It has been only four days since Samsung Electronics Co. (KRX:005935) released the Galaxy S5, but a security flaw has already been discovered that makes the fingerprint scanner, featured in the handset, vulnerable to hacking, in much the same way as the iPhone 5s’ Touch ID sensor was previously compromised.
SRLabs, a Germany-based security research firm, claimed that anyone can gain unauthorized access to a Galaxy S5 by using a wood glue mold from the fingerprint already set on a particular phone. Considering the fact that the Galaxy S5’s fingerprint scanner is tied up with the PayPal app, the new flaw can also be exploited to target mobile payments, in addition to compromising contacts, photos and other confidential data stored on the device.
“Despite being one of the premium phone’s flagship features, Samsung’s implementation of fingerprint authentication leaves much to be desired,” an SRLabs researcher said in a video on Tuesday. “The finger scanner feature in Samsung’s Galaxy S5 raises additional security concerns to those already voiced about comparable implementations.”
As part of the hacking process, the researchers first took a photo of a latent fingerprint using an iPhone 4S, processed it onto a wood-glue mold and then used the mold to successfully bypass the fingerprint scanner of the Galaxy S5.
Users of the iPhone 5s are required to enter their password once after rebooting their device. The Galaxy S5, however, doesn’t require a password and allows users to use their fingerprint to gain access. Users do not even need a password on the PayPal app on the Galaxy S5, iDownloadBlog reported.
If a hacker does not successfully bypass the fingerprint scanner on the first attempt, the phone provides multiple attempts to scan the fingerprint, after which a hacker could even transfer money from a user’s bank account if it is linked to the phone, according to SamMobile.
Meanwhile, PayPal has issued a statement to Boy Genius Report, or BGR, an online publication, stating that the company is watching for any fraud related to fingerprint authentication.
Here is PayPal’s statement:
While we take the findings from Security Research Labs very seriously, we are still confident that fingerprint authentication offers an easier and more secure way to pay on mobile devices than passwords or credit cards. PayPal never stores or even has access to your actual fingerprint with authentication on the Galaxy S5. The scan unlocks a secure cryptographic key that serves as a password replacement for the phone. We can simply deactivate the key from a lost or stolen device, and you can create a new one. PayPal also uses sophisticated fraud and risk management tools to try to prevent fraud before it happens. However, in the rare instances that it does, you are covered by our purchase protection policy.