PayPal went on the offensive today after a German-based security company demonstrated how a hacker could unlock the Samsung Galaxy S5 and put a PayPal user’s account at risk.
In an interview with GeekWire, eBay’s senior security adviser Brett McDowell explained the “hack” is not serious enough for PayPal customers to be concerned.
“We do not believe that a security researcher able to demonstrate a spoof fingerprint under lab conditions is news, nor do we believe it poses undue risk to our customers,” McDowell said. “This is a highly focused, unscalable attack.”
Samsung’s flagship Galaxy S5 device went on sale on Friday, receiving high marks for nifty features like water resistance, a built-in heart rate monitor, and the ability to use your fingerprint to unlock the device and gain access to PayPal.
The fingerprint scanner on the Galaxy S5 was designed to make the device more secure. While passwords can be stolen or guessed, a fingerprint presumably is not easily replicated.
But in a video, SRLabs demonstrated how a fingerprint can be spoofed: a print is lifted, and wood glue is used to create a fake finger that can then be swiped across the scanner. The video spread quickly, with several publications repeating that the phone had been hacked.
McDowell did not argue that the ability to gain access to the phone and PayPal wasn’t possible, but said your account was still more secure on the Galaxy S5 with a fingerprint scanner than it is with a standalone password.
“They were able to take a pristine sample of a fingerprint, and under lab conditions produce an artificial version that they could wear over a finger to pass over the fingerprint sensor,” he said.
He also argued that SRLabs’ stunt is not technically a “hack,” but rather a “spoof.” The difference is significant because “a hack would be if they were injecting malware onto the device to harvest the private key, or harvest the template from the hardware. That’s not what they were attempting to do,” he explained.
Because it requires physical access to each device and a clean sample of its owner’s print, this threat is not on the same level as widespread financial breaches, where several thousand customers are affected at once. In this case, it’s one phone and one PayPal account, and the user always has the option of calling PayPal customer support to have the device deauthorized.
In addition to McDowell’s duties at eBay, he is also the VP of the FIDO Alliance, the organization behind the technology standard on the Galaxy S5 that enables authentication between devices and online services.
When speaking on behalf of the alliance, McDowell said the new protocol offers a layer of protection not available with biometrics in the past. In this case, PayPal doesn’t ever obtain access to your fingerprint — that information is stored on the device using a template.
In other words, “it’s not like your fingerprint was leaked,” he said.
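The design McDowell describes, with the template and private key staying on the phone and the service holding only a public key, is easiest to see in code. The following Go program is an added illustration written for this article, not code from PayPal, Samsung, SRLabs or the FIDO Alliance, and it simplifies the real protocol: the fingerprint match is stood in for by a hash comparison (real matchers are fuzzy), the challenge alone is signed, and the credential ID, sample prints and device names are constructed values. It also models the mitigation mentioned above, deauthorizing a device so its signatures are no longer accepted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Device models the phone. The enrolled template and the private key live
// here and are never sent to the service.
type Device struct {
	credentialID string
	template     [32]byte // constructed stand-in for a biometric template
	privateKey   ed25519.PrivateKey
}

// RelyingParty models the online service. It stores only public keys, keyed
// by credential ID, so a breach of this store leaks no fingerprints.
type RelyingParty struct {
	publicKeys map[string]ed25519.PublicKey
}

func NewRelyingParty() *RelyingParty {
	return &RelyingParty{publicKeys: map[string]ed25519.PublicKey{}}
}

// Enroll runs on the device: derive a template from the enrolled print and
// generate a keypair. Only the public key is registered with the service.
func Enroll(rp *RelyingParty, credentialID string, enrolledPrint []byte) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	rp.publicKeys[credentialID] = pub
	return &Device{credentialID: credentialID, template: sha256.Sum256(enrolledPrint), privateKey: priv}, nil
}

// Challenge issues a fresh random nonce for one login attempt, so a captured
// signature cannot be replayed against a later challenge.
func (rp *RelyingParty) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// Authenticate runs on the device: the presented print is matched locally
// against the template, and only on a match is the challenge signed.
func (d *Device) Authenticate(presentedPrint, challenge []byte) ([]byte, error) {
	presented := sha256.Sum256(presentedPrint)
	if subtle.ConstantTimeCompare(presented[:], d.template[:]) != 1 {
		return nil, errors.New("presented print does not match the enrolled template")
	}
	return ed25519.Sign(d.privateKey, challenge), nil
}

// Verify runs on the service: check the signature against the public key
// stored for this credential. Unknown or revoked credentials fail closed.
func (rp *RelyingParty) Verify(credentialID string, challenge, signature []byte) bool {
	pub, ok := rp.publicKeys[credentialID]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, challenge, signature)
}

// Revoke models the customer-support path: once the device is deauthorized,
// nothing it signs is accepted, even if its sensor was spoofed.
func (rp *RelyingParty) Revoke(credentialID string) {
	delete(rp.publicKeys, credentialID)
}

// Scenario runs enrolment, a genuine login, a non-matching print, and a login
// attempt after revocation. Returns (genuineOK, mismatchRejected, revokedRejected).
func Scenario() (bool, bool, bool, error) {
	rp := NewRelyingParty()
	const cred = "constructed-galaxy-s5-credential"
	enrolled := []byte("constructed enrolled print")
	dev, err := Enroll(rp, cred, enrolled)
	if err != nil {
		return false, false, false, err
	}
	ch, err := rp.Challenge()
	if err != nil {
		return false, false, false, err
	}
	sig, err := dev.Authenticate(enrolled, ch)
	genuineOK := err == nil && rp.Verify(cred, ch, sig)
	_, err = dev.Authenticate([]byte("constructed other print"), ch)
	mismatchRejected := err != nil
	rp.Revoke(cred)
	revokedRejected := !rp.Verify(cred, ch, sig)
	return genuineOK, mismatchRejected, revokedRejected, nil
}

func main() {
	g, m, r, err := Scenario()
	fmt.Println("genuine login accepted:", g, "| mismatch rejected:", m, "| revoked rejected:", r, "| err:", err)
}
```

The point of the split is what a compromise of each side yields: the service's database holds only public keys, and a spoofed sensor on one phone unlocks one private key for one account until that credential is revoked.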
Here’s the video from SRLabs: