What you say could be perfectly right. I assume that PayPal would take into account that if the fingerprint was stolen it could be used for unauthorized transactions (and therefor be also a problem for them). Giving them reason to also be concerned by the storage of the fingerprint on the device itself. We won't know that until the security is fully detailed (but that took a while for Apple as well).
Your last sentence really is a problem of fingerprint scanners used for security in general.
I wonder if the Galaxy S5's non-hash scan and visual display of your fingerprint will allow one to take a screenshot and then print out a mold of the image to the appropriate size to bypass the scanner.
I wonder if the Galaxy S5's non-hash scan and visual display of your fingerprint will allow one to take a screenshot and then print out a mold of the image to the appropriate size to bypass the scanner.
Who knows . Wouldn't hurt to try I guess .
To be clear I'm not defending Samsung's solution here by any means, first and foremost I don't know how it works exactly. If anything I think they should have just left the fingerprint scanner for what it is and try to think of something else. I was just making assumptions based on what I thought financial service providers would look at/be concerned with.
And like I stated in my comments before, I am really impressed with Apple's security solution as it is well thought out and well executed.
To be clear I'm not defending Samsung's solution here by any means, first and foremost I don't know how it works exactly. I was just making assumptions based on what I thought financial service providers would look at/be concerned with.
I'm with you and I appreciate your balanced response. I have some doubts that Samsung's implementation will have issues for reasons already stated but any final judgement will require waiting to see hands-on tests from users.
This sounds really impressive and I'm glad Apple considered the shortcomings of previous fingerprint scanners. The Touch ID is supposed to be a feature that "just works", which is a common mantra with all Apple products. I'm curious to know what sort of security Samsung will be implementing in theirs. The swiping readers have been around for an awfully long time though.
Originally I experienced significant difficulty with Touch ID. It would work okay for a few hours up to a day or so, after which I'd need to retrain the system completely--and even train on the same digit multiple times (up to the limit of 5) in order to get a decent rate of recognition. Overall the Touch ID experience was unreliable enough that I abandoned its use.
Recently I revisited Touch ID in iOS 7.1 beta, and I am elated to report Touch ID has worked flawlessly. Through a solid week of usage, I have not had to retrain nor did I need to train on the same digit more than once. I have not once had to enter my passcode. The few times Touch ID didn't work the very first time (in a fraction of a second) was when my digit was obviously moist. Quickly drying off the offending digit or switching to a dry one provided near-instant access. Great job, Apple!
Obviously, Apple put a shitload of thought and care into the security and privacy of Touch ID, from all angles, and all aspects. And that came out 5 months ago. Let's contrast that with the (apparently barely functional and poorly thought out) solution by Samsung- which apparently is integrated with Paypal (a horrendous company from my experience) on day one. Oh, and that can't even authenticate purchases from the official Google store. Did Samsung even mention privacy or security in its briefings? How much access will the OS and 3rd party apps have to the sensor? How is it encrypted? Does anyone even care? Apparently not. Just like everything Samsung does, this was thrown is as a shitty "me too!" after-thought. Apparently, it's nearly impossible to "swipe" the sensor while holding the phone in one hand. How the **** did they think that was ok? Most of the time I can unlock touch ID while pulling it out of my pocket. If I had to use 2 hand, it would defeat the entire purpose.
If Apple came out with such a solution 5 months ago they would have been absolutely torched in the media. But with Samsung, it's always a free pass.
Can someone explain how you use your fingerprint to unlock the S5 one handed? Every video I've seen so far the person is using two hands. Seems inconvenient. Also with Touch ID I don't have to wake my device before unlocking it. I just place my thumb on the home button and quickly push down for a second and it unlocks. With the S5 you have to first wake the device. Another inconvenience.
If this news article from Sydney is accurate, the S5 will be encrypting your fingerprint and transmitting it to PayPal, which would mean that PalPal would also have a copy of your fingerprints on their servers...unless there is a dual-authentication model, or their scanner is impossible to spoof, seems to be a pretty big door for fraudulent use of PayPal...
As for concerns about privacy, Lunn says users shouldn't worry.
"The important thing about this announcement is that none of your biometric data is stored on that phone.
"It's not storing your fingerprints locally. It takes your fingerprint, encrypts it, sends it to PayPal, they decrypt it, checks it's the same, and then you're authenticated. It's very, very secure."
Can someone explain how you use your fingerprint to unlock the S5 one handed? Every video I've seen so far the person is using two hands. Seems inconvenient. Also with Touch ID I don't have to wake my device before unlocking it. I just place my thumb on the home button and quickly push down for a second and it unlocks. With the S5 you have to first wake the device. Another inconvenience.
All the hands-on impressions say it's close to impossible. That's usability testing for you.
If this news article from Sydney is accurate, the S5 will be encrypting your fingerprint and transmitting it to PayPal, which would mean that PalPal would also have a copy of your fingerprints on their servers...unless there is a dual-authentication model, or their scanner is impossible to spoof, seems to be a pretty big door for fraudulent use of PayPal...
