The hack is identical to the one that would allow a thief to get around the Apple iPhone 5S Touch ID fingerprint sensor. All it takes is some wood glue and a fingerprint smudge of the true owner on the glass of the device. In a video of the hack posted on YouTube, Security Research Labs demonstrates how, after making a printed mold from a photo of the fingerprint smudge using thick toner, a wood glue casting of the print can easily fool the device.
"Despite being one of the premium phone's flagship features, Samsung's implementation of fingerprint authentication leaves much to be desired," the researcher in the video said. "The finger scanner feature in Samsung's Galaxy S5 raises additional security concerns to those already voiced about comparable implementations."
In other words, a thief could steal the smartphone, use this technique to cast a print and have access to the user’s mobile money via PayPal within a matter of hours. Not to mention any online banking apps and other sensitive widgets that have been “secured” with the fingerprint.
SRLabs also pointed out that, unlike Apple iPhone 5S, the Galaxy’s fingerprint scanner doesn’t require a password after multiple incorrect finger sensor attempts, widening the thief’s window for success. The iPhone requires a password to be typed in after three attempts.
Samsung has thus far said nothing in response to the hack, but PayPal has issued a statement.
"While we take the findings from Security Research Labs very seriously, we are still confident that fingerprint authentication offers an easier and more secure way to pay on mobile devices than passwords or credit cards,” it said. “PayPal never stores or even has access to your actual fingerprint with authentication on the Galaxy S5. The scan unlocks a secure cryptographic key that serves as a password replacement for the phone. We can simply deactivate the key from a lost or stolen device, and you can create a new one. PayPal also uses sophisticated fraud and risk management tools to try to prevent fraud before it happens. However, in the rare instances that it does, you are covered by our purchase protection policy."