Researchers at Germany’s Security Research Labs (SRLabs) have reportedly hacked the highly promoted fingerprint sensor feature in Samsung’s recently launched Galaxy 5 smartphone by spoofing fingerprint.
The white hat researchers bypassed the Galaxy S5’s fingerprint authentication mechanism using a mould with owner’s fingerprint impression, which is a similar method used earlier to parody the Touch ID scanner on the Apple’s iPhone 5S.
SRLabs researcher Ben Schlabs was cited by Ars as saying that the S5 Finger Scanner feature offers nothing new except — because of the way it is implemented in this Android device — slightly higher risk than that already posed by previous devices.
"We expected we’d be able to spoof the S5’s Finger Scanner, but I hoped it would at least be a challenge," Schlabs said.
"Not only is it possible to spoof the fingerprint authentication, even after the device has been turned off, but the implementation also allows for seemingly unlimited authentication attempts without ever requiring a password.
A feature in Samsung Galaxy S5 allows users to transfer funds to other PayPal accounts just with a swipe of a finger, while the latest hack enables hackers to access users’ PayPal account as well as associated bank accounts without even entering credentials.
"Incorporation of fingerprint authentication into highly sensitive apps such as PayPal gives a would-be attacker an even greater incentive to learn the simple skill of fingerprint spoofing," Schlabs adds.
The latest hack demonstrates the disadvantages of using fingerprints, iris scans, and other physical features to authenticate device owner’s identity to any of the computing devices.
