Samsung Galaxy S5 fingerprint scanner hacked, PayPal reaffirms confidence in biometrics

Just like the Apple iPhone 5s, it has only taken a couple days after the release of the Samsung Galaxy S5 before the fingerprint scanner has been hacked. This will more than likely be a relatively common theme as biometric sensor technology matures; but it does seem to confirm that right now, fingerprint sensors are designed more for convenience than true security.

If you remember, soon after the release of the iPhone 5s, a European group had found a way to hack the fingerprint scanner, and just a couple days after release, there were videos showing the TouchID sensor being trained and unlocking the phone with nipples and paw prints. The latter is more for amusement, but the former was a real security concern. The best that could be said was that the method for hacking the scanner was somewhat involved and difficult. 

Unfortunately for Samsung, the method used to hack its sensor isn't quite as difficult. Actually obtaining the fingerprint is still tough: the potential hacker would need to know which finger you use, obtain that fingerprint, and make a "dummy fingerprint" as shown in the video below by SRLabs. From there it is actually easier to hack the Galaxy S5, because right now Samsung's software allows for access to the device without ever needing to put in a password. Apple requires password input every time the device is rebooted. Worse, Samsung doesn't ever require a password input when using PayPal's new app either, meaning your PayPal account would be compromised.


For its part, PayPal has reaffirmed its commitment to biometrics and the Galaxy S5 specifically. In a statement to BGR, PayPal said that its service never has access to your fingerprint and uses a generated cryptographic key for security. If your device is compromised, that key can be reset, and presumably (PayPal doesn't say) a new key could not be generated using a fingerprint scan from the same device. And, if fraud does occur, there is protection in PayPal's purchase protection policy.
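The arrangement PayPal describes, sketched as an added example (not PayPal's or Samsung's code): the fingerprint is matched only on the device and gates a generated key, while the service holds just that key and can reset it. Assumptions: HMAC with a shared key stands in for the asymmetric signature a real deployment would use, an exact-byte hash stands in for fuzzy fingerprint matching, and all class, method and account names are hypothetical.

```python
import hashlib
import hmac
import secrets

class Device:
    """Fingerprint template and generated key stay on the device (hypothetical model)."""
    def __init__(self, enrolled_print):
        # Assumption: exact-byte hash stands in for fuzzy biometric matching.
        self._template = hashlib.sha256(enrolled_print).digest()
        self._key = secrets.token_bytes(32)
    def registration_key(self):
        # Assumption: shared HMAC key; a real design would register a public key.
        return self._key
    def respond(self, presented_print, challenge):
        presented = hashlib.sha256(presented_print).digest()
        if not hmac.compare_digest(presented, self._template):
            return None  # local match failed, key is never used
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

class Service:
    """Server side: handles keys and challenge responses, never a fingerprint."""
    def __init__(self):
        self._keys, self._pending = {}, {}
    def enrol(self, account, key):
        self._keys[account] = key
    def reset(self, account):
        self._keys.pop(account, None)  # device compromised: revoke its key
    def challenge(self, account):
        self._pending[account] = secrets.token_bytes(16)
        return self._pending[account]
    def verify(self, account, response):
        key = self._keys.get(account)
        nonce = self._pending.pop(account, None)  # single use, blocks replay
        if key is None or nonce is None or response is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def demo():
    owner = b"constructed-owner-print"  # constructed sample, not real biometric data
    device, service = Device(owner), Service()
    service.enrol("alice", device.registration_key())
    def login(finger):
        return service.verify("alice", device.respond(finger, service.challenge("alice")))
    before = (login(owner), login(b"constructed-other-print"), login(owner))
    service.reset("alice")  # a copy of the print still passes locally, but the key is dead
    return before + (login(owner),)

if __name__ == "__main__":
    print(demo())
```

The third login models a copy of the owner's print: the device cannot tell it from the original, so the service accepts it until the key is reset.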

All in all, biometrics may eventually lead to better security, but we're not quite there yet. As the Chaos Computer Club said after hacking the iPhone 5s, "It is plain stupid to use something that you can't change and that you leave everywhere every day as a security token." It may be difficult for someone to obtain your fingerprints in order to perform this hack, but when it comes to security, "difficult" isn't good enough.

source: H Security via BGR


40 Comments

1. PunyPoop

Posts: 752; Member since: Jan 18, 2013

Again?

18. akki20892

Posts: 3902; Member since: Feb 04, 2013

Nothing is better than password.

21. Ashoaib

Posts: 3288; Member since: Nov 15, 2013

I don't want someone to take my finger... but if a beautiful girl, then it's an exception :))

39. MobileGuru

Posts: 82; Member since: Jan 18, 2014

Fast and Furious 5 anyone?

29. Chaseism

Posts: 82; Member since: May 08, 2013

Finger prints should never stand in for a password, it should only stand in for a username.

2. SAO101789

Posts: 123; Member since: Feb 10, 2014

Never used it on my iphone 5S. I care about the cera and I think I shouldn't have gone with iphone now

16. mrblah

Posts: 577; Member since: Jan 22, 2013

troll alert

3. jaytai0106

Posts: 1888; Member since: Mar 30, 2011

I wouldn't call it a hack... That's like you have your phone locked via password and someone somehow got your password **cough*girlfriend*cough* and unlocked your phone... Besides, nothing is unhackable.

4. shuaibhere

Posts: 1986; Member since: Jul 07, 2012

NO one is going to use Fingerprint scanner....it's just for the sake of marketing...

5. jaytai0106

Posts: 1888; Member since: Mar 30, 2011

Yeah, when I had my Motorola Atrix 4G... never used the finger scanner.

10. PapaSmurf

Posts: 10457; Member since: May 14, 2012

Speak for yourself. I do, and it works 9/10 times. Faster than typing a password or a pattern.

12. jaytai0106

Posts: 1888; Member since: Mar 30, 2011

Swipe is my lock security o.O my phone never leaves my sight. I know it's very important... but for my situation locking my phone is just annoying.

13. Finalflash

Posts: 4063; Member since: Jul 23, 2013

I don't even have a lock screen because there is nothing on my phone I care that much about.

15. jaytai0106

Posts: 1888; Member since: Mar 30, 2011

Same here :D I have cerberus so I can erase my phone if I needed.

19. bestmvno

Posts: 251; Member since: Mar 07, 2014

I hope you don't have email on your phone and it never gets stolen or lost. Otherwise, all one would then have to do is go to sites you go to, claim "lost password", put in your email address and start collecting your passwords and financial information when the password reset gets sent to your email.

22. jaytai0106

Posts: 1888; Member since: Mar 30, 2011

Yeah I know. :P I like to gamble a little in life haha. However, a lot of sites that I have important information with do ask for security questions before they send out a reset password e-mail. Nevertheless, Cerberus is my last line of defense when the case of stolen or lost. I could send a command to it and wipe the entire phone clean.

28. shuaibhere

Posts: 1986; Member since: Jul 07, 2012

I'm talking for the majority..... Even those who use fingerprint scanner in ip5s...don't use it for security purpose....it makes unlocking the easier so they use it... From what I've heard...unlocking the phone with fingerprint scanner is hard so I see no use of it...

30. PapaSmurf

Posts: 10457; Member since: May 14, 2012

You heard wrong then. It takes less than a second on the iPhone 5S and about one or two on the S5. Don't go by what you hear because when you spread false information, your credibility goes down.

32. shuaibhere

Posts: 1986; Member since: Jul 07, 2012

I have seen ip5s fingerprint scanner in action...my friend has one.... He uses it to unlock phone easily not for security.... But reviewers say it is hard to unlock in s5... I had a hands on s5...but didn't test fingerprint scanner...as I have no interest in it.... S5 is really awesome though...the best display I have ever seen...

33. refillable

Posts: 1071; Member since: Mar 10, 2014

Well I do, it's just the security that needs to be improved. For now, it's just for convenience.

35. docxx

Posts: 63; Member since: Feb 27, 2014

don't say that the NSA guys will be very sad!

6. doejon

Posts: 411; Member since: Jul 31, 2012

I would only use the fingerprint sensor on the s5 for locking up my pic/movie gallery

7. maherk

Posts: 6889; Member since: Feb 10, 2012

They make it sound as if it is easy to obtain and create a copy of someone's fingerprint. Smartphone thieves are usually not bank thieves, they aren't that smart. Btw, once you're logged into your paypal account, you won't need to retype the password unless the phone is rebooted. Still, if I had the S5, I don't see myself using the fp scanner other than for unlocking the phone, surely not for my paypal or any other account.

8. ToxiD

Posts: 54; Member since: Feb 27, 2014

I didn't think the gimmick can be more useless until now.

20. bestmvno

Posts: 251; Member since: Mar 07, 2014

It's not a gimmick. Biometrics are here to stay. It's just an infant technology at this point that will continue to improve and evolve.

27. ToxiD

Posts: 54; Member since: Feb 27, 2014

It is. Instead of it they could work on better battery optimization resulting longer life on 1 charge as well as OS optimization that would be appreciated in Samsung case.

38. bestmvno

Posts: 251; Member since: Mar 07, 2014

They did work on better battery life. They have a deal with a company and are using that technology in the phone. They've also improved the os and cut back on some of the software gimmicks. Biometrics such as this may replace passwords altogether one day. The technology is not quite ready for that just yet though.

9. ianbbaa

Posts: 332; Member since: Mar 20, 2013

When somebody is watching you how you enter your pin via keyboard, or slide the pattern - as soon as the other person remembers that pin and will use it on your phone he will unlock it. (therefore you do not show your device while typing pin) So what should basically a FingerPrint scanner do when you have a copy of your finger??? If iPhone or S5 or somebody else - until it won't measure your DNA via touch, it will just unlock your fake finger. BUT - how easy is to obtain your finger copy??? So all in all, FingerPrint still can be considered as a safer way to lock your device.

11. JMartin22

Posts: 2371; Member since: Apr 30, 2013

Uh... This is an exploit, not a hack. We should stop throwing around the term "hacking" in such a loose context. No systematic altering, via compromise was involved here. Some people merely stumbled among a method (that anyone could recreate), that's all. For the record, this exploit is situational at best.

14. AfterShock

Posts: 4146; Member since: Nov 02, 2012

I'd bet, it never happens.
