Samsung added a fingerprint scanner to the Galaxy S5 after Apple launched one in its iPhone 5S handset last year. Samsung took the feature one step further than Apple by allowing people to use it to authenticate purchases.
However, that is increasingly looking like a bad idea after security researchers found a way to fool the Galaxy S5’s fingerprint reader less than a week after it hit retailers.
The fingerprint reader in Apple’s iPhone 5S has also been hacked with a similar method. However, as Apple doesn’t allow users to make third-party purchases with the feature, the security problem isn’t as big an issue.
The print used to unlock the phone was one that the iPhone 5S had refused to authenticate, raising questions about the quality of the scanner in the Galaxy S5.
PayPal is the first company that Samsung has allowed to access the fingerprint scanner to authorise payments. Samsung has indicated that it wants to expand the number of companies it allows to access the fingerprint scanner in the near future.
PayPal has played down the risk to Galaxy S5 owners.
Speaking to the BBC, a spokesperson said: “While we take the findings from Security Research Labs [SRL] very seriously, we are still confident that fingerprint authentication offers an easier and more secure way to pay on mobile devices than passwords or credit cards”. It added that owners would be covered if the money was stolen by hackers in that way.
Security researchers at SRL said that the hack involves lifting a real fingerprint left by the user on the phone. That fingerprint is then used to create a mould out of glue and graphite. The resulting print is then swiped across the sensor that sits in the home button.
“The fingerprint mould was actually one I made for the Apple device back in September,” project manager Ben Schlabs told the news agency. “All I had to do was take it out of the reject pile as it wasn’t one of the ones that ended up working on the iPhone 5S for whatever reason.
“It was the first one I tried and it worked immediately on the S5.”
SRL’s Schlabs also criticised Samsung for its failure to protect owners against repeated attempts to hack the fingerprint scanner. “Samsung could have enforced a password [lock-out] after five failed swipe attempts,” he said. “But the way it works is that if it fails five times and asks for a password, if you just turn the screen off and back on again you can have another try.”
The iPhone 5S does lock users out of the phone after a number of failed attempts.
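The design flaw Schlabs describes is a failed-attempt counter that lives only in the current screen session, so a screen off/on cycle silently resets it. The following Python is an added illustration, not code from the article, Samsung, SRL or PayPal: it models a fingerprint-unlock state machine two ways, one with a per-session counter (the behaviour described above) and one with a counter held in storage that survives screen cycles and is cleared only by a correct password. The class and method names, the verdict strings and the `storage` dictionary standing in for persistent secure storage are all constructed for the example.

```python
"""Fingerprint-unlock attempt counter: per-session versus persistent.

Added example, not from the article or any vendor. The five-swipe threshold
comes from the article; everything else (names, verdict strings, the dict used
in place of real persistent storage) is an assumption made for illustration.
"""

MAX_SWIPES = 5  # the five-attempt threshold quoted in the article


class FingerprintLock:
    """Minimal model of a lock screen with a fingerprint sensor.

    persistent_counter=False: the failure count is recreated on every
    screen_on(), so turning the screen off and on grants fresh swipes.
    persistent_counter=True: the failure count lives in `storage`, which is
    meant to stand in for secure storage that survives screen and power cycles.
    """

    def __init__(self, persistent_counter):
        self.persistent_counter = persistent_counter
        # Constructed stand-in for persistent storage.
        self.storage = {"failed": 0, "password_required": False}
        self.state = None
        self.screen_on()

    def screen_on(self):
        if self.persistent_counter:
            self.state = self.storage  # same object: the count survives
        else:
            # Fresh per-session state: the earlier failures are forgotten.
            self.state = {"failed": 0, "password_required": False}

    def screen_off(self):
        # Nothing to do in either model; the difference is what screen_on()
        # restores afterwards.
        pass

    def swipe(self, matched):
        """Evaluate one swipe. Returns 'locked', 'no-match' or 'unlocked'."""
        if self.state["password_required"]:
            return "locked"  # the sensor is not consulted at all
        if matched:
            self.state["failed"] = 0
            return "unlocked"
        self.state["failed"] += 1
        if self.state["failed"] >= MAX_SWIPES:
            self.state["password_required"] = True
            return "locked"
        return "no-match"

    def enter_password(self, correct):
        """The only legitimate way to clear the lockout."""
        if correct:
            self.state["failed"] = 0
            self.state["password_required"] = False
            return "unlocked"
        return "no-match"


def lockout_survives_screen_cycle(persistent_counter):
    """Five unrecognised swipes, a screen off/on cycle, then one more swipe.

    Returns (verdict after the fifth swipe, verdict after the cycle). A sixth
    swipe that is evaluated ('no-match') rather than refused ('locked') means
    the lockout was bypassed.
    """
    lock = FingerprintLock(persistent_counter)
    verdict = None
    for _ in range(MAX_SWIPES):
        verdict = lock.swipe(matched=False)
    lock.screen_off()
    lock.screen_on()
    return verdict, lock.swipe(matched=False)


if __name__ == "__main__":
    print("per-session counter:", lockout_survives_screen_cycle(False))
    print("persistent counter: ", lockout_survives_screen_cycle(True))
```

With the per-session counter the sixth swipe is evaluated again, which is the behaviour Schlabs criticised; with the persistent counter it is refused until a correct password is entered. The general lesson is that any rate-limit or lockout state must be keyed to the protected credential and stored where a cheap user action (screen toggle, app restart, reboot) cannot discard it.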