The value of a strong password to protect your stuff is as high as ever
There's been a bit of a hubbub around the web about the "hack" of the Samsung Galaxy S5 Finger Scanner, and how "easy" it was.
First things first, it wasn't easy. If you're stealing a phone with the necessary equipment to also lift and reproduce someones fingerprint, then OK. You're also probably a more intense criminal than someone who randomly snatches peoples' phones.
It isn't a "hack" really, either. It's a "spoof," just as it was on the iPhone 5s. In fact, it's the exact same method that Apple's Touch ID was fooled by. So it's not so much an issue specifically with the Galaxy S5, more a flaw of fingerprint scanners in general. But that doesn't make for sensationalist headlines. So, just like the iPhone 5s and Touch ID before it, the Galaxy S5 falls into the spotlight.
And once more it highlights something we should already be aware of: use strong passwords on all of your private stuff.
The 'easy hack' and PayPal
To the right person, sure, it's easy. But if I stole your fingerprint protected Galaxy S5 out of your hand, I don't think I'll be doing this. But there's also been some sensationalizing on exactly what happens if you keep trying to scan the fingerprint in the PayPal app. Yes, you get more than one attempt at scanning the fingerprint — you get five, to be precise. If, like in the video above, you have a working copy of the fingerprint then you'll absolutely be able to get into someones PayPal account. That's not a by-product of having fooled the Finger Scanner. That's a by-product of having the right fingerprint.
After five attempts if PayPal hasn't authenticated you're given a message that states "Unable to recognize fingerprint. Please swipe again." Perhaps at this point you should require your password instead of continually swiping. But, if as in the video above you've created a working spoof of the right fingerprint, it doesn't matter how many swipe attempts you're allowed, you'll be able to get in. If PayPal locked you out completely after the first bad scan it wouldn't be a particularly user friendly experience, would it?
It's an issue, yes. But it's also an issue that isn't isolated to Samsung, or to the Galaxy S5.
No replacement for strong passwords
Just the same as with Touch ID, the Finger Scanner on the Galaxy S5 should be viewed as an assistant to your device security, adding convenience. It absolutely shouldn't be a replacement for a strong password, PIN code or screen lock pattern, which are still the best ways to secure your accounts and devices. And definitely use two-step authentication wherever you can.
Fingerprint scanning is extremely convenient, especially when it works well. For unlocking your phone, it's probably OK. And while it's pretty awesome that you can hook your PayPal account up with it, if you feel even remotely nervous about it, don't do it.
And if you need any help generating and managing strong passwords, there are a ton of options out there. LastPass, mSecure and 1Password are just a few of the options out there for various platforms that can help you generate some complex and unique passwords for your accounts.
The bottom line
Fingerprints can be spoofed – this isn't new – and this method of spoofing was highlighted back when the iPhone 5s launched. And our advice remains the same: if any of this makes you feel at all uneasy, don't use it. Stick to strong passwords. Nobody's forcing you to use the fingerprint scanner.
If you happen to know a thing or two about biometrics and security and have anything to share, please do drop it into the comments below.
