Samsung Galaxy S5 fingerprint scanner 'hacked', PayPal defends biometrics

It seems Samsung's much-anticipated fingerprint scanner on the Galaxy S5 flagship has now met the same fate as Apple's Touch ID sensor on the iPhone 5s.

Within a week of being globally released on 11 April, the Galaxy S5's fingerprint scanner has been hacked. A German blog named H Security has posted a video on YouTube showing the Galaxy S5's fingerprint scanner hacking process.

Notably, shortly after Apple started selling the iPhone 5s, a German hacking group managed to bypass the fingerprint scanner, the Touch ID by using a household printer and some wood glue to create an artificial copy of a genuine fingerprint.

(Also see: Samsung Galaxy S5 fingerprint scanner: First impressions)

The video posted by Security Research Labs (H Security) on YouTube shows how easily the Galaxy S5's fingerprint scanner was hacked using a lifted fingerprint. The video shows how a 'dummy finger' or 'spoof' was used on the fingerprint scanner to gain access to the smartphone, and then PayPal, the popular electronic payment solution provider.

It's worth mentioning that Apple's Touch ID requires users to input their password once before proceeding to the fingerprint scanner authentication, making it a two-step process. Further, the iPhone 5s requires password each time after the reboot.

Unfortunately, the Galaxy S5 does not have any such security measures and the video shows how the hackers spoofed the device's PayPal system using a dummy finger and the one-step process authentication that does not require any password.

Recently, PayPal announced its certified fingerprint-based authentication system for the Galaxy S5 and revealed that the system is now available in 25 countries.

PayPal's spokesperson in a statement to BGR has defended its implementation of a biometric authentication system on the Galaxy S5:

While we take the findings from Security Research Labs very seriously, we are still confident that fingerprint authentication offers an easier and more secure way to pay on mobile devices than passwords or credit cards. PayPal never stores or even has access to your actual fingerprint with authentication on the Galaxy S5. The scan unlocks a secure cryptographic key that serves as a password replacement for the phone. We can simply deactivate the key from a lost or stolen device, and you can create a new one. PayPal also uses sophisticated fraud and risk management tools to try to prevent fraud before it happens. However, in the rare instances that it does, you are covered by our purchase protection policy.