Like the iPhone 5S, the Galaxy S5 has a fingerprint sensor. Like the iPhone 5S, the Galaxy S5’s fingerprint sensor has been hacked to allow access. The party responsible for the hack is — as you may have guessed — the same researcher who found the vulnerability on the iPhone 5S when it was launched.
The hack is simple, but unlikely to occur in the real world. A would-be thief or identity thief (or whoever, we’re spitballing here) lifts your latent fingerprint and makes a copy of it. The video, which you can see below, shows a clay-like mold and wood glue being used to produce a fake print that fools the Samsung Galaxy S5.
Further complicating matters, the Galaxy S5 lacks some of the fallback protections the iPhone has: it can be fooled by the fake print right after a restart, and it allows an unlimited number of scan attempts. That smacks of an admission of guilt on Samsung’s part, essentially conceding that the fingerprint scanning hardware is less than adequate.
It goes without saying that this attack is too sophisticated for the average person, and unlikely to occur unless someone close to you really wants your info. If someone did manage to get both your fingerprint and your phone, all you’d really have to do is remotely wipe it using Android Device Manager — if you’ve set it up, that is.
In the video, you can clearly see the researcher using the spoofed print to get into PayPal, noting it would allow someone to perform “any task he wishes, including making purchases and unsolicited money transfers”. The company recently promised to bring a “secure” fingerprint payment option to the Galaxy S5, so this is especially concerning. PayPal has reached out to us with a statement on the matter, and we’ll let them have the last word here:
While we take the findings from Security Research Labs very seriously, we are still confident that fingerprint authentication offers an easier and more secure way to pay on mobile devices than passwords or credit cards. PayPal never stores or even has access to your actual fingerprint with authentication on the Galaxy S5. The scan unlocks a secure cryptographic key that serves as a password replacement for the phone. We can simply deactivate the key from a lost or stolen device, and you can create a new one. PayPal also uses sophisticated fraud and risk management tools to try to prevent fraud before it happens. However, in the rare instances that it does, you are covered by our purchase protection policy.