What Can Scammers Do if They Steal Your Fingerprints?
We’ve all heard that our fingerprints are unique. No two people have the same pattern. So, it only makes sense that we would use them to secure our most sensitive accounts, devices, and information.
When you use your fingerprint to unlock your phone, you’re using what’s called biometric security. Unlike a password that can be hacked, given up in a phishing scam, or stolen and leaked to the Dark Web, biometric information is much harder to steal.
As far as types of identity theft go, fingerprint hacking is difficult to pull off. But it’s not impossible.
Hackers have found ways to bypass biometric authentication and even steal your fingerprints.
Once they do, they’re able to access your most sensitive and vulnerable information. This includes digital wallets and bank accounts, as well as your SSN, date of birth, and other data that can be used for identity fraud.
In this guide, we’ll cover how hackers steal fingerprints, what can happen if they’re stolen, and how you can keep your devices and accounts secure and safe.
Is Your Fingerprint Really More Secure Than a Password?
Fingerprint ID uses a fingerprint scanner to verify your print against the fingerprint image stored on file. It’s sort of like a key in a lock. If the key you put in doesn’t match the shape of the lock, it won’t open.
But unlike a key, your fingerprint is physically attached to your body. So you can’t accidentally lose it or have it stolen. Hackers can’t trick you into giving it up as easily as they can with passwords and other personally identifiable information (PII).
Here are a few other reasons why a fingerprint is a secure way to safeguard your accounts and devices:
- Your fingerprints are non-transferable. You can’t share your prints with friends, family, or work colleagues. This also means that you, and only you, are responsible for maintaining the security of your accounts.
- Fingerprints are a single “code” for all your accounts. Many people don’t want to memorize long, complicated passwords, so they reuse the same one for all accounts. But this means if one account gets hacked, all your accounts are at risk. Your fingerprint is a single “code” that can be used across devices and accounts.
- Fingerprint identification is an almost foolproof secondary identification method. If you enable fingerprint ID as part of two-factor authentication (2FA), it makes your accounts especially secure. Hackers need both a password and your fingerprint in order to gain access.
- Fingerprint authentication is simple. You’re more likely to use a security measure that’s easy to use. Nearly half of people don’t even use a password to lock their phone [*].
Fingerprints aren’t the only physical attribute you can use for biometric identification. You can also use facial recognition, iris scans, and in some cases, physical behaviors — like how you move or talk.
But the uniqueness of biometric technology is also its downfall. You can always update a hacked password. But if someone steals your fingerprints, they’re potentially compromised forever.
How Do Fingerprints Get Hacked?
No form of biometric authentication is entirely secure. If a hacker wants to steal your fingerprints, they have methods of getting them.
As long as a hacker has direct access to your fingerprints (either in person or from a data breach) and the right tools, they can duplicate your prints.
The good news is that the trouble of stealing your fingerprint data makes it a lower-value target than other sensitive data like your health care information, Social Security numbers, or bank account password.
It’s more likely that a hacker wants to target a specific individual to fulfill a very specific goal. For example, they may want to gain access to a specific device or building that uses a fingerprint scanner as a security measure.
So how do hackers “steal” your fingerprints? Here are the three methods they can use (and how to protect yourself):
1. “Spoofing” prints with a synthetic fingerprint
If a hacker has access to your fingerprint data they can potentially create a copy and “spoof” biometric security systems.
The Kraken Security Labs team demonstrated how hackers can use a fingerprint photo to create a synthetic print. The only requirements for this technique are access to Photoshop, acetate paper, a laser printer, and wood glue. The kicker is that the team proved it only takes $5 to do this.
What’s more, a majority of fingerprint readers only read partial prints. This is why smartphones take multiple photos when you first enable fingerprint verification. So, a hacker doesn’t need a perfect, complete print to hack a fingerprint reader. A partial fingerprint will often do the trick.
How to protect yourself: Unless you wear gloves constantly, it’s pretty much impossible not to leave fingerprints out in the world. But the good news is that this technique is time-consuming and often difficult to replicate.
The hacker needs direct access to your prints, they can only target one individual at a time, and the prints have to be “clean” (i.e., undistorted).
2. Data breaches at biometric databases and security companies
In 2019, a major data breach at a security company used by banks, the police, and defense firms leaked the fingerprints and other biometric data of over a million people [*].
As with most data breaches, hackers don’t always need sophisticated cyber attacks like malware to bypass a company’s cybersecurity. Often, they only need to trick an employee into giving them access through phishing emails or other social engineering attacks.
How to protect yourself: Be cautious about who you share your biometric data with. It’s much safer to keep your fingerprints stored locally on a device (like your phone) rather than with an external biometric systems provider.
Unfortunately, this is getting harder to do as governments and smart cities start collecting more biometric data. For example, the Dubai airport uses a face scanning “tunnel” equipped with 80 cameras to scan departing passengers [*].
You can check to see if your information has been leaked to the Dark Web using Aura’s Identity Guard Dark Web scanner.
3. Using a 3D printer to hack a fingerprint scanner
Hackers can also create fake fingers to fool more sophisticated fingerprint scanners.
In 2016, a researcher used a 3D printer to create a mold of a fingerprint as part of a police investigation [*]. After grafting it onto a prosthetic finger, his lab successfully used the recreated fingerprint to unlock a phone.
Although this method is expensive, it’s not unlikely that a motivated hacker with the right tools can achieve the same results.
How to protect yourself: Again, the only way to completely secure your fingerprints is to make sure no one has access to them. Store them locally and not with companies that could get hacked.
Can Hackers Steal Your Identity With Your Fingerprints?
The short answer is, yes.
For most people, the greatest danger of fingerprint theft is identity fraud.
Stolen fingerprints can be used to access secure devices like your phone or laptop. Once a hacker is in, they can commit different types of fraud, including:
- Financial fraud from digital wallets and online banking. Hackers can use your fingerprints to unlock digital wallets or access credit card and bank account details. They can also buy items under your name if you’ve saved your payment information on sites like Amazon.
- Identity theft from hacked emails and other accounts. Your inbox on your phone probably doesn’t have a separate password. This means hackers can access any information in your emails or even receive password reset emails.
- Benefits fraud from government sites. If you’ve saved your login information for government sites (like the IRS), hackers can access these and commit tax or unemployment fraud.
- Medical identity theft. Your device might also have medical information that hackers can use to steal your health insurance benefits or sell on the Dark Web.
- Extortion from accessing sensitive photos and documents. If you have personal data or photos on your devices, hackers can use these to extort money or access to other accounts from you. Or, they could leak them online, like in the famous celebrity photo hacks.
Hackers can also use stolen fingerprints to access secure offices and buildings and steal company data or physical items.
There are also luxury residences that use fingerprints to verify the identity of every person entering. Once a hacker is able to replicate your fingerprints, they can bypass any security systems that use your fingerprints as an identity verification tool.
How To Secure Your Devices and Accounts From Hackers
Just because fingerprint-based ID can be hacked doesn’t mean it can’t make your devices and accounts more secure.
Here are a few ways to take advantage of biometrics to keep hackers out of your accounts:
Use multiple forms of identity verification (2FA/MFA)
Biometric authentication, like fingerprint scanning, facial recognition, or retinal scans, is only one of the three main types of identity verification that security experts suggest. The three types are:
- Something you know. These are passwords, PINs, or special knowledge (like your mother’s maiden name or other security questions). Using strong passwords and a password manager makes these much more secure.
- Something you have. These are physical objects that you have access to, such as a key, smart card, or one-time use code that’s sent to your phone. For special codes, consider an authenticator app instead of using SMS, as hackers can bypass this if they have your phone.
- Something you are. This includes biometric information such as your fingerprints, eyes, or other biometric readings.
Most of us are used to using one of these types of identifiers (like a password or a fingerprint). For example, you unlock your iPhone or Android device with your fingerprints or by scanning your face.
But using multiple forms of identity verification (for example, a password and a fingerprint) makes accounts and devices much harder to hack.
This is what’s called two-factor or multifactor authentication. Even if a hacker has access to your phone and gets past your PIN, it’s hard for them to bypass an additional step that requires your fingerprint or uses a special code that’s sent to your email.
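An added example (not from the original article): a small policy check showing that two methods only count as multifactor when they come from different categories, and that a fingerprint known to be leaked no longer counts toward the total. The method names and the `compromised` set are assumptions made for illustration.

```python
from dataclasses import dataclass

# The three factor categories listed above.
KNOW, HAVE, ARE = "something you know", "something you have", "something you are"

# Hypothetical method names mapped to their category (illustrative, not a standard list).
CATEGORY = {
    "password": KNOW, "pin": KNOW, "security_question": KNOW,
    "sms_code": HAVE, "authenticator_app": HAVE, "smart_card": HAVE,
    "fingerprint": ARE, "face": ARE, "iris": ARE,
}

@dataclass
class Decision:
    allowed: bool
    reason: str
    warnings: tuple = ()

def evaluate_login(presented, compromised=frozenset()):
    """Decide whether the methods verified in one login amount to real MFA.

    presented:   method names verified during this login
    compromised: methods known to be exposed, e.g. a fingerprint leaked in a breach
    """
    unknown = sorted(m for m in presented if m not in CATEGORY)
    if unknown:
        return Decision(False, "unrecognised method(s): " + ", ".join(unknown))
    # A leaked biometric cannot be rotated, so it stops counting as a factor.
    usable = [m for m in presented if m not in compromised]
    categories = {CATEGORY[m] for m in usable}
    warnings = []
    dropped = sorted(set(presented) & set(compromised))
    if dropped:
        warnings.append("ignored compromised method(s): " + ", ".join(dropped))
    if "sms_code" in usable:
        warnings.append("SMS code is readable by whoever holds the phone; prefer an authenticator app")
    if len(categories) < 2:
        return Decision(False, f"only {len(categories)} distinct factor category", tuple(warnings))
    return Decision(True, "two or more distinct factor categories", tuple(warnings))

if __name__ == "__main__":
    # Constructed sample logins.
    print(evaluate_login(["password", "security_question"]))            # same category twice
    print(evaluate_login(["password", "fingerprint"], {"fingerprint"}))  # leaked print
    print(evaluate_login(["password", "authenticator_app"]))
```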
Don’t give out biometric information to companies
Your fingerprints and biometric data are only as safe as the location they’re stored in. If a company that’s storing your fingerprints or facial ID gets hacked or hit with a cyber attack, that information is likely to end up for sale on the Dark Web.
Whenever a company asks for biometric information, ask why they need it, how it will be stored, and how they protect it. It’s much safer to store this information locally. For example, Apple’s iPhone and computers keep your fingerprint info on the device, not a central server.
And remember, you can always check to see if your personal information has been compromised using Aura’s Identity Guard Dark Web scanner.
Use a privacy screen on your devices
Fingerprints and biometric information can be more secure than passwords and PINs in many cases. If you’re using your phone or laptop in public and type in your passcode, someone can shoulder surf and watch you enter it.
If you’re using a password instead of or in combination with your fingerprint, make sure you keep it private. Use a privacy screen on your phone or tablet so people can’t easily see what you’re typing.
Sign up for identity theft protection that monitors your accounts
It’s impossible to completely secure your devices and accounts from hackers. And if they get in, they can do serious damage to your financial accounts and identity.
An identity theft protection service monitors your accounts for signs of fraud and alerts you so you can shut down an identity thief.
For example, with Aura’s identity theft protection, you get:
- Financial account monitoring and fraud alerts that are 4X faster than the competition. We monitor your bank accounts, credit cards, and credit report for signs of fraud. If a criminal tries to open new accounts, spend your money, or take out loans in your name, we’ll alert you in near-real time.
- Identity theft protection including online account and SSN monitoring. Aura alerts you if your online accounts are compromised and helps you store secure passwords. We also help reduce the amount of spam emails and calls you get.
- Device and Wi-Fi protection including phishing and malware. Aura protects your devices from hackers with military-grade encryption and network security. We’ll also alert you of potential phishing sites and keep your devices safe from viruses and malware.
- 24/7 U.S.-based support and White Glove Fraud Resolution. We’re around for any questions or concerns and can walk you through the steps of how to recover after your identity is stolen.
- A $1,000,000 insurance policy for eligible losses due to identity theft. If the worst happens, you’re covered for eligible losses, legal fees, and lost wages.
Were You the Victim of Biometric Identity Theft? Do This
Being a victim of biometric identity theft is not easy to deal with. Unfortunately, the most troubling part of having your fingerprints stolen is that, unlike a password, you can’t change them. Once your biometric data is stolen, it’s gone.
If you think you’re a victim of identity theft, here are some steps you can take:
Look for the warning signs of identity theft
The best way to protect yourself from identity theft is to learn to recognize the warning signs so you can act fast.
Keep track of your financial statements with diligence and make sure you review each line item in the statement. If you see suspicious activity, you should report the activity immediately.
Additional signs of identity theft include:
- New inquiries from creditors on your credit report.
- Unauthorized activity on your financial statements.
- Receiving bills from service providers you’re unfamiliar with.
- Random calls from debt collectors without warning.
Report the identity theft to local law enforcement
If there’s even a little bit of doubt that you’re a victim of identity theft, go to your local law enforcement agency and file a police report immediately. In some cases, your local police station may recommend filing a report with the Federal Bureau of Investigation (FBI).
File an official identity theft report with the FTC
You should also file a report with the Federal Trade Commission (FTC) through IdentityTheft.gov. An FTC report is essential for disputing fraudulent charges. They’ll also help you set up a personalized recovery plan.
Review your credit report and consider a credit freeze
It’s critical that you review your credit report for fraudulent transactions after identity theft. You should also contact all three credit bureaus — TransUnion, Equifax, and Experian — so they can place a fraud alert on your credit report.
You can also freeze your credit to prevent others from opening accounts in your name, since a creditor won’t be able to access your credit file. Freezing, and unfreezing, your credit is free of charge.
Pro Tip: Use a credit monitoring service to automatically alert you of potential fraud. Aura monitors your accounts and credit report for any suspicious activity and alerts you 4X faster than the competition.
Update all your passwords and set up 2FA
If your biometric information has been compromised, you need to rely on passwords and other security measures. Make sure all your accounts use long, complicated passwords that combine letters, numbers, symbols, and cases.
The Bottom Line: Fingerprint Identity Theft Can Happen
Fingerprint ID is convenient. But like all security measures, there’s no way for it to be 100% secure.
To keep your devices and accounts safe from hackers, consider signing up for Aura.
We’ll track and monitor all your most sensitive information, so you don’t have to worry that someone is stealing your identity.