Photographic evidence
By Dave Birch posted May 4 2010 at 5:09 PM[Dave Birch] I got involved in an interesting discussion about photos as an authentication method at POS following on from Erin McCune's excellent reports from Payments 2010 discussing Facecash, amongst other things. Facecash displays a picture of the "card" holder at POS as an authentication mechanism, which sounds as if should add a great deal of security to the payments process and deter criminals, but I'm not so sure that this will work. Citibank had a go at putting photos on credit cards nearly twenty years ago but found, as did (as far as I can remember) RBS in the UK, that it actually doesn't make a difference.
Many people choose to have their pictures on their debit and credits, but KFOX found out they actually do little to keep your accounts from being used without permission.
[From KFOX Investigates: Are Photos On Credit Cards Effective? - News Story - KFOX El Paso]
I recall working with a retailer on EMV migration some years ago, and they specifically instructed their staff not to look at any photos on payment cards because they didn't want their staff to be put at risk for refusing. "Computer says no" is acceptable in modern Britain whereas "I'm sorry tattooed thug with rottweiler on chain, you don't look like Mrs. Doris Finklestein" will get you stabbed. The retailers want the POS to say yes or no, and they didn't want to have to make any judgements about risk: that's what they pay the banks for.
One way around this problem is to get the POS to make the judgement call by having it do the face recognition. Unfortunately, this doesn't work as well in practice as it does in the laboratory, as was discovered in a recent UK pilot.
UK border officials at Manchester airport allege the machines have been recalibrated so that passengers shown as having just a 30% likeness to their passport photographs are being let into the country. The devices are designed to check the faces of British and European passengers against their digital passports.
The machines started to throw up numerous false alarms because the software failed to match the faces of law-abiding passengers with pictures on their passports as they stood in the booths... This weekend Rob Jenkins, one of Britain’s leading authorities on facial recognition, said such a reduction in the matching threshold would make the machines unable to distinguish between Osama Bin Laden and Winona Ryder, the Hollywood actress.
[From ‘Rigged’ face scan airport security risk - Times Online]
It won't be like this for ever. When the POS can do biometric authentication (not identification, note) with the right performance curves -- remember the Touch2ID pitch at the Digital Money Forum -- then I am sure that the industry will switch fairly quickly. Incidentally,
According to researchers at the University of Bath, England, the nose is both unique and easily scanned in a crowd, making it the perfect biometric identification marker.
[From Noses Beat Eyes as a Biometric Identification Marker | Popular Science]
I suspect that iris-at-a-distance might be a more plausible technology path, but who nose (yuk yuk). However, none of these technologies will define the market path of this approach, because the key factor is liability. If the retailer has to accept liability for a card that is used by someone who is not the person pictured on the card or iPhone, then I suspect that the retailers will refuse to accept the card or iPhones. On the other hand, if the retailer is not liable, then they won't bother looking at the picture and the biometric will not enhance security (in fact, from the cardholder's perspective it will make matters worse because when you dispute a transaction you will be told that you must have made the transaction because the retailer was shown your picture).
These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]
Comments