PayPal accounts linked to Samsung's Galaxy S5 smartphones are vulnerable to hackers, Ars Technica reports. The security risk lies in the phone's fingerprint sensor, according to researchers at Germany's Security Research Labs.
Using fingerprints, iris scans or other physical characteristics to identify a device's owner has been considered a safer alternative to passwords. However, Ars points out that this security flaw is just the latest of its kind: other security experts were able to bypass Apple's Touch ID fingerprint scanner less than 48 hours after it first became available.
"We expected we'd be able to spoof the S5's Finger Scanner, but I hoped it would at least be a challenge," Ben Schlabs, a researcher at SRLabs, wrote in an e-mail to Ars. "The S5 Finger Scanner feature offers nothing new except—because of the way it is implemented in this Android device—slightly higher risk than that already posed by previous devices."
The Samsung smartphone's fingerprint authenticator can be associated with sensitive banking or payment apps such as PayPal. Schlabs was able to gain complete control of a PayPal account, including access to money transfers and purchases, by using a spoofed fingerprint to bypass the device's lock.
The fake fingerprint was made using a photo of a fingerprint smudge left on a smartphone screen.
The SRLabs team is among several whitehat hackers reporting a successful hack of the Samsung phone. "Whitehat hackers" are those who attempt to exploit device and software flaws in order to improve security.
Meanwhile, Quixter, a small company in Sweden, has built a reader that goes beyond fingerprints to entire palm prints for use in mobile payment terminals, the Wall Street Journal reports. Since it scans and analyzes the structure of the blood veins inside the palm, the company is hopeful it will provide a safer form of identification than passwords.