The device could allow a hacker to make PayPal transactions

Apr 16, 2014 14:39 GMT  ·  By

One of the features that Samsung's new Galaxy S5 flagship was unveiled with in February, during the Mobile World Congress in Barcelona, Spain, was a fingerprint scanner, designed both to strengthen the security of the device and to give third-party applications a new way to authenticate users.

However, only three days after the device landed on shelves, the first proof-of-concept showing the scanner being bypassed has emerged online.

Coming from German research firm SRLabs, the proof-of-concept shows that it is fairly easy for an attacker to fool the device into accepting them as the owner.

Moreover, they show that the process can also be applied to the very first app designed to take advantage of the feature, which comes from PayPal.

To bypass the security check, the researchers photographed a latent fingerprint left on the phone, processed the image into a wood-glue mold of the print, and then successfully used that mold both to unlock the device and to access various options in the aforementioned PayPal application. Since a glue replica was accepted in place of a live finger, the sensor evidently does not check that what it is scanning is real skin.

Those who would like to have a better understanding of what this hack is all about should have a look at the video embedded below.

As SamMobile notes, it is rather disturbing that SRLabs used the very same mold that had already been used to defeat the Touch ID sensor on the iPhone 5S, which fell to the same latent-print-to-mold technique last year. Moreover, the fact that the researchers were able to make digital payments via PayPal with this hack should be worrying too.

Apparently, the Galaxy S5 does not fall back to a password after failed fingerprint scans: even when the first attempt is unsuccessful, an attacker can keep presenting molds an unlimited number of times, which, given enough tries, should let them transfer money from the user's linked bank account.

PayPal, however, still regards fingerprint authentication as an easier and more secure way to pay on mobile devices than passwords or credit cards, according to a recent article on SlashGear.

Moreover, it appears that PayPal never receives the user's fingerprint at all: the device performs the matching itself, and a successful match unlocks a cryptographic key that is then passed along to PayPal to authorize the payment.

The company says that this key is the only information it holds for the device, and that it can deactivate the key at any time, should that become necessary.
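The design PayPal describes, matching on the device and a revocable key on the server, and the missing retry limit noted above can be made concrete in code. The following Go program is an added illustration written for this article, not code from PayPal, Samsung or SRLabs: it assumes the key is a device-held private key whose public half is registered with the server and used to sign a fresh server challenge (the article only says a key is "passed along"), it stands in for the fuzzy fingerprint matcher with a byte comparison of a constructed template, and it adds the password fallback after three failed scans that the S5 lacked. Names such as Device, Server and maxFingerprintAttempts are invented for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Assumed limit for the example; the article reports the S5 imposed none.
const maxFingerprintAttempts = 3

var (
	ErrNoMatch   = errors.New("fingerprint did not match")
	ErrLockedOut = errors.New("too many failed scans: password required")
)

// Device models the phone. The enrolled template and the private key stay
// here; neither is ever sent to the relying party.
type Device struct {
	template  []byte // constructed stand-in for an enrolled fingerprint template
	priv      ed25519.PrivateKey
	KeyID     string
	failures  int
	lockedOut bool
}

// NewDevice enrolls a template and returns the public key the server registers.
func NewDevice(keyID string, template []byte) (*Device, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{template: template, priv: priv, KeyID: keyID}, pub, nil
}

// Authenticate matches the presented sample locally and, on success, signs the
// server's challenge. Only the signature leaves the device. Failed scans are
// counted and the device locks out until a password is entered.
func (d *Device) Authenticate(sample, challenge []byte) ([]byte, error) {
	if d.lockedOut {
		return nil, ErrLockedOut
	}
	// A real matcher is fuzzy; exact comparison stands in for it here.
	if subtle.ConstantTimeCompare(sample, d.template) != 1 {
		d.failures++
		if d.failures >= maxFingerprintAttempts {
			d.lockedOut = true
			return nil, ErrLockedOut
		}
		return nil, ErrNoMatch
	}
	d.failures = 0
	return ed25519.Sign(d.priv, challenge), nil
}

// UnlockWithPassword is the fallback the article says the S5 did not require.
func (d *Device) UnlockWithPassword(passwordOK bool) {
	if passwordOK {
		d.failures = 0
		d.lockedOut = false
	}
}

// Server models the relying party: per device it stores only a public key and
// a revocation flag, so it can deactivate a key without holding any biometrics.
type Server struct {
	keys    map[string]ed25519.PublicKey
	revoked map[string]bool
}

func NewServer() *Server {
	return &Server{keys: map[string]ed25519.PublicKey{}, revoked: map[string]bool{}}
}

func (s *Server) Register(keyID string, pub ed25519.PublicKey) { s.keys[keyID] = pub }
func (s *Server) Revoke(keyID string)                           { s.revoked[keyID] = true }

// Challenge issues a fresh random nonce so a captured signature cannot be replayed.
func (s *Server) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// Verify accepts the transaction only for a registered, non-revoked key and a
// valid signature over the nonce this server issued.
func (s *Server) Verify(keyID string, challenge, sig []byte) bool {
	pub, ok := s.keys[keyID]
	if !ok || s.revoked[keyID] {
		return false
	}
	return ed25519.Verify(pub, challenge, sig)
}

func main() {
	srv := NewServer()
	dev, pub, _ := NewDevice("galaxy-s5-1", []byte("constructed-template"))
	srv.Register(dev.KeyID, pub)
	nonce, _ := srv.Challenge()
	_, err := dev.Authenticate([]byte("wood-glue-mold"), nonce) // spoof attempt
	fmt.Println("spoof:", err)
	sig, _ := dev.Authenticate([]byte("constructed-template"), nonce)
	fmt.Println("genuine accepted:", srv.Verify(dev.KeyID, nonce, sig))
	srv.Revoke(dev.KeyID)
	fmt.Println("after revocation:", srv.Verify(dev.KeyID, nonce, sig))
}
```

The lockout only raises the cost of the attack described above; it does not stop a single good mold, which the exact-match stand-in rejects but a real fuzzy matcher without liveness detection may accept. What the server side does guarantee is that a compromised PayPal database would yield no fingerprint data, and that a device known to be spoofed can be cut off by revoking its key.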

A PayPal spokesperson also noted that the company makes use of “sophisticated fraud and risk management tools to try to prevent fraud before it happens,” and that users will also be covered by the company’s purchase protection policy if fraud does happen.