Fingerprint Scanner on Galaxy S5 Can Be Spoofed for Unauthorized PayPal Transfers Michael Kwan April 15, 2014 Uh oh! First, we got Heartbleed and now we’ve got this. One of the key new features on the Samsung Galaxy S5 is the fingerprint scanner. You simply slide your finger across the home button to unlock your phone, rather than inputting a password or pattern. This same kind of biometric technology is used for authorizing your PayPal transactions on the phone, but it looks like it has already been compromised. This doesn’t necessarily mean that your S5 or your PayPal account has been hacked. What we have learned is that the system is flawed in that the Galaxy S5’s fingerprint scanner can be “spoofed” with a lifted fingerprint. The hacker can then create a “dummy finger” with your fingerprint, slide it across the home screen, and do whatever malicious thing that hackers would do with such access. The Touch ID fingerprint scanner system on the iPhone can be similarly hacked, but the Apple system requires users to enter their password before a fingerprint can be used for authentication and again if the phone is rebooted. On the S5, even after a reboot, all you need is the fingerprint; no password required. Thankfully, PayPal has indicated that your fingerprint data is not actually stored on their servers at all. Instead, a secure cryptographic key is generated that replaces your password and the powers associated with that key can be deactivated if you report your phone lost or stolen. Via BGR Share This With The World!