Alibaba’s ‘Selfie’ Payments Vulnerable, May Work With Decentralized Security

E-commerce giant Alibaba Group and its affiliated online payment service AliPay, presented their prototype of using facial recognition instead of passwords for authentication.
E-commerce giant Alibaba Group and its affiliated online payment service AliPay, presented their prototype of using facial recognition instead of passwords for authentication.

E-commerce giant Alibaba Group, and its affiliated online payment service AliPay, presented their prototype of using facial recognition instead of passwords for authentication. But with cyber theft becoming more and more common, users may be wary of having their personal images stored on centralized servers that are vulnerable to attack.

‘Selfie’ Payments

Alibaba founder Jack Ma compared the simplicity of this technology for purchasing stuff with taking selfie and demonstrated this technology in the CeBit conference in Hanover, Germany last week.

Jack Ma says:

“Online payment to buy things is always a big headache. You forget your password, you worry about your security. Today we show you a new technology.”

Ma also announced that the service will be available to the public by 2017 and that they have been testing this method from a security standpoint.

Authentication methods galore

User verification typically can be done by something that user knows (Passphrases and Passwords) or something that the user has (Token) or something that the user is (Biometric). Biometric authentication like fingerprints for instance is common among users and is used in many different authentication schemes. Other types of biometrics such as retinal scanning and facial recognitions do exist, but are not as commonly used.

The real reason why biometric verification methods like facial recognition have not caught on yet is essentially due to their high cost and security concerns. Despite the futuristic appeal and potential to speed up online payments, this method of authentication presents significant security risks.

Facial recognition when the user actually scans their physical face and not an image of someone else’s. In physical cases a safeguard can monitor and verify this to avoid fraud. However, the digital world offers ways to get around this security barrier. For example, as 3D printers and micro- manufacturing technology become more and more common, printing a 3D image of a person’s face should not be too difficult by 2017.

“So the question becomes: is AliPay sacrificing the security for fanfare and “convenience”?

Yes. In fact, other companies have also been seeking similar solution but none so far have been close to this kind of easy-to-use payment authentication where you can basically login by smiling to your phone.

Other interesting methods proposed to distinguish a person from an image include the monitoring of user’s blinks through video authentication. However, some hackers have already developed ways to circumvent this by making dynamic images instead of static ones.

Decentralized security

But regardless of the biometrics used, we can see that the authentication method relies on single server that verifies a person by distinguishing the real data image from a fake. This single server or single point of failure may therefore be an attractive target for hackers.

Meanwhile, blockchain technology in a decentralized network have better security solutions than a centralized entity such as AliBaba’s servers, which have proven to be vulnerable putting millions of users at risk. Instead of having a centralized system of servers, which can fail, decentralized solutions can have multiple points and decision makers that reach a consensus and agreement across the network.

For example, instead of Alibaba’s “dumb” servers in this case, we can provide a decentralized authentication method where a user can be confirmed by all of the other users who verify the given digital image in return for financial incentive akin to how “mining” is done on the Bitcoin network. This is also similar to having the physical safeguard making sure that no one is trying to cheat.

Conclusion

Ultimately, technology will reach a point when we can simply login by smiling as AliBaba is promising. However, rather than AliBaba attempts to make this system secure using a centralized server, one should consider using a decentralized network for this verification process to compare which method would be the most reliable under various conditions.

We will soon realize that the crux of the problem is not innovative biometric authentication or other cutting edge technology, but rather it is the traditional centralized architecture that handles sensitive data, presenting a single point of failure to would-be hackers. We have been witnessing the inevitable consequences of these centralized data storage for quite some time, so perhaps the moment is now ripe to consider some promising alternatives like the blockchain and distributed data storage.