When it comes to Samsung’s fingerprint scanner technology embedded in the home button on the new Galaxy S5, there’s good news and bad news. The good news is that we have spent plenty of time testing it, and we’ve found that it works very well. The bad news, however, is that it has apparently already been hacked, leaving Galaxy S5 owners’ devices and their PayPal accounts at risk.
As noted by German-language security blog H Security, SRLabs has posted video evidence that the fingerprint scanner on Samsung’s Galaxy S5 can easily be spoofed using a lifted print. In mere minutes, the group was able to create a “dummy finger” using an actual fingerprint to gain unauthorized access to the phone.
Some might recall that Apple’s iPhone 5s fingerprint scanner was hacked using the same method. As SRLabs points out, however, the Galaxy S5’s fingerprint security implementation makes this hack far more dangerous.
With Apple’s Touch ID system, users are required to input their password one time before using a fingerprint for authentication. The password must be used again once each time the device is rebooted. This extra step seems annoying, but it prevents the very spoof achieved by SRLabs.
On Samsung’s Galaxy S5, however, no password is needed to access the device. Even after a reboot, a simple swipe of a finger will unlock the phone. More alarming still, even after a reboot, users don’t need a password to access PayPal and make payments through the app if it has been configured for fingerprint authentication.
A video showing exactly how the hack works is embedded below.
UPDATE: A PayPal spokesperson contacted BGR via email with the following statement:
While we take the findings from Security Research Labs very seriously, we are still confident that fingerprint authentication offers an easier and more secure way to pay on mobile devices than passwords or credit cards. PayPal never stores or even has access to your actual fingerprint with authentication on the Galaxy S5. The scan unlocks a secure cryptographic key that serves as a password replacement for the phone. We can simply deactivate the key from a lost or stolen device, and you can create a new one. PayPal also uses sophisticated fraud and risk management tools to try to prevent fraud before it happens. However, in the rare instances that it does, you are covered by our purchase protection policy.
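The policy difference described above (a password required once per boot before a fingerprint counts, versus a fingerprint alone) and the arrangement in PayPal's statement (the scan releases a cryptographic key that the service can deactivate remotely) can be modelled in a few dozen lines. The following is an added illustration, not code from BGR, SRLabs, Samsung or PayPal; the names `Device`, `PaymentServer` and `UnlockPolicy` are hypothetical, the key wrap is a toy HMAC keystream standing in for a real AEAD, and a sensor-accepted spoof is modelled simply as a sample equal to the enrolled template (the model does not reproduce how one is made).

```python
"""Model of two biometric-unlock policies and a server-revocable payment key.

Added example; not the code of any product named in the article. The device,
server and policy names are hypothetical, and the key wrap is a simplification.
"""
import hashlib
import hmac
import os
from enum import Enum


class UnlockPolicy(Enum):
    CREDENTIAL_AFTER_BOOT = 1  # Touch ID-style: password once per boot before a print counts
    BIOMETRIC_ALONE = 2        # Galaxy S5 behaviour as the article describes it


def _keystream(kek: bytes, length: int) -> bytes:
    """HMAC-SHA256 counter keystream used as a toy key wrap (stand-in for an AEAD)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(kek, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Device:
    """Phone that releases a payment key when a fingerprint sample matches the template.

    CREDENTIAL_AFTER_BOOT keeps the key wrapped under a password-derived key until the
    password has been entered once since boot. BIOMETRIC_ALONE keeps a copy the device
    can unseal with no user input, so a matching print alone releases it after reboot.
    """

    def __init__(self, policy: UnlockPolicy, password: str, template: bytes, payment_key: bytes):
        self.policy = policy
        self._template = template              # enrolled biometric template (constructed)
        self._salt = os.urandom(16)
        kek = self._derive(password)
        wrapped = _xor(payment_key, _keystream(kek, len(payment_key)))
        tag = hmac.new(kek, wrapped, hashlib.sha256).digest()
        self._wrapped = (wrapped, tag)
        # Only the weak policy stores material that needs no user credential to unseal.
        self._device_sealed = payment_key if policy is UnlockPolicy.BIOMETRIC_ALONE else None
        self._released = None
        self.reboot()

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 50_000)

    def reboot(self) -> None:
        self._released = None
        if self.policy is UnlockPolicy.BIOMETRIC_ALONE:
            self._released = self._device_sealed  # available before any password entry

    def enter_password(self, password: str) -> bool:
        kek = self._derive(password)
        wrapped, tag = self._wrapped
        if not hmac.compare_digest(tag, hmac.new(kek, wrapped, hashlib.sha256).digest()):
            return False
        self._released = _xor(wrapped, _keystream(kek, len(wrapped)))
        return True

    def present_finger(self, sample: bytes):
        """Return the payment key on a template match, or None if no key is releasable."""
        if not hmac.compare_digest(sample, self._template):
            return None
        return self._released


class PaymentServer:
    """Relying party: holds one key per enrolled device and can deactivate it remotely."""

    def __init__(self):
        self._keys, self._revoked = {}, set()

    def register(self, payment_key: bytes) -> str:
        key_id = os.urandom(8).hex()
        self._keys[key_id] = payment_key
        return key_id

    def revoke(self, key_id: str) -> None:
        self._revoked.add(key_id)

    def verify_payment(self, key_id: str, message: bytes, signature: bytes) -> bool:
        if key_id in self._revoked or key_id not in self._keys:
            return False
        expected = hmac.new(self._keys[key_id], message, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def lifted_print_pays_after_reboot(policy: UnlockPolicy, password_entered: bool = False,
                                   revoked: bool = False) -> bool:
    """True if a sensor-accepted spoof can complete a payment right after a reboot."""
    template = b"constructed-enrolled-template"
    lifted = template                          # a spoof the sensor accepts, modelled as a match
    server, payment_key = PaymentServer(), os.urandom(32)
    dev = Device(policy, "correct horse battery staple", template, payment_key)
    key_id = server.register(payment_key)
    dev.reboot()
    if password_entered and not dev.enter_password("correct horse battery staple"):
        raise RuntimeError("password unwrap failed")
    if revoked:
        server.revoke(key_id)
    released = dev.present_finger(lifted)
    if released is None:
        return False
    msg = b"pay 10.00 to merchant"
    return server.verify_payment(key_id, msg, hmac.new(released, msg, hashlib.sha256).digest())


if __name__ == "__main__":
    for policy in UnlockPolicy:
        for entered in (False, True):
            print(f"{policy.name:22} password_entered={entered!s:5} "
                  f"spoof_pays={lifted_print_pays_after_reboot(policy, entered)}")
```

The `CREDENTIAL_AFTER_BOOT` device refuses to release anything after a reboot until the password has unwrapped the key, which is the step the article credits with blunting the spoof on the iPhone 5s; once that step is done, a sensor-accepted spoof succeeds on either policy, which is why the remote `revoke` in `PaymentServer` matters as the second line of defence.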