It turns out the fingerprint scanner, lock or sensor feature of the Samsung Galaxy S5, the company's latest flagship device, is a double-edged sword.
The latest findings from a security research firm showed that the phone is susceptible to hacking. The test came from a researcher at Security Research Labs (SRLabs), a firm based in Berlin, Germany.
Although the company video didn't state the name of the researcher, reports say the researcher was SRLabs' Ben Schlabs, assisted by a white hat hacker colleague who goes by the name Dexter.
As demonstrated in a YouTube video, they bypassed the security requirement of the fingerprint feature using what they called a wood glue spoof. The wood glue spoof was a fake fingerprint taken from the fingerprint smudge on the screen of a smartphone. Yes, in short, a duplicated fingerprint.
"The finger scanner feature in Samsung's Galaxy S5 raises additional security concerns to those already voiced about comparable implementations," Schlabs narrated in the video.
In testing the vulnerability of the phone, the two successfully gained access to the device and to the PayPal account linked to it. It was the same method SRLabs employed to hack Apple's iPhone 5S fingerprint scanner sometime in 2013, only days after its official release.
"Perhaps most concerning is that Samsung does not seem to have learned from what others have done less poorly," Schlabs added.
Schlabs disagreed with critics who doubted the posted hack and called it unrealistic in real-life settings.
PayPal's Brett McDowell, head of ecosystem security, acknowledged the authenticity of the hack and said it has been a known challenge in such fingerprint-based technology. He noted, however, that it should not raise alarm among the public.
PayPal also issued a statement following SRLabs' test. It said the company takes the findings from SRLabs very seriously but, at the same time, expressed confidence in its fingerprint authentication feature.
"PayPal never stores or even has access to your actual fingerprint with authentication on the Galaxy S5. The scan unlocks a secure cryptographic key that serves as a password replacement for the phone. We can simply deactivate the key from a lost or stolen device, and you can create a new one. PayPal also uses sophisticated fraud and risk management tools to try to prevent fraud before it happens," PayPal said.
PayPal added that, in cases of fraud, the company has a purchase protection policy that covers mobile phone users.
Meanwhile, the video narrator said that when biometrics are used for convenience, it should be the manufacturer's responsibility to implement them in a way that doesn't put users' crucial data and financial accounts at risk.
Samsung has marketed the S5 heavily, especially this add-on fingerprint security feature, which can make payments, supposedly securely, through PayPal. Further research, however, reveals that wireless carrier Verizon has disabled the service on the S5 model.
Earlier this month, Samsung also added other anti-theft security features to the Galaxy S5, such as "Reactivation Lock" and "Find My Mobile", to curb what has been a growing problem of mobile robberies in the U.S. The move came in response to authorities asking all mobile manufacturers to include such security features.