
Mobile ID World

What To Learn From The Samsung Galaxy S5 Sensor Spoof

April 16, 2014

Less than a week after its public consumer release, the Samsung Galaxy S5 smartphone has had its fingerprint sensor spoofed using the same method that a hacking group used to fool its way past the iPhone 5S Touch ID feature last September.

The process is the classic wood glue spoof: a fingerprint is lifted off the device and etched onto a copper plate, which then has glue applied to it to create a fake fingerprint with enough capacitive properties to fool a sensor.

Unlike its iPhone competitor, the Galaxy S5 fingerprint sensor authenticates payments through the PayPal app instead of just on iTunes. The risk of losing a new Samsung phone that is set up for its biometric mCommerce payment feature is therefore greater, making this spoof a tad more concerning than its Touch ID predecessor.

The most concerning aspect of this attack – as the hacker in the video mentions – is that it appears that Samsung has not taken the precautions telegraphed by its main competitor’s public embarrassment. Providers of biometric security alternatives in the form of software are particularly taking advantage of this, advertising advanced anti-spoofing capabilities in addition to platform agnosticism as leverage.

Here is why this is not too big of a deal:

Yes, security on the two most publicly visible fingerprint-sensor-sporting smartphones can be compromised by a spoof (which can be called simple only in terms of the art of spoofing, which is complicated at best), and yes, on one of them this means that the attacker has access to the owner’s PayPal account, but there are some key things to keep in mind.

First of all, in order for the spoof to even be of relevant concern to the average user, their phone must first be stolen and have a usable fingerprint on its surface. Smartphone biometrics benefit from being multi-factor by design through the device itself: no device equals no spoof. A forged fingerprint is useless if there is no sensor to fool. Easy fix: keep your phone safe and authenticate only with your off-hand (the one you don’t use to interface with the touch screen).

Secondly, the economics don’t seem to make much sense in terms of practical thievery. Stealing a Galaxy S5 and forging a fingerprint in order to gain access to a PayPal account that the victim has already had time to flag as compromised seems to make much less sense than stealing a credit card – many of which can be used to make payments with contactless features like PayPass that require no authentication at all. Criminals simply have better ways to spend their time than spoofing smartphones.

Finally, as Michael Barrett of the FIDO Alliance pointed out in the Mobile ID World webinar The Password is Dead!, a wood glue spoof (or any kind, for that matter) is not scalable. Hacking can be monetized on the principle that every password and PIN can be broken by the same virtual method. Though a fingerprint sensor spoof is shown to be relatively simple in that it doesn’t require too much MacGyvering to perform, it is still no way to run a cyber crime racket.

The biggest thing that can be learned from this break-in is that for the sake of public image, and also the peace of mind of potential biometric tech consumers, manufacturers of this technology need to put anti-spoofing and liveness detection on the top of their lists of things to develop. The hacking community has made it loud and clear that if you present a post-password solution it will be put to the test, and they will broadcast any failures they find.
