Hackers have managed to bypass the fingerprint scanner on the new Samsung Galaxy S5 smartphone.
Researchers from Security Research Labs (SRL) in Germany have demonstrated how easily the Samsung Galaxy S5's fingerprint scanner can be tricked. They used a fake fingerprint made from a mould based simply on a photo of a fingerprint smudge left on a smartphone screen.
"This video demonstrates how flaws in the implementation of fingerprint authentication in the Samsung Galaxy S5 expose users' devices, data, and even bank accounts to thieves or other attackers," says the blurb.
The technique, called 'fingerprint spoofing', is the same one which was used to thwart the iPhone 5s Touch ID fingerprint scanner.
While it's the same method, SRL said that Samsung's implementation of the technology was less safe than others. The researcher in the video states that it seemingly allows for unlimited authentication attempts without requiring a password.
The Galaxy S5's lockscreen allows five attempts before asking for a password, but simply switching the screen off and waking it back up allows for another, and this can be repeated.
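The retry behaviour described above can be modelled as a small state machine. This is an added illustration, not code from Samsung or SRL: the class, the `persist_failures` flag and the function names are assumptions made for the example, and only the five-attempt limit comes from the article.

```python
# Simplified model of a biometric lock screen (constructed for illustration).
from dataclasses import dataclass

MAX_FINGERPRINT_ATTEMPTS = 5  # limit stated in the article


@dataclass
class LockScreen:
    persist_failures: bool  # False models the reported behaviour
    failures: int = 0

    def screen_off_on(self) -> None:
        """Sleep/wake cycle. The flawed variant forgets failed attempts here."""
        if not self.persist_failures:
            self.failures = 0

    def try_fingerprint(self, matches: bool) -> str:
        if self.failures >= MAX_FINGERPRINT_ATTEMPTS:
            return "password_required"
        if matches:
            self.failures = 0
            return "unlocked"
        self.failures += 1
        return "rejected"

    def try_password(self, correct: bool) -> str:
        # In the hardened variant only the fallback secret (or a successful
        # match made before the limit) clears the failure counter.
        if correct:
            self.failures = 0
            return "unlocked"
        return "rejected"


def evaluated_attempts(lock: LockScreen, presentations: int) -> int:
    """Count how many non-matching presentations the scanner still evaluates
    when the screen is cycled every time the password prompt appears."""
    evaluated = 0
    for _ in range(presentations):
        result = lock.try_fingerprint(matches=False)
        if result == "password_required":
            lock.screen_off_on()
            result = lock.try_fingerprint(matches=False)
        if result == "rejected":
            evaluated += 1
    return evaluated
```

With `persist_failures=False` every presentation is evaluated; with `persist_failures=True` the scanner stops at five and stays locked out until the password is entered.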
In the video, we can see how a hacker can use the PayPal app to transfer money from the owner's account using just the fake fingerprint.
Samsung says fingerprint scanner hack is nothing to worry about
"This is a scenario that is widely regarded in the industry as posing no critical risk for general consumers. This artificial experiment requires a rare combination of highly specialized equipment, materials and conditions. Samsung takes security matters very seriously. We are continuously taking measures to vigorously enhance security of the device," said the firm in a statement.
"While we take the findings from Security Research Labs very seriously, we are still confident that fingerprint authentication offers an easier and more secure way to pay on mobile devices than passwords or credit cards. PayPal never stores or even has access to your actual fingerprint with authentication on the Galaxy S5," said PayPal in response.
"The scan unlocks a secure cryptographic key that serves as a password replacement for the phone. We can simply deactivate the key from a lost or stolen device, and you can create a new one. PayPal also uses sophisticated fraud and risk management tools to try to prevent fraud before it happens. However, in the rare instances that it does, you are covered by our purchase protection policy."