Long story short, it's a bad idea, and it's really not secure.
The idea to protect against this kind of replay attack was that if the algorithm was unsure of the scan it could request a new one, validate it and present it to the user in case of low confidence biometric match or high confidence forgery: the point being that humans are good at detecting the kind of tampering that could fool an algorithm and vice versa.
This required sending the biometric scan to the peer and validating it on the other side of the communication channel instead of on the device.
Well, we weren't technically using it as a password in the end; I guess I'll have a closer look at what they're doing, and check if that old patent is still good. Eheh, not that I have any rights to it left, of course.
>"The Americans have need of the telephone, but we do not. We have plenty of messenger boys." -- Sir William Preece, chief engineer of the British Post Office, 1876.
Radio, planes and X-rays:
>"Radio has no future. Heavier-than-air flying machines are impossible. X-rays will prove to be a hoax." -- William Thomson, Lord Kelvin, British scientist, 1899.
The Grand Canyon:
>"Ours has been the first, and doubtless to be the last, to visit this profitless locality." -- Lt. Joseph Ives, after visiting the Grand Canyon in 1861.
Oil drilling:
>"Drill for oil? You mean drill into the ground to try and find oil? You're crazy." -- Workers whom Edwin L. Drake tried to enlist to his project to drill for oil in 1859.
Nuclear energy:
>"There is not the slightest indication that nuclear energy will ever be obtainable. It would mean that the atom would have to be shattered at will." -- Albert Einstein, 1932.
Germ theory:
>"Louis Pasteur's theory of germs is ridiculous fiction." -- Pierre Pachet, Professor of Physiology at Toulouse, 1872.
Brain surgery:
>"The abdomen, the chest, and the brain will forever be shut from the intrusion of the wise and humane surgeon." -- Sir John Eric Ericksen, British surgeon, appointed Surgeon-Extraordinary to Queen Victoria 1873.
All taken from: http://www.rinkworks.com/said/predictions.shtml
The first postal services were formed long before that; there were definitely some in the late 17th century, and may have been earlier.
"What do you mean you did not pay for a hooker and rum in Amsterdam? Then who is this in a selfie you took?" > shows a selfie some hacker stole from the poor eejit's Lifeinvader page.
> shows a selfie [taken from somewhere]
The software only sends a hash of the "map" of the face to Mastercard for comparison (or so an earlier Dutch article on security.nl put it). They can never show you the original image again.
1. Look for the user's YouTube, Facebook, and other social media for photos/video.
2. Video chat and record them.
3. Find them IRL and record them.
4. Print a mask of that person, and leave eye holes. Now you blink instead.
Ridiculous.
http://images2.fanpop.com/images/photos/5000000/The-Fifth-El...
So it looks like it is coming to the US, slowly but surely.
Mastercard is one of the companies trying really hard to prevent PIN numbers from happening.
It's almost as if an executive heard that "biometric" is happening, and decided to take a bet on it.
The main thing seems to be that it's not just facial recognition: you can use a fingerprint scanner (assuming your phone has one) instead, and it requires you to blink while you're being scanned by the app. So it doesn't seem to be just static image recognition; it's looking at the video stream to ensure that your face is there and that it can blink (getting around the 'just hold a photo in front of the camera' problem).
[1] http://money.cnn.com/2015/07/01/technology/mastercard-facial...
I'll do you one better: you could probably make a print-out paper 'mask' of a person's face and just blink yourself, or something similar. This kind of tech isn't always as smart as we think.
But I'm left wondering, did the guys at Mastercard never even think this through at all? This is people's money, after all. It needs to be safe. Did they not even consider that, as soon as this is rolled out, people were going to see money disappear?
I can't believe they didn't think of that. Which makes me wonder, why am I even reading about this at all?
As such, everything the card companies do in the name of "security" is not to prevent people from losing money—they don't need to solve that problem. They just need to solve the perception people have that credit cards are insecure. In other words, all credit card security (yes, even chip-and-pin) is security theatre. Whether it works or not, it's not there to work; it's there to feel good.
100% on that. Money is lost all the time, but thanks to that retroactive liability, the bank and/or merchant loses it instead of the consumer. Security for the consumer is already as good as it could possibly get, so they're really saving themselves and their merchants. This is a good thing, because they have a much more direct incentive to save themselves money than to save you money.
In a competitive credit card market (which we may not really have, but that's a different problem), an issuer reducing the incidence of loss would be able to compete better by either lowering charges or providing greater benefits while making the same profit, forcing other issuers to match those features or be driven out of the market.
My only question is why?
Another verification approach is to use voice, like WeChat does.
http://www.biometricupdate.com/201503/instant-messaging-app-...
Because that's essentially what Mastercard has caused everyone to do here.
"Selfie as a Password" - Is it really secure?
I'll leave my original post up though. :-)
I'd argue it's more or less the same as a PIN. Both could be gotten past with a determined attacker or a generic setup (camera for PIN/selfie).
In fact I'd say it's easier for certain people who post selfies on public sites: rip 'em, cut and paste on X background.
The more i think about it, the stupider the idea sounds.