SRLabs: Samsung Galaxy S5 fingerprint scanner is not safe


A recent report has revealed that the fingerprint scanner on the new Samsung Galaxy S5 is not as secure as it should be.

Researchers at Germany’s Security Research Labs (SRLabs), in a video posted on YouTube, demonstrated “how flaws in the implementation of fingerprint authentication in the Samsung Galaxy S5 expose users’ devices, data, and even bank accounts to thieves and other attackers.”

They claimed that the fingerprint scanner on the smartphone could be fooled by using a “wood glue spoof”. Samsung is yet to comment on the report.

The researchers said they used the same spoof that was used last year to show off vulnerabilities within fingerprint security systems using the Apple iPhone 5s and its Touch ID feature. They said the spoof was made from nothing “but a camera phone photo of an unprocessed latent print on a smartphone screen.”

Although the researchers used the same method, SRLabs said that Samsung’s fingerprint scanner technology was less safe than others. The researcher in the video showed that Samsung’s scanner allowed an unlimited number of authentication attempts without ever requiring a password, so a spoof that fails can simply be tried again.

The researchers in the video showed how hackers could exploit the flaw in Samsung’s device to trigger money transfers via PayPal.

“Samsung does not seem to have learned from what others have done less poorly,” Security Research Labs said. “Incorporation of fingerprint authentication into highly sensitive apps such as PayPal gives a would-be attacker an even greater incentive to learn the simple skill of fingerprint spoofing.”

In a statement on Tuesday, PayPal said: “While we take the findings from Security Research Labs very seriously, we are still confident that fingerprint authentication offers an easier and more secure way to pay on mobile devices than passwords or credit cards. PayPal never stores or even has access to your actual fingerprint with authentication on the Galaxy S5.”

PayPal added: “The scan unlocks a secure cryptographic key that serves as a password replacement for the phone. We can simply deactivate the key from a lost or stolen device, and you can create a new one. PayPal also uses sophisticated fraud and risk management tools to try to prevent fraud before it happens. However, in the rare instances that it does, you are covered by our purchase protection policy.”