Is MasterCard's 'selfie pay' too much of a security risk?

Biometrics were the talk of the town last month in Barcelona. As the world’s mobile technology companies gathered for their largest annual event, Mobile World Congress 2016, talk centered firmly around authentication and identity.

Whilst MasterCard announced it will accept selfie photographs and fingerprints as an alternative to passwords when verifying IDs for online payments, security company Vkansee was demonstrating how easy it was to create a spoof finger with clay and a pot of Play-Doh.

The Future of Mobile Payments

When the MasterCard system goes live in the UK and 14 other countries this summer, users will be able to complete an online purchase without the need for PIN codes, passwords, or confirmation codes. Instead, they can opt to download an application to their PC, tablet, or smartphone and opt to take a selfie which is mapped against a stored image on file to allow payment.

The new biometric system is, says MasterCard, the first of a number of new biometric services designed to improve identify verification for mobile phone payments and other wearable devices. The company is also testing voice and iris scanning as a means to authenticate credit card transactions and eliminate fraud.

And, according to MasterCard, consumers love the "selfie pay" approach. Trials in the Netherlands and US found that 92 percent of participants preferred the new approval system to passwords.

Tackling False Declines

You can understand the appeal of the proposition for consumers looking to take advantage of the convenience of mobile payments. Meanwhile, MasterCard aims to use this technology to reduce the number of false declines that cost it dear: in the past year, the value of false declines has hit $118bn (£85bn) per annum -- more than 13 times the total amount lost annually to card fraud.

MasterCard has spoken about the concept of selfies and fingerprints for identity verification for some time, and it’s easy to see why they are keen to move forward with this innovative technology. Removing barriers to purchase increases conversion rates. What’s more, every time a user loses their password or PIN, it’s a cumbersome process for card issuers to manage.

Are These New Technologies Secure?

However, the technology needs to be totally secure before rolling it out. Security experts have already expressed concerns that it might be easy to spoof the system -- which, after all, is delivered to consumers via an app. Others have highlighted that facial scans and fingerprint sensors can be compromised.

But there are bigger questions to be considered here. Whilst not ideal, passwords can be changed. Fingers and fingerprints can’t be. As an industry we need bullet proof methods of storing this data securely before we play Russian Roulette with people’s identities.

User devices are notoriously prone to penetration by cyber criminals -- whether that’s as a result of users adapting their devices or overriding device security parameters, or using non-secure public WiFi when transacting online. Which means biometric data will need to be encrypted to ensure it cannot be stolen -- otherwise we open a whole new vector for identity theft.

What’s more, rigorous PCI standards already exist to protect users and merchants, especially where liability is concerned should things go wrong. What’s not clear in this scenario is whether liability will shift -- and to whom. Quite simply, we’re in new territory here.

Considering the GDPR

Merchants operating in Europe are already busy preparing for the new General Data Protection Regulation (GDPR). Coming into force in 2018, GDPR brings with it some punishing requirements when it comes to sensitive personal data like biometric data -- fingerprints, facial recognition, retinal scans, and so forth -- which must be afforded enhanced protection.

And that has significant implications for organizations, triggering the need for an organizational Data Protection Impact Assessment if biometric data is processed on a large scale. At the moment, the MasterCard "selfie ID" is designed to offer a convenient second security form factor for the authentication of online credit card payments, in addition to the credit card number itself.

But it opens the way for biometrics to become a primary payment authorization instrument. And that should trigger some industry wide debate to make sure that consumer identifies are protected.

Done right, biometric data could open the way to a more secure, more convenient way for transacting online that eliminates fraud for all. But data breach has become a major issue for consumers and organizations alike -- and that makes a belt and braces approach to every issue vital.

André Malinowski, head of International Business at Computop.

Published under license from ITProPortal.com, a Net Communities Ltd Publication. All rights reserved.

Photo Credit: Pixelbliss/Shutterstock