Germany-based security blog H Security found that someone using a wood glue mold of the fingerprint already set on the Galaxy S5 could gain unauthorized access to your phone. Given Samsung’s fingerprint scanner tie-ins with the PayPal app, this means not only contacts and photos are up for grabs, but mobile payments as well.
H Security used the same mold as it did for the iPhone 5s’ Touch ID, but the Galaxy S5 has more security concerns. The mold was taken from a photo of a fingerprint on a smartphone screen, rather than directly from a person’s finger.
Apple requires users to input their password one time after rebooting their iPhone 5s. The Galaxy S5, however, doesn’t require a password and lets you use your finger – or a spoof to gain unauthorized access – right off the bat. You don’t even need a password on the PayPal app on the Galaxy S5; once again, just your finger.
“Despite being one of the premium phone’s flagship features, Samsung’s implementation of fingerprint authentication leaves much to be desired,” an SRLabs researcher said in a video on Tuesday. “The finger scanner feature in Samsung’s Galaxy S5 raises additional security concerns to those already voiced about comparable implementations.”
Samsung’s Galaxy S5 has made it into the Fast Online Alliance that works to ensure mobile security, which essentially means Samsung isn’t sending your fingerprint to the cloud, and is instead storing it locally like on the iPhone 5s.
“While we take the findings from Security Research Labs very seriously, we are still confident that fingerprint authentication offers an easier and more secure way to pay on mobile devices than passwords or credit cards,” PayPal said in a statement to BGR on Tuesday. “PayPal never stores or even has access to your actual fingerprint with authentication on the Galaxy S5. The scan unlocks a secure cryptographic key that serves as a password replacement for the phone.”
While it may not sound likely that someone’s going to lift your fingerprint, the fact that there isn’t another safety check on the Galaxy S5 could be a cause for concern.