Web security is on everyone’s minds these days, especially in light of the recent Heartbleed internet security breach. With consumers purchasing products online from all over the world, it’s particularly important to provide them with secure browsing and payment options. Over the last several years, web hosts have launched security features to protect websites from malware and other malicious attacks, but how about mobile device security?
With new mobile payment options like the fingerprint payment system on the Samsung Galaxy S5 (which was recently hacked, according to multiple sources), as well as the iPhone 5s fingerprint scanner (which was also hacked), is secure web hosting the only bastion of true online security right now? How is the rise of mobile devices contributing to this push toward a more secure digital infrastructure?
The Rise of Fingerprint Payments
The Samsung Galaxy S5 has a home button, much like the iPhone. But unlike the iPhone, users swipe their finger across the home button (rather than press it) to scan their fingerprint. This unlocks the phone, and the registered fingerprints can be linked to other features. PayPal, in particular, worked with Samsung to provide a way to link a user’s PayPal account to their registered fingerprints. This allows customers to simply scan their fingerprint on their phone to purchase items, without entering usernames, passwords, or account information. With this technology, customers can shop online at any store that accepts PayPal and complete their transaction with a simple swipe of the finger.
How Does it Work?
The Galaxy S5 uses a biometric sensor to scan the fingerprint. The fingerprint scan is then linked to the phone’s unique cryptographic chip to identify the user and the device. This information links the device with the user’s PayPal account. The fingerprint scanner’s output is coded into cryptographic keys that combine with the cryptographic keys of the phone’s chip to create a third key. This third key is the information that’s sent to linked accounts to process payment. This keying method follows the FIDO protocol to ensure that the fingerprint can’t be copied or recreated outside of the device and isn’t stored anywhere other than the phone.
What are the Benefits?
These days, we have passwords for everything. As such, we have to remember many passwords, especially with the advent of the smartphone. As a result, many people tend to use simple, easily remembered passwords, and use the same password across several accounts and devices. According to the FIDO Alliance, this overuse of and reliance on simple passwords makes it easy for criminals to guess passwords and take control of various accounts. The fingerprint scan allows for a unique identification that’s easy to use (even one-handed) and doesn’t require the memorization or upkeep of multiple passwords.
The fingerprint scan can also be used to purchase applications within Google Play, much like the fingerprint scan on the iPhone. Linking fingerprint data to PayPal allows consumers to purchase items easily not only online, but also in physical stores and other locations that accept PayPal. Samsung has also released the fingerprint technology SDK to developers, which will result in many other applications utilizing the fingerprint scan technology.
What are the Drawbacks?
Currently, the most serious drawback of the Samsung Galaxy S5’s fingerprint payment system is that it has been hacked. This was done by whitehat hackers at Germany’s Security Research Labs using a “lifted print” process. A similar tactic was used to hack into the iPhone’s fingerprint scanner, but the implications of hacking into the Galaxy S5 are far more serious.
With the iPhone, a password still had to be entered after every reboot, both to access the phone and to purchase apps. This thwarted the lifted print spoof. However, with the Galaxy S5, no password is needed after the initial registration, for either phone access or PayPal, even following a device reboot. Due to the link between the fingerprint key and account data, criminals can gain access to more vital information using the Galaxy S5, including the victim’s bank account details and any physical address that is linked to the account.
Samsung released a statement that highlighted their concerns for their customers’ account security, but also restated that the fingerprint data was not stored outside of the phone and that PayPal’s payment protection prevented account misuse. They also pointed out that since the fingerprint is coded with the device’s cryptographic key, it’s a simple matter to deactivate the link once the phone is reported missing or stolen.
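The following sketch is an added example, not code from Samsung, PayPal or the FIDO Alliance. It models the pattern described under "How Does it Work?" and in the drawbacks above: the fingerprint is matched only on the device, the server holds just a per-device public key, a passcode-after-reboot policy decides whether a print alone is enough, and the server can deactivate the link. It assumes the general FIDO design of a device-held private key signing a server challenge; every class and function name is hypothetical, and the fingerprint is a constructed string.

```javascript
// Added illustration: all names are hypothetical and the sensor match is simulated.
const nodeCrypto = require("node:crypto");
class Authenticator { // stands in for the phone's cryptographic chip
  constructor(enrolledPrint, passcodeAfterReboot) {
    this.enrolledPrint = enrolledPrint; // template never leaves this object
    this.passcodeAfterReboot = passcodeAfterReboot;
    this.unlocked = true;
    this.keys = new Map(); // one private key per linked account
  }
  register(account) {
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ed25519");
    this.keys.set(account, privateKey);
    return publicKey; // only the public half is exported
  }
  reboot() { this.unlocked = !this.passcodeAfterReboot; }
  enterPasscode() { this.unlocked = true; }
  sign(account, challenge, presentedPrint) { // the match happens on the device
    const key = this.keys.get(account);
    if (!key || !this.unlocked || presentedPrint !== this.enrolledPrint) return null;
    return nodeCrypto.sign(null, challenge, key);
  }
}

class PaymentServer { // stands in for the linked account provider
  constructor() { this.devices = new Map(); }
  link(account, publicKey) { this.devices.set(account, publicKey); }
  deactivate(account) { this.devices.delete(account); } // phone reported stolen
  verify(account, challenge, signature) {
    const publicKey = this.devices.get(account);
    return Boolean(publicKey && signature) && nodeCrypto.verify(null, challenge, publicKey, signature);
  }
}
function pay(server, phone, account, print) {
  const challenge = nodeCrypto.randomBytes(32); // fresh per payment, so no replay
  return server.verify(account, challenge, phone.sign(account, challenge, print));
}

function demo(passcodeAfterReboot) {
  const server = new PaymentServer();
  const phone = new Authenticator("constructed-print", passcodeAfterReboot);
  server.link("alice", phone.register("alice"));
  const attempt = () => pay(server, phone, "alice", "constructed-print");
  phone.reboot();
  const afterReboot = attempt(); // a print the sensor accepts, straight after reboot
  phone.enterPasscode();
  const afterPasscode = attempt();
  server.deactivate("alice");
  return [afterReboot, afterPasscode, attempt()];
}
```

`demo(false)` models a device that never asks for a passcode again and `demo(true)` one that requires it after each reboot; only the first payment attempt differs between them, and both are refused once the server deactivates the link.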
Getting on board now with fingerprint scanning may provide better security for users’ online accounts. According to Sebastien Taveau, the former chief technology officer of Validity (a fingerprint sensor company), fingerprint scan technology will soon be widespread. Recent security concerns, such as the Target debit card leak and the Heartbleed password breach, indicate that a shift is occurring from password reliance to more secure methods. Competitors will likely follow Apple and Samsung’s lead, and incorporate fingerprint scan technology into their own devices.
Consumers are eager for better account security, especially with online payments, and the Samsung Galaxy S5’s fingerprint payment system may be the answer to that security concern. However, it seems that more adjustments need to be made to protect against spoofing, such as the “lifted print” technique.