Oct. 1^st was the big day. On that day, U.S. merchants were required to be equipped to process payments made with EMV cards, a.k.a. chip cards, or face liability for fraudulent transactions that they accept. The big question is: Do EMV cards really solve anything?

Among the issues presented by EMV cards is the chip-and-signature versus chip-and-PIN debate. Some argued that chip-and-PIN, dominant outside the U.S., is more secure because it requires a PIN that presumably only the cardholder knows. However, recent reports showed that clever fraudsters figured out years ago how to bypass PIN security by secretly embedding a second chip of their own in stolen cards.

On the other hand, earlier that month, the FBI issued an endorsement of chip-and-PIN technology as the more secure option. According to the FBI statement, chip-and-signature, favored in the U.S. primarily because it's less disruptive for consumers, does nothing to prevent the type of fraud made famous by the Target breach.

Credit card payment technologies found ways to sidestep the physical plastic card entirely. For example, Apple Pay let users register their cards for use on their iPhone 6 and later Apple devices. Once registered, users are authenticated at the point of sale using their fingerprints.

There's just one problem. No special trickery is required to register a stolen card on any iPhone a fraudster happens to be using, assuming that card has not already been registered with Apple Pay by the legitimate user.

It's important to note that all of these technologies addressed only card-present/point-of-sale types of transactions. What about online transactions, where about one third of all fraudulent activity takes place?

Employees at the $7.9 billion First Tech Federal Credit Union in Mountain View, Calif., are currently engaged in a pilot program with MasterCard to test an authentication technology for online transactions that uses facial recognition. Or to put it another way, they're trying out a technology that uses selfies.

Yes, you read it correctly. Selfies.

The cornerstone of this selfie authentication is MasterCard's Identity Check mobile app. Once the app is installed on the user's smartphone, the user registers by snapping a selfie. Future online transactions then flow like this:

The user goes shopping on a participating e-commerce site.
At checkout, a notification is sent to the user's smartphone via the Identify Check app notifying them that a transaction is pending.
The user snaps a new selfie via the app which is then matched to the selfie submitted at registration.
Assuming the two selfies match, the transaction is authorized.

What if some fraudster already had a photograph of the user and just snapped a picture of the picture? MasterCard already thought of that. The app requires the user to blink while snapping the authentication selfie. This eye movement lets the app know that a live person is being photographed.

If there's one thing history has proven, it's that for every security measure we implement, there's some clever and unscrupulous fraudster out there who is ready, willing and able to figure a way around it. Only time will tell if the experts ever finally develop the completely bullet-proof security scheme.

Instant Insights /

Are Truly Secure Credit Card Transactions Just a Pipe Dream?

Related Stories

Recommended For You