The group says it used a camera-phone photo of a fingerprint on a smartphone screen to create a "fake finger" sheet out of a wood-glue mold. That allowed them to access the S5's home screen and even send money via the PayPal app, which uses fingerprint authentication.
The cost to build a Samsung Galaxy S5
"Samsung does not seem to have learned from what others have done less poorly," Security Research Labs said.
"Incorporation of fingerprint authentication into highly sensitive apps such as PayPal gives a would-be attacker an even greater incentive to learn the simple skill of fingerprint spoofing."
Samsung(SSNLF) did not immediately respond to a request for comment.
In a statement Tuesday PayPal said it took the SRL findings "very seriously," but was "still confident that fingerprint authentication offers an easier and more secure way to pay on mobile devices than passwords or credit cards."
The company says it can quickly deactivate fingerprint keys on lost or stolen devices, and that users are covered in case of fraud by its purchase protection policy.