Technology

Hackers are bypassing fingerprint scanners to steal your identity

Published

9 months ago

May 25, 2025

Hackers are bypassing fingerprint scanners to steal your identity

Fingerprint sensors have been around for quite some time, and they’ve become a standard feature in most smartphones. Apple introduced Touch ID on the iPhone 5s in 2013. Since then, it has appeared on 12 major iPhone models (and some iPads as well).

Though Apple removed it from most phones after the iPhone 8, it’s still found in the iPhone SE series. On the flip side, almost every Android phone on the market has a fingerprint scanner. But are fingerprint scanners impossible to bypass? Frank from Deerton, Michigan, asked a similar question that I want to highlight and address because it helps all of us:

“Can a website be hacked/compromised with password and fingerprint protection (multiple verification)?”

I get what you’re saying, Frank. You’d think that since a fingerprint scanner literally requires your fingerprint, it couldn’t be bypassed. But you’d be wrong. While fingerprint scanners are generally more secure than facial recognition and passwords, they’re not foolproof. In fact, there are several ways bad actors can bypass them to steal your identity.

Join The FREE CyberGuy Report: Get my expert tech tips, critical security alerts and exclusive deals — plus instant access to my free Ultimate Scam Survival Guide when you sign up!

A smartphone on a table (Kurt “CyberGuy” Knutsson)

5 ways bad actors can bypass fingerprint scanners

There are multiple ways hackers use to bypass fingerprint scanners. Below, I will discuss five of the more prominent methods.

1. Masterprints and DeepMasterPrints

Hackers exploit the concept of “masterprints,” which are fingerprints engineered to match multiple individuals’ prints. Researchers at NYU Tandon developed “DeepMasterPrints” using machine learning to generate synthetic fingerprints that can deceive sensors by mimicking common fingerprint features. These artificial prints can match with a significant percentage of stored fingerprints, especially on devices with less stringent security settings.

2. Forged fingerprints using 3D printing

Another trick hackers use is making fake fingerprints. They can lift prints off things you’ve touched and then use stuff like fabric glue or even 3D printers to make molds. For example, researchers at Cisco Talos tried out a bunch of different ways to do this using 3D printing and tested them on phones like the iPhone 8 and Samsung S10; laptops like the Samsung Note 9, Lenovo Yoga and HP Pavilion X360; and even smart gadgets like padlocks.

On average, the fake fingerprints worked about 80% of the time. They were able to fool the sensors at least once. Interestingly, they couldn’t crack the biometric systems on Windows 10 devices, but they pointed out that doesn’t necessarily mean those are more secure. It just means this particular method didn’t work on them.

19 BILLION PASSWORDS HAVE LEAKED ONLINE: HOW TO PROTECT YOURSELF

3. Brute force attacks via BrutePrint

Attackers have found a cheap way to break into smartphones by brute force fingerprint authentication. The method, called BrutePrint, lets attackers get around the usual limits that stop too many failed fingerprint attempts. It works by taking advantage of two previously unknown flaws in the fingerprint system. These flaws, named Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL), exist because of weak protection for fingerprint data on a part of the hardware called the Serial Peripheral Interface (SPI).

Basically, BrutePrint uses a hardware-based man-in-the-middle attack to hijack fingerprint data. It sits between the fingerprint sensor and the phone’s secure area (called the Trusted Execution Environment) and tries as many fingerprint images as needed until it finds a match. The relieving part is that the attacker needs to have physical access to the phone for this method to work.

4. Side-channel attacks with PrintListener

PrintListener is a side-channel attack that captures the sound of a finger swiping on a screen to extract fingerprint features. It might sound like something out of a sci-fi movie, but researchers have already built a proof of concept. By analyzing the friction sounds, attackers can reconstruct fingerprint patterns, potentially enhancing the effectiveness of masterprint attacks.

5. Exploiting unsecured fingerprint data storage

Some devices store fingerprint data without adequate encryption. If attackers gain access to this unprotected data, they can replicate fingerprints to bypass authentication. For example, in 2024, a misconfigured server exposed nearly 500 GB of sensitive biometric data, including fingerprints, facial scans and personal details of law enforcement applicants.

