Samsung has followed in Apple's footsteps and included a fingerprint sensor in its flagship Galaxy S5; however, we weren't very impressed. It was very picky about recognising fingerprints, and unlocking took much longer than simply entering your PIN. Now the news gets worse: the BGR report below details how a loophole in the sensor's security has been found.
As noted by German-language security blog H Security, SRLabs has posted video evidence that the fingerprint scanner on Samsung’s Galaxy S5 can easily be spoofed using a lifted print. In mere minutes, the group was able to create a “dummy finger” using an actual fingerprint to gain unauthorized access to the phone.
Some might recall that Apple's iPhone 5s fingerprint scanner was hacked using the same method. As SRLabs points out, however, the Galaxy S5's fingerprint security implementation makes this hack far more dangerous.
With Apple's Touch ID system, users are required to enter their password once before a fingerprint can be used for authentication, and the password must be entered again once after every reboot. This extra step seems annoying, but it prevents the very spoof achieved by SRLabs.
On Samsung's Galaxy S5, however, no password is needed to access the device: even after a reboot, a simple swipe of a finger will unlock the phone. More alarming still, even after a reboot users don't need a password to access PayPal and make payments through the app if it has been configured for fingerprint authentication.
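The difference between the two policies comes down to one gate: whether a fingerprint is accepted before a password has been entered since the last boot. The following is an added, constructed Python model (not Apple's, Samsung's or PayPal's code); the password hashing, the hash-based sensor match and the `LockScreen` class are all assumptions made for illustration.

```python
import hashlib
import hmac
import os


class LockScreen:
    """Constructed model of the two unlock policies described above.

    require_password_after_reboot=True  -> the Touch ID behaviour: a fingerprint is
    accepted only after the password has been entered once since the last boot.
    require_password_after_reboot=False -> the Galaxy S5 behaviour: a fingerprint
    alone unlocks the device even immediately after a reboot.
    """

    def __init__(self, password: str, enrolled_print: bytes,
                 require_password_after_reboot: bool) -> None:
        self.require_password_after_reboot = require_password_after_reboot
        self._salt = os.urandom(16)
        self._pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)
        # Simplification: the sensor match is modelled as a hash comparison of the
        # captured print data. A dummy finger made from a lifted print produces the
        # same capture as the real finger, so the sensor alone cannot tell them apart.
        self._template = hashlib.sha256(enrolled_print).digest()
        self.reboot()

    def reboot(self) -> None:
        self.password_entered_since_boot = False
        self.unlocked = False

    def unlock_with_password(self, password: str) -> bool:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)
        ok = hmac.compare_digest(candidate, self._pw_hash)
        if ok:
            self.password_entered_since_boot = True
            self.unlocked = True
        return ok

    def unlock_with_fingerprint(self, captured_print: bytes) -> bool:
        # Policy gate: with no post-boot password entry the sensor is not consulted.
        if self.require_password_after_reboot and not self.password_entered_since_boot:
            return False
        ok = hmac.compare_digest(hashlib.sha256(captured_print).digest(), self._template)
        if ok:
            self.unlocked = True
        return ok


def spoof_unlocks_after_reboot(require_password_after_reboot: bool) -> bool:
    """Does a capture matching the enrolled print unlock a freshly rebooted device?"""
    owner_print = b"constructed-minutiae-of-owner"  # constructed stand-in for sensor data
    phone = LockScreen("constructed-password", owner_print, require_password_after_reboot)
    phone.reboot()
    return phone.unlock_with_fingerprint(owner_print)  # identical capture from a copy
```

Under the fingerprint-only policy the matching capture unlocks the rebooted phone; under the password-after-reboot policy it is refused until the password has been entered, which is the gap the article describes between the two devices.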
A video showing exactly how the hack works is embedded below.
UPDATE: A PayPal spokesperson contacted BGR via email with the following statement:
While we take the findings from Security Research Labs very seriously, we are still confident that fingerprint authentication offers an easier and more secure way to pay on mobile devices than passwords or credit cards. PayPal never stores or even has access to your actual fingerprint with authentication on the Galaxy S5. The scan unlocks a secure cryptographic key that serves as a password replacement for the phone. We can simply deactivate the key from a lost or stolen device, and you can create a new one. PayPal also uses sophisticated fraud and risk management tools to try to prevent fraud before it happens. However, in the rare instances that it does, you are covered by our purchase protection policy.