
MasterCard to start verifying transactions through selfies - oldskewlcool
http://americans.org/2015/07/03/mastercard-to-start-verifying-payments-via-selfies/
======
Fradow
Relevant link: "Fingerprints are usernames, not password" (applies to all
biometrics): [http://blog.dustinkirkland.com/2013/10/fingerprints-are-user...](http://blog.dustinkirkland.com/2013/10/fingerprints-are-user-names-not.html)

Long story short, it's a bad idea, and it's really not secure.

~~~
higherpurpose
It's much worse for pictures than fingerprints because most people have tons
of pictures of themselves online now, and many are also public. It's probably
just a matter of time before malicious hackers start spoofing their
identities.

~~~
tetraodonpuffer
Don't forget all the ongoing advances in the "here's a bunch of pictures, come
up with a 3D model of the person" problem, making the spoofing even easier.

------
logn
I'm starting to feel like a grey neckbeard. In my day, when I wanted to hang
out with my friends, I called them, from a landline, known simply as "the
phone". These days, I'm at or near a desktop/laptop computer almost 24/7 so
don't see much need for a smartphone. I dread the day when a smartphone is
required to be a part of society. It's shifting in that direction rapidly. If
being on Facebook/LinkedIn also becomes a necessity, hopefully I'm already
retired and have a beautiful lawn.

~~~
herge
I always wonder if there were these old fogeys who complained when the first
postal services were brought in in the 19th century. Like "Back in my day, I
visited my friends and family because I cared, but now any idiot with a stamp
can send me an annoying letter."

~~~
dragonwriter
> I always wonder if there were these old fogeys who complained when the first
> postal services were brought in in the 19th century.

The first postal services were formed long before that; there were definitely
some in the late _17th_ Century, may have been earlier.

~~~
herge
FWIW, I date it from the issuance of the first really convenient paper postage
stamp, much like how OP probably is complaining about smartphones post 2007,
as opposed to the first mobile phones in the 70's.

------
yc1010
People are missing the point: like "chip and pin", this is not about protecting
the consumer but about protecting Mastercard and their duopoly.

"What you mean you did not pay for a hooker and rum in Amsterdam, then who is
this in a selfie you took" > shows a selfie some hacker stole from the poor
eejit's Lifeinvader page.

~~~
lucb1e
If only.

> shows a selfie [taken from somewhere]

The software only sends a hash of the "map" of the face to Mastercard for
comparison (or so an earlier Dutch article on security.nl put it). They can
never show you the original image again.

------
kefka
There's lots of easy avenues to attack this.

1. Look for user's Youtube, Facebook, and other social media for photos/video

2. Videochat and record them.

3. Find them IRL and record them.

4. Print a mask of that person, and leave eye holes. Now you blink instead.

Ridiculous.

------
snarfy
This reminds me of the hat from fifth element:

[http://images2.fanpop.com/images/photos/5000000/The-Fifth-El...](http://images2.fanpop.com/images/photos/5000000/The-Fifth-Element-the-fifth-element-5050874-1918-796.jpg)

------
gonzo41
They don't want to make money safe. Making money safe makes money slow. Pay
wave / pay pass and Mastercard/Visa chargebacks are all about getting money
moving around more.

------
EugeneOZ
I hate selfies. Please leave pin codes for people who don't trust image
recognition algorithms enough.

------
IKnowComputer
How is this supposed to work in low-light and dark environments, like a classy
restaurant? What about people that don't have camera phones? This will end up
being opt-in only, I'm sure. Can you imagine the checkout at the supermarket
as vain people hold the line up while they make up their hair? I really don't
see this as becoming commonplace.

------
jlgaddis
I would just be happy if I could actually use my "chip and pin" credit card
when performing a transaction. I have yet to find a retailer where I can
actually use it.

~~~
51Cards
Interesting, where are you located? Here in Canada I use mine practically
everywhere on a daily basis.

~~~
frandroid
They're in the U.S., the last large bastion of the magnetic strip.

~~~
harperlee
And the paper cheque.

