Following the news that Mastercard is allowing online shoppers to take a selfie to verify their identity for payments, security experts from ESET, Redscan, AlienVault and NuData Security commented below.

Mark James, Security Specialist at ESET:

“With mobile technology being incorporated into our daily lives it was only a matter of time before security was integrated into those devices. Touch ID and fingerprint options have enabled us to unlock our phones and laptops without the need to enter passwords for all to see. Biometrics have always been seen as the next stage in security moving on from passwords, but what we need to understand is that for security to be effective it needs to be multi-layered. By using biometrics we need to encourage the user to have stronger unique passwords, passphrases or passcodes as a backup.

Face and retina recognition has long been used in sci-fi films to confirm identity and is seen to be the next step in keeping the average public safe when purchasing in store and online. In addition to this, if it encourages users to think more about their security and forces them to better protect their identities then that has to be a good thing in my opinion.”

Robert Page, Lead Penetration Tester at Redscan:

“User passwords are typically the easiest point of attack in computer systems and this is driving increased adoption of biometric authentication systems. These systems, whilst typically more secure, can pose their own set of issues however. For instance, if biometric information is captured and used by an attacker, it’s not possible for a user to change his or her imprint as they would a password.

Mastercard’s implementation of facial recognition requiring a user to blink appears to be a novel solution to prevent others from taking a picture of a user. The effectiveness of its implementation is yet to stand the test of time however.”

Javvad Malik, Security Advocate at AlienVault:

“The use of a selfie as an authentication mechanism may seem like something that a millennial cooked up whilst browsing Instagram one night.

However, payments have always been about risk management. Banks have typically been good about walking the line between convenience and security.

From a security viewpoint, financial fraud will never be completely eradicated, and increasing security too much will inconvenience users – so for banks it’s a fool’s errand. Rather, the controls needed should be sufficient to keep fraud within tolerances whilst providing customers with a convenient experience.

This is where selfie pay seems like it is trying to bridge the gap between a fully authenticated method, such as chip and PIN – and an unauthenticated method such as contactless.

The issues that are present are similar to any of the issues that exist with any biometric technology, in that there will be a number of questions users and privacy advocates will be asking. Such as how will the pictures be used; will they be saved? Will the data be shared with advertisers, or other online channels?”

Robert Capps, VP of Business Development at NuData Security:

“The username and password authentication framework is still the sole method of verifying consumer identity in many non-face-to-face transactions. The problem with it is that it’s proven to be about as waterproof as an open window. Multiple ongoing breaches, with tens, no, hundreds of millions of lost records, should be enough to call into question its validity as an authentication method.

As consumers, we’ve essentially put ourselves in the situation of giving multiple copies of our front door key to complete strangers, and asking them to protect them, with the full knowledge that some can’t, or won’t. We play this game, one with horrible odds, every time we give our keys away using single-point authentication. Even attempts to fix this archaic system have been lacklustre, with weak auxiliary authentication schemes being duct taped over the top of a weak framework, such as SMS challenges, and secret questions and answers, it’s no wonder that consumer authentication is a mess.

Where these techniques fail is that they are just as prone to being stolen via phishing attacks, breaches, malware, social engineering, and a cornucopia of other methods, in just the same way as passwords.

For most banks, traditional online authentication boiled down to a choice between “effective”, “easy” and “low friction”, where you can only pick two options. The option usually left out of the mix, was customer experience. Banks, in particular, need to provide customers with security reassurance, the security guard at the front door, if you will. Username and password authentication, layered with varieties of 2FA provide some of this visual reassurance, but do little in the way of actual security – and banks know that customers also require real protection too.

Physical biometrics has been touted as the new generation of security for a while now, and it’s starting to lose its glossy shine. Fingerprint and retinal scans seem impressive in movies, but fall far short of true authentication in the real world – especially in non-face-to-face interactions. Just like passwords, high resolution copies of fingerprints can be stolen, copied and stored (just check out this WikiHow if you don’t believe it). The OPM breach is a disastrous example that will likely have ripple effects for several years. Any physical biometric also has the added negative consequence of not being replaceable, meaning that while you can change your password you can’t change your fingerprint or retina. Once they are stolen, it’s a lifelong risk that you can’t make right again.

Many large companies and banks are looking to multi-layered solutions as the future in authentication, realizing that single-point identity verification is inadequate. Advances in behavioural tracking technologies that monitor customer behaviour, by way of analysing hundreds of human interactional signals, have injected new life into the authentication scheme and enlivened the whole multi-factor security paradigm.

Banks have discovered that a deep data-driven understanding of how good customers behave gives them the ability to find better ways to protect and service them. It’s reimagined security as a customer service, empowering banks to reduce customer friction for good customers, and introduce more of it when needed.

Perhaps the greatest advantage of these new behavioural authentication technologies, however, is that they provide real security for customers and their accounts because they disarm hackers of their main weapon – personally identifiable information, and usernames and passwords. Unable to successfully replicate the behavioural interaction profile of a legitimate user, hackers can’t get past the test, so we’ve effectively made their entire quest for the keys pointless.

Banks can now access technologies that build a user behavioural profile that is then used for authentication without the customer being aware of its existence. Completely invisible, and operating behind the scenes, this technology can determine if the user is legitimate based on how they have acted in the past, and how other humans with good intentions act.

Maybe we shouldn’t be so quick to rid ourselves of usernames and passwords though. Even physical biometrics can still have a place in the authentication scheme. These obvious security measures help reassure customers that the bank is secure, and provide valuable touchpoints for further intelligence about the customer interaction. They also add to the completeness of the ongoing customer behavioural biometric profile. In an ironic twist of fate, they could even serve as a kind of ‘bait’ to lure hackers into wasting their time and resources collecting data that will eventually prove useless to them. How fun would it be to turn the tables?!”

Information Security Buzz