I came across this announcement today. Apparently Master Card is applying biometrics in an attempt to make online shopping faster and safer. My impression of the current state of biometrics is that it is not great. Some technology may be considered reliable (a relative term in any case), but it is generally expensive, and typically consists of invasive things like retina scanning, which requires a person to physically lean close or right up to a specialized piece of equipment. General consumer technology like the fingerprint scanners on phones and the like are easily fooled, and may give a false sense of security.
So what is Master Card using? Well according to articles from biometricupdate.com and mobileworldlive, they’re experimenting with fingerprint scans and short video shots of faces (facial recognition) as replacements for passwords when authenticating payments. CNN Money has this video demonstrating the facial recognition solution.
The motivation behind this is to make security less of a hassle for customers, to keep them from abandoning purchases at the final step. I think this is an interesting and admirable effort, and the solutions seem pretty cool. A number of questions come to mind though:
A short disclaimer might be appropriate at this point: I do not have detailed knowledge of Master Card’s technical solution, nor do I know what data they are collecting, or where they are going with this in the long run. The following are just my personal musings and speculations based on limited information. If some of these ideas seem unlikely, take them with a grain of salt. This analysis is just an attempt to view the world from a slightly paranoid information security-centered perspective.
How will Master Card control whether a given devices is trustworthy? I would assume there are discrepancies between the quality of both fingerprint scans and photos taken by different phones and other devices. Will Master Card trust all of them, or just some? What will happen when a particular model is hacked? What if a flaw is revealed that allows a criminal to steal someone else’s fingerprint or photo data, and use it to imitate them?
What about completely fake data? A photocopy of a finger is generally enough to fool most fingerprint scanners, and there may be other tricks I’m not aware of. Will a photo of a person be enough to fool the facial recognition system? If someone has stolen your credit card, or at least gotten hold of it’s number, is it plausible they could grab photos of you from your Facebook profile and use them to authorize transactions in your name? Master Card’s requirement that users blink during the authentication will probably make it more complicated to spoof someones “selfie signature“, but I would not be surprised if someone was able to circumvent this. An automated process for adding an animation to an existing photo seems plausible. How long will it take before we have an Android app that can take a photo and add a “blink” animation? It will then just be a question of getting the right speed and quality for Master Card’s technology to accept it.
Can biometric data be stored for later use? If you scan your fingerprint, or take a photo of your face, could you then save the resulting data and use it to sign a purchase with your credit card minutes, hours or days later? The app in the video above does not appear to work that way, but that does not rule the possibility out. If the data could be saved for later, then that should imply that it would also be possible to copy (read: steal) it, and use it later. This is really not that different from a password, except that if your password is stolen, you can change it. If your fingerprint or selfie-sig is stolen and can be reproduced, you likely won’t have any other options than to stop using the solution to and disable it for your account. I would hope that Master Card has built some kind of one time password solution (OTP) into their app. It might for instance combine biometric data with a digital signature which would only be valid for a limited time.
What other meta data is included? If you are a customer you’ve already entrusted Master Card with your personal finances (the actual money), as well as information about such things as your purchasing habits, the locations in which you use your card (both physical and online), and more. Given this, the personal data-issue may seem trivial, but I still think it is worth considering briefly: What kind of information is collected from your phone? Does it have access to your contacts? Your social network? Remember that this is not limited to the moment when you confirm a transaction. If Master Card already knows where and how you spend your money, they could in theory combine this with information about your contacts and every detail of their purchasing history. That would produce a lot of interesting data. Who might be able to access it, and what kind of implications might it have?
What about your (twin?) sibling? This probably won’t be a problem even for most twins (what kind of person would rob his brother, anyway, right?). The principle is still interesting though: How close in resemblance can two people be before facial recognition software is unable to distinguish them from one another?
I also wonder about the practicality of biometrics for cases like this. Will it really be an improvement over plain old passwords? There are lots of problems with passwords: People tend to either choose lousy passwords (quick, name a family member of yours who’s password is a pet’s name!), or forget them all the time. Often they write them down on pieces of paper kept in plain view, and even if they learn a password, they will typically use it everywhere, and not change it until forced to do so. Take note however, that all of these issues have to do with human behavior, and that none rooted in technical aspects of passwords themselves. Used correctly, a good password can not only provide great security; in fact, it can have a number of distinct advantages over biometrics:
You only have one face. With passwords, you can use a different one for each site or service. With biometrics on the other hand, you’re stuck with the physical traits you have. The fact that Master Card seems to have their own solution here mitigates this point, since it likely means that you would never use the same authentication method with any on other than Master Card. Still, it’s something to keep in mind if this type of technology should become more regular.
You can’t change it. If someone should be able to hack the facial recognition technology at some point, you might not have any other choice than to stop using it. If someone manages to steal your password, at least you can change it and carry on.
But hang on – what if it DOES change? What happens if you catch a really bad cold, and your face goes all puffy for a week? Or if you go on a serious diet and loose a lot of weight? Or if you have an accident that affects your appearance? Certain nerds may also wonder if they will still be able to complete credit card purchases during the last two weeks of Movember?
How long does it take to authenticate your great looks? I’m sure scanning your thumb or taking a selfie can simplify your life if you constantly find yourself forgetting your password, but what if that is not a problem for you? Although the technology seems cool and fun to use, I’m not sure I would want to use it in the long run personally; sure, it would be fun to test it (and try to hack it!), but in general I would rather spend a few seconds typing a password than be required to open my phone, unlock it with a pin code, locate an app and performing some kind of action with it just to authenticate a purchase. The case would be different if the biometrics app provided a higher level ov security compared to passwords, but from what I’ve seen, I’m not convinced that is the case. It just replaces a password with something else, and even if this something else may initially seem harder to steal and abuse than a password, it would as mentioned have the drawback of not being replaceable if it ever is stolen.
So what does all this mean?
Master Card will have thought things through thoroughly before rolling out this technology, and I have no doubt it will be appreciated by many of their customers. Even if the security solution is not entirely without drawbacks (what solution is anyway?), it might well be good enough for the vast majority of users. Abuses of the types mentioned above do admittedly seem unlikely at the moment, and with a global customer base like Master Card’s, even a tiny increase in the number of completed transactions is likely to result in a solid return on investment.
It will be interesting to see how this develops, and to see what alternatives other companies will roll out. I’m also anticipating news about this technology getting hacked over the next few weeks, months and years; I have a feeling it will be much too interesting not to.