Samsung Galaxy S5 fingerprint scanner can be tricked
Posted on 16 April 2014.
Samsung's newly released Galaxy S5 phone sports a fingerprint scanner embedded in the home button that works well but, like the iPhone 5S's TouchID before it, can unfortunately be tricked with a mould of the user's fingerprint.

"Samsung's implementation of fingerprint authentication leaves much to be desired," researchers from Berlin-based security firm Security Research Labs (SRLabs) noted, and demonstrated how these flaws can be used to expose users' devices, data, and even bank accounts to thieves or other attackers.


The researchers used the same fingerprint mould they employed to fool the iPhone 5S's TouchID last year. The spoof was made under lab conditions, they noted, but is based on a camera phone photo of an unprocessed latent print lifted off a smartphone screen.

"Perhaps most concerning is that Samsung does not seem to have learned from what others have done less poorly," they pointed out. "Not only is it possible to spoof the fingerprint authentication even after the device has been turned off, but the implementation also allows for seemingly unlimited authentication attempts without ever requiring a password."

They demonstrated how the fingerprint authentication incorporated into sensitive apps such as PayPal's gives the attacker the ability to make purchases and unsolicited money transfers.

PayPal reacted to this news by noting that the company never stores or even has access to users' actual fingerprints when fingerprint authentication is used on the Galaxy S5.

"The scan unlocks a secure cryptographic key that serves as a password replacement for the phone. We can simply deactivate the key from a lost or stolen device, and you can create a new one," the company explained, then reassured users: "PayPal also uses sophisticated fraud and risk management tools to try to prevent fraud before it happens. However, in the rare instances that it does, your eligible transactions are covered by our buyer protection policy."

Samsung has yet to comment on SRLabs' findings.









Copyright 1998-2014 by Help Net Security.