Gummy Bears can be used by hackers to make a counterfeit fingerprint to fool your scanner

According to a report published on Thursday, smartphone users who employ a device with a fingerprint scanner are in danger of having their fingerprints stolen from their handset. That could lead to financial and other transactions taking place without the approval of a phone's owner. When the user of a phone like the Samsung Galaxy S5 touches the fingerprint scanner, the print is compared to the one stored in the phone to see if there is a match. Yulong Zhang and Tao Wei of security firm FireEye say that they have discovered a way for hackers to obtain a phone user's fingerprint information whenever a fingerprint is being scanned on a handset.

In essence, a hacker could post a fake lock screen on a phone and while the phone owner thinks he is using his fingerprint to unlock the device, the hacker could really be stealing a copy of the user's fingerprint for future use. FireEye's Zhang says that every time the phone's owner touches the fingerprint sensor, his print can be stolen. A Stolen print can be used to authorize a transaction requiring verification, making this a potentially expensive problem.

With more and more handsets employing a fingerprint scanner, this could turn into a major issue. Zhang and Wei are giving a talk on Friday at the RSA Security conference in San Francisco and have released in advance some of the slides that they will use for their presentation. As one of the slides points out, if your password falls into the wrong hands, a new one can be created. But if your fingerprint falls into the wrong hands (so to speak), that is a problem that can last with you for the rest of your life.

The scary thing is that fingerprints can be taken from smooth surfaces like a glass or a touchscreen. Prints can even be extracted from a picture of a person waving his hand. Touch ID can be tricked into accepting counterfeit fingerprints made using Gummi Bears. Considering that Touch ID is an important part of verifying a user's identification when using Apple Pay, this vulnerability will need to be addressed by Apple as well as other companies offering a smartphone with a fingerprint scanner.

Consider a situation where you might think that you are merely swiping your finger on your phone's touchscreen in order to unlock it. In actuality, you might be authorizing the wire transfer of a large sum of money to an account that you are not familiar with. And instead of confusing users in order to get them to mistakenly approve a transaction, some hackers will embed false fingerprints into a user's account so that they can approve an illicit transaction over the unsuspecting victim's handset.

FireEye suggests that users stick to mobile device vendors that update often. Make sure that your phone is updated every time one is offered, and install apps from reliable sources. Lastly, if you are an enterprise or government user, seek out professional help to get protection from such hackers.


source: RSAConference via TheRegister