PayPal is not rethinking its decision to make its service available on devices at the bleeding edge of technology, even after a research group demonstrated what sounds like science fiction: defeating fingerprint authentication on a mobile phone.
SRLabs, a security research and consulting think tank in Germany, published a video on YouTube purportedly showing how it spoofed a fingerprint to gain access to a Galaxy S5 phone and saying Samsung had not learned from a similar demonstration on Apple’s iPhone 5S.
SRLabs said the video showed how a wood-glue spoof fingerprint bypassed the Galaxy S5’s fingerprint lock. And, it warned, “Incorporation of fingerprint authentication into highly sensitive apps such as PayPal gives a would-be attacker an even greater incentive to learn the simple skill of fingerprint spoofing.”
PayPal issued the following statement on Tuesday in response to the video.
“While we take the findings from Security Research Labs very seriously, we are still confident that fingerprint authentication offers an easier and more secure way to pay on mobile devices than passwords or credit cards. PayPal never stores or even has access to your actual fingerprint with authentication on the Galaxy S5. The scan unlocks a secure cryptographic key that serves as a password replacement for the phone. We can simply deactivate the key from a lost or stolen device, and you can create a new one. PayPal also uses sophisticated fraud and risk management tools to try to prevent fraud before it happens. However, in the rare instances that it does, you are covered by our purchase protection policy.”
In an interview with GeekWire, eBay senior security adviser Brett McDowell said, “We do not believe that a security researcher able to demonstrate a spoof fingerprint under lab conditions is news, nor do we believe it poses undue risk to our customers. This is a highly focused, unscalable attack.”
Here’s how PayPal users pay for items using the Galaxy S5’s fingerprint authentication: “Once you link your fingerprint to PayPal, you can use your fingerprint to log in to shop and pay on any app or merchant that accepts PayPal on mobile and in stores. When shopping online and ready to check out with PayPal, you will be prompted to log in using your fingerprint (rather than typing in your user name and password), and then have the ability to view and confirm your order.”
PayPal said it does not store users’ fingerprint data. “The only information the device shares with PayPal is a unique encryption key that allows PayPal to verify the identity of the customer without having to store any biometric information on PayPal’s servers, i.e., PayPal never receives a copy or any representation of your fingerprint, and the fingerprint-derived information that is used to recognize you in the future never leaves your device.”
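The two statements above describe an architecture rather than a protocol: a local fingerprint match unlocks a device-held key, the server holds only a per-device key and issues challenges, and a lost device is handled by deactivating its key. The following is an added illustration of that model, not PayPal’s or Samsung’s code; the page does not say which protocol or key type is used, so this constructed example assumes a per-device symmetric key and HMAC challenge-response, with the class and method names chosen for the example.

```python
"""Device-held key unlocked by a local biometric match, verified server-side by
challenge-response. The server stores a per-device key, never the fingerprint.
Constructed example: names, structure and the HMAC choice are assumptions."""
import hashlib
import hmac
import secrets
from typing import Optional


class Device:
    """Stands in for the phone: holds the fingerprint template and per-service keys."""

    def __init__(self, template: bytes):
        # The enrolled template (just bytes here) never leaves this object.
        self._template = template
        self._keys = {}  # relying-party id -> 32-byte key

    def _fingerprint_matches(self, scan: bytes) -> bool:
        # Stand-in for the sensor's matcher. A spoof good enough to pass this
        # check is exactly the case the server cannot distinguish from a finger.
        return hmac.compare_digest(scan, self._template)

    def enroll(self, rp_id: str) -> bytes:
        """Create a key for one relying party and hand it over once, at registration."""
        key = secrets.token_bytes(32)
        self._keys[rp_id] = key
        return key

    def authenticate(self, rp_id: str, scan: bytes, challenge: bytes) -> Optional[bytes]:
        """Answer the challenge only if the local match succeeds; the scan stays here."""
        if not self._fingerprint_matches(scan):
            return None
        return hmac.new(self._keys[rp_id], challenge, hashlib.sha256).digest()


class RelyingParty:
    """Stands in for the payment service: per-device keys and one-time challenges."""

    def __init__(self):
        self._device_keys = {}  # (user, device_id) -> key
        self._active = set()    # (user, device_id) pairs not yet revoked
        self._outstanding = {}  # challenge -> (user, device_id)

    def register(self, user: str, device_id: str, key: bytes) -> None:
        self._device_keys[(user, device_id)] = key
        self._active.add((user, device_id))

    def new_challenge(self, user: str, device_id: str) -> bytes:
        challenge = secrets.token_bytes(32)
        self._outstanding[challenge] = (user, device_id)
        return challenge

    def verify(self, user: str, device_id: str, challenge: bytes, response: Optional[bytes]) -> bool:
        # Each challenge is consumed on first use, so a captured response cannot be replayed.
        if self._outstanding.pop(challenge, None) != (user, device_id):
            return False
        if (user, device_id) not in self._active or response is None:
            return False
        expected = hmac.new(self._device_keys[(user, device_id)], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

    def revoke(self, user: str, device_id: str) -> None:
        """Deactivate the key of a lost or stolen device; the user enrolls a new one."""
        self._active.discard((user, device_id))


def demo() -> dict:
    """Run the registration, login, replay, wrong-finger and revocation cases."""
    template = hashlib.sha256(b"constructed enrolled-finger features").digest()
    phone = Device(template)
    service = RelyingParty()
    service.register("alice", "phone-1", phone.enroll("payments"))
    results = {}

    c1 = service.new_challenge("alice", "phone-1")
    r1 = phone.authenticate("payments", template, c1)
    results["genuine_login"] = service.verify("alice", "phone-1", c1, r1)
    results["replay"] = service.verify("alice", "phone-1", c1, r1)

    c2 = service.new_challenge("alice", "phone-1")
    r2 = phone.authenticate("payments", b"some other finger", c2)
    results["wrong_finger"] = service.verify("alice", "phone-1", c2, r2)

    # A spoof that satisfies the matcher produces a scan the device accepts;
    # the server sees a perfectly valid login. Revocation is the remedy.
    service.revoke("alice", "phone-1")
    c3 = service.new_challenge("alice", "phone-1")
    r3 = phone.authenticate("payments", template, c3)
    results["after_revoke"] = service.verify("alice", "phone-1", c3, r3)
    return results


if __name__ == "__main__":
    print(demo())
```

Two points the model makes visible: the server-side check never touches biometric data, so nothing fingerprint-shaped exists to leak from the service; and the server cannot tell a spoofed finger from a real one, which is why revocation and the fraud controls PayPal mentions, rather than the sensor, carry the weight once a device is stolen. With a symmetric key as modeled here, a breach of the server's key store would let an attacker forge responses; a public-key variant, where the device keeps the private key and the server stores only the public key, removes that exposure.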
PayPal has been aggressive in integrating its payment solutions on the latest devices. On a marketing page promoting the new Galaxy S5 phone, Samsung promotes the ability of users to make “faster and more secure payments” for purchases using PayPal “with the swipe of your finger.” And likewise, PayPal has its own pages promoting the smartphone.
And PayPal said it was the first payment provider on Samsung’s Gear 2 smartwatch, allowing owners to “check-in to pay at local stores, save and redeem offers, send money and receive payment notifications.”