Just when we thought fingerprint sensors were making our smartphones safer, a group of friendly hackers in Germany announce it's pitifully easy to trick the Samsung Galaxy S5 fingerprint sensor. The researchers even found they could access the PayPal account registered to the smartphone with their fake fingerprint.
Fans of biometric security would have us believe that our fingerprints are sacred, that there's no way they can be stolen and used to bypass the sensors on new smartphones such as the Samsung Galaxy S5,iPhone 5S and others. White hat hackers at Security Research Labs in Germany are more than happy to dispel this peaceful vision.
In a recent test, Security Research Labs was able to lift a copy of the Galaxy S5 owner's fingerprint, attach it to their finger and use it to unlock the smartphone. The researchers then took it one step further and accessed the smartphone owner's PayPal account. It was all pitifully easy.
"We expected we'd be able to spoof the S5's Finger Scanner, but I hoped it would at least be a challenge," Ben Schlabs, a researcher at Security Research Labs, said. "The S5 Finger Scanner feature offers nothing new except - because of the way it is implemented in this Android device-slightly higher risk than that already posed by previous devices."
In its report, Security Research Labs lamented Samsung didn't learn from the hack incident that occurred with the iPhone 5S just 48 hours after its release.
"Samsung does not seem to have learned from what others have done less poorly," Security Research Labs said. "Incorporation of fingerprint authentication into highly sensitive apps such as PayPal gives a would-be attacker an even greater incentive to learn the simple skill of fingerprint spoofing."
Unlike the iPhone 5S, the Galaxy S5 doesn't question multiple incorrect fingerprint swipes, making it even easier to fake it. All the friendly hacker had to do is reboot the Galaxy S5 and it was like nothing bad had ever happened. The sensor assumed the fake fingerprint was real and unlocked right away.
Since PayPal was the target of this demo, the company quickly responded to the hackers' report and reassured its customers about its careful monitoring of fraudulent activity on accounts.
"The scan unlocks a secure cryptographic key that serves as a password replacement for the phone," PayPal said in a statement. "We can simply deactivate the key from a lost or stolen device, and you can create a new one. PayPal also uses sophisticated fraud and risk management tools to try to prevent fraud before it happens. However, in the rare instances that it does, you are covered by our purchase protection policy."
