When Samsung debuted its flagship Galaxy S5 smartphone last week, there was little buzz and hype over the gadget’s fingerprint scanning technology. The feature, however, made headlines a few days later, not for its cutting-edge quality in terms of security, but for the exact opposite to that: the system is not secured.
Security Research Labs researchers have been able to apparently hack the smartphone, bringing to light a flaw that could expose the users’ personal data, bank accounts, credit card numbers and other sensitive information to hackers.
The hackers first indexed a genuine fingerprint onto the Galaxy S5 scanner and then used a latent mold of the same fingerprint to bypass the security system, unlocking everything inside a critical infrastructure as easily as reciting the alphabet. Now here is the more alarming part of the flaw: the S5 scanner is directly linked to PayPal and subsequently directs real users, or hackers, to other online payment services.
What is equally troubling about this flaw is that there seems to be an unrestricted number of attempts to enter a fingerprint, false or genuine. Samsung did not seem to have learned from a similar previous pitfall that the Apple’s iPhone 5s TouchID fingerprint scanner has fallen into shortly after the smartphone was released in 2013.
All this puts in question the feasibility of fingerprint scanning features compared to the traditional password as a means of securing our online credentials. Both have their innate weaknesses, of course. Fingerprint reading, for one, can be alarming when it is stolen in the form of a mold as in the case of the test performed by SRLabs.
Although it is an innovative approach to security, offering more convenience and personal touch because all that is involved is a part of your body, but the strength of safeguard required can never be understated.
As imperfect as every technological advancement is, the S5’s fingerprint reader is just one example of how a lax security system is bound for failure. There are other alternatives to fingerprint scanning and password that are underway, such as Google’s USB-based security token. But even that is an unprecedented feature, leaving so many rooms for enhancement.
There is eventually a one-size-fits-all to all our online security needs. Nothing seems to be capable of complete security nowadays, not even the encryption. But the options we have so far are better than nothing at all, only that the onus of boosting their strength remains our responsibility in the end.
