MasterCard is experimenting with facial recognition as a layer of security for its credit card payments. The idea is that customers could use their smartphones to prove that they’re who they say they are when they’re making what the industry calls a “card not present” transaction. A good example of that type of transaction is purchases online or over the phone.
MasterCard will be testing the idea by having users send short video clips of their faces, taken in real time. Current reports are that the video clip would require the user to take some action, such as smiling, that would prove that they’re real, and not a photo of the actual card holder. While complete details of how this will play out remain for later this year, a MasterCard spokesperson did confirm that this description is correct. MasterCard is not yet releasing much in the way of details about the new technology.
However, MasterCard Vice President and Business Leader Jane Khodos told eWEEK that this effort is a companion to other forms of identity verification available to the company. “In the physical world, we have EMV to make our purchases more secure,” Khodos said. “When it comes to online purchases, most of us can agree that passwords are a real problem.
“People forget them often and it’s a pain to go through the retrieval process. Consumers that dislike passwords have a choice to secure their online payment transactions with their face and/or fingerprint, or continue to use passwords. MasterCard Identity Check is another layer of security to guard against online fraud,” she continued.
In some ways, the concept is similar to what Apple uses for Apple Pay. There, a person’s fingerprint is stored securely in his or her phone. Then, when a purchase is made, software on the phone asks for the fingerprint again and compares it with the stored image of the fingerprint, and if they match, approves the purchase.
With the MasterCard approach, the card holder would allow a photo or video clip to be taken and then stored, but rather than being stored on their phone, a digital representation of his or her image would be stored on servers at MasterCard. Note that this isn’t the same thing as storing a photo of the card holder. Facial-recognition software analyzes the structure of a person’s face as a three-dimensional numeric representation and stores that. If you were to look at the data file, you would not see what the person looked like.
Presumably, a person’s phone or computer would contain the image processing software for the image comparison, if only because the data involved in transferring images between MasterCard’s servers and the device collecting the image would become unwieldy, not to mention expensive on some data plans. Even so, for such an image capture to remain feasible, the resolution would have to be limited.
The real-world limits to the imaging technology raise a concern in regards to how it’s going to prevent fraud. While the reports about MasterCard’s technology say that the subject will be asked to perform an action such as smiling as a way to prevent the use of a photo, will that work if, instead of a photo, the Bad Guy uses a video clip? Let’s say, for example, you’re trying to prove that you’re the owner of the device that’s being used to buy something. Couldn’t you just have a short video of the person smiling that you loop constantly, so that there’s always a smile at the ready?
MasterCard’s Plans for Facial Recognition Raise Questions
While such a thing might be hard to arrange in the case of a stolen phone, it might not be. How many people have their phones filled with images of themselves and with short video clips? Of course, the technology isn’t even in the field yet, so it’s impossible to say whether it could be fooled in such a way.
Fortunately, one of the other questions that are being raised in regards to this technology, concerning privacy, is probably not an issue. It’s unlikely that MasterCard has plans to store actual images of each user in this program on their servers considering the amount of data involved. This is especially the case when the numeric representation of the image is what’s really needed by the facial-recognition software, and not having to convert from a photo each time would dramatically reduce the workload and the related latency.
It’s also important to remember that the idea of using a short video clip or other selfie as a means of identity verification is only a companion method. It’s unlikely that MasterCard is planning to use images as a stand-along means of identity verification, if only because of the number of identical twins in the population. The idea of using a selfie will certainly appeal to a part of the population—but hopefully not to that part of the population that’s made up of evil twins.