Paypal says Samsung fingerprint payments 'very secure' : "The important thing about this announcement is that none of your biometric data is stored on that phone.
"It's not storing your fingerprints locally. It takes your fingerprint, encrypts it, sends it to PayPal, they decrypt it, checks it's the same, and then you're authenticated. It's very, very secure."
Well, I think this is a very dangerous method!! Samsung's implementation is fundamentally flawed. i) 3rd party keeps your un-encrypted biometric info ii) encryption key leakage from 3rd party or Samsung iii) local hardware hack, if there is no specifical chip handle the scan and encryption directly (I don't see it right now) iv) android system's security...
Further research shows:
The inside story is that Samsung is the first smartphone maker to deploy a fingerprint sensor that uses the new FIDO Alliance authentication standard (FIDO stands for Fast IDentity Online).
The FIDO Alliance is based on the simple idea that a user can authenticate to their own device and then use public key encryption to authenticate to the network. PKE is very strong encryption (though NSA shenanigans have raised concern about back doors) and, like Apple’s scheme, does not involve biometric data itself residing in the cloud.
Ok, sounds better now. It seems the security flaw in theory could only happen locally, on Samsung's phone. Point ii, iii & iv are still valid.
No comments:
Post a Comment