Samsung Galaxy S5 and PayPal Hack is an Inconvenience but Not a Major Security Flaw

News broke last week that security researchers from SR Labs had been able to hack the fingerprint sensor on Samsung's Galaxy S5, allowing them to conduct PayPal transactions from the device. Whilst this may be alarming to some, it should not be seen as a major security flaw, for several reasons.

Firstly, as with any biometric solution, these are implemented to increase security, and very few are completely foolproof, particularly in a standalone implementation. The Galaxy S5's implementation still does this, and whilst a workaround has been found, not many people have the know-how and capability to use a camera phone image of a latent print to create a mould from wood glue that the scanner will then read. This immediately reduces the level of risk by narrowing the field of potential hackers, especially when you consider that this had to be conducted under laboratory conditions. And, as with any system, if someone really wants in then there is little you can do to stop them - you simply make it as difficult as possible.

Secondly, there are still measures to shut down the device or lock out certain functionality. This can be done via the PayPal app or through the mobile connection and service provider. Both of these limit the timeframe in which a device can be exploited.

Thirdly, the level of information accessible is limited. Furthermore, with secure elements and trusted execution environments featuring in more devices, the fingerprint sensor is simply the first layer of hardware-based security in mobile devices. Software and back-end analytics can further aid this by detecting and acting upon any abnormal or suspicious usage.

This isn't the first case: Apple's iPhone 5S was subject to a similar hack after its release last year. When both devices were announced, my own view was that this was an interesting development, but not primarily one relating to security. Fingerprint sensors do add security, but the bigger benefit is that they enable a more convenient and quicker way for users to access applications and authenticate themselves to authorise transactions. Samsung took this further and worked with PayPal to incorporate this capability into the app. It may not solve all problems, but for mass market consumer applications it appeals to end-users and, when all is said and done, it still increases security whilst making the service better to use. And we can't ask for much more than that.