Samsung's fingerprint bug could drain your bank account unless you take action

The other day, we told you about an issue that affects the ultrasonic in-display fingerprint reader on several newer Samsung phones. The bug was discovered by a woman named Lisa Neilson in England. She had paid the equivalent of $3.45 USD to purchase a cheap silicone screen protector from eBay for her Galaxy S10. After properly covering the display with the protector, Lisa realized that she could unlock the device with her left thumb. That wouldn't be a big deal except for the fact that she never registered her left thumb with the biometric reader on her phone.

Neilson soon discovered that with this screen protector on her phone's display, anyone could unlock her handset using any finger. After investigating the situation, Samsung issued a statement noting that the in-display fingerprint scanner on the Galaxy S10, Galaxy S10+, Galaxy S10 5G, Galaxy Note 10, and Galaxy Note 10+ incorrectly views "three-dimensional patterns on certain silicone screen protecting cases as users' fingerprints." Samsung says that it will exterminate this bug with a future software update that could be rolled out as soon as this week.

The ultrasonic in-display fingerprint sensor is supposed to be more accurate and secure than the optical version. The latter uses light to verify a fingerprint and can be tricked by hi-res photos of a fingerprint. Yet, in this situation, it is the ultrasonic technology that is being fooled because of a cheap screen protector. And earlier this year, we told you that the image of a fingerprint can be lifted off a surface and, with a 3D printer, used to create an image that will trick an ultrasonic fingerprint scanner.

This bug can affect any app that you wouldn't want a stranger to open with a touch of a finger


Meanwhile, this issue opens the door for a bad actor to swipe one of the affected phones and make an unauthorized purchase using Samsung Pay. Any fingerprint will be verified, allowing the purchase to go through. In the same vein, apps that require fingerprint verification to open are no longer secure. And that has led a couple of banking apps in the U.K. to take action to prevent their customers from getting swindled out of their hard-earned cash. Reddit posts (via Android Police) indicate that NatWest has removed its app from the Google Play Store for Galaxy S10 users. Once Samsung has corrected the problem, the banking app will return for all Android users. Nationwide Building Society has taken a more measured approach and has disabled the fingerprint log-in option from its app. Again, this action will be reversed once Samsung exterminates the bug. After Sammy's update is installed, those with an affected handset will need to re-register their fingerprints.


Interestingly, while this bug can also affect U.S. versions of the aforementioned phones, as far as we know no U.S. bank has made any announcement related to its app. Even if U.S. banks aren't concerned, if you own one of the Samsung Galaxy phones that have this bug, you might want to delete any banking app or disable the fingerprint sign-in option until Samsung's solution has been released. And this advice actually should be heeded by anyone anywhere who has one of these handsets and has a banking app installed on it. In fact, why stop at banking apps? If you trade stocks on your phone and use your fingerprints to log in, you might soon discover a number of unauthorized trades on your account. Someone with malicious intent could steal your phone, slap a silicone screen protector on it, and possibly break into any app using their fingerprint.

Look at it this way. Any app that you would hate to see opened by a stranger's finger should either be uninstalled for the duration, or the fingerprint log-in should be disabled. The news here is that the two U.K. banking companies recognize the seriousness of the situation and are taking matters into their own hands to protect their customers.

What started out as a bizarre bug discovered by a woman in the U.K. has turned out to be something with the potential of being much more serious. If all goes well, this will just be a bad dream by the end of the week.


34 Comments

1. toukale

Posts: 668; Member since: Jun 10, 2015

Oh boy, not again.

2. denmcdon

Posts: 91; Member since: Jun 07, 2009

Expect an update in about 2 months

30. tbreezy

Posts: 123; Member since: Aug 11, 2019

2 months if you are lucky, some may wait longer

4. MsPooks

Posts: 214; Member since: Jul 08, 2019

It's not a bug. You literally have to have the screen protector in question and register ITS pattern by applying it to your screen during fingerprint registration. Unless you've registered the protector's pattern like the lady did, your phone, and every app that uses fingerprint authentication, is as safe as ever.

9. Alan01

Posts: 640; Member since: Mar 21, 2012

Samsung itself is sending an update to fix what it says is causing "three-dimensional patterns on certain silicone screen protecting cases as users' fingerprints." Sure sounds like a bug to me. Regards, Alan

10. Dr.Phil

Posts: 2482; Member since: Feb 14, 2011

I don’t think you understand how it works. The fingerprint can be registered BEFORE applying the screen protector and it can still be fooled after application. https://youtu.be/e-uG8ZO28hU This guy tested it himself. Take a look.

