The Samsung Galaxy S5 fingerprint sensor is meant to add an extra layer of security to your smartphone, and it also lets you make payments through PayPal. But how far is this true?
Four days after Samsung released its much awaited Galaxy S5, German Security researchers at Security Research Labs have managed to break the smartphone’s fingerprint sensor by using a fingerprint spoof.
In a video of the hack, Ben Schlabs, a researcher at SRLabs demonstrated how he was able to bypass the fingerprint security.
The researcher employed the same trick used to spoof the fingerprint sensor in Apple’s iPhone 5S last year: a “wood glue spoof” cast from an etched PCB mold, which was in turn made from a photo of an unprocessed fingerprint smudge left on a smartphone screen.
However, there are minor differences in how the two fingerprint scanners operate. Touch ID requires you to enter your passcode once before you can use the sensor to unlock your phone, and every time you reboot the iPhone 5S it prompts for the passcode again. The Galaxy S5 has no such security measure in place at this time, not even after rebooting the phone.
What’s equally alarming is that, even after a reboot, you are not prompted for a password to access the PayPal account, and you can gain complete control over money transfers and purchases. As demonstrated in the video, the person is able to log in to PayPal, giving him the ability to access the owner’s account.
“Despite being one of the premium phone’s flagship features, Samsung’s implementation of fingerprint authentication leaves much to be desired,” the researcher in the video said. “The finger scanner feature in Samsung’s Galaxy S5 raises additional security concerns to those already voiced about comparable implementations.”
Schlabs said Samsung could have improved its fingerprint sensor by building in a strict password lockout after a series of failed swipe attempts.
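The two controls the article says the Galaxy S5 lacked, a password gate after every reboot and a lockout after repeated failed swipes, can be sketched as a small unlock-policy state machine. This is an added illustration, not code from SRLabs or Samsung; the class name, the five-swipe limit and the state names are assumptions chosen for the example.

```python
from dataclasses import dataclass


@dataclass
class FingerprintUnlockPolicy:
    """Hypothetical device unlock policy (not Samsung's implementation).

    - After boot the sensor is not accepted until the password is entered once.
    - After max_failed_swipes consecutive mismatches the sensor is locked out
      and the password is required again, which bounds how many spoof attempts
      an attacker holding the phone gets per password entry.
    """
    max_failed_swipes: int = 5          # assumed threshold for the example
    failed_swipes: int = 0
    password_required: bool = True      # cold boot starts in the gated state

    def on_boot(self) -> None:
        # Reboot clears the counter but always re-arms the password gate.
        self.failed_swipes = 0
        self.password_required = True

    def on_password_success(self) -> None:
        # A correct password re-enables the sensor and resets the counter.
        self.failed_swipes = 0
        self.password_required = False

    def on_fingerprint(self, matched: bool) -> str:
        """Apply one swipe; returns the resulting state name."""
        if self.password_required:
            return "password_required"   # sensor ignored until password entered
        if matched:
            self.failed_swipes = 0
            return "unlocked"
        self.failed_swipes += 1
        if self.failed_swipes >= self.max_failed_swipes:
            self.password_required = True  # strict lockout: fall back to password
            return "locked_out"
        return "rejected"
```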
PayPal commented on SRLabs’ findings, saying,
“While we take the findings from Security Research Labs very seriously, we are still confident that fingerprint authentication offers an easier and more secure way to pay on mobile devices than passwords or credit cards. PayPal never stores or even has access to your actual fingerprint with authentication on the Galaxy S5. The scan unlocks a secure cryptographic key that serves as a password replacement for the phone. We can simply deactivate the key from a lost or stolen device, and you can create a new one. PayPal also uses sophisticated fraud and risk management tools to try to prevent fraud before it happens. However, in the rare instances that it does, you are covered by our purchase protection policy.”
SRLabs is one of several security research groups that have investigated mobile networks, SIM cards, payment terminals and other services for security issues, the report added.