Chip And PIN Meets Facial Recognition: Chipping Away At Privacy, Pinning You Down In A Database

from the are-you-sure-you've-thought-this-through? dept

As part of President Obama's BuySecure initiative, US merchants and the public are being encouraged to adopt the Chip and PIN technology for credit, debit, and other payment cards. As the announcement in October last year noted, these Chip and PIN cards have been used for some years in other parts of the world, notably Europe and Canada. For all the technology's vaunted security, there are inevitably still weaknesses that can be exploited, as with any system. That was true five years ago, and it's still true now, as shown by this story on the BBC Web site about one company's idea for reducing Chip and PIN fraud:

One of the biggest payments processing companies has revealed it is developing a chip-and-pin terminal that includes facial recognition technology.

Worldpay's prototype automatically takes a photo of a shop customer's face the first time they use it and then references the image to verify their identity on subsequent transactions.
The company admits that the system is unlikely to be perfect:
Worldpay is not suggesting that shoppers be blocked from making payments if its computer system failed to make a match.

Rather, it suggests that tills would display an "authorisation needed" alert, prompting shop staff to request an additional ID, such as a driving licence.
It's only an experimental idea at present, but Worldpay says it could roll it out to the 400,000 retailers that use its system within five years if there's sufficient interest. That would obviously create rather a large collection of facial biometrics, which raises questions of how they would be stored. But don't worry, Worldpay has got that sorted:
The firm says it would store the captured images in a "secure" central database.
Well, that shouldn't be a problem, then -- provided you remember to change your face when that database gets broken into….

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: chip and pin, credit cards, facial recognition, payments, privacy
Companies: worldpay


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    avideogameplayer, 2 Oct 2015 @ 12:14am

    Forget broken into, that's stuff the Gov't would love to get their hands on...

    link to this | view in chronology ]

  • icon
    lfroen (profile), 2 Oct 2015 @ 12:16am

    ... and what exactly is a problem?

    Sorry, but I just can't see a problem here. My photo and name is not a secret. You don't even need "secured database" for this.
    Credit card info _is_ a secret, and breaking into _this_ database is a crime very similar to bank robbery.
    Now, let's say someone does break into and steal those "biometrics". You can't wear someone else face in "mission impossible" style, and "technology" for stealing money more directly already exists: it's called gun/knife.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 2 Oct 2015 @ 12:26am

      Re: ... and what exactly is a problem?

      Uhh, yes you can, and with current technologies, to boot.

      Compromising this database give you core personal access to data that neither the government nor criminals should have access to. EVER.

      link to this | view in chronology ]

    • icon
      PaulT (profile), 2 Oct 2015 @ 2:14am

      Re: ... and what exactly is a problem?

      You also can't revoke or reissue your biometrics if your data is compromised. You think it's bad now when your credit card information is compromised, wait until it's your face...

      ""technology" for stealing money more directly already exists: it's called gun/knife."

      Yeah, and if people are going to be trying to compromise my bank account, I'd rather they did it from card data they skimmed than needing me to have my face in front of them.

      link to this | view in chronology ]

      • identicon
        Anonymous Coward, 2 Oct 2015 @ 5:10am

        Re: Re: ... and what exactly is a problem?

        BigGiveAShitCorp: Were sorry, your info has been compromised. You might want to consider a face transplant.

        link to this | view in chronology ]

    • identicon
      Anonymous Coward, 2 Oct 2015 @ 3:48am

      Re: ... and what exactly is a problem?

      You can't wear someone else face in "mission impossible" style,

      No, but someone with access to the database can change the photograph used to identify the card holder.

      link to this | view in chronology ]

    • icon
      John Fenderson (profile), 2 Oct 2015 @ 5:53am

      Re: ... and what exactly is a problem?

      "Sorry, but I just can't see a problem here."

      The problem is that the images are being put into a database, which when combined with the other databases increases the ease and comprehensiveness of corporate and governmental surveillance.

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 2 Oct 2015 @ 12:28am

    Cash is king

    So this database will be full of pictures of me taking out money at the ATM.

    What I spend it on.....

    link to this | view in chronology ]

    • identicon
      mcinsand, 2 Oct 2015 @ 7:21am

      Re: Cash is king...for now

      Decades ago, Analog published a short story where the protagonist was dealing with societal issues associated with using cash. The premise seemed ridiculous, back then. After all, who would assume that, just because you possess something that can be misused that you are going to do so. After all, that's as ridiculous as assuming that, just because you use BitTorrent to download fresh OS ISOs that you must also be using it to pirate music or software. Alternately, you could be judged to be planning to make illegal copies of something because you're buying a pack of blank DVD's.

      The main hangup I had with the short story was that the premise seemed ridiculous. It doesn't seem so today. I can see a campaign to throw suspicion on individuals that use cash for transactions. Cash can be exchanged anonymously, so anyone that uses cash must 'obviously' have something to hide. I fear that is just around the corner, as an effort to make our movements easier to track by the cards we use.

      link to this | view in chronology ]

    • icon
      John Fenderson (profile), 2 Oct 2015 @ 10:18am

      Re: Cash is king

      "this database will be full of pictures of me taking out money at the ATM."

      That database already exists, since ATMs take your picture regardless of the card tech (or if you're even using the ATM).

      link to this | view in chronology ]

      • identicon
        Anonymous Coward, 2 Oct 2015 @ 10:54am

        Re: Re: Cash is king

        ...That database already exists, since ATMs take your picture regardless of the card tech (or if you're even using the ATM)...