Image of a smartphone (Kurt “CyberGuy” Knutsson)

TOP 20 APPS TRACKING YOU EVERY DAY

So, can you trust fingerprint scanners?

Fingerprint scanners make it easy and fairly secure to unlock your devices. Since everyone has unique fingerprints, you don’t need to remember complicated passwords. Just a quick touch and you are in. Most modern devices store your fingerprint data in secure parts of the system, and they use things like liveness detection to make sure someone is not trying to trick the scanner with a fake finger.

Still, no security method is perfect. Skilled attackers have found ways to get past fingerprint scanners using high-resolution photos or 3D-printed fingers or by taking advantage of flaws in how the scanner communicates with the rest of the device. The risk really depends on how well the scanner is designed and how much effort someone puts into breaking it. For most people, fingerprint authentication is quick, easy and secure enough. However, if you are dealing with very sensitive information, relying only on biometrics might not be the best idea.

HOW TO REMOVE YOUR PERSONAL INFO FROM PEOPLE SEARCH SITES

A person using a fingerprint for security verification purposes (Kurt “CyberGuy” Knutsson)

10 SIMPLE STEPS TO IMPROVE YOUR SMARTPHONE’S SECURITY AND PRIVACY

6 ways to protect your fingerprint data

Safeguard your biometric identity with these essential security measures.

1. Choose trusted phone brands: If you’re buying a phone, stick with well-known brands like Apple, Samsung or Google. These companies take extra steps to protect your fingerprint data by storing it in secure areas of the phone that are harder to access. Cheaper or lesser-known brands may not have these protections, which makes it easier for attackers to steal your data.

2. Keep your phone updated: Phone updates are not just about new features. They fix security problems that hackers might use to break into your device. If your phone asks you to install an update, do it. Most phones also let you turn on automatic updates, so you don’t have to worry about remembering. Keeping your software updated is one of the easiest and most important ways to stay protected.

3. Use strong antivirus software: Install strong antivirus software to detect malware that could compromise biometric data storage. Strong antivirus software offers real-time threat detection, anti-phishing and privacy features to block unauthorized access to fingerprint data. The best way to safeguard yourself from malicious links that install malware, potentially accessing your private information, is to have strong antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe. Get my picks for the best 2025 antivirus protection winners for your Windows, Mac, Android and iOS devices.

WHAT IS ARTIFICIAL INTELLIGENCE (AI)?

4. Don’t rely only on your fingerprint: Using a fingerprint to unlock your phone is convenient, but it shouldn’t be your only line of defense, especially for sensitive apps like banking or email. Always set up a PIN, password or pattern as a backup on your iPhone and Android. This way, even if someone manages to copy your fingerprint, they still need another piece of information to get in.

5. Be careful about who handles your phone: If someone else uses your phone, especially a stranger or someone you don’t know well, they might be able to copy your fingerprint from the screen. It’s rare, but it happens. To reduce this risk, avoid handing your phone to people unnecessarily and wipe your screen occasionally to remove any clear fingerprints.

6. Only use fingerprint login with trusted apps: Not every app that asks for your fingerprint is trustworthy. It’s safest to use fingerprint login only with apps from known and reliable companies, like your bank, phone manufacturer or email provider. If an unfamiliar app asks for fingerprint access, it’s better to skip it and use your password instead.

7. Consider using a personal data removal service: Even fingerprint scanners can be bypassed, and large amounts of personal and biometric data have been exposed in breaches. Using a personal data removal service helps reduce your risk by removing your sensitive information from public databases and data broker sites, making it harder for hackers to piece together details that could be used to steal your identity. Check out my top picks for data removal services here.

Get a free scan to find out if your personal information is already out on the web.

WHAT HACKERS CAN LEARN ABOUT YOU FROM A DATA BROKER FILE

Kurt’s key takeaway

Passwords are generally easier to hack than biometric data like fingerprints or facial recognition. However, the key difference is that passwords can be changed if they’re compromised. Your biometrics cannot. Most modern devices allow both options, and biometrics can offer an extra layer of security by making it harder for someone else to access your phone or apps. They’re also fast and convenient, since you don’t need to remember or type anything. That said, in most cases, your device still falls back on a password or PIN when biometric identification doesn’t work, so both systems often go hand in hand.

