To show just how sensitive today’s world is, one need look no further than an incident that took place in Germany on the morning of April 16, 2014, and led to seven firings by the afternoon in Seoul, South Korea. It seems that the fingerprint security on Samsung’s flagship Galaxy S5 phone was hacked by a German security team, who fired off a dire warning that its implementation is far less secure than the company has claimed, and that the predicted consequences are potentially far worse than those plaguing Apple’s iPhone 5S.
At any rate, the Berlin company Security Research Labs has posted a video on YouTube showing just how simple it was for them to use a rubber mold made from a high-resolution image of a fingerprint lifted from a smartphone screen. In fact, it turns out to be the same print used by the same company to show up the aforementioned iPhone’s once-vulnerable fingerprint sensors, which, by the way, are fully secure now.
Further to that, SRL researchers pointed out what they archly refer to as “additional concerns” about Samsung’s security system. Anyone who deals with Apple, for example, knows that moving around requires constant vigilance on both sides: nicknames, addresses and passwords need to be used and reused constantly. This is not the case with Samsung. Any would-be hacker spoofing the fingerprint could also link in to payment systems such as PayPal, which can then be easily used to wire money to the attacker’s account.
“Samsung’s implementation of fingerprint authentication leaves much to be desired,” SRL said, according to The Guardian. “They do not seem to have learned what others have done… while biometrics will always carry with them the trade of security for convenience, it is the manufacturer’s responsibility to implement them in a way that does not put their users’ crucial data and payment accounts at risk.”
What’s worrisome is the lack of a ‘lock-out’ function compared with the iPhone 5S, the only other mass-market phone offering fingerprint authentication. Rivals including HTC (the new model of which does come with fingerprint recognition devices) and Motorola also offer fingerprint unlocking as a paid extra, but few members of the public so far are buying in. Au contraire, Apple’s savvy implementation, known as Touch ID, locks out any user after three attempts; if the phone has been turned off; if more than 48 hours have passed since the phone was unlocked; or if there’s been an attempt to change or remove the Touch ID setting. Once locked out, a user has to start the process all over again and enter a brand-new password or code to access the phone. Apple also links its Touch ID system only to unlocking the phone or its App Store, though; once a phone is unlocked, any app is accessible.
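The lock-out rules described above, sketched as a small unlock gate. This is an added example, not Apple’s or Samsung’s code: the class and method names are hypothetical, `max_failed=None` stands in for a device with no lock-out, and the thresholds are the figures this article gives.

```python
from dataclasses import dataclass
from typing import Optional

MAX_IDLE_SECONDS = 48 * 3600  # 48 hours since the last unlock, per the article


@dataclass
class FingerprintGate:
    """Hypothetical unlock gate; sensor_ok stands in for the sensor's match result."""
    last_unlock: float
    max_failed: Optional[int] = 3    # article's figure; None models "no lock-out"
    failed: int = 0
    passcode_required: bool = False  # once set, only the passcode clears it

    def on_reboot(self) -> None:
        self.passcode_required = True

    def on_biometric_settings_change(self) -> None:
        self.passcode_required = True

    def try_fingerprint(self, sensor_ok: bool, now: float) -> str:
        if now - self.last_unlock > MAX_IDLE_SECONDS:
            self.passcode_required = True
        if self.passcode_required:
            return "passcode_required"   # the sensor result is ignored entirely
        if sensor_ok:
            self.failed, self.last_unlock = 0, now
            return "unlocked"
        self.failed += 1
        if self.max_failed is not None and self.failed >= self.max_failed:
            self.passcode_required = True
        return "rejected"

    def unlock_with_passcode(self, passcode_ok: bool, now: float) -> str:
        if not passcode_ok:
            return "rejected"
        self.failed, self.passcode_required, self.last_unlock = 0, False, now
        return "unlocked"


def first_unlock(gate: FingerprintGate, sensor_results, start: float = 0.0):
    """Replay a constructed sequence of sensor results; return the 1-based index
    of the first successful unlock, or None if the gate never opens."""
    for i, ok in enumerate(sensor_results, start=1):
        if gate.try_fingerprint(ok, now=start + i) == "unlocked":
            return i
    return None


# Constructed input: an imperfect spoof that only matches on its fifth presentation.
SPOOF_RESULTS = [False, False, False, False, True]
```

With the lock-out the fifth presentation is never evaluated, because the gate has already fallen back to the passcode; without it, repeated presentations of the same spoof eventually get through.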
Having made some Samsung connections at the CES show in Las Vegas over the New Year, I got in touch with them about this. “Well,” I was told, “the most cash PayPal will pass on per transaction is US$500. This is not so serious.” My friend told me that the threat to both Samsung and Apple users was largely theoretical, because it requires a high-quality fingerprint lifted from clean glass, and scanned at high resolution, and then printed on to latex rubber to do the damage we speak of.
Since the iPhone 5S went on sale in September 2013, there have been no recorded cases where the fingerprint has been spoofed to hack into the phone beyond laboratory tests such as those by SRL. This flies in the face of scores of warnings I keep reading from the NSA about organized Russian criminals already firing a warning shot across our bows during an attack on Target.
Samsung had not made an official comment by the time of publication. A very concerned PayPal PR department, however, has already released a statement to the Android Community. “While we take the findings from Security Research Labs very seriously, we are still confident that fingerprint authentication offers an easier and more secure way to pay on mobile devices than passwords or credit cards.” The PayPal integration adds a cryptographic ‘key’, not the actual password, it said: “We can simply deactivate the key from a lost or stolen device, and you can create a new one.” In the event of fraud, the company said, “you are covered by our purchase protection policy.”