<p style="border:0px;color:rgb(93,96,99);margin-bottom:.8em;vertical-align:baseline;">As for concerns about privacy, Lunn says users shouldn't worry.</p>
<p style="border:0px;color:rgb(93,96,99);margin-bottom:.8em;vertical-align:baseline;">"The important thing about this announcement is that none of your biometric data is stored on that phone.</p>
<p style="border:0px;color:rgb(93,96,99);margin-bottom:.8em;vertical-align:baseline;">"It's not storing your fingerprints locally. It takes your fingerprint, encrypts it, sends it to PayPal, they decrypt it, checks it's the same, and then you're authenticated. It's very, very secure."</p>
If this news article from Sydney is accurate, the S5 will be encrypting your fingerprint and transmitting it to PayPal, which would mean that PalPal would also have a copy of your fingerprints on their servers...unless there is a dual-authentication model, or their scanner is impossible to spoof, seems to be a pretty big door for fraudulent use of PayPal...
As for concerns about privacy, Lunn says users shouldn't worry.
"The important thing about this announcement is that none of your biometric data is stored on that phone.
"It's not storing your fingerprints locally. It takes your fingerprint, encrypts it, sends it to PayPal, they decrypt it, checks it's the same, and then you're authenticated. It's very, very secure."
Yeah, thats what I thought. Sounds like a security nightmare. On the iPhone the fingerprint is NEVER transferred while making a purchase. But hey, who gives a **** about security, right? Nobody, when it comes to any company that isn't Apple.
Yeah, thats what I thought. Sounds like a security nightmare. On the iPhone the fingerprint is NEVER transferred while making a purchase. But hey, who gives a **** about security, right? Nobody, when it comes to any company that isn't Apple.
The articles I have read just question the security aspects lightly while raving about the openness to developers.
[url=http://www.webpronews.com/paypal-will-let-you-approve-payments-using-your-fingerprint-on-the-galaxy-s5-2014-02]WebProNews [/url]clarifies the concern as in a report. It says “the company (paypal) notes that all your financial information is stored in the cloud and never on your device. The fingerprint scanner instantly communicates with the cloud to authorize purchases and doesn’t store biometric data on the device or on PayPal’s servers. In short, the worst that can happen is hackers breaking into PayPal’s servers and stealing your financial information. While that’s certainly bad, they at least won’t have your biometric data which will one day be the most important identifier you have.”
If this news article from Sydney is accurate, the S5 will be encrypting your fingerprint and transmitting it to PayPal, which would mean that PalPal would also have a copy of your fingerprints on their servers...unless there is a dual-authentication model, or their scanner is impossible to spoof, seems to be a pretty big door for fraudulent use of PayPal...
As for concerns about privacy, Lunn says users shouldn't worry.
"The important thing about this announcement is that none of your biometric data is stored on that phone.
"It's not storing your fingerprints locally. It takes your fingerprint, encrypts it, sends it to PayPal, they decrypt it, checks it's the same, and then you're authenticated. It's very, very secure."
1) So how does the phone simply unlock your device? Does it have to check with PayPal to do that?
2) Having your fingerprint scanned on one device and then your biometrics sent over the internet to be checked by a copy sitting on a server controlled by a 3rd-party is not good security and users should worry if indeed that is how it works. That said, that is such a wretched design that I doubt that report is accurate.
3) Apple's setup is so far the best I've seen. They don't store your fingerprint anywhere. Not even on your phone. It's a hash that gets checked and even the path from the Touch ID sensor to the secure enclave millimeters away has a good deal of encryption in place. It's not impossible to break but as previously noted there are easier ways to gain access to one's device.
Remember when Google brought out face recognition to unlock their devices? I watched the demo on a Google keynote - guess what it failed to unlock the device. Since then I have never seen anyone unlock their device using this method. I don't think many will be using Samsungs fingerprint scanner either.
Comments
I wonder if the Galaxy S5's non-hash scan and visual display of your fingerprint will allow one to take a screenshot and then print out a mold of the image to the appropriate size to bypass the scanner.
I wonder if the Galaxy S5's non-hash scan and visual display of your fingerprint will allow one to take a screenshot and then print out a mold of the image to the appropriate size to bypass the scanner.
Who knows
To be clear I'm not defending Samsung's solution here by any means, first and foremost I don't know how it works exactly. If anything I think they should have just left the fingerprint scanner for what it is and try to think of something else. I was just making assumptions based on what I thought financial service providers would look at/be concerned with.
And like I stated in my comments before, I am really impressed with Apple's security solution as it is well thought out and well executed.
NYT headline: iPhone touch ID less secure in major cities.
Still I wonder what develops from this for Apple.
I'm with you and I appreciate your balanced response. I have some doubts that Samsung's implementation will have issues for reasons already stated but any final judgement will require waiting to see hands-on tests from users.
Just slightly off-topic...
Originally I experienced significant difficulty with Touch ID. It would work okay for a few hours up to a day or so, after which I'd need to retrain the system completely--and even train on the same digit multiple times (up to the limit of 5) in order to get a decent rate of recognition. Overall the Touch ID experience was unreliable enough that I abandoned its use.
