New Technology Lets You Make Payments Simply By Looking At Your Phone, But Is It Safe?

This article is more than 9 years old.

This week, Alibaba unveiled technology that allows people to make payments simply by smiling at their phones. Using facial recognition, the new Alipay system will authorize payments by comparing the image seen by a smartphone’s camera to a pre-known picture of the person making the payment.

Such a system obviously improves convenience – reducing the need for people to remember and use passwords – and is part of a smartphone-biometrics trend that began with the inclusion of fingerprint readers on the iPhone to allow for easy unlocking of the device.

However, as I discussed both at the time the iPhone 5 was released, and earlier this month when the next generation of fingerprint scanners was announced, the use of biometrics on smartphones is risky.

Facial recognition is no exception.

While it is as yet unclear exactly how Alipay’s authentication works, facial recognition technology in general relies on the assumption that the user authenticating is actually presenting his or her own face and not an image of someone else’s. At the entrance to a building, for example, a guard and security cameras would see if someone were holding up a picture rather than approaching a scanner in person.

On a phone, however, no such protection exists. Researchers are already working on authenticating using images of people’s fingerprints and irises. As Thomas Fox-Brewster wrote in Forbes a couple of weeks ago, security researcher Jan Krissler believes that it is already possible to pass biometric eye-based authentication with high-resolution photos of people’s eyes. And, when Google started allowing facial recognition to unlock Android phones, there were reports of hackers breaching the system with ease. Even advanced facial recognition technology that checks for “lifeness” by watching for a user to blink may be tricked by a sequence of photoshopped images showing a person’s eyes open and closed or by using eye-cutouts in a photo so that the criminal can place his/her eyes there and blink for real while tricking the system. A three-dimensional mask created from an image could improve the odds of such attacks working as well – and, depending on whose phone has been stolen, might be something for which a criminal is willing to make a small investment.

Allowing facial recognition to be used to authorize payments from smartphones clearly poses risks; if a criminal were to gain access to someone’s phone – either by stealing it or finding it after it is lost – the odds are pretty good that he or she could obtain a high-resolution image of the user either directly from the phone, or by doing a search online with the user’s information obtainable from the phone. This is especially true if the phone were not locked at the time, although many people’s phones contain enough information on the lock screen to allow people to find their images online. Could such images be used to illegally authorize payments?

While biometrics are clearly here to stay, it is important to understand the potential risks before using them.

Follow Joseph Steinberg on Twitter at @JosephSteinberg