Security researchers from SRLabs posted a video on YouTube demonstrating how they tricked the fingerprint scanner with a fake fingerprint made of wood glue. They stated in the video that the same approach was used against the iPhone 5s Touch ID last year. According to the researchers, fingerprints left by the owner on the phone can be photographed with a camera, giving an image of sufficient quality to print a usable mold. Wood glue is then poured into the mold, and the resulting replica is swiped on the scanner. After authentication, the attacker can use sensitive applications on the phone, such as PayPal. The video below shows how the security researcher managed to trick the fingerprint scanner and use PayPal.
PayPal responded to this video by issuing the following statement:
"PayPal never stores or even has access to your actual fingerprint with authentication on the Galaxy S5. The scan unlocks a secure cryptographic key that serves as a password replacement for the phone. We can simply deactivate the key from a lost or stolen device, and you can create a new one. PayPal also uses sophisticated fraud and risk management tools to try to prevent fraud before it happens. However, in the rare instances that it does, your eligible transactions are covered by our buyer protection policy."