PayPal went on the offensive today after a German-based security company demonstrated how a hacker could unlock the Samsung Galaxy S5 and put a PayPal user’s account at risk.

In an interview with GeekWire, eBay’s senior security adviser Brett McDowell explained that the “hack” is not serious enough for PayPal customers to be concerned.

“We do not believe that a security researcher able to demonstrate a spoof fingerprint under lab conditions is news, nor do we believe it poses undue risk to our customers,” McDowell said. “This is a highly focused, unscalable attack.”

Samsung’s flagship Galaxy S5 went on sale on Friday, receiving high marks for nifty features such as water resistance, a built-in heart rate monitor, and the ability to use your fingerprint to unlock the device and gain access to PayPal.

The fingerprint scanner on the Galaxy S5 was designed to make the device more secure. While passwords can be stolen or guessed, a fingerprint is presumably not easily replicated.

But in a video, SRLabs demonstrated how a fingerprint can be spoofed by lifting a print and using wood glue to create a fake finger that can then be swiped across the scanner. The video spread quickly, with several publications repeating that the phone had been hacked.

McDowell did not dispute that gaining access to the phone and PayPal this way was possible, but said your account is still more secure on the Galaxy S5 with a fingerprint scanner than it is with a standalone password.

“They were able to take a pristine sample of a fingerprint, and under lab conditions produce an artificial version that they could wear over a finger to pass over the fingerprint sensor,” he said.

He also argued that SRLabs’ stunt is not technically a “hack,” but rather a “spoof.” The difference is significant because “a hack would be if they were injecting malware on to the device to harvest the private key, or harvest the template from the hardware. That’s not what they were attempting to do,” he explained.

Without a way to access devices at mass scale, this threat is not on the same level as other widespread financial breaches, where thousands of customers are affected at once. In this case, it’s one phone and one PayPal account, and the user always has the option of calling PayPal customer support to have the device deauthorized.

In addition to his duties at eBay, McDowell is also VP of the FIDO Alliance, the organization behind the technology standard on the Galaxy S5 that enables authentication between devices and online services.

When speaking on behalf of the alliance, McDowell said the new protocol offers a layer of protection not available with biometrics in the past: PayPal never obtains access to your fingerprint. That information is stored on the device as a template, and only the result of a local match is used to authorize a login.

In other words, “it’s not like your fingerprint was leaked,” he said.
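To make the architecture McDowell describes concrete, here is an added toy model of a FIDO-style fingerprint login. It is not PayPal’s, FIDO’s or Samsung’s code. The sensitive material (the biometric template and the device’s private key) lives only in the `Authenticator`; the relying party stores a public key and sees nothing but a signed challenge. It also goes a little beyond the article by showing that each challenge is single-use and that “deauthorizing” a device is just deleting its registered key. Assumptions: the Schnorr group parameters are constructed and far too small to be secure (a real authenticator uses a standard elliptic curve), a salted hash stands in for a real biometric template, and the origin `paypal.example`, the account name and the fingerprint bytes are all constructed sample values.

```python
"""Toy model of a FIDO-style fingerprint login (added example; not PayPal's or FIDO's code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Toy Schnorr group: p = 2q + 1 is a safe prime and g has prime order q.
# These constructed parameters are far too small to be secure; a real
# authenticator signs with a standard elliptic curve. They are used only
# so that the example runs on the Python standard library.
P, Q, G = 1019, 509, 4
assert pow(G, Q, P) == 1 and G != 1


def _hash_int(*parts: bytes) -> int:
    """SHA-256 of the joined parts, as an integer (kept at full width)."""
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big")


def schnorr_sign(private_key: int, message: bytes) -> Tuple[int, int]:
    """Schnorr signature (e, s) over the toy group."""
    k = secrets.randbelow(Q - 1) + 1            # fresh nonce for every signature
    r = pow(G, k, P)
    e = _hash_int(r.to_bytes(2, "big"), message)
    s = (k + private_key * e) % Q
    return e, s


def schnorr_verify(public_key: int, message: bytes, sig: Tuple[int, int]) -> bool:
    """Recompute r = g^s * y^(-e) and check that its hash equals e."""
    e, s = sig
    r = (pow(G, s, P) * pow(public_key, (-e) % Q, P)) % P
    return _hash_int(r.to_bytes(2, "big"), message) == e


@dataclass
class Authenticator:
    """Phone side. The template and the private key never leave this object."""
    _template: bytes
    _private_key: int
    public_key: int

    @staticmethod
    def _template_of(fingerprint: bytes) -> bytes:
        # A salted hash stands in for a real minutiae template (constructed).
        return hashlib.sha256(b"toy-template|" + fingerprint).digest()

    @classmethod
    def enroll(cls, fingerprint: bytes) -> "Authenticator":
        x = secrets.randbelow(Q - 1) + 1
        return cls(cls._template_of(fingerprint), x, pow(G, x, P))

    def sign_challenge(self, presented: bytes, origin: bytes,
                       challenge: bytes) -> Optional[Tuple[int, int]]:
        """Local match first; the key signs only if the sensor says yes."""
        if not hmac.compare_digest(self._template_of(presented), self._template):
            return None
        return schnorr_sign(self._private_key, origin + b"|" + challenge)


class RelyingParty:
    """Server side (PayPal's role): stores public keys, never fingerprints."""

    def __init__(self, origin: bytes) -> None:
        self.origin = origin
        self.registered: Dict[str, int] = {}    # account -> device public key
        self._pending: Dict[str, bytes] = {}    # account -> outstanding challenge

    def register(self, account: str, public_key: int) -> None:
        self.registered[account] = public_key

    def deauthorize(self, account: str) -> None:
        """What 'calling customer support' amounts to: drop the device key."""
        self.registered.pop(account, None)

    def new_challenge(self, account: str) -> bytes:
        challenge = secrets.token_bytes(16)
        self._pending[account] = challenge
        return challenge

    def verify(self, account: str, sig: Optional[Tuple[int, int]]) -> bool:
        challenge = self._pending.pop(account, None)   # single use: blocks replay
        public_key = self.registered.get(account)
        if sig is None or challenge is None or public_key is None:
            return False
        return schnorr_verify(public_key, self.origin + b"|" + challenge, sig)


def login(rp: RelyingParty, device: Authenticator, account: str, finger: bytes) -> bool:
    """Full exchange: challenge -> local biometric match -> signature -> verify."""
    challenge = rp.new_challenge(account)
    return rp.verify(account, device.sign_challenge(finger, rp.origin, challenge))


if __name__ == "__main__":
    rp = RelyingParty(b"paypal.example")                 # constructed origin
    phone = Authenticator.enroll(b"constructed-ridge-pattern-001")
    rp.register("alice", phone.public_key)
    print("genuine finger:", login(rp, phone, "alice", b"constructed-ridge-pattern-001"))
    print("other finger:  ", login(rp, phone, "alice", b"constructed-ridge-pattern-002"))
```

Note what the model makes visible: a spoofed finger that fools the local sensor is accepted exactly like the real one, because the server cannot tell them apart, which is why the attack works per device. What the server side cannot leak is the fingerprint itself, and a lost or compromised phone is handled by `deauthorize`, after which its signatures are worthless.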

Here’s the video from SRLabs:

Comments

  • UnderSerf

    Yeah, under lab conditions – for now. Just 3D print a fingerprint using commonly available public records (or surreptitiously obtained from contact points), no? Much easier than cracking a password, IMO, considering the ease of obtaining fingerprints from public sources. The NSA must be drooling over the opportunities such gizmos would represent…

  • http://bit.ly/11F2eas Philip Cohen

    Regardless …
    PayPal: “The [un]safe way to pay and be paid” …

    “How to complain about PayPal in the UK”
    http://www.mukaumedia.co.uk/complain-paypal-uk/
    On this article, when I last looked, 410 negative readers’ comments on “PreyPal”—well worth a read for any small merchant using, or thinking of using, “PreyPal” to accept payments and who has not as yet had a problem with “PreyPal” because, when you do eventually have that problem, it could be a serious business-threatening problem …

    “PayPal: ‘Aggressive changes’ coming to frozen funds policy”
    http://money.cnn.com/2013/01/21/technology/paypal-frozen-funds/
    Of the 368 readers’ comments currently on this article, see if you can find any that are complimentary of “PreyPal” …

    And, just for fun, a story from Anna Tims of the Guardian/Observer detailing an apparent systems failure at “PreyPal” that undoubtedly affected who knows how many people …
    http://www.theguardian.com/money/2013/sep/01/paypal-refund-missing-money

    And another story from Anna Tims demonstrating eBay’s unconscionable lack of fair transaction mediation and hard-wired bias towards buyers; 324 readers’ comments on this story; see if you can find any that are complimentary of eBay …
    http://www.theguardian.com/money/2013/dec/09/seller-beware-listing-ebay

    “eBay Seller Caught in the Middle of PayPal Dispute”—ecommercebytes.com
    http://www.ecommercebytes.com/C/letters/blog.pl?/pl/2013/9/1378388736.html
    This story is the classic demonstration of just how unprofessional and “clunky” PreyPal is and always will be because “PreyPal” is little more than a credit card merchant account operator (with Wells Fargo Bank); an extra layer of clunky middleman operating in between the seller’s PayPal “pretend bank” merchant account and the buyer’s source of funds.

    And yet another interesting article in the Guardian on the lack of security and protection for sellers receiving payments via eBay’s clunky “PreyPal” (or dealing with Bitcoins); note the many negative readers’ comments about “PreyPal”.
    http://www.theguardian.com/money/2014/mar/01/paypal-bitcoin-scam-ebay

    And, while we are at it, an independent view on Bitcoin …
    http://seekingalpha.com/article/2120043-bitcoin-is-sinking-fast-so-are-hopes-of-bitcoin-related-investments?v=1396512737

    “Anyone rushing out to load PayPal onto their phone might want to stop and read The New York Times Haggler column from Sunday. PayPal apparently generates a huge percentage of The Haggler’s traffic.”—Tom Groenfeldt, Forbes …
    “If PayPal isn’t the most reviled online company in the country, which is? The Haggler invites reader suggestions for this unhappy title, but before you write in, consider the sheer quantity of animosity that PayPal inspires. There are anti-PayPal Facebook sites, anti-PayPal YouTube tirades, PayPal-loathing Twitter accounts and more than 550 complaints about PayPal on ConsumerAffairs.com.”
    Yet another classic, ugly, PayPal story …
    http://www.nytimes.com/2013/10/13/your-money/stuck-in-a-dispute-between-paypal-and-itself.html?ref=thehaggler&_r=0
    Clunkity, clunk, clunk, clunk …

    And (yet) another negative “PreyPal” story; an oldie but well worth a read …
    http://nrgfxit.net/2010/12/16/paypal-a-standard-bearer-for-the-class-of-out-of-control-online-service/
    “PayPal (Owned by eBay) is symptomatic of the Achilles heel of online commercial ventures today that leave users in distressed states of helplessness. An innocent trust given in good faith by a user is not reflected back by the service provider, in fact it is abused and taken advantage of.” …

    And another quite typical “PreyPal” horror story, ultimately “fixed” …
    http://boards.straightdope.com/sdmb/showthread.php?t=700733
    “… I know it is child’s play to get creative with a graphics program and manufacture what may apparently look like a utility bill with someone’s name on it. Not that I would do such a thing which probably breaks all sorts of anti-terrorism laws and would subject the perpetrator to drone bombings and/or water-boarding. You know things have gotten out of hand when honest people have to lie just to get around the impossible [PayPal] bureaucracy.”

    “How to sue eBay or PayPal [in the U.K.]”
    http://www.thewholesaleforums.co.uk/threads/how-to-sue-ebay-or-paypal.44565/

    The reality is, if you have not yet been burnt by “PreyPal”, then your turn is coming, and being burnt by “PreyPal” can be a serious business-threatening situation. PayPal’s close association with the “wild west” eBay marketplace has destroyed any credibility “PreyPal” may ever have had with many merchants and frankly, I think that anyone that thinks that “PreyPal” now has any long term future outside of the eBay marketplace or as the merchant account provider “of last resort” for non-professional sellers, is uninformed as to just how unprofessional the clunky “PreyPal” operation really is when compared to the retail banks’ MasterCard/Visa operations and the new “MasterPass” and “V.me” offerings …
