idea: brinworld meets the credit card

Adam Lydick adam.lydick at verizon.net
Fri Jul 11 15:59:58 PDT 2003


You might find "facecerts" interesting.

http://www.computer.org/proceedings/dcc/1896/18960435.pdf

This is more for face-to-face checking, however.

For your remote scenario some sort of one-way hash to verify the image
might be interesting. It would have to allow for fuzzy matching after
hashing (for obvious reasons). I think this just raises the bar a tiny
bit though, as an attacker could stalk their victim before stealing
their card to get an idea about what appearance to forge. (or capture
webcam traffic before lifting the card / identity info)

Cheers,

Adam Lydick

On Tue, 2003-07-08 at 12:16, Major Variola (ret) wrote:
> Authentication is "Something you have / know / are."
> 
> A simple plastic credit card + PIN provides the first two,
> including a photo provides the third "something you are".
> A face is more often checked than the readily forgeable
> signature, in live authentication.
> 
> But as cameras become ubiquitous
> (e.g., in cell phones) some extra security could be obtained
> for *remote* authentication by sending a trusted photo of the
> account holder plus a live picture of the card user.
> 
> A picture glued into the card could be forged, but a
> smartcard (with more data area than a magstripe)
> could include a picture of the account holder,
> so a thief has no idea what to look like.  But the vendor can
> check the encrypted smartcard face to the face on the phone
> or webcam.  For high-value remote transactions, where you
> pay someone to check faces, this might be viable in a few years.
> In a few years after that, machines might be able to check faces
> more cheaply, as reliably.
> 
> The live face-check with embedded digital photos is already standard
> practice on high-security building-entry cards (and passports?),
> with the guard comparing the card-embedded face to the one before him.
> Ubiquitous cameras will bring that face-check to remote transactions,
> reducing cost due to lower fraud.
> 
> Thoughts?
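
Added example (not part of either message): the "hash with fuzzy matching" idea from the reply, illustrated with an average hash (aHash), one perceptual-hashing technique chosen here because the post names none. The 8x8 grids, the threshold of 6 and all function names are constructed for the illustration; note that aHash is similarity-preserving, which is a different property from cryptographic one-wayness.

```python
import hashlib

def average_hash(pixels):
    """64-bit aHash of an 8x8 grayscale grid: bit is 1 where pixel > mean."""
    flat = [p for row in pixels for p in row]
    if len(flat) != 64:
        raise ValueError("expected an 8x8 grayscale grid")
    mean = sum(flat) / 64
    bits = 0
    for p in flat:
        bits = (bits << 1) | int(p > mean)
    return bits

def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")

def fuzzy_match(enrolled_hash, live_pixels, max_distance=6):
    """Accept when the live image hashes within max_distance bits (assumed threshold)."""
    return hamming(enrolled_hash, average_hash(live_pixels)) <= max_distance

def sha256_of(pixels):
    """Exact (cryptographic) hash of the same pixels, for contrast."""
    return hashlib.sha256(bytes(p for row in pixels for p in row)).hexdigest()

def relit(pixels, shift, glare):
    """Simulate a second capture: uniform brightness shift plus saturated glare pixels."""
    out = [[min(255, p + shift) for p in row] for row in pixels]
    for y, x in glare:
        out[y][x] = 255
    return out

# Constructed sample "images" (not real face data).
ENROLLED = [[40 + 25 * x + 2 * y for x in range(8)] for y in range(8)]   # stored on the card
LIVE_SAME = relit(ENROLLED, 10, [(0, 3), (1, 3)])                        # same subject, new lighting
OTHER = [[40 + 25 * y + 2 * x for x in range(8)] for y in range(8)]      # different subject

if __name__ == "__main__":
    ref = average_hash(ENROLLED)
    print("sha256 equal      :", sha256_of(ENROLLED) == sha256_of(LIVE_SAME))
    print("aHash distance    :", hamming(ref, average_hash(LIVE_SAME)))
    print("same subject ok   :", fuzzy_match(ref, LIVE_SAME))
    print("other distance    :", hamming(ref, average_hash(OTHER)))
    print("other subject ok  :", fuzzy_match(ref, OTHER))
```

The exact hash changes completely under a lighting shift while the perceptual hash moves by a couple of bits, which is the tolerance the reply asks for. The same tolerance means any image that lands within the threshold is accepted, so the check says nothing about whether the capture is live.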




