A team of German researchers has figured out a way to dupe the Samsung Galaxy S5’s fingerprint sensor, less than a week after the smartphone’s launch.
“Samsung’s implementation of fingerprint authentication leaves much to be desired,” SRLabs said in a video in which it reused a mold previously used to spoof the fingerprint authentication on the iPhone 5s.
Spoofing a fingerprint to log into the device is bad enough, but the S5’s fingerprint scanner is also used in authenticating payments using PayPal. This can potentially cost you thousands if you use PayPal for business transactions, as a hacker could decide to empty your coffers with a transfer to his bank account.
To add insult to injury, the S5 also allows unlimited authentication attempts, giving any hacker a theoretically limitless amount of time to keep trying the spoof, all without ever being asked for an actual password.
Apple’s iPhone 5s uses its fingerprint scanner to log in to the device and purchase content from Apple’s iTunes Store and App Store. After five failed attempts, you must enter a password to continue.
According to PC World, PayPal said the fingerprint scanner as a method of payment authentication could be disabled. “PayPal never stores or even has access to your actual fingerprint with authentication on the Galaxy S5. The scan unlocks a secure cryptographic key that serves as a password replacement for the phone. We can simply deactivate the key from a lost or stolen device, and you can create a new one.”
So how do you prevent this from happening to you? Well, chances are you’ll probably never have to deal with this issue. While the fingerprint mold used in the study was taken from a picture of a print on a smartphone screen, it was produced under laboratory conditions, making this hack incredibly complex.
You can also simply disable the fingerprint scanning feature and opt to use regular passwords.
And if you’re worried about someone with laboratory access hacking into your smartphone, you’ve probably got bigger problems.