Samsung Galaxy S5 fingerprint scanner hacked, PayPal reaffirms confidence in biometrics
Just as with the Apple iPhone 5s, it took only a couple of days after the release of the Samsung Galaxy S5 for its fingerprint scanner to be defeated. This will more than likely remain a common theme as biometric sensor technology matures, but it does confirm that, right now, fingerprint sensors are designed for convenience rather than true security.
If you remember, soon after the release of the iPhone 5s a European group (the Chaos Computer Club, quoted below) found a way to defeat the fingerprint scanner, and just a couple of days after release there were videos of the Touch ID sensor being trained to unlock the phone with nipples and paw prints. The latter was mostly for amusement, but the former was a real security concern. The best that could be said was that the method for defeating the scanner was somewhat involved and difficult.
Unfortunately for Samsung, the method used to defeat its sensor is not as difficult. Obtaining the fingerprint itself is still the hard part: the attacker needs to know which finger you use, lift that print, and build a "dummy fingerprint" from it, as shown in the SRLabs video. From there, the Galaxy S5 is actually easier to break into than the iPhone, because Samsung's software currently allows access to the device without ever requiring a password, whereas Apple requires the passcode every time the device is rebooted. Worse, Samsung never requires a password when using PayPal's new app either, so a working dummy fingerprint also gives access to your PayPal account.
For its part, PayPal has reaffirmed its commitment to biometrics and to the Galaxy S5 specifically. In a statement to BGR, PayPal said that its service never has access to your fingerprint; instead, the device holds a generated cryptographic key, and the fingerprint only unlocks the use of that key. If your device is compromised, the key can be reset. PayPal does not say whether a fresh key could then be generated using a fingerprint scan on the same (still compromised) device, which is the question that matters if the attacker holds both the phone and a dummy print. And if fraud does occur, PayPal's purchase protection policy applies.
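To make the key-based scheme concrete, the following is an added model of the flow PayPal describes (example code written for this page, not PayPal's or Samsung's software). It assumes an Ed25519 device key, a random challenge from the server, and a `sensorMatched` flag standing in for the sensor's verdict; the device ID is made up. The point it shows: the server only ever sees a public key and a signature, a dummy fingerprint that fools the sensor releases the key exactly as the real finger does, and a server-side reset of the registration immediately invalidates that key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Server is the relying party (the PayPal side in the article). It stores one
// public key per device registration and never receives fingerprint data.
type Server struct {
	keys map[string]ed25519.PublicKey // deviceID -> registered public key
}

func NewServer() *Server { return &Server{keys: map[string]ed25519.PublicKey{}} }

// Register binds a device-generated public key to a device ID.
func (s *Server) Register(deviceID string, pub ed25519.PublicKey) { s.keys[deviceID] = pub }

// Revoke is the "reset the key" step: the registration is deleted.
func (s *Server) Revoke(deviceID string) { delete(s.keys, deviceID) }

// Challenge returns a fresh random nonce so a captured signature cannot be replayed.
func (s *Server) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify accepts a login only if the signature checks out under the key
// currently registered for that device.
func (s *Server) Verify(deviceID string, challenge, sig []byte) error {
	pub, ok := s.keys[deviceID]
	if !ok {
		return errors.New("no registered key for device")
	}
	if !ed25519.Verify(pub, challenge, sig) {
		return errors.New("signature does not match registered key")
	}
	return nil
}

// Device holds the private half of the key. The fingerprint only gates the
// use of this key; it never leaves the device.
type Device struct {
	ID   string
	priv ed25519.PrivateKey
}

// Enroll generates a fresh key pair on the device and returns the public half
// for registration. Enrolling again yields a new, unrelated key.
func Enroll(id string) (*Device, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{ID: id, priv: priv}, pub, nil
}

// Sign releases a signature only when the local sensor reports a match.
// sensorMatched is an assumption standing in for the sensor's verdict; a
// convincing dummy fingerprint makes it true just as the real finger does.
func (d *Device) Sign(challenge []byte, sensorMatched bool) ([]byte, error) {
	if !sensorMatched {
		return nil, errors.New("fingerprint did not match")
	}
	return ed25519.Sign(d.priv, challenge), nil
}

// Outcome records which login attempts the server accepted.
type Outcome struct {
	RealFinger       bool // legitimate user, key registered
	DummyFinger      bool // spoofed finger on the same device, key still registered
	AfterRevoke      bool // spoofed finger after the key has been reset
	OldKeyAfterRenew bool // the old device key after a fresh key was registered
	NewKeyAfterRenew bool // the freshly enrolled key
}

// attempt runs one challenge/response round and reports whether the server accepted it.
func attempt(s *Server, d *Device, matched bool) bool {
	ch, err := s.Challenge()
	if err != nil {
		return false
	}
	sig, err := d.Sign(ch, matched)
	if err != nil {
		return false
	}
	return s.Verify(d.ID, ch, sig) == nil
}

// RunScenario walks through the sequence the article describes.
func RunScenario() (Outcome, error) {
	var o Outcome
	s := NewServer()
	dev, pub, err := Enroll("galaxy-s5-001") // device ID is made up
	if err != nil {
		return o, err
	}
	s.Register(dev.ID, pub)
	o.RealFinger = attempt(s, dev, true)
	o.DummyFinger = attempt(s, dev, true) // the spoof passes the sensor, so the key is released
	s.Revoke(dev.ID)                      // PayPal resets the key
	o.AfterRevoke = attempt(s, dev, true) // nothing registered to verify against
	renewed, newPub, err := Enroll(dev.ID)
	if err != nil {
		return o, err
	}
	s.Register(renewed.ID, newPub)
	o.OldKeyAfterRenew = attempt(s, dev, true)
	o.NewKeyAfterRenew = attempt(s, renewed, true)
	return o, nil
}

func main() {
	o, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

Note what the model does not decide: nothing in it stops whoever holds the phone from running `Enroll` again after the reset and registering the new key with a dummy print. That is the gap the article flags, and it has to be closed by policy outside the key exchange (for example, requiring a password or out-of-band confirmation before a re-enrollment is accepted).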
All in all, biometrics may eventually lead to better security, but we're not quite there yet. As the Chaos Computer Club said after defeating the iPhone 5s sensor, "It is plain stupid to use something that you can't change and that you leave everywhere every day as a security token." It may be difficult for someone to obtain your fingerprints in order to carry out this attack, but when it comes to security, "difficult" isn't good enough.