Samsung Galaxy S5 fingerprint scanner hacked using a “dummy finger”
Wednesday April 16, 2014, 11:08 AM
It has barely been a week since the Samsung Galaxy S5 hit stores in more than 125 countries, and already one of its newest features is under the scanner. The flagship device’s fingerprint scanner has been hacked, which invariably also puts a user’s PayPal account at risk.
German security blog H Security has found a way to spoof the fingerprint scanner using a lifted print. So essentially, by picking up the print from the scanner, the group was able to make a dummy finger and use it to unlock the device. They have put up a video (embedded below) to show the entire process.
If you remember, last year the German hacking group CCC used the same method to fool the fingerprint scanner on the iPhone 5S. The only, yet potentially dangerous, difference between the two devices is that after a reboot, the iPhone 5S requires the passcode to be entered once before giving access to the device. Samsung, on the other hand, asks for no such thing and gives access to the device right away.
By spoofing the scanner, one can also get access to the user’s PayPal account. As the account is configured to accept the fingerprint authentication, one will be able to make any payments via the app.
A PayPal spokesperson contacted our colleagues at BGR Classic via email with the following statement:
While we take the findings from Security Research Labs very seriously, we are still confident that fingerprint authentication offers an easier and more secure way to pay on mobile devices than passwords or credit cards. PayPal never stores or even has access to your actual fingerprint with authentication on the Galaxy S5. The scan unlocks a secure cryptographic key that serves as a password replacement for the phone. We can simply deactivate the key from a lost or stolen device, and you can create a new one. PayPal also uses sophisticated fraud and risk management tools to try to prevent fraud before it happens. However, in the rare instances that it does, you are covered by our purchase protection policy.