With the increasing sophistication of methods to bypass fingerprint security, what should companies be doing to stay ahead of these threats and better protect user data? Let us know by writing us at Cyberguy.com/Contact

For more of my tech tips and security alerts, subscribe to my free CyberGuy Report Newsletter by heading to Cyberguy.com/Newsletter

Ask Kurt a question or let us know what stories you’d like us to cover

Follow Kurt on his social channels

Answers to the most asked CyberGuy questions:

New from Kurt:

Kurt “CyberGuy” Knutsson is an award-winning tech journalist who has a deep love of technology, gear and gadgets that make life better with his contributions for Fox News & FOX Business beginning mornings on “FOX & Friends.” Got a tech question? Get Kurt’s free CyberGuy Newsletter, share your voice, a story idea or comment at CyberGuy.com.

Technology

Tired of websites blocking your VPN? A dedicated IP fixes that

Published

8 minutes ago

March 1, 2026

Press Room

Tired of websites blocking your VPN? A dedicated IP fixes that

NEWYou can now listen to Fox News articles!

If you have ever turned on your VPN and suddenly could not log in to your bank, email, streaming service or work portal, you are not imagining things. In fact, this is one of the most common frustrations VPN users face today.

However, the issue is not that VPNs stopped working. Instead, websites have become far more aggressive about blocking traffic that looks suspicious.

As a result, the way your VPN is built now matters just as much as whether you use one at all.

Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts, and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide – free when you join my CYBERGUY.COM newsletter

Shared VPN IPs often trigger red flags, which is why banks, email providers and streaming sites sometimes block access. (Kurt “CyberGuy” Knutsson)

Why websites block many VPN connections

Most VPNs give you a shared IP address. As a result, hundreds or even thousands of people can appear online from the same address at the same time. From a website’s perspective, that traffic pattern raises red flags. When platforms detect too many logins, rapid location changes or unusual activity tied to one IP, they step in quickly. In many cases, they respond by:

Blocking access
Triggering captchas
Requiring extra verification codes
Temporarily locking accounts

Meanwhile, you did nothing wrong. Instead, you end up dealing with restrictions caused by other users sharing that same IP address.

What a dedicated IP does differently

With a dedicated IP, you get an address that belongs only to you. Unlike shared VPN connections, no one else uses it.

Each time you connect, you use the same IP address. As a result, you avoid sharing traffic, rotating locations or competing with random users whose activity could trigger blocks.

Because of that consistency, your connection looks much more like a typical home or office internet setup. And that simple difference can dramatically reduce website suspicion and login headaches.

NEW YORK HALTS ROBOTAXI EXPANSION PLAN

A dedicated IP gives you a consistent address that looks more like a normal home connection, reducing captchas and login alerts. (Kurt “CyberGuy” Knutsson)

What a dedicated IP can do that shared VPN IPs usually can’t

That consistency does more than reduce suspicion; it improves how smoothly you access the sites and services you use every day.

Access more websites without blocks

Banks, government portals, healthcare sites, and streaming services are far less likely to block a dedicated IP because it does not show heavy or erratic traffic patterns.

Reduce captchas and security challenges

Those endless “prove you’re human” messages are usually triggered by shared IP abuse. A dedicated IP dramatically reduces them.

Make banking and email logins smoother

Financial institutions and email providers often flag constantly changing IP addresses as suspicious. A dedicated IP stays consistent, so login alerts and lockouts happen far less often.

Support remote work and secure systems

Some employers only allow access from approved IP addresses. Shared VPN IPs cannot be approved. Dedicated IPs can.

Improve streaming reliability

Shared VPN IPs are often the first to get blocked when streaming services crack down. Dedicated IPs are less likely to be flagged because traffic looks normal and predictable.

What a dedicated IP does not do

A dedicated IP:

Does not remove encryption
Does not expose your identity
Does not weaken your privacy

Your traffic remains encrypted, and your real location stays hidden. You simply get a connection that websites trust more.

