Facial recognition payments are a privacy risk, says China central bank official
Alibaba’s Alipay and Tencent’s WeChat Pay made facial recognition payments mainstream, but there are flaws
In China, it’s already common to see people paying for stuff using only their face through facial recognition both in smartphone apps and at properly equipped payment terminals in stores. Unfortunately for all the people now using the feature, one official at China’s central bank warned that it’s not very safe.
Consumers should realize that they’re giving up privacy for convenience, said Li Wei, director of the technology department of the People’s Bank of China, at a fintech summit in Beijing. “What’s to be happy about? This has to be considered,” he said.
Li said that faces are very sensitive personal information, and it could have a huge impact on someone if it were leaked or stolen. While people can put their bank cards in their pockets, Li said, faces are out in the open all the time.
He added that some companies (he didn’t name any) have not considered these questions. He also said it's dangerous to have users pay by scanning their faces while inputting their phone numbers on a big screen, a common method of double verification when paying with facial recognition.
Chinese companies have been charging ahead in incorporating facial recognition into payment apps, facing few regulatory roadblocks or pushback from the public. Both Alipay and WeChat Pay, which control more than 90% of the $41.51 trillion market by transaction volume, support facial recognition payments. In 2018, China had more than 583 million mobile payment users, according to the China Internet Network Information Center (CNNIC).
(Abacus is a unit of the South China Morning Post, which is owned by Alibaba, whose affiliate Ant Financial operates Alipay.)
In February, a data leak revealed that Shenzhen surveillance software maker SenseNets stored the location data of millions of people in an insecure database. The database also included national ID numbers and dates of birth, potentially much more sensitive than facial recognition data.
Things can also go wrong on the user's end. In April, a WeChat user in Zhejiang lost more than 10,000 yuan (US$1,450) after his roommates unlocked his smartphone by pointing it at his face while he was asleep. The roommates reportedly already knew the password to his WeChat Pay, which they used to transfer the money. It was not clear which smartphone was used for the heist, but some facial recognition systems that only use a front-facing camera are notably less secure than those using additional tech like the infrared sensors in Apple’s Face ID.
Smartphones have been trying to improve security, but even more advanced facial recognition systems on Android have been fooled with 3D printed heads.