When Apple launched its iPhone 5s it came with a fingerprint scanner which gave the impression that Apple is in another league technology wise among the smartphone makers and it is way ahead of Samsung. Samsung was under lots of pressure to catch-up with Apple and thus they also launched recently Galaxy S5 with a fingerprint scanner. However, it seems that Samsung included this feature hastily and comprehensive usage scenarios were not looked into before making the fingerprint scanner a feature of the Galaxy 5S.
The fingerprint scanner of Galaxy S5 is already hacked and it puts users at risk of their PayPal accounts being compromised as noted in a blog post of Germany-based ‘heise Security’. However, it is important to note that the fingerprint scanner of Apple iPhone 5s was also hacked using the same method but there is a big difference between the two smartphones when it comes to using fingerprint scanner. In iPhone5s, Apple’s Touch ID system asks users for password before the fingerprint scanner is used and also each time after the device is re-booted. Thus, iPhone 5s never relies entirely on fingerprint scanner as opposed to Samsung Galaxy S5 which does not asks for password in addition to the fingerprint. Thus, providing direct access to payment services such as PayPal.
The hacking process is very simple. Just create a dummy copy of the fingerprint using a wood glue and then you can use it as many times as you want to log into Samsung Galaxy S5 as is shown in a video by Ben Schlabs of the SRLabs. The dummy finger can be used as many times as one wants and can also transfer money from the PayPal account. PayPal responded to BGR in an email with the following statement about the issue:
“While we take the findings from Security Research Labs very seriously, we are still confident that fingerprint authentication offers an easier and more secure way to pay on mobile devices than passwords or credit cards. PayPal never stores or even has access to your actual fingerprint with authentication on the Galaxy S5. The scan unlocks a secure cryptographic key that serves as a password replacement for the phone. We can simply deactivate the key from a lost or stolen device, and you can create a new one. PayPal also uses sophisticated fraud and risk management tools to try to prevent fraud before it happens. However, in the rare instances that it does, you are covered by our purchase protection policy.”