As banks increasingly turn to biometrics to secure ATM transactions, Kaspersky Lab is warning that crooks are already selling skimming devices that they claim can steal fingerprints.
Old-school skimmers which stole mag-stripe data have made way in recent years to so-called 'shimmers' that can glean enough information from EMV chips for online relay attacks.
In response, some banks are turning to biometric authentication but Kaspersky Lab says that this could simply play into criminals' hands, offering them a new opportunity to steal sensitive information.
The security outfit has found at least 12 sellers offering skimmers capable of stealing victims’ fingerprints. Several other underground crooks are already researching devices that could illegally obtain data from palm vein and iris recognition systems.
The first wave of biometric skimmers was spotted in 'pre-sale testing' last September but developers discovered several bugs, with the main problem being the use of GSM modules for biometric data transfer - they were too slow to transfer the large volume of data obtained.
Kaspersky warns that new versions of skimmers will use different, faster data transfer technologies.
And thieves are also discussing how to fool facial recognition biometrics, looking into the development of mobile applications based on placing masks over human faces and imposing photos taken from social media.
Olga Kochetova, security expert, Kaspersky Lab, says: "The problem with biometrics is that unlike passwords or pin codes, which can be easily modified in the event of compromise, it is impossible to change your fingerprint or iris image.
"Thus, if your data is compromised once, it won’t be safe to use that authentication method again. That is why it is extremely important to keep such data secure and transmit it in a secure way."