An increasing number of companies are working on new procedures that quickly and conveniently prove the identity of users making payments. Sascha Breite, Head of Future Payments at the payment specialist SIX Payment Services, gives the idea a reality check and examines other European initiatives
At the Mobile World Congress in Barcelona, MasterCard announced the launch of a new authentication solution: payment by ‘selfie’. This follows last summer’s announcement when MasterCard stated that it wanted to make passwords and payment codes superfluous.
The rise of the selfie is unstoppable. MasterCard is now counting on self-portraits for its payment procedures. Cardholders will soon be able to take a selfie at the supermarket cash register instead of entering a password in order to identify themselves as the genuine user. By the middle of 2016, MasterCard’s German customers should be able to prove their identity and authenticate payments using a selfie.
Following this, Selfie Pay is set to be launched in Austria in 2017. Ajay Bhalla, head of MasterCard’s security department is convinced that the ‘selfie generation’ will welcome and use the new feature.
Blink to beat misuse
For the procedure to work, users must install the MasterCard Selfie Pay app on their smartphone, tablet or PC, and save a sample picture of themselves. A unique code is created using the image data.
The selfie taken at the point of payment is then transmitted to MasterCard in an encrypted form and compared with the saved code. Alternatively, customers can prove their identity with their fingerprint, according to a BBC report. Once the user is successfully identified, all they need to do is confirm the transaction.
How well do you really know your competitors?
Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.
Your download email will arrive shortly
Not ready to buy yet? Download a free sample
We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below formBy GlobalData
However, cardholders must not forget to blink in the selfie. The software uses this eye movement as a means of ensuring that a fraudster is not just holding up a photo to the camera.
MasterCard seems to be aware that this security measure alone is insufficient. Yet to date, the company has only mentioned vaguely other security measures. A spokesman said that the system recognises attempts at fraud because it evaluates other data. However, security researcher Jan Krissler from the technical university of Berlin (TU Berlin) moved a pencil over the eyes of a photo – which a scanner interpreted as blinking and the software accepted the payment.
There are more extensive means of face identification by way of 3D models which offer significantly better fraud prevention but these are still in the development phase.
A password-free world?
Banks, financial institutions and payment service providers are working to create a world which functions without the need to input passwords. They are counting on unique biometric features, such as customers’ fingerprints or voices, or even the blood flow in their fingertips to authenticate payments.
"Consumers hate passwords," states Bhalla with conviction. Apparently the most-used password is 123456. This is in itself very insecure, but in addition many people also use the same password for multiple purposes. "If they are hacked, the intruder has access to almost all their data," explains Bhalla.
Payment by selfie is only one of a number of authentication initiatives currently being developed. In 2015, at CeBIT, Alibaba boss Jack Ma demonstrated the payment procedure ‘Smile to Pay’, an app that recognises and authenticates customers based on the shape of their face.
Google is currently testing a Hands Free app, and the UK’s Atom Bank is planning to introduce face scanners. In the UK, Barclays, has developed an authentication procedure that measures the bloodflow in a customer’s finger. Deutsche Bank is also planning to introduce biometric verification processes with a system that recognises whether the account holder or a third party is holding the mobile phone being used for a payment. Payment transfers are already feasible via fingerprinting at Deutsche Bank.
New EU directive on payment services
MasterCard tested Selfie Pay in a pilot program with 500 participants in the US and the Netherlands in 2015. According to a BBC report, it will be rolled out in 14 countries this summer, including the UK, France and Germany. The launch in Austria is scheduled for 2017.
Yet in countries such as Germany, where people are more concerned about data protection, MasterCard will not find it easy to convince people to make even more of their personal data available.
It is likely that MasterCard will not reveal any details on security until the service is launched. But an EU directive passed in 2015 obliges providers of mobile payment services to use a strict client authentication procedure through ‘the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is)’.
Ultimately, the more data companies gather, the more money they can demand for it. The amount of data that MasterCard, Google and others collect depends on customers’ habits – and whether they are prepared to change them. Time will tell whether users really prefer to constantly make photos of themselves rather than remembering a password. Some people therefore see MasterCard’s Selfie Pay app as a marketing stunt rather than a genuinely market changing development.
There is a school of thought that believes that fingerprint checks are simpler to implement and use in practice. It is clear, however, that MasterCard will attempt to persuade existing and new customers of the benefits of its new payment function. If it proves popular amongst the selfie generation, it may spread beyond this group to the wider population.