
Samsung Galaxy S5 fingerprint scanner hacked, PayPal reaffirms confidence in biometrics
As with the Apple iPhone 5s, it took only a couple of days after the release of the Samsung Galaxy S5 for its fingerprint scanner to be hacked. This will more than likely be a relatively common theme as biometric sensor technology matures, but it does seem to confirm that right now, fingerprint sensors are designed more for convenience than true security.

If you remember, soon after the release of the iPhone 5s, a European group found a way to hack the fingerprint scanner, and just a couple of days after release there were videos showing the Touch ID sensor being trained on, and unlocked with, nipples and paw prints. The latter was more for amusement, but the former was a real security concern. The best that could be said was that the method for hacking the scanner was somewhat involved and difficult.

Unfortunately for Samsung, the method used to hack its sensor isn't quite as difficult. Obtaining the fingerprint is still the hard part: the potential hacker would need to know which finger you use, obtain that fingerprint, and make a "dummy fingerprint," as shown in a video by SRLabs. From there it is actually easier to hack the Galaxy S5, because right now Samsung's software allows access to the device without ever needing to put in a password. Apple requires password input every time the device is rebooted. Worse, Samsung doesn't ever require a password input when using PayPal's new app either, meaning your PayPal account would be compromised.


For its part, PayPal has reaffirmed its commitment to biometrics and the Galaxy S5 specifically. In a statement to BGR, PayPal said that its service never has access to your fingerprint and uses a generated cryptographic key for security. If your device is compromised, that key can be reset, and presumably (PayPal doesn't say) a new key could not be generated using a fingerprint scan from the same device. And, if fraud does occur, there is protection in PayPal's purchase protection policy.

All in all, biometrics may eventually lead to better security, but we're not quite there yet. As the Chaos Computer Club said after hacking the iPhone 5s, "It is plain stupid to use something that you can't change and that you leave everywhere every day as a security token." It may be difficult for someone to obtain your fingerprints in order to perform this hack, but when it comes to security, "difficult" isn't good enough.

source: H Security via BGR

39 Comments

posted on 15 Apr 2014, 11:38 3

1. PunyPoop (Posts: 741; Member since: 18 Jan 2013)


Again?

posted on 15 Apr 2014, 14:11 3

18. akki20892 (Posts: 3555; Member since: 04 Feb 2013)


Nothing is better than password.

posted on 15 Apr 2014, 14:22 1

21. Ashoaib (Posts: 2283; Member since: 15 Nov 2013)


I don't want someone to take my finger... but if a beautiful girl, then it's an exception :))

posted on 17 Apr 2014, 08:17

39. MobileGuru (Posts: 80; Member since: 18 Jan 2014)


Fast and Furious 5 anyone?

posted on 15 Apr 2014, 17:23 2

29. Chaseism (Posts: 79; Member since: 08 May 2013)


Fingerprints should never stand in for a password; they should only stand in for a username.

posted on 15 Apr 2014, 11:44 1

2. SAO101789 (Posts: 123; Member since: 10 Feb 2014)


Never used it on my iphone 5S. I care about the cera and I think I shouldn't have gone with iphone now

posted on 15 Apr 2014, 13:34 1

16. mrblah (Posts: 455; Member since: 22 Jan 2013)


troll alert

posted on 15 Apr 2014, 11:46 2

3. jaytai0106 (Posts: 1301; Member since: 30 Mar 2011)


I wouldn't call it a hack... That's like having your phone locked via password and someone somehow got your password *cough*girlfriend*cough* and unlocked your phone... Besides, nothing is unhackable.

posted on 15 Apr 2014, 11:52 8

4. shuaibhere (Posts: 1550; Member since: 07 Jul 2012)


No one is going to use the fingerprint scanner... it's just for the sake of marketing...

posted on 15 Apr 2014, 11:54

5. jaytai0106 (Posts: 1301; Member since: 30 Mar 2011)


Yeah, when I had my Motorola Atrix 4G... never used the finger scanner.

posted on 15 Apr 2014, 12:23 7

10. PapaSmurf (Posts: 8614; Member since: 14 May 2012)


Speak for yourself. I do, and it works 9/10 times. Faster than typing a password or a pattern.

