Site icon Panda Security Mediacenter

Will it be safe to use a selfie instead of your password to pay with your credit card?

selfie

Get ready for this: Soon, selfies will not only be a good way to record the passing of time upon your face everywhere you go. As physical features are unique of each person, they will also be used as credit card passwords. At least that’s what credit card firm MasterCard thinks.

The company announced at the Mobile World Congress tech show in Barcelona that it will soon be accepting selfies as an alternative to passwords for online payments. The service will be available next summer in the USA, Canada and several European countries such as Italy, France, Netherlands, UK and Spain.

In order to use it, customers will only have to download an app to their computer, tablet or smartphone. Then, they will only have to look at the camera or use the device’s fingerprint reader (if available). However (at least for the moment), customers will still have to provide their credit card details. It’s if additional authentication is required that they will be  able to use the aforementioned feature.

With this new strategy, MasterCard aims to protect customers from fake online transactions made with users’ stolen passwords, as well as providing a more convenient system to users. In fact, the company says that 92 percent of the people who have tested the new system prefer it to traditional passwords.

Despite all the fuss, this is not the first time that this technology is put forward. E-commerce giant Alibaba announced some months ago that it would use facial recognition technologies for online payments.

Even though biometric security experts have already heralded that iris-scanning, facial recognition, fingerprints and even voice recognition will be the future, MasterCard’s initiative has re-opened the debate of whether selfies can be a safe replacement for passwords.

In fact, some experts have started wondering how information will be protected to prevent cyber-crooks from easily obtaining a user’s fingerprints or facial photograph if a transaction is made via careless use of a public Wi-Fi network.

These cyber-security experts claim that the system should incorporate several security layers to prevent potential theft of users’ facial photographs. After all, online payments make a very attractive target for cyber-criminals.

A few months ago, a group of experts from the Technical University of Berlin demonstrated that it is possible to extract the PIN of any smartphone using the owner’s selfie.  To do that, they read the passcode reflected on a user’s eyes as he typed it on his OPPO N1 phone. An attacker simply has to take control of a device’s front camera to carry out this rudimentary attack. Could a criminal take control of a user’s device to take a selfie photo and make online payments with the password they saw written on the victim’s face?

MasterCard insists its security mechanisms should be able to detect suspicious behavior. For example, users will be required to blink for the app to demonstrate it is a live image and not a photo or a previously-filmed video. The system maps out a picture of the user’s face, converting it to code and transmitting it securely over the Internet to MasterCard. The firm promises that this information remains safe on its servers, and the company won’t be able to reconstruct  the user’s face.

MasterCard has explained that the new service will only be used  for the moment in certain contexts where additional authentication is required. Additionally, this technology will also help identify the user’s location and the place where the goods are being shipped to, other indicators of a fake online transaction.

In a few months, security experts will be able to tell whether MasterCard’s system is sufficiently safe, or if in this case the cure is worse than the disease. Meanwhile, the company will continue to investigate into iris, voice and even electrocardiogram recognition as biometric alternatives to passwords.

Exit mobile version