Banks move to contain impact of Samsung biometric flaw

NatWest has temporarily blocked some Samsung users from being able to download or use its mobile banking app, and building society Nationwide has restricted a number of features of its own, after the disclosure of a flaw in how certain Samsung devices detect user fingerprints to unlock themselves.

This follows in the footsteps of South Korea’s online-only KakaoBank, which has told users to switch to different methods of authentication while they await a fix. According to Reddit users, at least one Israeli bank has also taken action.

The vulnerability centres on the ultrasonic fingerprint scanners used on Samsung’s Galaxy S10, S10+ and S10 5G devices, as well as its Note 10 and 10+ devices, which have been shown to unlock devices after recognising 3D patterns appearing on a number of after-market silicone screen protectors as user fingerprints.

Samsung confirmed the issue on Friday 18 October 2019, and advised any users of those devices who use screen protector covers to remove them, delete any previous fingerprints, and re-register their biometrics. Users should also refrain from using their covers until the devices can be patched.

NatWest’s social media team responded to users on Twitter, asking why they were unable to access banking services using its mobile app.

“We’ve removed the app from the Play Store for customers with Samsung S10 devices,” it said. “This is due to reports that there are security concerns regarding these devices. We hope to have our app available again shortly once the issue has been resolved.”

A Nationwide spokesperson said: “We are aware of reports in the news that suggest Samsung S10 devices with a screen protector can be unlocked with any fingerprint. While we are confident in the security measure we have in place, we know some of our members have this device and may use TouchID to access their banking app. That is why we have placed warnings on the app alerting of the issue and suggesting they may want to consider turning TouchID off until a fix is in place from Samsung.”

Samsung said its software update was likely to come in the next few days. “Once updated, please be sure to scan your fingerprint in its entirety, so that all portions of your fingerprint, including the centre and corners have been fully scanned,” it said in a statement. Some devices are already receiving this patch as part of an over-the-air (OTA) update.

Although it’s unlikely this particular flaw has been seriously exploited by cyber criminals, the incident serves to highlight some concerns about the use of biometrics as a method of identity and access management (IAM).

While helpful to some extent as an element of a multi-factor authentication solution, the use of biometrics is not without its own risks.

Writing on Computer Weekly’s sister site SearchMobileComputing in September 2019, US-based consultant Robert Sheldon highlighted some of these risks.

Sheldon said malicious actors could, for example, lift impressions of user’s fingerprints from glass, door handles or smartphones, that they could then use to spoof a device’s fingerprint reader. Malicious actors could potentially fool facial recognition systems by piecing together photos of their target available online, which plays into wider concerns about deepfakes.

Biometrics also rely heavily on the physical features of the user remaining constant, said Sheldon, which is not always the case if a user is injured, ill, has undergone dramatic weight loss, or even has a paper cut on their forefinger, for example.

Consumers in the UK are however reported to be broadly in favour of the use of fingerprints as a means to prove their identity.