08/07/2015

By Chris Averill, CEO, wae


There have been several recent announcements from various credit card providers about contactless payments and facial recognition tools, which promise to make our lives easier when it comes to authorising consumer purchases made using mobile devices.

For example, MasterCard is testing a smartphone app that uses facial recognition to verify online purchases. Instead of having to manually enter passwords or security codes, users simply hold their phone up as though taking a selfie to approve transactions. The initiative, which was unveiled last week, will ask customers during their mobile check-outs to hold up their smartphone and snap a photo of themselves.

Hi-tech Barclaycard bPay wristbands – as well as key fobs and stickers – also went on sale last week. The technology works like contactless credit or debit cards, allowing people to buy goods by simply placing their device against a card reader at the till.

In my opinion, a lot of these announcements are being made in direct response to the fact that Apple plans to introduce its contactless payment system, Apple Pay, into the UK in mid-July. This is already shaking up the market and I think is why both Barclaycard and MasterCard in particular have rushed to come out with these new options. The good news is that the overall limit for all contactless payments is set to rise to £30 from September, which will make contactless payment far more useful. It has also been reported that Apple Pay could go limitless later this year, so watch this space.

My question is how secure are any of these capabilities? MasterCard states that it is conducting the facial recognition testing because passwords that are used today can be forgotten, stolen or intercepted, which leads to data theft and losses for card issuers and retailers. However, I would question the latest MasterCard announcement as, in my view, facial recognition technology isn’t really that secure and can be easily compromised. Certainly, it should always be complemented with extra layers of security.

I remember a while back when Google tried facial recognition on Android phones. There were a lot of problems in the early days. For example, people realised you could take a photo of somebody, present it to the camera, and the phone would unlock. Whilst a lot has been done to remedy this scenario, I certainly think that social recognition tools are not very stable and therefore not great tools when a high level of security is needed. There is still quite a big margin for error.

Google, on the other hand, has openly admitted on the website for one of its devices that its facial recognition is "less secure than a pattern, PIN or password". MasterCard's app asks users to blink to prove that they are human, but even this has been spoofed in the past. Apparently people took photographs and animated them, drawing on eyelids. While there have been advances in biometrics since then, I still don’t think that we are quite there yet.

I believe more robust and reliable security is needed for these types of transactions, such as fingerprint scanners and biometric data; otherwise this type of technology simply doesn’t give a benefit to anyone and is likely to cause more security incidents than it is solving.