Authentication by ‘selfie’ - Will MasterCard bring a smile to the payments world? How secure is it and how has the market responded?

25 May 2016

An increasing number of companies are working on new procedures that quickly and conveniently prove the identity of users making payments. Sascha Breite, Head Future Payments at the payment specialist SIX Payment Services, gives the idea a reality check and examines other European initiatives.

At the Mobile World Congress in Barcelona, MasterCard announced the launch of a new authentication solution: payment by ‘selfie’. This follows last summer’s announcement, when MasterCard stated that it wanted to make passwords and payment codes superfluous.

The rise of the selfie is unstoppable. MasterCard is now counting on self-portraits for its payment procedures. Cardholders will soon be able to take a selfie at the supermarket cash register instead of entering a password in order to identify themselves as the genuine user. By the middle of 2016, MasterCard’s German customers should be able to prove their identity and authenticate payments using a ‘selfie’. Following this, "Selfie Pay" is said to be launched in Austria in 2017. Ajay Bhalla, the head of MasterCard's security department, is convinced that the "selfie generation" will welcome and use the new feature.

Blink to beat misuse

For the procedure to work, users must install the MasterCard app "Selfie Pay" on their smartphone, tablet or PC, and save a sample picture of themselves. A unique code is created using the image data. The selfie taken at the point of payment is then transmitted to MasterCard in an encrypted form and compared with the saved code. Alternatively, customers can prove their identity with their fingerprint, according to a BBC report. Once the user is successfully identified, all they need to do is confirm the transaction.

However, cardholders must not forget to blink in the selfie. The software uses this eye movement as a means of ensuring that a fraudster is not just holding up a photo to the camera. MasterCard seems to be aware that this security measure alone is insufficient. Yet to date, the company has only vaguely mentioned other security measures. A spokesman said that the system recognises attempts at fraud because it evaluates other data. However, security researcher Jan Krissler from the Technical University of Berlin (TU Berlin) moved a pencil over the eyes of a photo, which a scanner interpreted as blinking, and thus the software accepted the payment. There are more extensive means of face identification by way of 3D models, which offer significantly better fraud prevention, but these are still in the development phase.

Is the payments market moving to a password-free world?

Banks, financial institutions and payment service providers are working to create a world which functions without the need to input passwords. They are counting on unique biometric features, such as customers' fingerprints or voices, or even the blood flow in their fingertips to authenticate payments. "Consumers hate passwords," states Bhalla with conviction. Apparently the most-used password is 123456. This is in itself very insecure, but in addition many people also use the same password for multiple purposes. "If they are hacked, the intruder has access to almost all their data," explains Bhalla.

Payment by ‘selfie’ is only one of a number of authentication initiatives currently being developed. In 2015, at CeBIT, Alibaba boss Jack Ma demonstrated the payment procedure "Smile to Pay", an app that recognises and authenticates customers based on the shape of their face. Google is currently testing a "Hands Free" app and the UK's Atom Bank is planning to introduce face scanners. Barclays, a UK-based financial service provider, has developed an authentication procedure that measures the blood flow in a customer's finger. Deutsche Bank is also planning to introduce biometric verification processes with a system that recognises whether the accountholder or a third party is holding the mobile phone being used for a payment. Payment transfers are already feasible via fingerprinting at Deutsche Bank.

New EU directive on payment services

MasterCard tested "Selfie Pay" in a pilot program with 500 participants in the United States and the Netherlands in 2015. According to a BBC report, it will be rolled out in 14 countries this summer, including the UK, France and Germany. The launch in Austria is scheduled for 2017. Yet in countries like Germany, where people are concerned about data protection, MasterCard will not find it easy to convince people to make even more of their personal data available.

It is likely that MasterCard will not reveal any details on security until the service is launched. But an EU directive passed in 2015 obliges providers of mobile payment services to use a strict client authentication procedure through “the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is).”

Ultimately, the more data companies gather, the more money they can demand for it. The amount of data that MasterCard, Google & others collect depends on customers' habits – and whether they are prepared to change them. Time will tell whether users really prefer to constantly take photos of themselves rather than remember a password. Some people therefore see MasterCard’s "Selfie Pay" app as a marketing stunt rather than a genuinely market-changing development.

There is a school of thought that believes that fingerprint checks are simpler to implement and use in practice. It is clear, however, that MasterCard will attempt to persuade existing and new customers of the benefits of its new payment function. If it proves popular amongst the selfie generation, it may spread beyond this group to the wider population.