Millions of smartphone users have been warned that hackers may be able to get past their facial recognition security feature and steal their data.
Mobile phones manufactured by the likes of Samsung, Motorola and Nokia have face unlock systems that can be 'fooled' by a printed-out 2D photograph of the owner's face.
That's according to consumer experts at Which?, who have warned that this flaw could lead to criminals exploiting people's personal information.
Face recognition is often used as a security feature on smartphones, and is hailed as one of the safest ways to protect data.
But this could allow scammers to get past the screen lock on certain Android phones and access apps which contain a range of sensitive information.
Since August 2022, Which? has sent 48 new smartphones to the lab for testing and of these, 19 new phones (40%) can be easily spoofed with a photo to get through the phone’s lock screen and gain access to the phone.
And the photos of the user registered to the device were not particularly high resolution and were printed on a standard office printer on normal paper.
The majority of the phones that failed this simple biometric test by Which? were at the cheaper to mid-range end of the market, with prices starting at £89.99 for the Motorola Moto E13, but the list also included much more expensive handsets such as the Motorola Razr 2022, which launched at almost £1,000 (£949.99).
Xiaomi had seven phones that could be exploited, while Motorola had four. Nokia, Oppo and Samsung each had two, and Honor and Vivo each had one affected model.
This has led to concerns over certain apps on these phones, such as Google Wallet, which allows people to pay for things using an electronic version of their bank card.
People in the UK can make contactless payments with Google Wallet up to £45 without needing to unlock the phone.
And Google told Which? that for larger transactions, users must use a more secure Class 3 biometric unlock. This should mean that people using the models that Which? was able to spoof are not able to complete transactions over £45 if face recognition is being used to unlock the phone.
But by using the 2D photo to unlock the phone, scammers can access valuable information in this app.
The registered cards tell the scammer who people bank with, and the app may display the last 4 digits of their card numbers.
The app may also contain information about recent transactions, such as where users shopped and how much they paid, which might help a scammer answer security questions.
All the Apple phones Which? tested passed the spoofing tests. Apple’s Face ID is a more robust system using sensors to create a 3D depth map of your face.
This could be why a lot of banking apps only allow face recognition as a security measure on Apple iPhones.
Lisa Barber, Which? Tech Editor, said: “It’s unacceptable that brands are selling phones that can easily be duped using a 2D photo, particularly if they are not making their customers aware of this vulnerability. Our findings have really worrying implications for people’s security and susceptibility to scams.
“We would strongly advise anyone using these phones to turn off face recognition and use the fingerprint sensor, a strong password or long PIN instead.
“This needs to be a wake up call for manufacturers – they need to step up and improve the security of their biometric systems against spoofing.”