Fingerprint authentication on the Samsung Galaxy S5 is vulnerable to hacking, German security experts showed on Wednesday.
Researchers from Security Research Labs (SR Labs) have found that the fingerprint scanner can be fooled using a fingerprint mould. The researchers also found that the vulnerability extends to sensitive apps on the device such as PayPal, because the app allows fingerprint authentication. The exposé comes less than a week after the device's launch, PC Magazine reported.
"Flaws in the implementation of fingerprint authentication in the Samsung Galaxy S5 expose users' devices, data, and even bank accounts to thieves and other attackers," PC Mag said while speaking about the vulnerability.
In a YouTube video, a mould made from a photograph of a fingerprint is seen authenticating on the device. The mould was created from a photo of an unprocessed latent fingerprint on a smartphone screen, Techweek Europe said. The video also shows the vulnerability in PayPal.
"Samsung does not seem to have learned from what others have done less poorly. Incorporation of fingerprint authentication into highly sensitive apps such as PayPal gives a would-be attacker an even greater incentive to learn the simple skill of fingerprint spoofing," CNN Money quoted SR Labs as saying.
Techweek Europe quoted a PayPal spokesperson as saying, "While we take the findings from Security Research Labs very seriously, we are still confident that fingerprint authentication offers an easier and more secure way to pay on mobile devices than passwords and PINs. PayPal never stores or even has access to your actual fingerprint with authentication on the Galaxy S5. The scan unlocks a secure cryptographic key that serves as a password replacement for the phone."
There is some consolation for owners of stolen S5 devices, as PayPal says the cryptographic key can be isolated. It also said a new key can be created, and pointed out that it uses sophisticated rules and covers thefts under its purchase protection policy.