One of the marquee features found on the Samsung Galaxy S5 - the fingerprint scanner integrated into the home button - can easily be fooled by hackers looking to gain access to the device, according to a report from Germany's Security Research Labs.
To bypass the fingerprint scanner's security lock, the team created a wood glue spoofed fingerprint from an etched PCB mold, using a latent print on a smartphone display photographed with an iPhone 4S. With very little effort, this spoofed fingerprint can be swiped across the sensor; the Galaxy S5 treats it as a real finger and grants immediate access.
Even more concerning is that the fake fingerprint can be used to access a victim's PayPal account, as the PayPal app on the Galaxy S5 supports authentication by fingerprint. The Security Research Labs team was able to access a PayPal account, transfer funds and make purchases using their wood glue spoofed fingerprint, a process made easier by the fact that unlimited swipe attempts are allowed, giving an attacker plenty of time to perfect a spoof that is rejected the first few times.
The system would be more secure if it required a password after a number of failed fingerprint attempts, as is the case on the iPhone 5S. That said, the iPhone 5S' fingerprint scanner is still vulnerable: it was defeated by hackers within 48 hours of its release.
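The lockout policy the article calls for, written out as an added example (not code from the article, Samsung or PayPal): a hypothetical `BiometricGate` that counts consecutive rejected swipes and, after an assumed threshold of five, ignores the sensor until the password is entered, so an attacker cannot keep refining a spoof against the device.

```python
from dataclasses import dataclass


@dataclass
class BiometricGate:
    """Hypothetical gate in front of a fingerprint sensor. Assumed to live
    in the trusted layer that releases the unlock key, so every app using
    the sensor is bound by one policy. After max_failures consecutive
    rejected swipes only the password re-enables the sensor; further swipes
    are ignored, so a spoof cannot be refined against the device."""
    max_failures: int = 5
    failures: int = 0
    password_required: bool = False

    def try_fingerprint(self, sensor_match: bool) -> str:
        """Return 'unlocked', 'rejected' or 'password_required'."""
        if self.password_required:
            return "password_required"  # sensor is disabled until password
        if sensor_match:
            self.failures = 0
            return "unlocked"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.password_required = True
            return "password_required"
        return "rejected"

    def try_password(self, correct: bool) -> str:
        """A correct password clears the counter and re-enables the sensor."""
        if correct:
            self.failures = 0
            self.password_required = False
            return "unlocked"
        return "rejected"


def replay(events, max_failures=5):
    """Feed (method, accepted) events to a fresh gate; return the outcomes."""
    gate = BiometricGate(max_failures=max_failures)
    outcomes = []
    for method, accepted in events:
        handler = gate.try_fingerprint if method == "finger" else gate.try_password
        outcomes.append(handler(accepted))
    return outcomes


# Constructed scenario: five rejected swipes, then a swipe the sensor would
# accept (too late, it is ignored), then the correct password.
SCENARIO = [("finger", False)] * 5 + [("finger", True), ("password", True)]
```

Running `replay(SCENARIO)` shows the fifth failure switching the gate to `password_required`, the later matching swipe being ignored, and only the password restoring access.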
Responding to security concerns, a PayPal spokesperson said that each fingerprint scan "unlocks a secure cryptographic key that serves as a password replacement for the phone [...] We can simply deactivate the key from a lost or stolen device, and you can create a new one. PayPal also uses sophisticated fraud and risk management tools to try to prevent fraud before it happens. However, in the rare instances that it does, you are covered by our purchase protection policy."
Some criticized the fingerprint hacking method as unrealistic in the real world; however, Security Research Labs dismissed these claims, stating that hackers have "incentive to steal digital fingerprint scans and learn how to mass-produce spoofs" when fingerprint security is implemented poorly. Anyone who steals a device may have access to a high-quality fingerprint on the handset itself, and the method for producing a spoof is not highly complex.