Mastercard’s Selfie ID: Playing Russian Roulette with consumer identities?

André Malinowski, Head of International Business at Computop

At this week’s Mobile World Congress in Barcelona, MasterCard announced it will accept selfie photographs and fingerprints as an alternative to passwords when verifying IDs for online payments.

By the summer, consumers will be able to purchase online without a PIN code, password or confirmation code.
Instead, they will download an application to their PC, tablet or smartphone and take a ‘selfie’ picture, which is matched against a stored image on file to approve the payment.

The new biometric system is, says MasterCard, the first of a number of new biometric services designed to improve identity verification for mobile phone payments and other wearable devices. The company is also testing voice and iris scanning as a means of authenticating credit card transactions.

And, according to MasterCard, consumers love the selfie pay approach. Trials in the Netherlands and US found that 92% of participants preferred the new approval system to passwords.

You can understand the appeal of the proposition for consumers looking for convenience. Meanwhile, MasterCard aims to use this technology to reduce the number of false transaction declines that cost it dear: in the past year, the value of false declines has hit $118bn per annum – more than 13 times the total amount lost annually to card fraud.

It’s also easy to see why MasterCard is keen to move forward with this innovative technology. Removing barriers to purchase increases conversion rates. What’s more, every time a user loses their password or PIN, it’s a cumbersome process for card issuers to manage.

However, security experts have already expressed concerns that it might be easy to spoof the system – which after all, is delivered to consumers via an app. Others have highlighted that facial scans and fingerprint sensors can be compromised.

Compliance

But there are bigger questions to be considered here. Whilst not ideal, passwords can be changed. Fingers and fingerprints can’t be. As an industry we need bulletproof methods of storing this data securely before we play Russian Roulette with people’s identities.

User devices are notoriously prone to penetration by cyber criminals – whether as a result of users modifying their devices, overriding device security settings, or transacting online over unsecured public WiFi. This means biometric data will need to be encrypted to ensure it cannot be stolen – otherwise we open a whole new vector for identity theft.

What’s more, rigorous PCI standards already exist to protect users and merchants, especially where liability is concerned should things go wrong. What’s not clear in this scenario is whether liability will shift – and to whom.

The new General Data Protection Regulation (GDPR) comes into force in 2018 and brings with it some punishing requirements when it comes to sensitive personal data like biometric data – which must be afforded ‘enhanced’ protection. That has significant implications for organisations, triggering the need for an organisational Data Protection Impact Assessment.

At the moment, the MasterCard ‘selfie ID’ is designed to offer a convenient second authentication factor for online credit card payments, in addition to the credit card number itself. But it opens the way for biometrics to become a primary payment authorisation instrument.

Done right, biometric data could open the way to a more secure, more convenient way of transacting online. But data breaches are a major issue, which makes a ‘belt and braces’ approach to every aspect of the system vital.