        While true, is that imagery being sent off elsewhere? That is the issue. Many ATMs' imagery is stored locally, whether it's in the ATM itself or in the building the ATM is in. When there's an inquiry the imagery can be copied or transmitted elsewhere. Not all ATM video systems have off-site archiving, and I have seen ATMs that don't have built-in cameras (a chain c-store in my area several years ago took over the ATMs in their stores when their bank contracts expired; none of the ATMs involved had any cameras in them, and still don't today).

        link to this | view in chronology ]

      • icon
        Kal Zekdor (profile), 2 Oct 2015 @ 11:47am

        Re: Re: Cash is king

        He was making a wry comment that if POS devices start taking photos when doing Card Transactions, he'll stop using Credit/Debit Cards at POS devices and only at ATMs to withdrawal cash. As such, the only images would be him withdrawing his cash, not him spending it.

        link to this | view in chronology ]

  • identicon
    Glenn, 2 Oct 2015 @ 1:39am

    That would be the chip-pin-finger-retinal-face print db?

    link to this | view in chronology ]

  • icon
    PaulT (profile), 2 Oct 2015 @ 2:15am

    "Worldpay's prototype automatically takes a photo of a shop customer's face the first time they use it and then references the image to verify their identity on subsequent transactions."

    If this is as reliable as Cisco's similar system for sitting their exams, it's got a long way to go. Every damn time, I have to spend 20 minutes with the exam centre verifying things because my photo & signature weren't captured properly the first time and the exam can't be authorised until it's recognised me... Although i haven't sat one in the last 2 years so maybe it's improved, who knows.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 2 Oct 2015 @ 2:49am

    Rather, it suggests that tills would display an "authorisation needed" alert, prompting shop staff to request an additional ID, such as a driving licence.

    Why not just ask for that in the first place? Unless the idea is to do away with people, at which point I'd ask if such a system really is that more inexpensive.

    link to this | view in chronology ]

  • icon
    Violynne (profile), 2 Oct 2015 @ 2:57am

    There's going to be a fantastic irony set when these chip and pin systems see a spike in "Anonymous/V for Vendetta" face mask purchases.

    link to this | view in chronology ]

    • icon
      Ninja (profile), 2 Oct 2015 @ 3:54am

      Re:

      And it isn't even remotely secure. Unless they are very sophisticated a picture of the owner face would be enough to fool the system.

      Biometrics can be awesome but it's an issue when it's breached because you can't change them. The idea of using biometrics as a multi-factor authentication is nice but it shouldn't be the only set of keys needed to enter.

      link to this | view in chronology ]

      • icon
        That One Guy (profile), 2 Oct 2015 @ 4:00am

        What you have vs What you know

        It's been a good while so I can't remember who said it, but someone basically noted a while back that biometrics are great as the equivalent of a user name, but they should never be used as passwords.

        link to this | view in chronology ]

  • icon
    Chris-Mouse (profile), 2 Oct 2015 @ 3:59am

    Given the typical accuracy of facial recognition systems, I'd give it about a week before 90% of merchants are either ignoring it or demanding extra ID for all transactions.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 2 Oct 2015 @ 5:41am

    As a card carrying member ...

    ... of the Church of Elvis, all of our pastors (and lay impersonators) are all eligible to access the Church's one bank account through this new system. Feel the love!

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 2 Oct 2015 @ 7:24am

    IN europe chip and pin means you put the card into a
    card reader , and type in your pin no,
    if someone steals your card or clones it.
    Its of no use to them, as only you know the pin no.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 2 Oct 2015 @ 7:38am

    Face-Off coming to a retailer/theater near you ..sooo which mask/face do you want Nic Cage's or Johnny Travolta...

    and I find it funny Worldplay ... gives a ton of WordPlay to say it kinda works ..but we'll still need your ID, which makes it pointless unless they are just gathering data for the agencies of the 3 letter variety.

    link to this | view in chronology ]

  • identicon
    Rekrul, 2 Oct 2015 @ 8:45am

    My friend doesn't use his credit card much. A while back he was going on about how much more secure the cards with a chip in them were than a normal credit card. He was telling everyone how he was going to contact his credit card company to get a new card with a chip in it. Of course when I finally saw his card, it was already chipped, he just didn't realize it.

    I tried to point out to him that if someone obtained his card number and the verification number on the back, the chip would do absolutely nothing to prevent them from using it online or placing orders with a mail-order company over the phone. He still insisted that having the chip somehow magically endowed the card with extra protection against such things.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 2 Oct 2015 @ 11:22am

    They had better not sell pictures of my face because I own the copyright and I'll throw a huge fit wasting loads of cash on lawyers.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 3 Oct 2015 @ 10:19am

    Some people love technology, some of them dont know the concept of "building technology that can easilly fringe upon peoples right"

    Hey, can i take a picture?

    No!

    Take the picture anyway

    Its not the action, its that you ignored the no


    Those that ignore, deserve the things they do to others, ignore their rights as they ignore the rights of others, within reason, an eye for an eye, an eye for an ear, but not an eye for a life, unless its a life for a life

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 3 Oct 2015 @ 10:27am

    Maybe they should look into improving chip and pin security, that....i dont know,....does'nt have the side affect of being a potential rights violator in the public sphere, lord knows with already got that in abundance, wether we like it or not

    link to this | view in chronology ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.