MSE News: Mastercard to verify payments by selfies or fingerprint scans...

aj23_2

Raxiel wrote: »

I'm not sure I see what your reply has to do with what you quoted. In that post I was just talking about the CVV digits on the back of the card that everyone asks for with a 'cardholder not present' transaction.

But yes, with any type of 'push' authentication method, be it SMS, Email, Google Cloud messaging or whatever Apple has, there is always the fall-back to more traditional methods such as entering a password (or part of one) if you don't have the device to hand. It's always optional too (since not everyone will have a suitable device or the desire to use it).

Personally, I would have no problem unlocking my phone and acknowledging a notification to confirm that, yes, the person making a transaction on my card is really me (IF that's how they do it).

I know I'm protected if someone gets my card details through a breech, but dealing with it is still something I'd rather not have to waste my time dealing with, if there's a chance I can get alerted the first time an unauthorised transaction has made. Of course it won't be perfect, but it doesn't have to be, it just has to be better.

And by what metric is it 'clearly' unpopular?

What's why I asked you a question.

aj23_2

tastyhog wrote: »

Well, that clearly won't be happening, it will be secure offline storage, like via a phone app that will prompt for authentication, like android / apple pay payments both online and face 2 face terminals

Essentially. Its no different to. What some banks are doing now for bank transfer paymebts, they will prompt via their mobile apps for you to sign in to verify the payment.

It won't be happening until it happens. If we all think this info stays secure then we can all think again. It's been proven too often in history where we think are our details are secure but they are being sold off and distributed behind our backs.

(And to your reply on page 2, I don't use any form of Contactless payment so I'm not affected by any of these because I choose not to be).

Raxiel

aj23 wrote: »

What's why I asked you a question.

In that case I apologise for the snark.

oldagetraveller

Shakin_Steve wrote: »

Calm down:

You will be able to choose if you want to use facial recognition or fingerprint verification, and you will still be able to authenticate payments by using passwords, but Mastercard says evidence suggests the vast majority of customers prefer biometrics.

Who's hysterical? I made a simple personally not interested post. Same reason contactless, Android Pay etc. doesn't float my boat.:)

Chrysalis

Raxiel wrote: »

With my bank app, the app itself is authorised with a password and SMS code, and then my identity to the app is confirmed using the devices own fingerprint ID authentication system. So while the bank lets me log in with a fingerprint, they don't actually hold or verify my Biometrics themselves.

I wonder if this will be a similar system, either MasterCard issue their own app, or preferably adding a push notification feature to existing banking apps by the card issuers. I'm all for the latter, it's a much more secure system than '3 digits on the back of the card'.

I don't think they'll really be allowing selfies though. What they probably mean is allowing FaceID, which features dual camera and depth sensing to confirm the device is in front of an actual human face (and the right one at that) rather than a photo. Right now that's only the iPhone X, but will no doubt be 'flavour of the year' for next generations handsets.

It shouldnt replace the 3 digit code but be an addition in my view. So 2 factor authentication.

I wish more UK banks took on google authenticator, simple and quite effective, using facial recognition and fingerprints is good, but I would like authenticator as an option as well.

jamesd

JSR wrote: »

It seems you can whitelist organisations to bypass all of this nonsense. I imagine the whitelisting option will be built into most company's 'register a card' process.

https://stripe.com/guides/strong-customer-authentication

Whitelisting seems like a high risk thing to do. It looks like an attempt to harass consumers until they whitelist then use that as an excuse to transfer the fraud risk to them.

This bit seems useful:

"As part of SCA, the customer’s bank will generate a single-use authentication code corresponding to the amount of the payment and the business it is intended for. The customer must be informed up front of the amount and the business being paid. "

The most recent fraud affecting me came when details provided to an online merchant were used. The card company detected and blocked all but the first. Single use codes should protect against that, saving issuers money.

It seems that contactless payments are going to have extra hassle added:

"A payment will be exempted if it is considered a “low value transaction” on the basis that it does not exceed €30. However, SCA will be required if, since the last application of SCA to the customer, either the customer’s total payments exceed €100 or the customer has initiated more than five transactions"

chattychappy

poppy10 wrote: »

That's not how biometrics work, grandad.

Will it play my 78s ?

Raxiel

jamesd wrote: »

Whitelisting seems like a high risk thing to do. It looks like an attempt to harass consumers until they whitelist then use that as an excuse to transfer the fraud risk to them.

This bit seems useful:

"As part of SCA, the customer’s bank will generate a single-use authentication code corresponding to the amount of the payment and the business it is intended for. The customer must be informed up front of the amount and the business being paid. "

The most recent fraud affecting me came when details provided to an online merchant were used. The card company detected and blocked all but the first. Single use codes should protect against that, saving issuers money.

It seems that contactless payments are going to have extra hassle added:

"A payment will be exempted if it is considered a “low value transaction” on the basis that it does not exceed €30. However, SCA will be required if, since the last application of SCA to the customer, either the customer’s total payments exceed €100 or the customer has initiated more than five transactions"

Presumably for contactless, that means having to enter your pin for every sixth transaction, unless you've had to enter it sooner due to a transaction over £30. Similarly, the likes of Android and Apple pay will require a full unlock of the device rather than just the screen on state (I assume that's how it works with Apple, I'm only familiar with Android.

Doesn't seem like too much of a hassle for what will presumably reduce the damage someone who swiped your card could do, although using a contactless card like an Oyster card could be an issue for someone who travels around London a lot, depends on how TFL process the touches.

chattychappy

Raxiel wrote: »

although using a contactless card like an Oyster card could be an issue for someone who travels around London a lot, depends on how TFL process the touches.

Not sure it adds anything to the discussion, but with TfL and contactless, only the card details are scooped up when you swipe. (No payment is taken as it would if you used it in a shop.) The charge happens later as part of a reconcilation process. So TfL take a "chance" on getting the money. If they are unable to make a charge, the card gets blacklisted and won't be accepted by pads.

With Oyster, the deduction is made rightaway, though as I understand it they will later move Oyster to a similar system as contactless later.

unforeseen

Will they supply me with a new PC with camera and biometric scanner to allow me to avail myself of their increased security when I make online purchases?


Thought not.

Having used fingerprint scanners at certain locations due to my job then I am not enamoured with the success rate of such a system