It’s no secret that consumer-grade fingerprint unlocking mechanisms aren’t the most secure things ever. They’re easily spoofed, something we learned with the iPhone 5S’ own implementation late last year.
The Samsung Galaxy S5 is not an exception to the rule, unfortunately, with one security researcher from successfully able to use a lifted print to bypass the Galaxy S5’s fingerprint security without the original finger that set it up. SRLabs has demonstrated it here on video:
They used a latex molding of an actual print to swipe the authenticated “finger” over the Galaxy S5’s embedded fingerprint scanner, successfully gaining access to the device. The researcher acknowledges that Apple’s implementation is subject to the same spoofing, but it’s Samsung’s lack of added security layers that makes theirs especially troubling:
- The device allows you to make as many attempts as you need to unlock it, so being locked out after a number of incorrect tries is one nonexistent layer of added security.
- The device doesn’t require a password after you first set it up, even if you reboot it.
Even more troubling is the fact that the built-in Paypal integration is subject to the same pitfalls, so if someone has access to your phone, they potentially have access to your funds. All it’d take is a few minutes (after doing whatever they do to get the image if your fingerprint) to have your bank account wiped out.
Paypal’s already responded to the claims, though, stating that they have taken great measures to ensure consumers are protected in the event of a malicious attack.
While we take the findings from Security Research Labs very seriously, we are still confident that fingerprint authentication offers an easier and more secure way to pay on mobile devices than passwords or credit cards. PayPal never stores or even has access to your actual fingerprint with authentication on the Galaxy S5.
The scan unlocks a secure cryptographic key that serves as a password replacement for the phone. We can simply deactivate the key from a lost or stolen device, and you can create a new one. PayPal also uses sophisticated fraud and risk management tools to try to prevent fraud before it happens. However, in the rare instances that it does, you are covered by our purchase protection policy.
Long story short, Paypal is well-equipped to help you if any of this happens after the fact. For what it’s worth, not many people will be knowledgeable enough to be able to mold your fingerprint, and if you happen to know someone who is then chances are they won’t be able to get access to your actual phone.
And if they do, well, you’d be one very odd apple out of a whole bunch of them. Still, the likelihood of the risk not applying to you doesn’t mean it doesn’t exist, so be careful. Watch the video above for a quick demonstration, and stay tuned as we reach out to Samsung to see if they have anything to say about these claims.