Galaxy S5 Finger Scanner

The value of a strong password to protect your stuff is as high as ever

There's been a bit of a hubbub around the web about the "hack" of the Samsung Galaxy S5 Finger Scanner, and how "easy" it was.

First things first, it wasn't easy. If you're stealing a phone with the necessary equipment to also lift and reproduce someone's fingerprint, then OK. You're also probably a more intense criminal than someone who randomly snatches people's phones.

It isn't a "hack" really, either. It's a "spoof," just as it was on the iPhone 5s. In fact, it's the exact same method that Apple's Touch ID was fooled by. So it's not so much an issue specifically with the Galaxy S5, more a flaw of fingerprint scanners in general. But that doesn't make for sensationalist headlines. So, just like the iPhone 5s and Touch ID before it, the Galaxy S5 falls into the spotlight.

And once more it highlights something we should already be aware of: use strong passwords on all of your private stuff.

The 'easy hack' and PayPal

To the right person, sure, it's easy. But if I stole your fingerprint-protected Galaxy S5 out of your hand, I don't think I'd be doing this. There's also been some sensationalizing about exactly what happens if you keep trying to scan the fingerprint in the PayPal app. Yes, you get more than one attempt at scanning the fingerprint — you get five, to be precise. If, like in the video above, you have a working copy of the fingerprint, then you'll absolutely be able to get into someone's PayPal account. That's not a by-product of having fooled the Finger Scanner. That's a by-product of having the right fingerprint.

After five attempts, if PayPal hasn't authenticated you, you're given a message that states "Unable to recognize fingerprint. Please swipe again." Perhaps at this point the app should require your password instead of letting you keep swiping. But if, as in the video above, you've created a working spoof of the right fingerprint, it doesn't matter how many swipe attempts you're allowed: you'll be able to get in. If PayPal locked you out completely after the first bad scan, it wouldn't be a particularly user-friendly experience, would it?
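To make the two points above concrete (a swipe limit with a password fallback, and why that limit does nothing against a working copy of the print), here is a small model of such an app gate. It is an added example, not the article's or PayPal's code; the attempt limit comes from the article, while the template string, PIN and the equality check that stands in for a real matcher are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

MAX_SCAN_ATTEMPTS = 5  # the five swipes the article describes


def _h(secret: str) -> bytes:
    """Hash a PIN so the gate never keeps it in the clear (illustrative)."""
    return hashlib.sha256(secret.encode()).digest()


@dataclass
class BiometricGate:
    """Models an app that accepts a fingerprint, falls back to a password after
    repeated failures, and can demand a PIN step-up for sensitive actions."""
    template: str                  # constructed stand-in for the enrolled print
    pin_hash: bytes
    step_up_for_payments: bool = False
    failed_scans: int = 0
    locked_to_password: bool = False

    def scan(self, sample: str) -> str:
        """Return 'granted', 'retry' or 'password_required'."""
        if self.locked_to_password:
            return "password_required"
        # Exact equality stands in for a matcher's similarity threshold.
        if hmac.compare_digest(sample, self.template):
            self.failed_scans = 0
            return "granted"
        self.failed_scans += 1
        if self.failed_scans >= MAX_SCAN_ATTEMPTS:
            self.locked_to_password = True  # stop swipes, ask for the password
            return "password_required"
        return "retry"

    def enter_pin(self, pin: str) -> bool:
        """Knowledge factor: a correct PIN clears the lock and the counter."""
        ok = hmac.compare_digest(_h(pin), self.pin_hash)
        if ok:
            self.failed_scans = 0
            self.locked_to_password = False
        return ok

    def authorize_payment(self, sample: str, pin: Optional[str] = None) -> bool:
        """A matching (or spoofed) print alone passes unless step-up is on."""
        if self.scan(sample) != "granted":
            return False
        if self.step_up_for_payments:
            return pin is not None and self.enter_pin(pin)
        return True
```

The swipe limit only defends against guessing or noisy scans; a correct copy of the print passes on the first swipe, so the step-up flag is what actually stops it.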

It's an issue, yes. But it's also an issue that isn't isolated to Samsung, or to the Galaxy S5.

No replacement for strong passwords

Google Authenticator

Just the same as with Touch ID, the Finger Scanner on the Galaxy S5 should be viewed as an assistant to your device security, adding convenience. It absolutely shouldn't be a replacement for a strong password, PIN code or screen lock pattern, which are still the best ways to secure your accounts and devices. And definitely use two-step authentication wherever you can.

Fingerprint scanning is extremely convenient, especially when it works well. For unlocking your phone, it's probably OK. And while it's pretty awesome that you can hook your PayPal account up with it, if you feel even remotely nervous about it, don't do it.

And if you need any help generating and managing strong passwords, there are a ton of options out there. LastPass, mSecure and 1Password are just a few of the tools available for various platforms that can help you generate complex and unique passwords for your accounts.

The bottom line

Paypal on Galaxy S5

Fingerprints can be spoofed – this isn't new – and this method of spoofing was highlighted back when the iPhone 5s launched. And our advice remains the same: if any of this makes you feel at all uneasy, don't use it. Stick to strong passwords. Nobody's forcing you to use the fingerprint scanner.

If you happen to know a thing or two about biometrics and security and have anything to share, please do drop it into the comments below.


Reader comments

This kind of makes Phil's article about nipple unlocking the HTC One Max seem less weird. Only kind of, and only a little less, but still, I don't think you could lift my nipple print from my phone.

Lol I've done that many times with a variety of phones. I've even "nipple" dialed. Try explaining that one to someone.

Neither do I... I just don't use it. Wow. That was difficult... would have been so much easier if my S5 was a Nexus, right... oh yeah, no it wouldn't. Thought I smelled troll breath around here.

I never get the point of finger scanners.

A better idea would be 2-factor authentication, but I think it's overly complicated for smartphones, IMO.

Guys... it's a phone. I just want to be able to put it down at home, and not have girlfriend #3 pick it up, unlock it (after secretly learning my pin) and start snooping. If you are a bachelor/bachelorette, you understand this completely. It's not a security measure, it's a privacy measure.

This doesn't really concern me at all. Sure, fingerprint scanners are fundamentally beatable, but I'm much more worried about someone just watching me enter my PIN and then swiping my phone. Unless you take an incredible amount of caution to not be seen when you're entering your PIN (and be honest, you don't), it's much more likely that someone is going to swipe your phone after looking over your shoulder for two minutes than it is that someone will grab your phone and then go to the trouble of lifting your fingerprint from it.

It's pretty easy to conceal your PIN or password from view. I do it all the time whether it's my mobile devices, at the ATM or when using my debit card at a point of sale terminal. :)

Seems like you missed the point... it'd be easier to catch you off guard entering your pin once, than it would be to lift a clean fingerprint and duplicate it.

If I see you enter your pin, then steal your phone, I have instant access to the $12.50 in your paypal account. The alternative is much more laborious.

If you see my pin and steal my phone, you'd still have to crack the password to every single account worth breaking into, and they're all protected as well as any debit/credit card. I don't care if a thief sees my unsecured emails, d*ck pics, and my lady naked. I care that my phone is gone, and a lockscreen password will never, ever change that or bring it back. If they would make something that will shock the sh*t out of anyone that's not me touching my phone when locked, I'd be all over it lol.

Again... it's not a matter of accessing your ACCOUNTS, it's a matter of accessing your PHONE. If someone wants your credit/debit cards, what makes you think they'll lift your phone and not your wallet? Isn't your wallet where you keep the unsecured versions of the cards that you password protect on your device? See why a thief would steal your wallet instead of your phone if your cards were the target?

A thief couldn't give a damn what's on your device; if they're stealing it, they need access to it in order to WIPE the data and SELL it before you can track them down. If I steal your $600 phone and sell it for a loss at $400, I just made $400 at your expense... and you're over there talking about unsecured emails and d*ck pics that are worthless to EVERYONE, including you, because you don't care who sees them.

I care who sees my ladies naked.

A fingerprint is more secure than a pin code if you're worried about getting your phone stolen... in the real world.

Well, account access can be an issue. For any app that uses the fingerprint scanning security API, there's only one layer of security between your locked phone and complete access to that app. That's a problem, since as it is now, they'd need both your phone's PIN and the application-specific PIN or password. If you have your fingerprint linked to PayPal or Amazon (I don't know how many apps actually allow fingerprint-scanning), they could add a whole lot of insult to injury after stealing your phone.

Also, keep your naked pictures in a secure gallery app, for god's sake. :) I recommend Photo Locker.

Wow, clearly missed the point. Yes, I do use Google Wallet, Paypal, and Mint, which are linked directly to bank accounts, credit cards, etc. That aside, THE POINT was that a lockscreen pin/pattern/face unlock/fingerprint scanner WILL NOT keep a thief from stealing my device. It's only for privacy; it is not a security measure. I can use caps too, see? Never go full retard.

If someone does manage to steal your phone and pin, then you can use Android Device Manager to either re-lock the phone using another pin or completely wipe the phone.

The only reason we didn't go through this back in Feb of like 2010 (or whenever it launched) with the Motorola Atrix on AT&T was because it wasn't quite as mainstream as Apple's products and, now, Samsung's. (Back then Samsung was more even among the manufacturers producing Android-powered phones).

That's right...password123 is my password for everything and no one will ever crack that. I don't need no fingerprint scanner

Posted from my newly Kit Katted Droid Ultra

Oh my, people love to complain on the web for nothing. Data shows about 50% of users do not have a password on their phone. The fingerprint scanner is a way to combat that. That fingerprint scanner is better than not having one at all. Besides, the time it would take someone to do all that's required to gain access to your phone is long enough that you would notice your phone is gone and a remote wipe is in order. We should not let perfection be the enemy of good enough.

Is that a logical answer I just read?!

We don't like your kind around here... thinking with your brain and whatnot. Skedaddle!

"And if you need any help generating and managing strong passwords, there are a ton of options out there. LastPass, mSecure and 1Password are just a few of the options out there for various platforms that can help you generate some complex and unique passwords for your accounts."

Those will only provide you with hard to remember and easy to crack passwords. As usual, xkcd has all the answers.

D'Oh, shocker! Let's use just a fingerprint for security on a device that probably has your fingerprints all over it. What could possibly go wrong with that setup?

This is an example of failing to follow the basic security model where something you know (PIN, password) or something you have (ex. card, token) are best used as primary authentication methods (they're often used together as primary/secondary too). Biometrics are at best used as a secondary authentication, could be used as a primary, but they should NEVER be used alone!

Reason being: the first two (something you know and something you have) are typically much more secure methods (or harder to hack), whereas the third (something you are) is not as secure, especially something like a fingerprint that may be left on something you've touched, which could then be lifted and used.

I challenge you to lift a useful fingerprint off your phone. You've got multiple smears. Multiple prints. Out of those you have to find the one of 10 fingers the person used for their print. Granted, if the phone has a removable cover you might be able to get a good one off the inside or the battery.
Real life isn't like TV. Lifting useful prints off of commonly used items is improbable. You have to have a good reference.

Not to mention that most of us tend to use the "tip" of our finger to interact with our devices, not the pad, where the actual finger print is.

Guess what. Passwords are beatable too. Every way to secure your device can be beat.

I refuse to lock my phone. I drive all day in heavy equipment and can't afford the distraction. I keep nothing sensitive enough on there that would put me into a tizzy if stolen. I have my information for credit cards or business IDs hidden in notes inside files that a thief would need time to even find, much less benefit from, before I wipe the device. Which never leaves my body or sight. But, I love the tech of this fingerprint scanning. Fun to see all this stuff happening.

Authentication methods only slow down access. They never prevent it. Fingerprint scanners are the easiest to spoof. The hardest part is getting a good copy of a fingerprint of the finger you are needing. It doesn't have to be perfect, since fingerprint recognition uses points of similarity. They don't actually compare the ridge details to achieve a perfect match, just a probable match.

If someone spoofs your fingerprint, you are being deliberately targeted. So for most of us it works to keep people out. Oh, don't forget you are leaving fingerprints all over your phone. Fortunately real life isn't like TV. Those fingerprints are more than likely useless due to being smeared or multiple overlapping prints. Of course you might be able to recover one off the battery. Is it the right one you used for the scanner?
That brings up another point in your favor. A would-be thief needs to have a good copy of all your fingerprints if he doesn't know which one you use for authentication. Granted, most people will use their thumb or forefinger.
For most of us it's good enough and no worry. Here's a tip: use your off hand for the fingerprint. You are less likely to leave off-hand fingerprints lying around.

Yes, I too was concerned about someone actually trying to duplicate your fingerprint. That's worse than identity theft. They should work extremely hard to lock it in a vault, serious firewall, like Dell. I still have my Dell M1530 laptop with a fingerprint scanner, so if I forget my password by not using it for a while, I can scan my fingerprint and open the welcome screen. My friend was helping me with something on my laptop; even he tried but he couldn't do it. I definitely go for strong passwords for all places and accounts, I definitely go for two forms of authentication for the mere fact that only you know, anybody else doesn't. They tighten up the screws to help them track down the person doing it, perhaps they need a booster from LifeLock. I like the fingerprint scanner, however, when they get something solid and totally secure I probably will use it, but in the meantime, because of that, I will just stick with my code unlocking my phone, because nobody knows it but me.

I feel like if you have it set up right, by the time the criminal has the chance to even try to lift a legitimate fingerprint you would have the phone locked down or wiped. Yeah, you can spoof a fingerprint, but you set a particular finger for the fingerprint on these kinds of scanners. The criminal would have to be lucky to get a solid fingerprint lift of the correct finger on the first try, or after multiple tries for that matter.

The thing about fingerprint scanning and passwords for unlocking the phone... You don't even need the fingerprint, so it's as secure as your password.

If dude passes out, can PayPal up some purchases from his phone! Same thing with the secret files or locked phone... wifey will wait 'til I'm asleep then unlock it... or drug me - heh!


These are all to keep honest people honest. But the real question is, as in the new iPhone, has anyone beat the scanner without using a lifted fingerprint done under somewhat controlled conditions? I think not.

I also have no intentions of buying the newish iPhone or the SGS5.

