Samsung Galaxy S5 Fingerprint Scanner Hacked, PayPal Accounts at Risk


The new Samsung Galaxy S5 may not be the smartphone of choice for storing sensitive information, because its fingerprint scanner, one of the phone’s most appealing selling points, has fallen prey to “hackers.” These are not the usual cyber criminals looking to steal a person’s information for misuse, however; they are researchers at Germany’s Security Research Labs who tested the Galaxy S5 for flaws and risks. What they discovered was that a bit of wood glue and graphite spray are enough to create a fake print of the phone’s owner and therefore allow access to all of the phone’s information, including PayPal accounts.

The Berlin-based Security Research Labs had first pointed out similar flaws in the iPhone 5s’ fingerprint security system, the Touch ID feature, when that was launched last year. They tried the same this week with the Samsung Galaxy S5, using molds from the old reject pile of the iPhone 5s experiment, and were easily able to get past the fingerprint scanner and reach the device user’s bank account information, PayPal accounts and other data, putting all of them at risk of misuse.

More alarming than the idea of a possible hack is the fact that the Samsung Galaxy S5 seems to place no limit on authentication attempts: a person can go on trying to get into the phone, seemingly forever, without ever being required to enter a password or any other means of verification.

Ben Schlabs, project manager of the testing system, said that he had gotten past the Galaxy S5 security feature the first time he tried the latent prints from the reject pile of the iPhone 5s experiment. He said that even though the iPhone 5s had a similar security lapse, it limited the number of attempts a potential hacker can make. On the Galaxy S5, however, five failed swipe attempts can be made, after which a person can turn the screen off and on again and have another go at accessing the phone, which is a security threat and a major flaw in the Korean manufacturer’s phone.

It may be worth mentioning here that Apple’s Touch ID is a two-step verification process as it requires users to input their password before proceeding to the fingerprint authentication process. Moreover, a password is required every time the iPhone 5s is rebooted.
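
The retry behaviour described above can be modelled in a few lines, with the reported reset-on-screen-cycle behaviour beside a form that falls back to a password. This is an added example, not code from Samsung, Apple or Security Research Labs; the class and function names are hypothetical, and the five-swipe limit is the figure reported above.

```python
from dataclasses import dataclass

MAX_FAILED_SWIPES = 5  # five failed swipes, the figure reported in the article


@dataclass
class FingerprintGate:
    """Hypothetical model of a fingerprint lock's retry policy (not vendor code)."""
    reset_on_screen_cycle: bool   # True models the reported Galaxy S5 behaviour
    failed: int = 0
    password_required: bool = False

    def swipe(self, matches: bool) -> str:
        if self.password_required:
            return "password_required"   # the swipe is not evaluated at all
        if matches:
            self.failed = 0
            return "unlocked"
        self.failed += 1
        if self.failed >= MAX_FAILED_SWIPES:
            self.password_required = True
        return "rejected"

    def screen_cycle(self) -> None:
        # Weak form: a screen off/on wipes the failure state.
        # Hardened form: the state survives and only a password clears it.
        if self.reset_on_screen_cycle:
            self.failed = 0
            self.password_required = False

    def enter_password(self, correct: bool) -> bool:
        if correct:
            self.failed = 0
            self.password_required = False
        return correct


def evaluated_swipes(gate: FingerprintGate, screen_cycles: int) -> int:
    """Count how many non-matching swipes the gate evaluates in total."""
    evaluated = 0
    for _ in range(screen_cycles + 1):
        for _ in range(MAX_FAILED_SWIPES + 2):   # keep swiping past the limit
            if gate.swipe(matches=False) == "rejected":
                evaluated += 1
        gate.screen_cycle()
    return evaluated
```

With the reset enabled, the number of evaluated swipes grows with every screen cycle; with it disabled, the total stays at five until the password is entered.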

Meanwhile, in a video demonstration of the hacking of a Samsung Galaxy S5 phone, the researchers showed how they could access the PayPal account, which also relies on the phone’s biometric authentication system. The researchers were concerned that unauthorized people and thieves could exploit the flaw to their advantage and transfer money to other accounts through PayPal.

However, payments firm PayPal stood by the Galaxy S5 and its fingerprint scanner. A PayPal statement said that while the firm was taking the findings of Security Research Labs very seriously, it still has confidence in the fingerprint authentication process of the Samsung smartphone. PayPal also said it is confident in the security this system provides and called it better than passwords, adding that the fingerprint authentication system is an easier and more secure way to pay on mobile devices than credit cards.

PayPal also said the “scan unlocks a secure cryptographic key that serves as a password replacement for the phone… We can simply deactivate the key from a lost or stolen device, and you can create a new one.”

The payment firm further gave assurances that it has “sophisticated fraud and risk management tools to try to prevent fraud before it happens.” Should any theft or breach of security occur, PayPal said its purchase protection policy covers all losses and a customer would be compensated accordingly.

When Samsung Group was contacted about the Samsung Galaxy S5 fingerprint scanner hack and the possibility of PayPal accounts being at risk, its spokesperson gave no comment, and the firm has yet to issue an official statement on the matter.

By Faryal Najeeb

PC Mag
BBC News