17. CTHR100

Posts: 24; Member since: May 12, 2017

But they then need a similar screen protector on the device for it to be fooled. If you're using a Samsung screen protector or other higher quality screen protector it is fine. Is this an issue? Yes. Is it something being blown out of proportion by blogs? Yes. It will get fixed.

21. Dr.Phil

Posts: 2482; Member since: Feb 14, 2011

I am willing to bet that the overwhelming majority of consumers use cheap screen protectors. And I think the fact that this issue has potentially been around for 6 months or longer is the reason a lot of these blogs are blowing this up. It's no different than when it was discovered that the iPhone X could be unlocked by similar looking individuals and the resulting press on that. I will say it's a good thing no bad actors used this flaw to their advantage - most likely due to the fact that they themselves were unaware of it. However, anytime a flaw like this is discovered you have the potential for those individuals to act on the new information. I also believe the reason this is blowing up is that it shows that the under-the-screen fingerprint sensor is perhaps not as reliable as the old method. I know there have been people that have questioned how secure something like Face Unlock is versus the tried and true method of fingerprint scanning. In fact, just recently, people were upset with Google for not offering a fingerprint scanner for the Pixel 4. So this brings up points for that debate to happen.

25. sachouba

Posts: 267; Member since: Jun 08, 2014

Does the screen protector need to have been used for some time by the owner of the phone (to have their fingerprint "printed" onto it)?

26. cmdacos

Posts: 4313; Member since: Nov 01, 2016

There looks to be a screen protector on the screen already. There is peeling on the lower right side. Looks to me like the fps was registered with the screen protector on.

32. slashas

Posts: 146; Member since: Jul 17, 2017

Not quite true, you can register a finger without the screen protector and just apply it after and any finger can open your phone, there are multiple videos even just covering the screen with a TPU sheet and any finger can open your phone which isn’t registered.

6. Rafishant

Posts: 402; Member since: Oct 13, 2015

Would there be any risk to my bank accounts if my S10+ doesn't have a screen protector and I'm the only user??

15. Vokilam

Posts: 1347; Member since: Mar 15, 2018

Yes, because I can steal your phone, apply a cheap protector on and access your phone, your bank app, and anything else that requires your FP to access. You don’t have to apply a screen protector - the thief will do that himself.

18. CTHR100

Posts: 24; Member since: May 12, 2017

That's if the thief can get a hold of the phone. And also, it is dependent on the person not changing the lock settings after the phone has been taken.

22. Vokilam

Posts: 1347; Member since: Mar 15, 2018

The problem is that it’s not a hack - like usual problems with security today - but it is a hardware problem that can hopefully be fixed with software. So yes it does require physical access, but unlike the expensive machines that break into phones over days or weeks, this takes a few moments and about $3.00 USD.

24. Cicero

Posts: 1144; Member since: Jan 22, 2014

If you have had your phone stolen, please do a factory reset remotely ASAP. With Google's Find My Device or Bitdefender app, my case, or whatever security app you may have.

27. cmdacos

Posts: 4313; Member since: Nov 01, 2016

No, you can't.

7. pupkin

Posts: 150; Member since: Feb 04, 2015

Disappointing, disable the fingerprint sensor for the meantime and use password instead.

8. Locked-n-Loaded

Posts: 42; Member since: Sep 13, 2019

They have SOOOO many blunders, it's borderline absurd.

12. Poptart2828

Posts: 459; Member since: Jan 23, 2018

So should I worry if I don't have a screen protector installed and my phone never gets touched by anyone let alone strangers? Seems like a lot of things need to happen before your bank accounts get flushed.

14. stferrari

Posts: 64; Member since: Dec 15, 2014

Poptart2828 you have your finger on the pulse of the situation (pun intended). By the time most of the required variables come together to allow the hack mated with the fact you don't allow your phone to be fondled by strangers, the fix will probably be in place. You can bet Samsung will be all over this issue like stink on you know what. As Douglas Adams wrote "don't panic".

19. Tizo101

Posts: 597; Member since: Jun 05, 2015

Samsung is a big enough company to get criticized for this...

28. cmdacos

Posts: 4313; Member since: Nov 01, 2016

Clickbait if you don't use screen protectors.

33. slashas

Posts: 146; Member since: Jul 17, 2017

Give me your phone and I will open your phone by applying a cheap screen protector and my finger, please read more carefully how the hack works ;)

35. darkkjedii

Posts: 31529; Member since: Feb 05, 2011

This is an issue Samsung should be immediately addressing, just like they are. It also shouldn't have happened, and they deserve any and all criticism they get. Bad on you Samsung.

36. Rahulkaw001

Posts: 32; Member since: Oct 22, 2019

It is a very serious issue

* Some comments have been hidden, because they don't meet the discussions rules.