Recently I revisited Touch ID in iOS 7.1 beta, and I am elated to report Touch ID has worked flawlessly. Through a solid week of usage, I have not had to retrain nor did I need to train on the same digit more than once. I have not once had to enter my passcode. The few times Touch ID didn't work the very first time (in a fraction of a second) was when my digit was obviously moist. Quickly drying off the offending digit or switching to a dry one provided near-instant access. Great job, Apple!
Obviously, Apple put a shitload of thought and care into the security and privacy of Touch ID, from all angles, and all aspects. And that came out 5 months ago. Let's contrast that with the (apparently barely functional and poorly thought out) solution by Samsung- which apparently is integrated with Paypal (a horrendous company from my experience) on day one. Oh, and that can't even authenticate purchases from the official Google store. Did Samsung even mention privacy or security in its briefings? How much access will the OS and 3rd party apps have to the sensor? How is it encrypted? Does anyone even care? Apparently not. Just like everything Samsung does, this was thrown is as a shitty "me too!" after-thought. Apparently, it's nearly impossible to "swipe" the sensor while holding the phone in one hand. How the **** did they think that was ok? Most of the time I can unlock touch ID while pulling it out of my pocket. If I had to use 2 hand, it would defeat the entire purpose.
If Apple came out with such a solution 5 months ago they would have been absolutely torched in the media. But with Samsung, it's always a free pass.
If Apple came out with such a solution 5 months ago they would have been absolutely torched in the media. But with Samsung, it's always a free pass.
You won't hear Samsung calling it a "free" pass! They pay beaucoup advertising dollars in order to receive blindly favorable press.
If this news article from Sydney is accurate, the S5 will be encrypting your fingerprint and transmitting it to PayPal, which would mean that PalPal would also have a copy of your fingerprints on their servers...unless there is a dual-authentication model, or their scanner is impossible to spoof, seems to be a pretty big door for fraudulent use of PayPal...
As for concerns about privacy, Lunn says users shouldn't worry.
"The important thing about this announcement is that none of your biometric data is stored on that phone.
"It's not storing your fingerprints locally. It takes your fingerprint, encrypts it, sends it to PayPal, they decrypt it, checks it's the same, and then you're authenticated. It's very, very secure."
http://www.smh.com.au/it-pro/business-it/paypal-says-samsung-fingerprint-payments-very-secure-20140227-hve02.html
Can someone explain how you use your fingerprint to unlock the S5 one handed? Every video I've seen so far the person is using two hands. Seems inconvenient. Also with Touch ID I don't have to wake my device before unlocking it. I just place my thumb on the home button and quickly push down for a second and it unlocks. With the S5 you have to first wake the device. Another inconvenience.
All the hands-on impressions say it's close to impossible. That's usability testing for you.
That suggests that the Samsung method is an open wound inviting virii.
If this news article from Sydney is accurate, the S5 will be encrypting your fingerprint and transmitting it to PayPal, which would mean that PalPal would also have a copy of your fingerprints on their servers...unless there is a dual-authentication model, or their scanner is impossible to spoof, seems to be a pretty big door for fraudulent use of PayPal...
As for concerns about privacy, Lunn says users shouldn't worry.
"The important thing about this announcement is that none of your biometric data is stored on that phone.
"It's not storing your fingerprints locally. It takes your fingerprint, encrypts it, sends it to PayPal, they decrypt it, checks it's the same, and then you're authenticated. It's very, very secure."
http://www.smh.com.au/it-pro/business-it/paypal-says-samsung-fingerprint-payments-very-secure-20140227-hve02.html
Yeah, thats what I thought. Sounds like a security nightmare. On the iPhone the fingerprint is NEVER transferred while making a purchase. But hey, who gives a **** about security, right? Nobody, when it comes to any company that isn't Apple.
I thought the general impression is that the Samsung method doesn't function well with two hands either.
The articles I have read just question the security aspects lightly while raving about the openness to developers.
[url=http://www.webpronews.com/paypal-will-let-you-approve-payments-using-your-fingerprint-on-the-galaxy-s5-2014-02]WebProNews [/url]clarifies the concern as in a report. It says “the company (paypal) notes that all your financial information is stored in the cloud and never on your device. The fingerprint scanner instantly communicates with the cloud to authorize purchases and doesn’t store biometric data on the device or on PayPal’s servers. In short, the worst that can happen is hackers breaking into PayPal’s servers and stealing your financial information. While that’s certainly bad, they at least won’t have your biometric data which will one day be the most important identifier you have.”
1) So how does the phone simply unlock your device? Does it have to check with PayPal to do that?
2) Having your fingerprint scanned on one device and then your biometrics sent over the internet to be checked by a copy sitting on a server controlled by a 3rd-party is not good security and users should worry if indeed that is how it works. That said, that is such a wretched design that I doubt that report is accurate.
3) Apple's setup is so far the best I've seen. They don't store your fingerprint anywhere. Not even on your phone. It's a hash that gets checked and even the path from the Touch ID sensor to the secure enclave millimeters away has a good deal of encryption in place. It's not impossible to break but as previously noted there are easier ways to gain access to one's device.