Amazon may be looking at ways to let you pay for purchases with just a look. But experts warn that such systems have proven easy to fool in the past.
In a new patent application — U.S. patent No. 20,160,071,111, filed on March 10 — the company described a system that would let a user authorize a purchase using two things: an image of the person's face and a live motion to check that the person in the image is actually the owner of the phone.
In theory, the system would help stop fraud, as many online stores (Amazon included) have apps that let anyone make purchases directly from a phone. To make sure it is a real person making a purchase, and not just a photo of the individual taken from somewhere, the system would ask for a blink, a wink or some other motion that only live humans do.
The problem is that faces are not hard to fake, said Jim Wayman, a facial-recognition expert and senior fellow at San Jose State University in California.
Security researcher Jan Krissler noted that Amazon's methods of detecting whether a person was real or not – motion detection, for instance – would need hardware that phones don't have yet, like infrared sensors and LEDs. (Krissler was the hacker who famously faked German Defense Minister Ursula von der Leyen’s fingerprints using only a few photos — including one he took from several yards away.)
Gestures, Krissler noted, are not hard to fake either. "It's still easy to fake if they only use the normal camera built into a smartphone or computer. You can simply use a video showing the required gesture instead of a photo."
There are a number of already-publicized instances where people used Photoshop to simulate closed eyes. Creating a GIF, or short movie file, that stitches together a closed-eye and an open-eye photo and animates them is easy, too.
For example, Android introduced a "face unlock" feature in 2011 that let users hold their phones in front of their faces to unlock the devices. But it didn't take long for hackers and even relatively novice users to discover that the recognition software would respond to photos of their faces as well.
There was even a video, uploaded to YouTube by user "Technotricks," that showed how a phone could be unlocked using a photo presented by another phone. Google (which makes Android phones) had denied that this was possible, in a story by Matt Brian at TheNextWeb.
Less than a year later, Google introduced the "Liveness Check" aimed at preventing the use of photos to unlock phones. But once again, a little work with a basic photo editor was able to fool the system.
According to its patent application, Amazon said it plans to use tracking technologies to look for head movement or some other indication that the person in the phone's camera view is actually a living, breathing human being. If that's the case, said Lisa Vaas, writing on security company Sophos' Naked Security blog, the kind of monitoring needed to do this will require a lot of computing power.
There's a long way to go from a patent application to an actual product, and it is far from clear what the technical details of the system will be, as the patent application doesn't say.
Wayman noted that even government agencies that have tried to create security systems based on face recognition have had problems making it work. "The National Security Agency [NSA] worried about this problem [of using photos] in the late 1990s and publicized the work on national TV at the direction of NSA Director Mike Hayden," Wayman said.
The segment aired in 2001. Since then, the NSA has been looking at using gestures to secure its smartphones, according to the news site biometricupdate.com.