6 uses of facial recognition in payments
July 7, 2017 9:08 AM
Consumers have accepted the use of fingerprint authentication for mobile payments. But will they be as welcoming of facial recognition? A few companies are testing the waters.
Xaume Olleros/Bloomberg
The Apple effect
The
But the same arguments were made about using fingerprint recognition — a process once considered reminiscent of being placed under arrest — and consumers grew to accept Apple's Touch ID and recognize it as a secure alternative to typing a PIN or password for purchases. Time will tell if Apple can win consumers over to facial recognition as well.
Chris Ratcliffe/Bloomberg
Samsung's false start
The Samsung Galaxy Note 7 debuted in mid-2016 with an infrared camera that recognized the irises of its owner, enabling the user to unlock the phone just by looking at it.
This feature was overshadowed by the dangerous battery issues that led Samsung to recall all Note 7 phones, but it could have set the stage for iris and facial recognition in Samsung Pay.
Galaxy Note 7 were able to use iris scanner to authenticate Samsung Payments as an option alongside Samsung’s existing fingerprint scanner, and iris authentication takes less than a second, Samsung said.
Samsung isn’t the first handset maker to deploy an iris scanner—Microsoft supported a similar feature on two of its Lumia models introduced in 2015—but this is the first time an iris-scanning camera was made available on a smartphone model sold in all global markets, Samsung said.
This feature was overshadowed by the dangerous battery issues that led Samsung to recall all Note 7 phones, but it could have set the stage for iris and facial recognition in Samsung Pay.
Galaxy Note 7 were able to use iris scanner to authenticate Samsung Payments as an option alongside Samsung’s existing fingerprint scanner, and iris authentication takes less than a second, Samsung said.
Samsung isn’t the first handset maker to deploy an iris scanner—Microsoft supported a similar feature on two of its Lumia models introduced in 2015—but this is the first time an iris-scanning camera was made available on a smartphone model sold in all global markets, Samsung said.
Pau Barrena/Bloomberg
Mastercard's 'selfie pay'
Last year, Mastercard upgraded its SecureCode authentication process to Mastercard Identity Check, a fingerprint-or-facial recognition product more commonly known as "selfie pay ," an emerging authentication option in the payments industry.
The system was designed to automatically appear as an option at merchants that offer SecureCode, MasterCard's version of 3D Secure. Selfie pay is an alternative to the longtime process of prompting for a password during checkout to verify the cardholder's identity.
To implement this upgrade, only the issuer needs to make any changes, said Catherine Murchie, senior vice president for processing and enterprise security and network solutions at Mastercard Inc., in an interview at SourceMedia's Card Forum and Expo in Los Angeles last year.
"Any merchant that's SecureCode enabled today … they don't have to do anything different," nor do they need to know that the change is coming, she said. "Essentially what we're doing is replacing the password with a biometric."
The system was designed to automatically appear as an option at merchants that offer SecureCode, MasterCard's version of 3D Secure. Selfie pay is an alternative to the longtime process of prompting for a password during checkout to verify the cardholder's identity.
To implement this upgrade, only the issuer needs to make any changes, said Catherine Murchie, senior vice president for processing and enterprise security and network solutions at Mastercard Inc., in an interview at SourceMedia's Card Forum and Expo in Los Angeles last year.
"Any merchant that's SecureCode enabled today … they don't have to do anything different," nor do they need to know that the change is coming, she said. "Essentially what we're doing is replacing the password with a biometric."
David Paul Morris/Bloomberg
Android Pay add-on?
An upcoming release of Android Pay may have a biometric facial recognition component named “Visual ID," according to a report from 9to5Google based on a teardown of the app. This functionality could be an extension of lessons learned from the recently mothballed Google Hands Free initiative.
The closest Google has come to facial recognition in the past was its Hands Free concept, which displayed a photo of the shopper to the cashier for verification. This concept resembled a model that PayPal and Square have separately experimented with, but didn't let the device itself play a role in verifying the user by his or her looks. It also relied on human judgment and, therefore, invited human error.
One of the main benefits of facial biometrics is the ability to authenticate someone passively from a distance, compared to other biometric capture such as fingerprint and iris scanning that may be perceived as more intrusive and even Orwellian. This can have benefits in terms of fraud reduction, but raises implications for the customer service environment.
