Millions of smartphone users have been warned that hackers could bypass their facial recognition security feature and steal their data.
Mobile phones made by the likes of Samsung, Motorola and Nokia have face unlock systems that can be ‘tricked’ by a printed 2D image of the owner’s face.
That’s according to consumer experts at Which?, who warn that this flaw could lead to criminal exploitation of people’s personal information.
Facial recognition is often used as a security feature in smartphones, and is recognized as one of the safest ways to protect data.
But the flaw could allow scammers to bypass the screen lock on certain Android phones and access apps that contain a range of sensitive information.
Since August 2022, Which? has sent 48 new smartphones to the lab for testing. Of these, 19 (40%) could easily be spoofed with a photo to get past the lock screen and gain access to the phone.
The photos of the registered user were not particularly high resolution and were printed on a standard office printer on normal paper.
Most of the phones that failed this simple biometric test by Which? are at the cheaper to mid-range end of the market, with prices starting at £89.99 for the Motorola Moto E13, but the list also includes more expensive handsets, such as the Motorola Razr 2022, which launched at £1,000 (£949.99).
Xiaomi has seven phones that can be exploited, while Motorola has four. Nokia, Oppo and Samsung have two each, and Honor and Vivo have one affected model each.
This has raised concerns over certain apps on these phones, such as Google Wallet, which allows people to pay for things with an electronic version of their bank card.
People in the UK can make contactless payments with Google Wallet up to £45 without having to unlock the phone.
Google told Which? that for larger transactions, users should use a more secure Class 3 biometric unlock. This means that people using the models flagged by Which? cannot complete transactions over £45 if facial recognition is used to unlock the phone.
But by using a 2D image, scammers can access important information in this app.
The registered cards tell the scammer who the person banks with, and can reveal the last 4 digits of their card numbers.
The app may also contain information about recent transactions, such as where users shopped and how much they paid, which may help a scammer answer security questions.
All the Apple phones Which? tested passed the spoofing test. Apple’s Face ID is a more robust system that uses sensors to create a 3D depth map of your face.
This may be why many banking apps only allow facial recognition as a security measure on Apple iPhones.
Lisa Barber, Which? Tech Editor, said: “It’s unacceptable that brands are selling phones that can be fooled with a 2D image, especially if they don’t inform their customers of this vulnerability. Our findings have really worrying implications for people’s security and susceptibility to scams.
“We strongly advise anyone using these phones to turn off facial recognition and use the fingerprint sensor, a strong password or a long PIN instead.
“This should be a wake-up call for manufacturers – they need to strengthen and improve the security of their biometric systems against counterfeiting.”