Mastercard expects to launch in 2017 its "selfie" function to verify online transactions in Singapore and parts of Asia, a top executive said.
This function, known as Mastercard's Identity Check, will allow consumers to use facial recognition technology to match selfies against facial identification, ensuring that the online transactions are the real deal.
The "selfie" function adds a layer of protection to fill in the gaps of various tools of authentication such as biometrics, tokenisation, and behavioural analytics, even as these are already heightened forms of security.
"There could be an issue with twins, but . . . I would need to have a bad twin. They would have to break into my house, steal my phone, and be at my location," Bob Reany, executive vice-president for identity solutions at Mastercard, told reporters at a recent media session held in the US.
"We're trying to fight 40 million fraud accounts being compromised on the dark Web. If you've got a bad brother or sister, you've probably got other problems."
Mastercard is prototyping facial recognition to be converted and stored as encrypted code on some mobile devices.
The "selfie" would not need to be a perfect match, and banks would set the threshold for the matching accuracy. "We'll advise the bank and say 'you don't want to be too open and have only 20 per cent of the things match'. Then, everybody and their dog could use it," said Mr Reany.
The function can either be on a standalone application or integrated into the existing bank apps. It can also work with any other payment brands, as long as the bank that wants to offer the selfie verification also sells Mastercard products.
No specific date has been set for the launch in Singapore, which has banks here not just providing tokenisation, but are also using two-factor authentication for transactions.
The technology has been rolled out in 12 markets in Europe that include the UK, Germany and Sweden.
Still, this comes amid the higher fraud cases for online transactions globally that also means lower transaction approval rates for digital transactions.
Data cited by Mastercard showed that the gross fraud rate for online payments is at about 23.9 basis points (bps), much higher than the 7.2 bps for physical transactions.
Against this, banks are approving just 83 per cent of online transactions, compared to the 96 per cent for physical transactions.
"Those two numbers go hand in hand. Whenever there's high fraud, there's low approval rate. The business is going from a very beautiful, efficient model to a model where there's chaos," Mr Reany said.
Cybercrime is also gaining in sophistication, with new forms of malware popping up on the dark Web.
"People that are doing fraud are not the 400-pound hackers sitting on their beds at night," he said.
"These people are not dumb. They are getting PhDs and they are finding ways to commit fraud. What we have to do is to ruin their business model."
And this runs along the enormous potential for growth in the online payment space, with the number of online and mobile transactions expected to double to 40 billion by 2020, added Mr Reany.
As it is, tokenisation already cuts the risk that credit card numbers would be stolen from single individuals, with those details then sold in larger batches on the dark Web.
With tokenisation, a card number is replaced by a unique set of numbers that are not tied to actual account details. Mastercard is now working to fill another gap by tokenising the card details that merchants already have on their file.
Such security functions may also be foiled by more practical issues. The biometric function may not work with a wet finger, Mr Reany said.
Banks and payments companies would have to combine various tools to create a more secure form of authentication, he noted. This should so significantly raise the costs for criminal to exact fraud that the returns are no longer worth it. "If it's not a scalable attack, we're winning."
