making it very easy for all parties involved), there will be much less stolen cc details floating around.

The selfie/app combination thing doesn't have to be perfect for this to work; it doesn't even have to be very secure at all. It doesn't matter whether you can fool the app by holding a picture of someone in front of the camera and so on, because it's about the big picture - and in the big picture, credit card thieves currently don't steal credit cards from people's wallets and then sell them on the internet - they steal credit card details by the million from hacked online databases. So that's the threat they need to counter most - worrying about people's smartphones getting stolen or misused by acquaintances simply doesn't seem very relevant compared to that.

So if your evil twin manages to trick your app into letting him buy something, or a couple of tricksters talk some acquaintances into lending them their phones and manage to take a picture of them with the payment app, the credit card company won't care - it will just do what it always did, and reimburse the damaged party (and then happily recover the loss from said evil twin/acquaintance, since the evildoers are now socially connected to the victim and therefore easier to identify - but that's an aside). What it really cares about is the huge losses it sustains by stolen cc info, and a reasonably secure app sitting on every customer's smartphone which is used for online payments, instead of the customer handing a hundred different online stores his cc details, will massively reduce the risk for the credit card company.

So I'd say it's not about whether selfies are more secure than passwords or not - I think the actual reason they do this is because selfies are faster and easier than typing your password on a smartphone keyboard, and possibly user friendly enough so that using your smartphone app to pay instead of having to login into an online account and entering your cc details becomes preferable to many cc owners.

Out of Band
  • 9,150
  • 1
  • 21
  • 30
  • 1
    I really appreciate the points made in this answer. My distilled 2 cents is: This move appears to be designed to integrate two-factor authentication in a more seamless fashion - if they can make it easier (less expensive) to train & encourage users to use a more secure (TFA > text passwords) authentication mechanism, then it should be effective at "Improving Security". – Aron Mar 16 '17 at 16:53
9

As Tim points out, the face recognition is actually part of a two factor authentication where the other factor is possession of the phone. This mitigates some of the well known problems with using biometrics for authentication.

But still, this is far from safe:

  • A person who has physical access to your phone is also likely to have a access to photos (and video) of you to hold up in front of the camera. Is the face recognition good enough to not be fooled by that?
  • What about the literal evil twin, or just a sibling that looks a lot like you? The chance that someone with possession of your phone looks a lot like you is higher than the chance for a random stranger.
  • Borrow a friends phone, saying you are out of battery and need to send a text. Start their banking app, and get to the point where it wants a photo for authentication. "Oh, I love your new haircut. I want to tell my hairdresser I want the same." Snap.

The last one could be mitigated (only allow the front camera to be used, and make it obvious that the phone is in authentication and not camera mode). But the two first ones are hard to do anything about.

Anders
  • 64,406
  • 24
  • 178
  • 215
2

It depends on the implementation of the Facial Recognition System. A traditional implementation is very likely to be less secure than passwords.

As you can see on the Wikipedia page, there are techniques of facial recognition that are meant to prevent the attack you are suggesting, i.e. 3-dimensional recognition, Skin texture analysis and Thermal cameras. On mobile phones and PCs, the first and second options are possible, while the third one isn't (at least for now).

Those techniques are supposed to serve as a biometric identifier, and are believed to be hard to counterfeit. Although some papers (1,2) are claiming otherwise or are skeptical.

If I had the choice, I would wait a couple of years to see if this is actually safe.

MiaoHatola
  • 2,284
  • 1
  • 14
  • 22