Now the favorite pastime of some (namely taking selfies!) might actually become a legit payment method for MasterCard users. The company is experimenting with a feature called ID Check, which would scan your face (or your fingerprint, depending on what you choose) in order to approve an online purchase. Basically, they are trying to go full-blown biometric.
Ajay Bhalla, the MasterCard executive who’s in charge of the new payment methods, told CNN: “The new generation, which is into selfies … I think they’ll find it cool. They’ll embrace it.”
Why would MasterCard do something like that? Definitely not only to please us youngsters, but also to cut down fraud, it seems. The US trial is supposed to start very soon with a limited customer base of 500. The launch will follow sometime after that.
If you’re afraid that you’ll need a selfie stick in order to make payments with your MasterCard in the future, don’t worry too much: the way the system is described, you’ll just install the MasterCard app, purchase something, and once you want to pay, a pop-up appears. Now you can choose to complete the payment with a fingerprint scan or via said selfie. According to CNN “you stare at the phone — blink once — and you’re done. MasterCard’s security researchers decided blinking is the best way to prevent a thief from just holding up a picture of you and fooling the system.” Easy peasy, right?
Well, let’s see how it will work out and what’s next: Bhalla also said that MasterCard is experimenting with voice recognition and approving transactions by recognizing your heartbeat …
Fingerprint authentication is not as safe as you would think
Just because logging in with your finger is convenient doesn’t mean it’s the best method to use.
Some days ago we told you about increasing your security on sites and in services by using two-factor authentication. More and more services are using this two-factor login method. They require that you use “something you know” like a PIN or a password, “something you have” like a token app in your smartphone, and even “something you are” like your fingerprints, for instance.
Many top smartphones – starting with iPhone 5s and newer Androids – are moving to fingerprint authentication technology. That means you can unlock your phone using your finger. It’s more convenient than typing a PIN or password because you always have your finger with you (we hope!). And you would think that it is more secure than using a gesture or pattern to unlock it.
Unfortunately, it’s not. Here’s why:
The authentication process requires that a site or a service (or your smartphone) can recognize you by something you know: a PIN or a password. This information must be stored on the service’s server (or in hardware) and it must be matched, i.e., the combination of two pieces (generally username and password) must match to allow access to the right person.
Both you and the service must know this secret combination. But that’s the problem: nowadays, a lot of sites and services have been compromised, and username/password pairs have been hacked and sold on the black market.
But what about using your fingerprint? It’s the same scenario. The information about your finger and the technology to match your fingerprint is stored in servers. If they are hacked, your exact, and only, information would be in their hands.
It gets worse.
You can change your credentials to log into a site or service, but you can’t just change your finger! Well, most of us have 9 more chances after the first one is compromised, but still – there are more than just 10 services you want to use. You can change your passwords indefinitely, you can use a stronger password, you can use a password generation service – you’ve got the idea… But you don’t have that many choices with your fingerprint.
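The contrast drawn above between a replaceable password and a fixed fingerprint, as an added Python example that is not part of the original article. The 256-bit feature vector, the 40-bit match threshold and every sample value are constructed assumptions for illustration, not how any real sensor or vendor works.

```python
import hashlib, hmac, os, random

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed for this example)

def enroll_password(password: str) -> tuple[bytes, bytes]:
    """Store only a salt and a slow salted hash, never the password itself."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def verify_password(password: str, record: tuple[bytes, bytes]) -> bool:
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)  # exact, constant-time match

def hamming(a: int, b: int) -> int:
    """Number of bit positions in which two feature vectors differ."""
    return bin(a ^ b).count("1")

def verify_biometric(scan: int, template: int, max_bits_off: int = 40) -> bool:
    """Two scans of one finger never agree bit for bit, so matching is a
    distance threshold and the template must be kept in comparable form."""
    return hamming(scan, template) <= max_bits_off

def noisy_scan(finger: int, flipped_bits: int, rng: random.Random) -> int:
    """Simulate sensor noise by flipping a few of the 256 feature bits."""
    for pos in rng.sample(range(256), flipped_bits):
        finger ^= 1 << pos
    return finger

def breach_and_recover() -> dict:
    rng = random.Random(7)                      # fixed seed: constructed data
    finger = rng.getrandbits(256)               # stands in for one real finger
    pw_record = enroll_password("old-passphrase")
    bio_template = noisy_scan(finger, 10, rng)  # enrollment scan
    leaked_template = bio_template              # copy taken from the breached database
    # Recovery: the password is replaced, the finger can only be scanned again.
    pw_record = enroll_password("new-passphrase")
    bio_template = noisy_scan(finger, 10, rng)
    return {
        "old_password_still_works": verify_password("old-passphrase", pw_record),
        "new_password_works": verify_password("new-passphrase", pw_record),
        "fresh_scan_matches": verify_biometric(noisy_scan(finger, 10, rng), bio_template),
        "leaked_template_still_matches": verify_biometric(leaked_template, bio_template),
        "other_finger_matches": verify_biometric(rng.getrandbits(256), bio_template),
    }
```

After the simulated breach the old password is useless against the new record, while the leaked template still falls inside the match threshold of the re-enrolled finger.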
It gets even worse.
Everything you touch reveals you. You’re publishing your own secret.
Can you imagine banks or stores letting you use your fingerprint to gain access to your account without even a card? Coincidentally, just hours ago a news report was published saying the Royal Bank of Scotland and MasterCard recently made announcements regarding fingerprint authentication services. They announced that customers can log into the bank’s mobile banking app using their fingerprint. It’s interesting that this article says 16- to 24-year-olds are driving this decision because “they want to avoid security slowing down the process of making a payment, with 64% of those surveyed saying they found existing security irritating.”
This decision by major banks does not give us confidence in the security of the younger generation and their bank accounts. We venture to wonder about the police with their databases full of prints. What could be done with millions of fingerprints stored by the government?
At the end of last year, young researchers from the Chaos Computer Club showed that your fingerprints could be obtained from photos of your hands and from anything you touched. See the full presentation in this YouTube video. If you’re curious enough to watch the whole video, you’ll see that your iris could also be simulated with high-quality printed photos. The iPhone fingerprint hacking starts at 30:40. They took 2 days to develop the method and presented it in a few minutes. Amazing and scary.
Here’s another video with a quick summary of the research.