MasterCard to start verifying transactions through selfies
Relevant link: "Fingerprints are usernames, not passwords" (applies to all biometrics): http://blog.dustinkirkland.com/2013/10/fingerprints-are-user...
Long story short, it's a bad idea, and it's really not secure.
In the two years since that article was written, how many cases have there been of iPhones actually hacked in the wild through TouchID?
How would one measure that, even if it is happening?
Not hacked in the normal sense but there have been kids who needed their sleeping parents' phones unlocked, so they just put the phone to their parents' fingers...
By news stories?
Given the amount of media attention there was when the early proof-of-concept hacks emerged, I'd be amazed if they weren't all over any story that had even the slightest suggestion that someone might have lost data as a result of a stolen phone having been hacked via TouchID.
It's much worse for pictures than fingerprints because most people have tons of pictures of themselves online now, and many are also public. It's probably just a matter of time before malicious hackers start spoofing their identities.
Don't forget all the ongoing advances in the "here's a bunch of pictures, come up with a 3D model of the person" problem, making the spoofing even easier.
Well, we had this idea ten years ago, but the biometric scan was checked for freshness against a database of biometric scans. It was intended to protect the conversation between two peers, however, and not for blind validation.
The idea to protect against this kind of replay attack was that if the algorithm was unsure of the scan it could request a new one, validate it and present it to the user in case of a low-confidence biometric match or a high-confidence forgery: the point being that humans are good at detecting the kind of tampering that could fool an algorithm, and vice versa.
This required sending the biometric scan to the peer and validating it on the other side of the communication channel instead of on the device.
Well, we weren't technically using it as a password in the end. I guess I'll have a closer look at what they're doing, and check if that old patent is still good. Heh, not that I have any rights to it left, of course.
I'm starting to feel like a grey neckbeard. In my day, when I wanted to hang out with my friends, I called them, from a landline, known simply as "the phone". These days, I'm at or near a desktop/laptop computer almost 24/7 so don't see much need for a smartphone. I dread the day when a smartphone is required to be a part of society. It's shifting in that direction rapidly. If being on Facebook/LinkedIn also becomes a necessity, hopefully I'm already retired and have a beautiful lawn.
I always wonder if there were these old fogeys who complained when the first postal services were brought in in the 19th century. Like "Back in my day, I visited my friends and family because I cared, but now any idiot with a stamp can send me an annoying letter."
They did about the telephone, though:
>"The Americans have need of the telephone, but we do not. We have plenty of messenger boys." -- Sir William Preece, chief engineer of the British Post Office, 1876.
Radio, planes and X-rays:
>"Radio has no future. Heavier-than-air flying machines are impossible. X-rays will prove to be a hoax." -- William Thomson, Lord Kelvin, British scientist, 1899.
The Grand Canyon:
>"Ours has been the first, and doubtless to be the last, to visit this profitless locality." -- Lt. Joseph Ives, after visiting the Grand Canyon in 1861.
Oil drilling:
>"Drill for oil? You mean drill into the ground to try and find oil? You're crazy." -- Workers whom Edwin L. Drake tried to enlist to his project to drill for oil in 1859.
Nuclear energy:
>"There is not the slightest indication that nuclear energy will ever be obtainable. It would mean that the atom would have to be shattered at will." -- Albert Einstein, 1932.
Germ theory:
>"Louis Pasteur's theory of germs is ridiculous fiction." -- Pierre Pachet, Professor of Physiology at Toulouse, 1872.
Brain surgery:
>"The abdomen, the chest, and the brain will forever be shut from the intrusion of the wise and humane surgeon." -- Sir John Eric Ericksen, British surgeon, appointed Surgeon-Extraordinary to Queen Victoria 1873.
All taken from: http://www.rinkworks.com/said/predictions.shtml
> I always wonder if there were these old fogeys who complained when the first postal services were brought in in the 19th century.
The first postal services were formed long before that; there were definitely some in the late 17th Century, may have been earlier.
FWIW, I date it from the issuance of the first really convenient paper postage stamp, much like how OP is probably complaining about smartphones post-2007, as opposed to the first mobile phones in the '70s.
Actually the main reason I have a smartphone is for GPS. Imagine a device where you enter the name of a place and it tells you how to go there.
Sure, it's easier now, but it wasn't that much of a problem before. Just get an A-Z map of the town you are going to. When I was travelling I always had a Lonely Planet guide. It had most of the information you would be likely to find with online searches, and organised in a helpful way.
The next step will be to embed smart phones in children at birth. I guess "The President's Analyst" was more prescient than we gave it credit for.
People are missing the point. Like "chip and PIN", this is not about protecting the consumer but about protecting MasterCard and their duopoly.
"What do you mean you did not pay for a hooker and rum in Amsterdam? Then who is this in a selfie you took?" > shows a selfie some hacker stole from the poor eejit's Lifeinvader page.
If only.
> shows a selfie [taken from somewhere]
The software only sends a hash of the "map" of the face to Mastercard for comparison (or so an earlier Dutch article on security.nl put it). They can never show you the original image again.
There are lots of easy avenues to attack this.
1. Look through the user's YouTube, Facebook, and other social media for photos/video.
2. Videochat and record them.
3. Find them IRL and record them.
4. Print a mask of that person, and leave eye holes. Now you blink instead.
Ridiculous.
This reminds me of the hat from fifth element:
http://images2.fanpop.com/images/photos/5000000/The-Fifth-El...
They don't want to make money safe. Making money safe makes money slow. PayWave / PayPass and MasterCard/Visa chargebacks are all about getting money moving around more.
I hate selfies. Please leave pin codes for people who don't trust image recognition algorithms enough.
How is this supposed to work in low-light and dark environments, like a classy restaurant? What about people that don't have camera phones? This will end up being opt-in only, I'm sure. Can you imagine the checkout at the supermarket as vain people hold the line up while they make up their hair? I really don't see this as becoming commonplace.
I would just be happy if I could actually use my "chip and pin" credit card when performing a transaction. I have yet to find a retailer where I can actually use it.
Interesting, where are you located? Here in Canada I use mine practically everywhere on a daily basis.
They're in the U.S., the last large bastion of the magnetic stripe.
And the paper cheque.
Yep, I still write several checks a month too (almost exclusively for rent, utilities, and the occasional donation).
I think the last cheque I wrote was at least 15 years ago. They don't exist here in Norway any more.
I love paper checks.
Indiana, US
I'm in the US, and I had never seen anybody actually use it up to a week or so ago, even though lots of retailers are putting in the chip-capable readers. But I've been traveling for the last week or so, and I just ran into a couple of retailers in other states where I had to scan the chip of my cards instead of the mag stripe for the charge to go through - and one of them was Target.
So it looks like it is coming to the US, slowly but surely.
Just in the past few months I've been seeing many more of them around the Boston area in the U.S. at big stores. It's coming.
Chip-and-Signature is becoming one of the standards in the U.S., not Chip-and-PIN.
MasterCard is one of the companies trying really hard to prevent PINs from happening.
It's almost as if an executive heard that "biometric" is happening, and decided to take a bet on it.
There's a better link here [1], which explains with more details.
Main thing seems that it's not just facial recognition, you can use a fingerprint scanner (assuming your phone has one) instead, and that it requires you to blink when you're being scanned by the app. So it doesn't seem to be just static image recognition, it's looking at the video stream to ensure that your face is there and that it can blink (getting around the 'just hold a photo in front of the camera' problem).
[1] http://money.cnn.com/2015/07/01/technology/mastercard-facial...
Since a video is just a string of images, all the attacker would need is a sufficient number of photoshopped images to show a series that (when stitched into a video) shows the user blinking. I'm pretty sure you could make a Photoshop plugin that would do this.
I'll do you one better: you could probably make a print-out paper 'mask' of a person's face and just blink yourself, or something similar. This kind of tech isn't always as smart as we think.
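An added example, not code from the page or from MasterCard's app: a toy blink detector in Python using the eye-aspect-ratio (EAR) technique (Soukupová and Čech), which is one common way to implement the "must blink on camera" check the comments above discuss. The landmark coordinates, the EAR threshold and the minimum closed-frame count are assumptions chosen for illustration. It shows that a single still fails the check, a genuine blink passes, and a sequence stitched from a still plus two edited eyes-closed frames also passes, which is exactly the replay weakness described above.

```python
"""
Blink check as a liveness test, and why a stitched frame sequence passes it.

Eye Aspect Ratio (EAR): for six eye landmarks p1..p6 (p1/p4 are the eye
corners, p2/p3 the upper lid, p5/p6 the lower lid),

    EAR = (|p2 - p6| + |p3 - p5|) / (2 * |p1 - p4|)

EAR stays roughly constant while the eye is open and drops toward zero
while it is closed, so a blink is a short run of low-EAR frames.
"""
from math import dist

EAR_THRESHOLD = 0.21       # assumption: open/closed boundary used by the detector
MIN_CLOSED_FRAMES = 2      # assumption: a blink must last at least two frames


def eye_aspect_ratio(eye):
    """eye: six (x, y) landmarks in the order p1..p6 described above."""
    p1, p2, p3, p4, p5, p6 = eye
    vertical = dist(p2, p6) + dist(p3, p5)
    horizontal = dist(p1, p4)
    return vertical / (2.0 * horizontal)


def count_blinks(ear_series, threshold=EAR_THRESHOLD, min_frames=MIN_CLOSED_FRAMES):
    """Count runs of at least min_frames consecutive frames with EAR below threshold."""
    blinks = 0
    closed = 0
    for ear in ear_series:
        if ear < threshold:
            closed += 1
        else:
            if closed >= min_frames:
                blinks += 1
            closed = 0
    if closed >= min_frames:          # run that lasts to the end of the clip
        blinks += 1
    return blinks


def passes_blink_check(frames):
    """frames: one six-landmark eye tuple per video frame. True if a blink was seen."""
    ears = [eye_aspect_ratio(f) for f in frames]
    return count_blinks(ears) >= 1


# Constructed landmark sets (pixel coordinates), not taken from any real face.
OPEN_EYE = [(0, 0), (10, 6), (20, 6), (30, 0), (20, -6), (10, -6)]    # EAR = 24/60 = 0.40
CLOSED_EYE = [(0, 0), (10, 1), (20, 1), (30, 0), (20, -1), (10, -1)]  # EAR = 4/60 ~ 0.067


def single_photo_video():
    """Attacker holds one still in front of the camera: no blink, check fails."""
    return [OPEN_EYE] * 23


def live_blink_video():
    """A real user blinking once in the middle of the clip."""
    return [OPEN_EYE] * 10 + [CLOSED_EYE] * 3 + [OPEN_EYE] * 10


def stitched_photo_video():
    """The same still, with two frames edited to paint the eyes shut and spliced in."""
    return [OPEN_EYE] * 10 + [CLOSED_EYE] * 2 + [OPEN_EYE] * 10


if __name__ == "__main__":
    for name, clip in [("single photo", single_photo_video()),
                       ("live blink", live_blink_video()),
                       ("stitched photo", stitched_photo_video())]:
        print(f"{name:15s} passes blink check: {passes_blink_check(clip)}")
```

The detector only sees landmark geometry per frame, so it has no way to tell a real eyelid from an edited frame or a paper mask with eye holes; "it blinked" is evidence that something blinked, not that the account holder did.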
Seems to me that this is a cheap, relatively smart piece of marketing, rather than a serious proposition - note the heartbeat and voice recognition ideas that they're also "experimenting" with.
Ok, so everyone has pointed out how insecure this would obviously be, and all the simple ways in which you could fool it.
But I'm left wondering, did the guys at MasterCard never even think this through at all? This is people's money, after all. It needs to be safe. Did they not even consider that, as soon as this is rolled out, people were going to see money disappear?
I can't believe they didn't think of that. Which makes me wonder, why am I even reading about this at all?
Credit card companies already have the perfect "security" measure: retroactive limited liability for stolen cards. Nobody loses money because someone steals their credit card.
As such, everything the card companies do in the name of "security" is not to prevent people from losing money—they don't need to solve that problem. They just need to solve the perception people have that credit cards are insecure. In other words, all credit card security (yes, even chip-and-pin) is security theatre. Whether it works or not, it's not there to work; it's there to feel good.
> Credit card companies already have the perfect "security" measure: retroactive limited liability for stolen cards. Nobody loses money because someone steals their credit card.
100% on that. Money is lost all the time, but thanks to that retroactive liability, the bank and/or merchant loses it instead of the consumer. Security for the consumer is already as good as it could possibly get, so they're really saving themselves and their merchants. This is a good thing, because they have a much more direct incentive to save themselves money than to save you money.
The cost of limited consumer liability for stolen cards is spread across all consumers in other card fees (perhaps hidden ultimately in network/merchant fees, and thus spread further in consumer prices.)
In a competitive credit card market (which we may not really have, but that's a different problem) an issuer reducing the incidence of loss would be able to compete better by either lowering charges or providing greater benefits while making the same profit, forcing other issuers to match those features or be driven out of the market.
Didn't they get the memo from Japan? http://pinktentacle.com/2008/06/magazine-photos-fool-age-ver...
They require the user to blink to protect against this sort of attack but there are workarounds.
Well, it just shows that banks and credit card issuers will go to any length to avoid implementing a proper PKI and secure transactions.
My only question is why?
Hahahahahaha. Remember that OS X login mode using your own selfie, where you could simulate blinking with a matchstick and log in with a photograph?
First I thought I mixed up my tabs and I am on 4chan instead of being on HN.
Another verification approach is to use voice, like WeChat does.
http://www.biometricupdate.com/201503/instant-messaging-app-...
OK, so who thinks it would be a good idea to post their credit card number and CVV2 code on their Facebook wall?
Because that's essentially what Mastercard has caused everyone to do here.
I don't even have a cell phone. And there is zero chance I would ever get one just so that SlaveCard will process payments for me. That whole industry is like the grandfather that clearly can't drive anymore but everyone's afraid to confront about taking the keys away... why is nobody willing to 'disrupt' these people already?
My question is:
"Selfie as a Password", - Is it really secure?
It's a terrible idea. It's a password you can't change, can't even choose, and leave lying about all over the place. It's everything a password shouldn't be.
Edit: after reading JoeAltmaier and thinking more about it, it's a terrible idea. You can't change it, it's easy to dupe. No. Just no.
I'll leave my original post though. :-)
I'd argue it's more or less the same as a PIN. Both could be gotten past with a determined attacker or a generic setup (camera for PIN/selfie).
In fact I'd say easier for certain people who post selfies on public sites, ripm. Cut and paste on x background.
The more I think about it, the stupider the idea sounds.