In the video, the researchers showed how the fingerprint scanner on the smartphone could be bypassed by using a “wood glue spoof”. This was easily made from a mould of a fingerprint smudge left on a smartphone screen. What is even more disturbing is that this same hack was used on the iPhone 5s last year as well.
According to the researchers, the spoof allowed them to easily bypass the S5's security, and it was made from nothing “but a camera phone photo of an unprocessed latent print on a smartphone screen.”
The video showcases how Samsung’s integration of the fingerprint security into apps like PayPal is worrying, especially since the phone allows users multiple attempts to log in.
The researchers say that this gives hackers even more incentive to learn how to spoof the fingerprint scanner.
“We expected we’d be able to spoof the S5’s Finger Scanner, but I hoped it would at least be a challenge. The S5 Finger Scanner feature offers nothing new except—because of the way it is implemented in this Android device—slightly higher risk than that already posed by previous devices,” Ben Schlabs, a researcher at SRLabs, wrote in an e-mail to Ars Technica.
According to the researchers, Samsung has executed the fingerprint authentication quite poorly and has not learnt much from other Android device manufacturers.
CNET reports that PayPal has already issued a statement on the findings, saying, “While we take the findings from Security Research Labs very seriously, we are still confident that fingerprint authentication offers an easier and more secure way to pay on mobile devices than passwords or credit cards.”
“PayPal never stores or even has access to your actual fingerprint with authentication on the Galaxy S5. The scan unlocks a secure cryptographic key that serves as a password replacement for the phone. We can simply deactivate the key from a lost or stolen device, and you can create a new one. PayPal also uses sophisticated fraud and risk management tools to try to prevent fraud before it happens. However, in the rare instances that it does, you are covered by our purchase protection policy.”