"Samsung's implementation of fingerprint authentication leaves much to be desired," researchers from Berlin-based security firm Security Research Labs (SRLabs) noted, and demonstrated how these flaws can be used to expose users' devices, data, and even bank accounts to thieves or other attackers.
The researchers used the same fingerprint mould they had employed to fool the iPhone 5s' Touch ID last year. The spoof was made under lab conditions, they noted, but it is based on nothing more than a camera-phone photo of an unprocessed latent print lifted off a smartphone screen.
"Perhaps most concerning is that Samsung does not seem to have learned from what others have done less poorly," they pointed out. "Not only is it possible to spoof the fingerprint authentication even after the device has been turned off, but the implementation also allows for seemingly unlimited authentication attempts without ever requiring a password."
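The two design failures the researchers single out, fingerprint unlock accepted straight after a reboot and no cap on failed biometric attempts, are policy decisions, not sensor problems. The following added example (my own illustration, not code from SRLabs, Samsung or PayPal) models a device unlock state machine under both the weak policy described above and a hardened one; the failure cap of 5, the method names and the scenario functions are constructed for the illustration and are not taken from any real device.

```python
from dataclasses import dataclass, field
from enum import Enum

# Hypothetical cap on consecutive failed fingerprint attempts (constructed value).
MAX_BIOMETRIC_FAILURES = 5


class Method(Enum):
    FINGERPRINT = "fingerprint"
    PASSWORD = "password"


@dataclass
class UnlockPolicy:
    """Two knobs that decide how much a spoofed print can achieve.

    unlimited_biometric_attempts=True and biometric_after_boot=True reproduce the
    weak behaviour described in the article; both False is the hardened policy
    (password required after every boot and after repeated biometric failures).
    """
    unlimited_biometric_attempts: bool
    biometric_after_boot: bool


@dataclass
class DeviceState:
    policy: UnlockPolicy
    password_verified_since_boot: bool = False
    failed_biometric: int = 0
    log: list = field(default_factory=list)

    def boot(self) -> None:
        # A reboot wipes the "password seen" flag and the failure counter.
        self.password_verified_since_boot = False
        self.failed_biometric = 0

    def biometric_allowed(self) -> bool:
        if not self.policy.biometric_after_boot and not self.password_verified_since_boot:
            return False  # no fingerprint until the password has been entered once
        if (not self.policy.unlimited_biometric_attempts
                and self.failed_biometric >= MAX_BIOMETRIC_FAILURES):
            return False  # too many misses: fall back to the password
        return True

    def attempt(self, method: Method, credential_ok: bool) -> str:
        """Returns 'unlocked', 'denied' or 'password_required'."""
        if method is Method.FINGERPRINT:
            if not self.biometric_allowed():
                self.log.append("fingerprint refused: password required")
                return "password_required"
            if credential_ok:
                self.failed_biometric = 0
                return "unlocked"
            self.failed_biometric += 1
            self.log.append(f"fingerprint mismatch #{self.failed_biometric}")
            return "denied"
        # Password path: a correct password re-enables biometrics and resets the counter.
        if credential_ok:
            self.password_verified_since_boot = True
            self.failed_biometric = 0
            return "unlocked"
        return "denied"


def after_boot_outcomes(policy: UnlockPolicy) -> list:
    """Constructed scenario: fresh boot, six non-matching prints, then one matching print."""
    dev = DeviceState(policy)
    dev.boot()
    results = [dev.attempt(Method.FINGERPRINT, False) for _ in range(6)]
    results.append(dev.attempt(Method.FINGERPRINT, True))
    return results


def after_password_outcomes(policy: UnlockPolicy) -> list:
    """Constructed scenario: boot, correct password, then the same seven fingerprint attempts."""
    dev = DeviceState(policy)
    dev.boot()
    dev.attempt(Method.PASSWORD, True)
    results = [dev.attempt(Method.FINGERPRINT, False) for _ in range(6)]
    results.append(dev.attempt(Method.FINGERPRINT, True))
    return results


if __name__ == "__main__":
    weak = UnlockPolicy(unlimited_biometric_attempts=True, biometric_after_boot=True)
    hard = UnlockPolicy(unlimited_biometric_attempts=False, biometric_after_boot=False)
    print("weak, after boot:    ", after_boot_outcomes(weak))
    print("hardened, after boot:", after_boot_outcomes(hard))
    print("hardened, after pw:  ", after_password_outcomes(hard))
```

Under the weak policy the seventh (matching) print unlocks the device no matter how many misses preceded it and no matter that nobody has typed the password since power-on, which is exactly the window a moulded print exploits. Under the hardened policy a cold-booted device refuses the sensor outright, and once the password has been entered the sensor is cut off after the fifth miss, so a spoof has a bounded number of tries before the attacker needs the password anyway.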
They demonstrated how the fingerprint authentication incorporated into sensitive apps such as PayPal's gives the attacker the ability to make purchases and unsolicited money transfers.
PayPal reacted to the news by noting that the company never stores, or even has access to, users' actual fingerprints when authenticating on the Galaxy S5.
"The scan unlocks a secure cryptographic key that serves as a password replacement for the phone. We can simply deactivate the key from a lost or stolen device, and you can create a new one," the company explained, then reassured users: "PayPal also uses sophisticated fraud and risk management tools to try to prevent fraud before it happens. However, in the rare instances that it does, your eligible transactions are covered by our buyer protection policy."
Samsung has yet to comment on SRLabs' findings.