Gummy Bears can be used by hackers to make a counterfeit fingerprint to fool your scanner29
In essence, a hacker could post a fake lock screen on a phone and while the phone owner thinks he is using his fingerprint to unlock the device, the hacker could really be stealing a copy of the user's fingerprint for future use. FireEye's Zhang says that every time the phone's owner touches the fingerprint sensor, his print can be stolen. A Stolen print can be used to authorize a transaction requiring verification, making this a potentially expensive problem.
With more and more handsets employing a fingerprint scanner, this could turn into a major issue. Zhang and Wei are giving a talk on Friday at the RSA Security conference in San Francisco and have released in advance some of the slides that they will use for their presentation. As one of the slides points out, if your password falls into the wrong hands, a new one can be created. But if your fingerprint falls into the wrong hands (so to speak), that is a problem that can last with you for the rest of your life.
The scary thing is that fingerprints can be taken from smooth surfaces like a glass or a touchscreen. Prints can even be extracted from a picture of a person waving his hand. Touch ID can be tricked into accepting counterfeit fingerprints made using Gummi Bears. Considering that Touch ID is an important part of verifying a user's identification when using Apple Pay, this vulnerability will need to be addressed by Apple as well as other companies offering a smartphone with a fingerprint scanner.
FireEye suggests that users stick to mobile device vendors that update often. Make sure that your phone is updated every time one is offered, and install apps from reliable sources. Lastly, if you are an enterprise or government user, seek out professional help to get protection from such hackers.
source: RSAConference via TheRegister