NEW YORK — This fall, MasterCard will start experimenting with a new program: approving online purchases with a facial scan.
At checkout, you’ll be asked to hold up your phone and snap a photo. MasterCard’s thinking? It’s easier than remembering a password.
“The new generation, which is into selfies … I think they’ll find it cool. They’ll embrace it,” said Ajay Bhalla, who’s in charge of coming up with innovative solutions for MasterCard’s security challenges.
This is MasterCard’s way of cutting down fraud.
Currently, customers can set up something called “SecureCode,” which requires a password when shopping online. This stops credit-card-number-stealing hackers from actually using your card on the Web. It was used in 3 billion transactions last year, the company said.
But passwords get forgotten, stolen, or intercepted. So, banks are following Apple’s lead. The iPhone’s fingerprint scanner started a security revolution in 2013. Apple Pay showed that customers are willing to use biometrics to prove their identity.
MasterCard will launch a small pilot program that uses fingerprints — but also facial scans. It’ll be a limited experiment involving 500 customers. Once it works out all the kinks, MasterCard plans to launch it publicly.
To pull this off, MasterCard said it has partnered with every smartphone maker, including Apple, BlackBerry, Google, Microsoft, and Samsung. The credit card company is still finalizing deals with two major banks, so it wasn’t ready to say whose customers will get this first.
How it works
You have to download the MasterCard phone app to use the feature.
MasterCard said a pop-up will ask for your authorization after you pay for something (the company did not demonstrate a working version to CNNMoney).
If you choose fingerprint, all it takes is a touch. If you go with facial recognition, you stare at the phone — blink once — and you’re done. MasterCard’s security researchers decided blinking is the best way to prevent a thief from just holding up a picture of you and fooling the system.
MasterCard said it doesn’t actually get a picture of your finger or face. All fingerprint scans will create a code that stays on the device. The facial recognition scan will map out your face, convert it to 1s and 0s and transmit that over the Internet to MasterCard.
Bhalla promised that MasterCard won’t be able to reconstruct your face — and that the information would transmit securely and remain safe on the company’s computer servers.
This makes some cybersecurity experts uncomfortable. They prefer that your data stay on your phone.
“I understand why they’d want that data, but no, I do not like it,” said Robert M. Lee, co-founder of consulting firm Dragos Security. “From a privacy aspect it’s awful — but from a business perspective, I don’t understand why they’d accept that risk.”
Keeping this kind of information in one location makes it more tempting to hack. But there’s some faith that MasterCard can adequately protect it.
“They’re storing an algorithm, not a picture of you. And I’m sure they’re doing the appropriate stuff to guard it,” said Phillip Dunkelberger, who runs his own biometrics technology company, Nok Nok Labs.
MasterCard is only at the testing phase, company representatives noted. It might end up keeping facial scans on the device in the long run.
It doesn’t end here. Bhalla said MasterCard is also experimenting with voice recognition, so you’ll be able to simply approve an online transaction by speaking to your phone.
MasterCard is also working with a Canadian firm, Nymi, to develop technology that will approve transactions by recognizing your unique heartbeat. That means no interruptions.