PayPal was left fighting a rear-guard action last night after it emerged the fingerprint scanner seen on the Samsung Galaxy S5 smartphone can easily be bypassed.
Germany's Security Research Labs says the spoofing system allows access to a user's PayPal account, which is an important issue since a key feature of the scanner is one-step access to the PayPal money payment system - effectively replacing the user's ID and password with a fingerprint swipe.
Researchers from SRL appear to have employed a classic James Bond-style technique to fool the fingerprint scanner, photographing a fingerprint left on a smartphone screen - ironically using an iPhone - and then developing an etched PCB image from it. From there, they created a mould of the fingerprint, swiped it across the sensor and fooled it into thinking it was the real thing.
SRL says it was then able to access the smartphone user's PayPal account, since the Android PayPal app allows the fingerprint authentication process to replace the ID/password single factor authentication step on the PayPal site/service.
Perhaps worse, because fingerprint verification can be subject to false negatives, the software appears to allow unlimited attempts at swiping a fingerprint, rather than the 'three strikes' limitation seen on ATMs and most other security systems.
SRL says it was also able to re-use its fake fingerprint mould to authorise a series of rogue transactions.
For its part, PayPal downplayed suggestions that the hack allows unfettered access to a user's account, noting that its users can de-activate the fingerprint authentication system in the event that their smartphone goes missing. The electronic money service says it uses sophisticated fraud and risk management systems to try to prevent fraud and stressed that users are also covered by PayPal's purchase protection policy.
SRL says that one solution to the security problem for Samsung and PayPal would be to check for the intrinsic artefacts of the mould/latent imaging process - such as air bubbles (which appear as white dots on the image) and the other blurring effects seen when a fingerprint has been copied.
Mike McLaughlin, senior penetration tester and technical team lead with First Base Technologies, said the hack highlights the dangers of using a single factor authentication system such as that seen on the Galaxy S5 app. The real issue, he explained, is that any form of security can ultimately be beaten given enough time and effort.
"This is a single point of failure issue. It's similar to the problems that the iPhone 5s scanner had in its early days," he said, adding that using a fingerprint as a straight replacement for an ID/password combination is always going to be risky.
McLaughlin went on to say that he favours two-factor authentication (2FA) as a means of securing critical data, and that he would never entrust critical systems to a single authentication system.
"If Samsung does take this on board, as I think it will, they will issue an update. The bottom line here is that no security technology can ever be viewed as 100 percent secure," he said.
Sarb Sembhi, director of consulting services with Incoming Thought, the business research and analysis house, said that the root cause of this hack may lie in the fact that few biometrics systems make use of industry standards, although he noted that Samsung has yet to make a formal comment on the issue.
"It may well be that this issue relates to a more fundamental problem with standards, if they apply here. I think that Samsung will be able to sort this situation out," he said, adding that using fingerprint scanning as a single form of security is a bold move, especially against the backdrop that smartphones can be used to collate user data for Internet-based services.
Andrew Mason, technical director at security and compliance specialist RandomStorm, said that the main flaw in this scenario is the lack of a lock-out mechanism after a few failed attempts at the finger swipe stage.
"With any authentication system, if you don't limit the number of access attempts that can be made, it is just a matter of mathematics and time before a hacker can get in," he said.
"PayPal has already commented that fraudulent transactions would be covered within its purchase protection policy. Given the effort that the researchers went to, to create the etched PCB mould and then the spoof fingerprint - and the amounts that they'd be able to steal using this method - it's likely to remain as a proof of concept," he added.
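The lock-out Mason describes is straightforward to reason about in code. The following is an added example written for this article, not code from Samsung, PayPal or SRL: a swipe gate that counts failed matches, refuses to pass any swipe to the matcher during a cool-down after three failures, and after a second lock-out disables the biometric path until a second factor is presented. The thresholds (3 failures, 30-second cool-down, hard lock after 2 lock-outs), the toy feature-vector matcher and the enrolled template are all constructed assumptions; a real sensor's matcher and thresholds would differ.

```python
"""Attempt limiting for a fingerprint swipe gate (added example, constructed values)."""
from dataclasses import dataclass
from typing import Callable, List, Sequence, Tuple

MAX_FAILURES = 3        # 'three strikes': assumed value, mirroring the ATM analogy
LOCKOUT_SECONDS = 30.0  # assumed cool-down during which no swipe reaches the matcher
HARD_LOCK_AFTER = 2     # assumed: a second lock-out disables the biometric path entirely

# Constructed stand-in for an enrolled template: a short minutiae-like feature vector.
ENROLLED: Tuple[int, ...] = (3, 1, 4, 1, 5, 9, 2, 6)


def feature_match(sample: Sequence[int], template: Sequence[int] = ENROLLED,
                  threshold: float = 0.75) -> bool:
    """Toy matcher: accept when at least `threshold` of the feature positions agree."""
    agree = sum(1 for a, b in zip(sample, template) if a == b)
    return agree / len(template) >= threshold


@dataclass
class SwipeGate:
    """Wraps the matcher with a failure counter, cool-down and hard lock."""
    matcher: Callable[[Sequence[int]], bool] = feature_match
    failures: int = 0
    lockouts: int = 0
    locked_until: float = 0.0
    evaluations: int = 0   # how many swipes actually reached the matcher

    def attempt(self, sample: Sequence[int], now: float) -> str:
        if self.lockouts >= HARD_LOCK_AFTER:
            return "second-factor-required"      # biometric path is closed for good
        if now < self.locked_until:
            return "locked"                      # swipe is dropped before the matcher
        self.evaluations += 1
        if self.matcher(sample):
            self.failures = 0
            return "accepted"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.failures = 0
            self.lockouts += 1
            self.locked_until = now + LOCKOUT_SECONDS
            return "second-factor-required" if self.lockouts >= HARD_LOCK_AFTER else "locked"
        return "rejected"


def simulate(samples: Sequence[Sequence[int]], limited: bool = True,
             interval: float = 1.0) -> Tuple[List[str], int]:
    """Feed swipes one `interval` apart; return per-swipe status and matcher evaluations.

    limited=False models the behaviour the article criticises: every swipe is matched.
    """
    gate = SwipeGate()
    statuses: List[str] = []
    for i, sample in enumerate(samples):
        now = i * interval
        if limited:
            statuses.append(gate.attempt(sample, now))
        else:
            gate.evaluations += 1
            statuses.append("accepted" if gate.matcher(sample) else "rejected")
    return statuses, gate.evaluations


# Constructed swipes: ten non-matching attempts, then one that the matcher accepts.
BAD_SWIPE = (0, 0, 0, 0, 0, 0, 0, 0)
GOOD_SWIPE = (3, 1, 4, 1, 5, 9, 2, 0)    # 7 of 8 positions agree -> passes the toy matcher
SAMPLES = [BAD_SWIPE] * 10 + [GOOD_SWIPE]

if __name__ == "__main__":
    for limited in (False, True):
        statuses, evaluated = simulate(SAMPLES, limited=limited)
        print(f"limited={limited}: matcher ran {evaluated} times, final swipe -> {statuses[-1]}")
```

With unlimited retries the eleventh swipe is matched and accepted; with the gate in place only the first three swipes ever reach the matcher, the later matching swipe arrives inside the cool-down and is dropped, and a second run of failures forces the user (or attacker) back onto a password or other second factor.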
Andy Davies, Head of Research with security consultancy Pentura, said that any single-factor authentication method - whether it is a password or fingerprint scan - can be abused if the attacker has sufficient means and motive.
"If that single password is captured or cloned by an attacker, it's essentially game over," he said, adding that it is important to utilise two-factor authentication, as the more information we need to provide to prove our identities, the harder it is for attackers to steal or clone credentials, which better protects personal information.