Samsung's fingerprint bug could drain your bank account unless you take action

34comments
Samsung's fingerprint bug could drain your bank account unless you take action
The other day, we told you about an issue that affects the ultrasonic in-display fingerprint reader on several newer Samsung phones. The bug was discovered by a woman named Lisa Neilson in England. She had paid the equivalent of $3.45 USD to purchase a cheap silicone screen protector from eBay for her Galaxy S10. After properly covering the display with the protector, Lisa realized that she could unlock the device with her left thumb. That wouldn't be a big deal except for the fact that she never registered her left thumb with the biometric reader on her phone.

Neilson soon discovered that with this screen protector on her phone's display, anyone could unlock her handset using any finger. After investigating the situation, Samsung issued a statement noting that the in-display fingerprint scanner on the Galaxy S10, Galaxy S10+, Galaxy S10 5G, Galaxy Note 10, and Galaxy Note 10+ incorrectly view "three-dimensional patterns on certain silicone screen protecting cases as users' fingerprints." Samsung says that it will exterminate this bug with a future software update that could be rolled out as soon as this week.

The ultrasonic in-display fingerprint sensor is supposed to be more accurate and secure than the optical version. The latter uses light to verify a fingerprint and can be tricked by hi-res photos of a fingerprint. Yet, in this situation, it is the ultrasonic technology that is being fooled because of a cheap screen protector. And earlier this year, we told you that the image of a  fingerprint can be taken off of a surface and with a 3D printer, lead to the creation of an image that will trick an ultrasonic fingerprint scanner.

This bug can affect any app that you wouldn't want a stranger to open with a touch of a finger


Meanwhile, this issue opens the door for a bad actor to swipe one of the affected phones and make an unauthorized purchase using Samsung Pay. Any fingerprint will be verified allowing the purchase to go through. In the same vein, apps that require a fingerprint verification to open are now not secure. And that has led a couple of banking apps in the U.K. to take action to prevent their customers from getting swindled out of their hard-earned cash. Reddit posts (via Android Police) indicate that NatWest has removed its app from the Google Play Store for Galaxy S10 users. Once Samsung has corrected the problem, the banking app will return for all Android users. Nationwide Building Society has taken a more measured approach and has disabled the fingerprint log-in option from its app. Again, this action will be reversed once Samsung exterminates the bug. After Sammy's update is installed, those with an affected handset will need to re-register their fingerprints.


Interestingly, while this bug can also affect U.S. versions of the aforementioned phones, as far as we know no U.S. bank has made any announcement related to its app. Even if U.S. banks aren't concerned, if you own one of the Samsung Galaxy phones that have this bug, you might want to delete any banking app or disable the fingerprint sign-in option until Samsung's solution has been released. And this advice actually should be heeded by anyone anywhere who has one of these handsets and has a banking app installed on it. In fact, why stop at banking apps? If you trade stocks on your phone and use your fingerprints to log-in, you might soon discover a number of unauthorized trades on your account. Some way with malicious intent could steal your phone, slap a silicone screen protector on it, and possibly break into any app using their fingerprint.

Recommended Stories
Look at it this way. Any app that you would hate to see opened by a stranger's finger should either be uninstalled for the duration, or the fingerprint log-in should be disabled. The news here is that the two U.K. banking companies recognize the seriousness of the situation and are taking matters into their own hands to protect their customers.

What started out as a bizarre bug discovered by a woman in the U.K. has turned out to be something with the potential of being much more serious. If all goes well, this will just be a bad dream by the end of the week.
Create a free account and join our vibrant community
Register to enjoy the full PhoneArena experience. Here’s what you get with your PhoneArena account:
  • Access members-only articles
  • Join community discussions
  • Share your own device reviews
  • Build your personal phone library
Register For Free

Recommended Stories

Loading Comments...
FCC OKs Cingular\'s purchase of AT&T Wireless