Galaxy S5 print-scanning spoof: PayPal responds

Apr 15, 2014

Earlier today the folks at SRLabs demonstrated how, using a bit of wood glue and some interesting printing techniques, they were able to trick the Samsung Galaxy S5’s fingerprint scanner. The trick used the same method as their test of the iPhone 5s’ Touch ID, much in the same way CCC (Germany’s Chaos Computing Club) tricked the iPhone 5s’ scanner this past September.

In the video you’re about to see, SRLabs show how simple it is to get past Samsung’s implementation of fingerprint scanning. The print, they say, was made under "lab conditions", but is relatively simple to create in the wild.

Soon after this video was released, PayPal spoke up. PayPal is Samsung’s big brand-name collaboration on this effort, working with an app which gives access to a user’s PayPal account with a swipe of their finger.

"While we take the findings from Security Research Labs very seriously," says a PayPal spokesperson, "we are still confident that fingerprint authentication offers an easier and more secure way to pay on mobile devices than passwords or credit cards."

This same PayPal spokesperson goes on to say that the company never stores "or even has access to" your fingerprint. The device instead uses a system which sees your fingerprint and unlocks a cryptographic key. This key is the only bit of info PayPal has, and they’ve made clear that they’re able to deactivate said key at any time.

Making clear that PayPal "also uses sophisticated fraud and risk management tools to try to prevent fraud before it happens," this representative also suggests that "in the rare instances that [fraud happens], you are covered by our purchase protection policy."
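
The key-based arrangement the PayPal spokesperson describes can be sketched as a challenge-response exchange. This is an added example, not PayPal's or Samsung's code: the `Device` and `Server` classes, the HMAC-SHA256 shared key (a production design could instead use a key pair so the service holds only a public key) and the exact-match stand-in for the sensor are all assumptions.

```python
import hashlib
import hmac
import secrets

class Device:
    """Constructed model of the phone: the key is usable only after a local match."""
    def __init__(self, enrolled_print: bytes):
        self._enrolled = enrolled_print          # stays on the device
        self._key = secrets.token_bytes(32)      # per-device key
        self.key_id = secrets.token_hex(8)       # public handle for that key

    def enroll_with(self, server: "Server") -> None:
        server.register(self.key_id, self._key)  # the print is never sent

    def respond(self, presented: bytes, challenge: bytes):
        # Exact comparison stands in for a fuzzy sensor match (assumption).
        if not hmac.compare_digest(presented, self._enrolled):
            return None
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

class Server:
    """Constructed model of the payment service: it holds keys, never prints."""
    def __init__(self):
        self._keys = {}      # key_id -> key
        self._pending = {}   # key_id -> outstanding single-use challenge

    def register(self, key_id: str, key: bytes) -> None:
        self._keys[key_id] = key

    def deactivate(self, key_id: str) -> None:
        self._keys.pop(key_id, None)

    def challenge(self, key_id: str) -> bytes:
        self._pending[key_id] = secrets.token_bytes(16)
        return self._pending[key_id]

    def verify(self, key_id: str, response) -> bool:
        challenge = self._pending.pop(key_id, None)   # consumed on first use
        key = self._keys.get(key_id)
        if challenge is None or key is None or response is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)
```

In this model `verify` sees only a response computed with the key, so it has no view of how the local match was satisfied; `deactivate` is the control that remains on the service side once a device is reported lost or compromised.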

Good enough to calm your nerves? Or have you been forever changed by the demonstration above?