posted on 15 Apr 2014, 12:30

12. jaytai0106 (Posts: 1301; Member since: 30 Mar 2011)


Swipe is my lock security o.O my phone never leaves my sight. I know it's very important... but for my situation locking my phone is just annoying.

posted on 15 Apr 2014, 13:10 1

13. Finalflash (Posts: 1799; Member since: 23 Jul 2013)


I don't even have a lock screen because there is nothing on my phone I care that much about.

posted on 15 Apr 2014, 13:25

15. jaytai0106 (Posts: 1301; Member since: 30 Mar 2011)


Same here :D I have Cerberus so I can erase my phone if I need to.

posted on 15 Apr 2014, 14:15

19. bestmvno (Posts: 150; Member since: 07 Mar 2014)


I hope you don't have email on your phone and it never gets stolen or lost. Otherwise, all one would then have to do is go to sites you go to, claim "lost password", put in your email address and start collecting your passwords and financial information when the password reset gets sent to your email.

posted on 15 Apr 2014, 14:24

22. jaytai0106 (Posts: 1301; Member since: 30 Mar 2011)


Yeah I know. :P I like to gamble a little in life haha. However, a lot of sites that I have important information with do ask for security questions before they send out a password reset e-mail. Nevertheless, Cerberus is my last line of defense in case the phone is stolen or lost. I could send a command to it and wipe the entire phone clean.

posted on 15 Apr 2014, 17:08

28. shuaibhere (Posts: 1550; Member since: 07 Jul 2012)


I'm talking for the majority...
Even those who use the fingerprint scanner in the iPhone 5s... don't use it for security purposes... it makes unlocking easier so they use it...
From what I've heard... unlocking the phone with the fingerprint scanner is hard so I see no use for it...

posted on 15 Apr 2014, 18:33

30. PapaSmurf (Posts: 8614; Member since: 14 May 2012)


You heard wrong then. It takes less than a second on the iPhone 5S and about one or two on the S5. Don't go by what you hear because when you spread false information, your credibility goes down.

posted on 15 Apr 2014, 20:58

32. shuaibhere (Posts: 1550; Member since: 07 Jul 2012)


I have seen the iPhone 5s fingerprint scanner in action... my friend has one...
He uses it to unlock the phone easily, not for security...
But reviewers say it is hard to unlock on the S5...
I had a hands-on with the S5... but didn't test the fingerprint scanner... as I have no interest in it...
The S5 is really awesome though... the best display I have ever seen...

posted on 15 Apr 2014, 22:17

33. refillable (Posts: 641; Member since: 10 Mar 2014)


Well I do, it's just the security that needs to be improved. For now, it's just for convenience.

posted on 16 Apr 2014, 05:58

35. docxx (Posts: 63; Member since: 27 Feb 2014)


Don't say that, the NSA guys will be very sad!

posted on 15 Apr 2014, 12:02

6. doejon (Posts: 357; Member since: 31 Jul 2012)


I would only use the fingerprint sensor on the S5 for locking up my pic/movie gallery.

posted on 15 Apr 2014, 12:04 2

7. maherk (Posts: 1029; Member since: 10 Feb 2012)


They make it sound as if it is easy to obtain and create a copy of someone's fingerprint. Smartphone thieves are usually not bank thieves, they aren't that smart. Btw, once you're logged into your PayPal account, you won't need to retype the password unless the phone is rebooted. Still, if I had the S5, I don't see myself using the FP scanner other than for unlocking the phone, surely not for my PayPal or any other account.

posted on 15 Apr 2014, 12:09 1

8. ToxiD (Posts: 41; Member since: 27 Feb 2014)


I didn't think the gimmick can be more useless until now.

posted on 15 Apr 2014, 14:17

20. bestmvno (Posts: 150; Member since: 07 Mar 2014)


It's not a gimmick. Biometrics are here to stay. It's just an infant technology at this point that will continue to improve and evolve.

posted on 15 Apr 2014, 16:56

27. ToxiD (Posts: 41; Member since: 27 Feb 2014)


It is. Instead of it they could work on better battery optimization, resulting in longer life on 1 charge, as well as OS optimization that would be appreciated in Samsung's case.

