6 uses of facial recognition in payments

Published
  • July 07 2017, 9:08am EDT

Consumers have accepted the use of fingerprint authentication for mobile payments. But will they be as welcoming of facial recognition? A few companies are testing the waters.

The Apple effect

Apple is testing 3-D facial scanning, eyeing the technology for logins and payment approvals as an addition to the iPhone 8, Bloomberg reported, citing anonymous sources. Apple has never responded to requests for confirmation about speculation that surfaces in the media, especially on technology sites or those devoted specifically to following Apple rumors or patents.

The Federal Trade Commission has long touted facial recognition as a key safety tool in mobile commerce, social networks and any other financial or health process in which personal data needs protection, while phone manufacturers and card brands have their eyes set firmly on device authentication and, in turn, payment security. But the road to facial recognition moves down a slippery slope in some instances, not the least of which is consumer knowledge and adoption.

But the same arguments were made about using fingerprint recognition — a process once considered reminiscent of being placed under arrest — and consumers grew to accept Apple's Touch ID and recognize it as a secure alternative to typing a PIN or password for purchases. Time will tell if Apple can win consumers over to facial recognition as well.

Content Continues Below

Samsung's false start

The Samsung Galaxy Note 7 debuted in mid-2016 with an infrared camera that recognized the irises of its owner, enabling the user to unlock the phone just by looking at it.

This feature was overshadowed by the dangerous battery issues that led Samsung to recall all Note 7 phones, but it could have set the stage for iris and facial recognition in Samsung Pay.

Galaxy Note 7 were able to use iris scanner to authenticate Samsung Payments as an option alongside Samsung’s existing fingerprint scanner, and iris authentication takes less than a second, Samsung said.

Samsung isn’t the first handset maker to deploy an iris scanner—Microsoft supported a similar feature on two of its Lumia models introduced in 2015—but this is the first time an iris-scanning camera was made available on a smartphone model sold in all global markets, Samsung said.

Mastercard's 'selfie pay'

Last year, Mastercard upgraded its SecureCode authentication process to Mastercard Identity Check, a fingerprint-or-facial recognition product more commonly known as "selfie pay," an emerging authentication option in the payments industry.

The system was designed to automatically appear as an option at merchants that offer SecureCode, MasterCard's version of 3D Secure. Selfie pay is an alternative to the longtime process of prompting for a password during checkout to verify the cardholder's identity.

To implement this upgrade, only the issuer needs to make any changes, said Catherine Murchie, senior vice president for processing and enterprise security and network solutions at Mastercard Inc., in an interview at SourceMedia's Card Forum and Expo in Los Angeles last year.

"Any merchant that's SecureCode enabled today … they don't have to do anything different," nor do they need to know that the change is coming, she said. "Essentially what we're doing is replacing the password with a biometric."

Android Pay add-on?

An upcoming release of Android Pay may have a biometric facial recognition component named “Visual ID," according to a report from 9to5Google based on a teardown of the app. This functionality could be an extension of lessons learned from the recently mothballed Google Hands Free initiative.

The closest Google has come to facial recognition in the past was its Hands Free concept, which displayed a photo of the shopper to the cashier for verification. This concept resembled a model that PayPal and Square have separately experimented with, but didn't let the device itself play a role in verifying the user by his or her looks. It also relied on human judgment and, therefore, invited human error.

One of the main benefits of facial biometrics is the ability to authenticate someone passively from a distance, compared to other biometric capture such as fingerprint and iris scanning that may be perceived as more intrusive and even Orwellian. This can have benefits in terms of fraud reduction, but raises implications for the customer service environment.

Speed can be another factor. Google Hands Free was tested primarily in McDonald's and Papa John’s restaurants, where business margins are dependent on processing as many customers as possible during business hours. Facial biometrics could cut down on the time the cashier spends handling the payment, even initiating the transaction before the customer gets to the register.

Content Continues Below

Anti-money laundering effort

Security at ATMs in the island region of Macau will require cardholders from mainland China to scan their UnionPay cards and also pass a facial recognition scan prior to withdrawing cash as the government seeks to crack down on money laundering in the territory and restrict cash flow out of China.

As the only Chinese region to permit gambling, Macau government officials said the island has become a haven for criminals and tax dodgers seeking to launder their cash, pushing down the value of the Renminbi and draining capital reserves.

Macau authorities have yet to give a timeline for the roll out of facial recognition measures, although the initial effort will concentrate on ATMs installed in casinos, according to a government statement issued in May.

"Customers with bank cards issued in Macau and other regions do not need the [facial recognition] procedure and can carry out withdrawals as usual," a government official stated. "Financial institutions will closely monitor the situation of customer use."

Finding new hacks

Biometric authentication may be a huge step up from older methods such as passwords and PINs, but it is not a silver bullet.

Two recent hacks by researchers have highlighted vulnerabilities in biometric systems used in banking and payments.

The first was a breach of HSBC’s voice biometrics phone banking system by a BBC reporter and his non-identical twin brother. The second, a hack of Samsung’s Galaxy S8 iris scanning authentication by taking a picture of the subject's face, printing it on paper, superimposing a contact lens, and holding the image in front of the camera of a locked Galaxy S8. While somewhat embarrassing for both companies involved, it is worth putting these breaches into context as omitting the bigger picture: These so-called vulnerabilities are way more convoluted than stealing a password or PIN.

The advantage of biometrics (what you are) over passwords and PINs (what you know) can be distilled to a single factor — what you know can be easily shared.

The HSBC and Samsung hacks are less like a stolen PIN and more like fraud committed by a friend or family member. These forms of fraud are already on the radar of many banks and merchants, which know that a relative is more likely to be able to answer challenge questions or guess passwords than a complete stranger would be.

This is a separate category of fraud, and it doesn't negate the value of challenge questions for the general population.