Date: Thursday, April 17th, 2014, 08:17
Category: Android, Hacks, privacy, Samsung, security
It was only a matter of time before someone found a weakness in the fingerprint scanner on the new Samsung Galaxy S5. Too bad Samsung didn’t learn anything from Apple’s experiences with fingerprint hacking. The very same hack that was used to bypass the iPhone 5S’s scanner, which we reported on last September, has now been used to get past the one on the Galaxy S5. The security blog SRLabs has posted a video of a fake fingerprint, copied from a photo and reproduced, being used to unlock a Galaxy S5.
Even though the hack is exactly the same for both the Galaxy and the iPhone, there is one important difference. Apple’s Touch ID system requires users to input their password one time before using a fingerprint for authentication. The password must be entered again each time the device is rebooted. On the Galaxy S5, once fingerprint scanning is set up, no password is required to access the phone, and after a reboot a swipe of a finger will still unlock it.
I am frequently irritated when the iPhone asks for my password instead of using my fingerprint for purchases on the App Store, but now I’m glad it does. To add an additional layer of security scariness (as shown in the video), the Galaxy already comes with a PayPal app that uses fingerprint scanning to log into your account, so that anyone executing the hack not only has access to your phone, but also has access to your PayPal account. PayPal responded to concerns by noting that once you realize your phone is missing, you can contact them to have the security key changed to prevent the phone from accessing your account, assuming you do so before the thief accesses it. They have also said that this type of fraud is covered by their purchase protection policy. That said, it’s still disturbing.