PayPal using 'risky' facial recognition for high street payments
A technical director at SecurEnvoy has hit out at the scheme and said it leaves users at risk
By Antony Savvas | Computerworld UK | Published: 10:47, 12 August 2013
PayPal is enabling high street shoppers in London to pay for things in shops using facial recognition technology, which has been described as "insecure" by a security expert.
In a blog, PayPal says: "Your profile picture not only marks the gateway to your online social world, but can now also be used to make payments in the physical world."
The electronic payments firm says shops in Richmond, south-west London, are "leading the fight to make the wallet history", allowing shoppers to pay using just their mobile phone and profile picture.
A PayPal mobile app now has a tab called "Local", which can be used to find shops or restaurants near the user's location that accept mobile PayPal payments.
Users then "check in" like they would on the Facebook or Foursquare networks, for instance, and they are then able to pay for goods through the PayPal app.
Once a customer has checked in, their name and photo appear on the shop's till, and the cashier charges them by clicking on the shopper's profile picture.
The customer gets an alert on their phone to let them know how much they've paid, as well as PayPal's usual email receipt.
The Richmond shops offering the system include Cook & Garcia, The Farmery, The Tea Box, The Bingham Hotel, Revolution, Caff Paolo, The Cedar Coffee Shop, Urban Diner, Pier 1 Fish and Chips, Noble Jones, Hill Café and Knot Coffee and Pretzel.
Rob Harper, head of retail services at PayPal, said: "We're pleased to help local businesses of all sizes offer a new, more personal experience, while never having to turn away customers who don't have enough cash on them to pay.
"Now locals in Richmond can leave their wallet or purse at home and be the first in the country to use their profile picture to pay."
However, Andy Kemshall, technical director at SecurEnvoy, a specialist in two-factor security authentication, says PayPal's system leaves users at risk.
Kemshall said: "PayPal's new authentication system is the first in the UK to use a customer's photo to authorise payments.
"The completion of the transaction relies on the shop assistant verifying the customer's face - certainly a risky method of authentication that could easily be subject to human error, be it accidental or deliberate."
He said: "Using mobile phones to authenticate processes such as payments is the way forward, but face recognition technology, as it stands, is nowhere near sophisticated enough to act as a reliable method.
"When you're providing a security service for your customers it needs to be 99.9 percent perfect at the very least. Biometrics are nowhere near that level of reliability, especially methods such as manual face recognition."
He added: "Using technology within a device already owned by the individual, such as SMS authentication through mobile phones, is a more secure and cost-effective method for organisations. It has a higher reliability rate and is far less prone to faults or replication from unwanted users trying to access an individual's details."