April 15, 2014
The fingerprint sensor in the Samsung Galaxy S5 has been spoofed with a fake fingerprint made of wood glue.
Announced shortly after the phone hit the market, the circumstances of this latest hack are almost identical to those of the iPhone 5S hack last year.
In a video from SRLabs, a finger is enrolled on the device, which is then unlocked with the dummy print. In addition to unlocking the phone, the same dummy fingerprint was used to access a PayPal wallet and to show that money could even be transferred using the fake print.
SRLabs is a Berlin-based security research and consulting think tank.
As we reported previously on BiometricUpdate.com last year, the German hacker collective Chaos Computer Club claimed that it had spoofed the iPhone’s Touch ID sensor shortly after the phone’s launch and posted a similar video showing the spoof and explaining how it was done.
Though both the S5 and the 5S are easily fooled with dummy fingerprints, there are a few differences in how each phone treats its embedded sensor. On the iPhone, once it’s turned off, a fingerprint alone can’t unlock the device – it requires a password input. On the S5, a fingerprint is all you need.
The iPhone’s Touch ID sensor can only be used to unlock the device or to authorize iTunes purchases. Samsung’s device uses the sensor to perform unlocks and also to make purchases and transfers through PayPal.
In a statement to Business Insider, a PayPal spokesperson acknowledged the spoof, but said the company was still confident in the security of the fingerprint sensor.
“While we take the findings from Security Research Labs very seriously, we are still confident that fingerprint authentication offers an easier and more secure way to pay on mobile devices than passwords or credit cards,” the statement reads. “PayPal never stores or even has access to your actual fingerprint with authentication on the Galaxy S5. The scan unlocks a secure cryptographic key that serves as a password replacement for the phone. We can simply deactivate the key from a lost or stolen device and you can create a new one. PayPal also uses sophisticated fraud and risk management tools to try to prevent fraud before it happens. However, in the rare instances that it does, you are covered by our purchase protection policy.”