A new video from SRLabs demonstrates a hack of the Samsung Galaxy S5 fingerprint scanner and details how flaws in the implementation expose users' devices, data, and even bank accounts to thieves or other attackers.
Apple's Touch ID can also be circumvented by using a fake finger; however, Apple has built-in several safeguards to make exploitation more difficult.
"Perhaps most concerning is that Samsung does not seem to have learned from what others have done less poorly. Not only is it possible to spoof the fingerprint authentication even after the device has been turned off, but the implementation allows for seemingly unlimited authentication attempts without ever requiring a password. Incorporation of fingerprint authentication into highly sensitive apps such as Paypal gives a would be attacker an even greater incentive to learn the simple skill of fingerprint spoofing."
The attacker in the video is able to use Paypal's new app to perform any task he wishes including making purchases and unsolicited money transfers from the users Paypal account.
Paypal has responded to the video with the following statement:
---
While we take the findings from Security Research Labs very seriously, we are still confident that fingerprint authentication offers an easier and more secure way to pay on mobile devices than passwords or credit cards. PayPal never stores or even has access to your actual fingerprint with authentication on the Galaxy S5. The scan unlocks a secure cryptographic key that serves as a password replacement for the phone. We can simply deactivate the key from a lost or stolen device, and you can create a new one. PayPal also uses sophisticated fraud and risk management tools to try to prevent fraud before it happens. However, in the rare instances that it does, you are covered by our purchase protection policy.
---
Take a look at the video below...
Read More [via BGR]
Apple's Touch ID can also be circumvented by using a fake finger; however, Apple has built-in several safeguards to make exploitation more difficult.
"Perhaps most concerning is that Samsung does not seem to have learned from what others have done less poorly. Not only is it possible to spoof the fingerprint authentication even after the device has been turned off, but the implementation allows for seemingly unlimited authentication attempts without ever requiring a password. Incorporation of fingerprint authentication into highly sensitive apps such as Paypal gives a would be attacker an even greater incentive to learn the simple skill of fingerprint spoofing."
The attacker in the video is able to use Paypal's new app to perform any task he wishes including making purchases and unsolicited money transfers from the users Paypal account.
Paypal has responded to the video with the following statement:
---
While we take the findings from Security Research Labs very seriously, we are still confident that fingerprint authentication offers an easier and more secure way to pay on mobile devices than passwords or credit cards. PayPal never stores or even has access to your actual fingerprint with authentication on the Galaxy S5. The scan unlocks a secure cryptographic key that serves as a password replacement for the phone. We can simply deactivate the key from a lost or stolen device, and you can create a new one. PayPal also uses sophisticated fraud and risk management tools to try to prevent fraud before it happens. However, in the rare instances that it does, you are covered by our purchase protection policy.
---
Take a look at the video below...
Read More [via BGR]