Speed can be another factor. Google Hands Free was tested primarily in McDonald's and Papa John’s restaurants, where business margins are dependent on processing as many customers as possible during business hours. Facial biometrics could cut down on the time the cashier spends handling the payment, even initiating the transaction before the customer gets to the register.
The closest Google has come to facial recognition in the past was its Hands Free concept, which displayed a photo of the shopper to the cashier for verification. This concept resembled a model that PayPal and Square have separately experimented with, but didn't let the device itself play a role in verifying the user by his or her looks. It also relied on human judgment and, therefore, invited human error.
One of the main benefits of facial biometrics is the ability to authenticate someone passively from a distance, compared to other biometric capture such as fingerprint and iris scanning that may be perceived as more intrusive and even Orwellian. This can have benefits in terms of fraud reduction, but raises implications for the customer service environment.
Speed can be another factor. Google Hands Free was tested primarily in McDonald's and Papa John’s restaurants, where business margins are dependent on processing as many customers as possible during business hours. Facial biometrics could cut down on the time the cashier spends handling the payment, even initiating the transaction before the customer gets to the register.
QILAI SHEN/QILAI SHEN
Anti-money laundering effort
Security at ATMs in the island region of Macau will require cardholders from mainland China to scan their UnionPay cards and also pass a facial recognition scan prior to withdrawing cash as the government seeks to crack down on money laundering in the territory and restrict cash flow out of China.
As the only Chinese region to permit gambling, Macau government officials said the island has become a haven for criminals and tax dodgers seeking to launder their cash, pushing down the value of the Renminbi and draining capital reserves.
Macau authorities have yet to give a timeline for the roll out of facial recognition measures, although the initial effort will concentrate on ATMs installed in casinos, according to a government statement issued in May.
"Customers with bank cards issued in Macau and other regions do not need the [facial recognition] procedure and can carry out withdrawals as usual," a government official stated. "Financial institutions will closely monitor the situation of customer use."
As the only Chinese region to permit gambling, Macau government officials said the island has become a haven for criminals and tax dodgers seeking to launder their cash, pushing down the value of the Renminbi and draining capital reserves.
Macau authorities have yet to give a timeline for the roll out of facial recognition measures, although the initial effort will concentrate on ATMs installed in casinos, according to a government statement issued in May.
"Customers with bank cards issued in Macau and other regions do not need the [facial recognition] procedure and can carry out withdrawals as usual," a government official stated. "Financial institutions will closely monitor the situation of customer use."
Glevalex - stock.adobe.com
Finding new hacks
Biometric authentication may be a huge step up from older methods such as passwords and PINs, but it is not a silver bullet.
Tworecent hacks by researchers have highlighted vulnerabilities in biometric systems used in banking and payments.
The first was a breach of HSBC’s voice biometrics phone banking system by a BBC reporter and his non-identical twin brother. The second, a hack of Samsung’s Galaxy S8 iris scanning authentication by taking a picture of the subject's face, printing it on paper, superimposing a contact lens, and holding the image in front of the camera of a locked Galaxy S8. While somewhat embarrassing for both companies involved, it is worth putting these breaches into context as omitting the bigger picture: These so-called vulnerabilities are way more convoluted than stealing a password or PIN.
The advantage of biometrics (what you are) over passwords and PINs (what you know) can be distilled to a single factor — what you know can be easily shared.
The HSBC and Samsung hacks are less like a stolen PIN and more like fraud committed by a friend or family member. These forms of fraud are already on the radar of many banks and merchants, which know that a relative is more likely to be able to answer challenge questions or guess passwords than a complete stranger would be.
This is a separate category of fraud, and it doesn't negate the value of challenge questions for the general population.
Two
The first was a breach of
The advantage of biometrics (what you are) over passwords and PINs (what you know) can be distilled to a single factor — what you know can be easily shared.
The HSBC and Samsung hacks are less like a stolen PIN and more like fraud committed by a friend or family member. These forms of fraud are already on the radar of many banks and merchants, which know that a relative is more likely to be able to answer challenge questions or guess passwords than a complete stranger would be.
This is a separate category of fraud, and it doesn't negate the value of challenge questions for the general population.
