Security researchers from SR Labs have cracked the Samsung Galaxy S5’s fingerprint reader, gaining access to the handset and using it to make PayPal transactions. The fingerprint sensor on Samsung’s Galaxy S5 handset has been hacked less than a week after the device went on sale.
A crude fake fingerprint, molded from wood glue and based on a photograph taken with a smartphone, was enough to fool the much-hyped fingerprint sensor in Samsung’s new Galaxy S5. SR Labs, the German company behind the hack, used the same equipment, and the same fingerprint, that it used to defeat Apple’s iPhone 5S last year.
The researchers point out, however, that the Galaxy S5 carries its own risks: “Including highly sensitive apps such as PayPal gives an attacker an even greater incentive to learn the simple skill of fingerprint spoofing. This includes making purchases and unsolicited purchases from the victim’s account.”
“Samsung does not seem to have learned from what others have done, less poorly,” the researchers said.
The implementation seems to allow a limitless number of attempts to unlock the device via the biometric sensor (although whether this applies to all Galaxy S5s is unclear, as ESET testers have found that the device forces a six-digit password after a number of failed attempts).
SR Labs said, “While biometrics will always carry with them a trade-off of security for convenience, it is the manufacturer’s responsibility to implement them in a way that does not put their user’s crucial data and payment accounts at risk.”
PayPal was quick to play down the risks, although the Galaxy S5’s sensor offers considerably more opportunity for theft: any store or shopping site that accepts PayPal’s S5 fingerprint payment system is exposed.
“While we take the findings from Security Research Labs [SRL] very seriously, we are still confident that fingerprint authentication offers an easier and more secure way to pay on mobile devices than passwords or credit cards.”
PayPal told the BBC that it would reimburse customers for any losses caused by hacks directed against the scanner, covering their losses even if their accounts were compromised this way.
An SR Labs video demonstrates how flaws in the implementation of fingerprint authentication in the Samsung Galaxy S5 expose users’ devices, data, and even bank accounts to thieves or other attackers.
ESET Senior Researcher Stephen Cobb says that such hacks do not “prove” that biometric security cannot work.
“Bear in mind the effort required to defeat the biometric, and also to crack your iPhone password, then ask yourself how many people want your iPhone data that badly,” Cobb says.
“There is a constant tension between claims of security and efforts to undermine that security. It is clearly true that having to supply a fingerprint as well as a password to access the iPhone 5S, or anything else, makes the data on the device more secure against certain types of attack than only requiring one form of authentication. Whether that added level of security is enough for you to trust “sensitive” information to your iPhone is a question for each user to answer. Would I put priceless IP on a mobile phone? No. But read what it takes to beat the fingerprint reader and ask yourself who would go to that trouble for the stuff you do have on your phone.”