Who benefits most from a dedicated IP

A dedicated IP is especially helpful if you:

Use online banking regularly
Travel and access sites from different locations
Work remotely
Stream often
Get tired of captchas and blocked pages
Want a VPN that feels normal to use

GOOGLE DISMANTLES 9M-DEVICE ANDROID HIJACK NETWORK

With fewer blocks and smoother logins, a dedicated IP helps your VPN work quietly in the background instead of getting in your way. (Kurt “CyberGuy” Knutsson)

How to choose a VPN that offers a dedicated IP

If you want these benefits, look for a VPN provider that offers a dedicated IP option built directly into its service. Some providers include it in premium plans, while others offer it as an add-on. Either way, the process should be simple. You should be able to select your dedicated IP inside the app without advanced setup or manual configuration. Before signing up, check that the provider also offers strong speeds, reliable uptime and clear privacy policies. A dedicated IP improves access, but overall performance still matters.

What to look for beyond a dedicated IP

A dedicated IP reduces blocks. However, a quality VPN should also deliver strong security and smooth performance.

Fast, stable connections: Speed matters for streaming, video calls and everyday browsing. Look for providers known for consistent performance.

Wide server coverage: More server locations give you flexibility when traveling and help reduce location errors.

Clear privacy practices: Choose a VPN with a strict no-logs policy and independent audits when possible.

Secure server technology: Modern VPNs often use RAM-based servers that automatically wipe data on reboot.

Easy-to-use apps: Protection should feel simple, not technical. Clean apps across major devices make daily use effortless.

For the best VPN software, see my expert review of the best VPNs for browsing the web privately on your Windows, Mac, Android & iOS devices at Cyberguy.com

Kurt’s key takeaway

If your VPN keeps getting blocked, the problem may not be the VPN itself. It may be the shared IP address behind it. Websites are increasingly aggressive about suspicious traffic. When hundreds of users share the same IP, banks, email providers and streaming platforms take notice. That is when the captchas, verification codes and account lockouts start. A dedicated IP changes that experience. You still get encryption. You still protect your real location. But your connection looks stable and predictable, which helps you avoid constant interruptions.

CLICK HERE TO DOWNLOAD THE FOX NEWS APP

Should protecting your privacy really mean fighting with your bank, email, and streaming apps? Let us know by writing to us at Cyberguy.com

Technology

Polymarket defends its decision to allow betting on war as ‘invaluable’

Published

12 hours ago

February 28, 2026

Press Room

Polymarket defends its decision to allow betting on war as ‘invaluable’

It might be World War III, but at least I won $20. | Image: Polymarket / The Verge

Polymarket has been allowing people to bet on when the US would strike Iran next. Obviously, now that it’s actually happened and people have died, the prediction betting market is feeling some pressure. The site has been at the center of controversy before, including suspicions of insider trading on the Super Bowl halftime show and the capture of Venezuelan President Nicolás Maduro.

In a statement posted on its site, Polymarket defended its decision to allow betting on the potential start of a war, saying that it was an “invaluable” source of news and answers, before taking shots at traditional media and Elon Musk’s X. The statement reads:

…

Read the full story at The Verge.

Technology

Google dropped dark web monitoring: Should you care?

Published

12 hours ago

February 28, 2026

Press Room

Google dropped dark web monitoring: Should you care?

NEWYou can now listen to Fox News articles!

Google has officially discontinued its Dark Web Report feature, a free tool that once scanned known dark web breach dumps for personal information tied to a user’s Google account. The service delivered notifications when email addresses and other identifiers appeared in leaked datasets.

According to Google’s support page, the system ceased scanning for new dark web data Jan. 15, 2026, and the reporting function was removed entirely on Feb. 16, 2026, meaning users can no longer access the feature.

The company said the decision reflects a shift toward security tools it believes provide clearer guidance after exposure, rather than standalone scan alerts.

If you previously relied on the free dark web scan as an early warning signal for leaked data, this change removes one of your sources.

Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide — free when you join my CYBERGUY.COM newsletter.