~~~
jlgaddis
Yep, I still write several checks a month too (almost exclusively for rent,
utilities, and the occasional donation).

~~~
kwhitefoot
I think the last cheque I wrote was at least 15 years ago. They don't exist
here, Norway, any more.

------
tehmaco
There's a better link here [1], which explains with more details.

Main thing seems that it's not just facial recognition, you can use a
fingerprint scanner (assuming your phone has one) instead, and that it
requires you to blink when you're being scanned by the app. So it doesn't seem
to be just static image recognition, it's looking at the video stream to
ensure that your face is there and that it can blink (getting around the 'just
hold a photo in front of the camera' problem).

[1] [http://money.cnn.com/2015/07/01/technology/mastercard-facial...](http://money.cnn.com/2015/07/01/technology/mastercard-facial-scan/)

~~~
peterwwillis
Since a video is just a string of images, all the attacker would need is a
sufficient number of photoshopped images to show a series that (when stitched
into a video) shows the user blinking. I'm pretty sure you could make a
Photoshop plugin that would do this.

I'll do you one better: you could probably make a print-out paper 'mask' of a
person's face and just blink yourself, or something similar. This kind of tech
isn't always as smart as we think.

------
gearhart
Seems to me that this is a cheap, relatively smart piece of marketing, rather
than a serious proposition - note the heartbeat and voice recognition ideas
that they're also "experimenting" with.

------
bobm_kite9
Ok, so everyone has pointed out how insecure this would obviously be, and all
the simple ways in which you could fool it.

But, I'm left wondering, did the guys at Mastercard never even think this
through at all? This is people's money after all. It needs to be safe. Did
they not even consider that, as soon as this is rolled out, people were going
to see money disappear?

I can't believe they didn't think of that. Which makes me wonder, why am I
even reading about this at all?

~~~
derefr
Credit card companies already have the perfect "security" measure: retroactive
limited liability for stolen cards. Nobody loses money because someone steals
their credit card.

As such, everything the card companies do in the _name_ of "security" is not
to prevent people from losing money—they don't need to solve that problem.
They just need to solve the _perception_ people have that credit cards are
insecure. In other words, all credit card security (yes, even chip-and-pin) is
security theatre. Whether it works or not, it's not there to work; it's there
to feel good.

~~~
ufmace
> Credit card companies already have the perfect "security" measure:
> retroactive limited liability for stolen cards. Nobody loses money because
> someone steals their credit card.

100% on that. Money is lost all the time, but thanks to that retroactive
liability, the bank and/or merchant loses it instead of the consumer. Security
for the consumer is already as good as it could possibly get, so they're
really saving themselves and their merchants. This is a good thing, because
they have a much more direct incentive to save themselves money than to save
you money.

------
jnsaff2
Didn't they get the memo from Japan?
[http://pinktentacle.com/2008/06/magazine-photos-fool-age-ver...](http://pinktentacle.com/2008/06/magazine-photos-fool-age-verification-cameras/)

~~~
__z
They require the user to blink to protect against this sort of attack but
there are workarounds.

------
marcosdumay
Well, it just shows that banks and credit card issuers will go to any length
to avoid implementing a proper PKI and secure transactions.

My only question is why?

------
chinathrow
Hahahahahaha. Remember that OS X login mode by your own selfie where you could
simulate blinking with a matchstick and log in with a photograph?

------
istvan__
First I thought I mixed up my tabs and I am on 4chan instead of being on HN.

Another verification approach is to use voice like WeChat does.

[http://www.biometricupdate.com/201503/instant-messaging-app-...](http://www.biometricupdate.com/201503/instant-messaging-app-wechat-on-ios-adds-voice-biometrics)

------
TrevorJ
OK, so who thinks it would be a good idea to post their credit card number and
CVV2 code on their Facebook wall?

Because that's essentially what Mastercard has caused everyone to do here.

------
bcg1
I don't even have a cell phone. And there is zero chance I would ever get one
just so that SlaveCard will process payments for me. That whole industry is
like the grandfather that clearly can't drive anymore but everyone's afraid to
confront about taking the keys away... why is nobody willing to 'disrupt'
these people already?

------
eurmag
My question is:

"Selfie as a Password" - is it really secure?

~~~
JoeAltmaier
It's a terrible idea. It's a password you can't change, can't even choose, leave
lying about all over the place. It's everything a password shouldn't be.