posted on 16 Apr 2014, 09:22

38. bestmvno (Posts: 150; Member since: 07 Mar 2014)


They did work on better battery life. They have a deal with a company and are using that technology in the phone. They've also improved the OS and cut back on some of the software gimmicks. Biometrics such as this may replace passwords altogether one day. The technology is not quite ready for that just yet though.

posted on 15 Apr 2014, 12:18 3

9. ianbbaa (Posts: 198; Member since: 20 Mar 2013)


When somebody is watching how you enter your PIN via keyboard, or slide the pattern, as soon as the other person remembers that PIN and uses it on your phone he will unlock it. (Therefore you do not show your device while typing the PIN.)

So what should a fingerprint scanner basically do when someone has a copy of your finger??? Whether iPhone or S5 or somebody else, until it measures your DNA via touch, it will just unlock for your fake finger.

BUT how easy is it to obtain a copy of your finger??? So all in all, a fingerprint can still be considered a safer way to lock your device.

posted on 15 Apr 2014, 12:29 7

11. JMartin22 (Posts: 1221; Member since: 30 Apr 2013)


Uh... This is an exploit, not a hack. We should stop throwing around the term "hacking" in such a loose context. No systematic altering via compromise was involved here. Some people merely stumbled upon a method (that anyone could recreate), that's all.

For the record, this exploit is situational at best.

posted on 15 Apr 2014, 13:10 2

14. AfterShock (Posts: 2812; Member since: 02 Nov 2012)


I'd bet, it never happens.

posted on 15 Apr 2014, 13:35

17. solidsnake695 (Posts: 69; Member since: 04 Jan 2013)


I think some of the staff of phonearena died after reading this u know what I mean

posted on 15 Apr 2014, 22:18

34. refillable (Posts: 641; Member since: 10 Mar 2014)


Old boring joke.

posted on 15 Apr 2014, 14:30 3

23. taz89 (Posts: 2014; Member since: 03 May 2011)


Just like Touch ID this isn't a proper hack... Just look at how much trouble one has to go through: steal the phone, get the right fingerprint somehow, do some high tech stuff and make a mold etc etc. This isn't like a security hole where anyone with little knowledge can break it, you need to have the right equipment etc...

posted on 15 Apr 2014, 14:43 1

24. jroc74 (Posts: 4936; Member since: 30 Dec 2010)


Exactly... the methods involved in the scanner exploits... if it takes all this to bypass it... it's still doing its job.

But... my concern is once it's done on the GS 5... the phone is basically wide open. Apple has a 2 step approach. If there ever was a time to copy Apple... this would be it...

posted on 15 Apr 2014, 14:56 1

26. taz89 (Posts: 2014; Member since: 03 May 2011)


Yh I was thinking for those who want to be extra secure a 2 step verification would be nice as an option. I.e. fingerprint and a 4 or 5 digit PIN. I would definitely use that for payments.

posted on 15 Apr 2014, 14:53 2

25. flipjzn (Posts: 173; Member since: 22 Jun 2012)


Samsung should c̶o̶p̶y̶ implement password after reboot just like on iPhone 5s for more security.

posted on 15 Apr 2014, 19:19 1

31. edelxander (Posts: 38; Member since: 01 Oct 2013)


yeah.. now that fingerprint is hackable next technology would be retina verification, blood sample and child sacrifice, demon summoning etc to unlock your smartphone.

posted on 16 Apr 2014, 08:39 1

36. mark_ray (banned) (Posts: 35; Member since: 26 May 2013)


When they hacked the Face Unlock on Nexus phones, by using a picture of the owner, Google added a security measure which is Blink Checker. Let's see how they will overtake this issue.

posted on 16 Apr 2014, 08:41 1

37. brasstax (Posts: 144; Member since: 16 Apr 2014)


Looks like somebody's been watching Jean-Claude Van Damme's fingerprint hack from the movie Double Team ;) On a more serious note, it makes sense for the phone manufacturers to make their FP tech as foolproof as possible before encouraging customers into using the same for authenticating payments online. This will prevent a lot of early anguish for sure.