Google officially ended its Dark Web Report tool, removing free breach alerts tied to user accounts. (Kurt “CyberGuy” Knutsson)

So what did users really lose?

Google’s Dark Web Report acted as a basic exposure scanner. It checked whether personal information linked to a Google account had surfaced in known breach collections circulating on the dark web.

When a match is found, users receive a notification identifying which type of data appeared in a leak. Depending on the data breach, that could include an email address, phone number, date of birth or other identifying details commonly harvested during large-scale hacks.

The report did not display stolen credentials or provide access to the leaked database itself. It also did not trace the origin of the compromise beyond referencing the breached service when available.

After an alert was issued, the next steps were left to the user. Google recommended actions such as changing passwords, enabling stronger authentication methods and reviewing account security settings. With the tool now removed, that automated breach check tied directly to a Google account is no longer available.

What you still have access to

Google directs users to its Security Checkup, a dashboard that scans your account for weak settings and unusual sign-in activity.

Its built-in Password Manager includes Password Checkup, which scans saved credentials against known breach databases and prompts you to change exposed passwords. Google also supports passkeys and two-factor verification to lock down account access.

The Results About You tool lets users search for personal information in Google Search and submit removal requests for certain publicly indexed details.

149 MILLION PASSWORDS EXPOSED IN MASSIVE CREDENTIAL LEAK

Without the automatic scan, users must now check for leaked data using other security tools. (iStock)

Alerts don’t always mean protection

Once personal information is compromised, it often ends up far beyond the breach itself. Stolen credentials and identity data are regularly trafficked on underground platforms where buyers can search for information tied to real people.

The BidenCash dark web marketplace was taken down by U.S. authorities in June 2025, and the Justice Department confirmed that the platform peddled stolen personal information and credit card data.

These illicit markets operate with a level of organization not unlike legitimate online stores. Search tools and bulk data sets are up for grabs and can be used to target any online account. This makes credential stuffing easier, where attackers test leaked passwords across multiple services in hopes of barreling into your account.

A breach alert tied to a dark web scan points to a leak at one moment in time; it does not follow whether that information has been sold to third parties or used in subsequent fraud attempts. For everyday users, this means that just knowing your data appeared in a leak doesn’t help much.

THINK YOUR NEW YEAR’S PRIVACY RESET WORKED? THINK AGAIN

Stolen personal information can circulate for years, making ongoing monitoring more important than a one-time alert. (Kurt “CyberGuy” Knutsson)

Identity monitoring may be a better option

With Google’s scan gone, some people may consider dedicated identity protection services instead. Many of these services offer continuous monitoring of your personally identifiable information and send alerts about changes to your credit reports from all three major U.S. credit bureaus. That can include notifications about new inquiries, newly opened accounts and monthly credit score updates. Some plans also monitor a broader range of personal identifiers, such as driver’s license numbers, passport numbers and email addresses.

Beyond credit monitoring, certain services track linked bank, credit card and investment accounts for unusual activity. They may also monitor public records for changes to addresses or property titles and alert you if your information appears in those filings.

Many providers include identity theft insurance to help cover eligible out-of-pocket recovery costs. Coverage limits vary by plan and provider. Additional features often include spam call and message protection, a password manager, a virtual private network (VPN) and antivirus software.

No service can prevent every form of identity theft. However, ongoing monitoring and recovery support can make it easier to respond quickly if your information is misused.

See my tips and best picks on Best Identity Theft Protection at Cyberguy.com.

Kurt’s key takeaways

Google’s decision to drop its Dark Web Report may seem small. But it removes a tool many users relied on. For some, those alerts were the first warning that their data appeared in a breach. That automatic scan is now gone. Google still offers Security Checkup, Password Checkup, passkeys and two-step verification. However, none of them actively scan dark web breach dumps for you. Stolen data does not disappear. Criminals copy, sell and reuse it. One alert shows a single moment. Ongoing identity theft monitoring helps you stay aware over time.

Now that Google has dropped its dark web monitoring feature, will you actively check your data exposure or assume someone else is watching it for you? Let us know your thoughts by writing to us at Cyberguy.com

CLICK HERE TO DOWNLOAD THE FOX NEWS APP