Less than a week after it hit the market, a team of German researchers was able to defeat the Samsung Galaxy S5’s fingerprint scanner using a mold created from an image of a latent fingerprint, the same mold they had previously produced to gain access to Apple’s iPhone 5S.
“The fingerprint mould was actually one I made for the Apple device back in September,” project manager Ben Schlabs told the BBC. “All I had to do was take it out of the reject pile as it wasn’t one of the ones that ended up working on the iPhone 5S for whatever reason. It was the first one I tried and it worked immediately on the S5.”
The researchers created a video demonstrating the security bypass procedure, stating “this video demonstrates how flaws in the implementation of fingerprint authentication in the Samsung Galaxy S5 expose users’ devices, data, and even bank accounts to thieves or other attackers.”
The researchers also note that in general, fingerprint authentication has two serious drawbacks:
- Limited revocation. Once a fingerprint gets stolen, there is no way to change it. To offset this high compromise penalty, fingerprints would need to be very hard to steal. However:
- Credential spread. Users leave copies of their fingerprints everywhere, including on the devices they protect. Fingerprints are not fit for secure local user authentication as long as spoofs (“fake fingers”) can be produced from these pervasive copies.
There are also concerns that such bypass techniques could make targets vulnerable to unauthorized financial transactions, but e-payment giant PayPal attempted to play down the risk.
“While we take the findings from Security Research Labs [SRL] very seriously, we are still confident that fingerprint authentication offers an easier and more secure way to pay on mobile devices than passwords or credit cards,” PayPal said.