CLAIM: A WhatsApp message can steal your thumb print by asking you to unlock the message by placing your thumb on the screen. The message scans your thumb impression and will give app owners access to you biometric data, which may be linked to your Aadhaar, PAN and bank accounts etc.
A viral WhatsApp forward warns people of an alleged WhatsApp message that steals your thumb print by asking you to unlock it. The forward implies that by doing so scammers would get access to your biometric data.
The message has been circulating since the beginning of August this year with the below text.
“To all my friends, be careful of some msgs in WhatsApp that asks you to put your thumb in a screen to unlock a msg like happy Independence day or happy new year… Beware of these msgs and don’t put your thumb anywhere. Scanning your thumb impression will give the app owners access to your biometric data, this is very serious as your Aadhar biometric is linked to PAN, banks etc.. be very careful and spread the message !! cyber crime on the rise now. #TRAI”
It also uses the hashtag ‘#TRAI’ to make it sound like an official warning issued by the Telecom Regulatory Authority of India. However, no such message or warning has been issued by TRAI.
A variation of the forward claims that phishing messages pretend to wish people for Independence Day while tricking people into sharing their thumb impression to “unlock” the message. (The same post has also been shared in Hindi)
Posts such as the Facebook post below also include a link ( kamine-dost.com/?n=RAHUL-RR)
Clicking on the link takes you to a screen that looks like this (see screenshot below). The website kamine-dost.com auto plays a patriotic Bollywood song. It also states ‘Scan your finger to view surprising wish.’ On placing your finger on the portion where a fingerprint can be seen the website creates the illusion of a scanner collecting your print as a blue bar moves across the screen.
(Click here to view in a separate tab the below playing GIF )
The website then asks you to enter your name. We entered our name as ‘BoomLive.’
The website ‘kamine-dost.com’ is nothing but a click-bait site. Creators of the site earn through ad revenue (notice the ads at the top of the page) BOOM also looked up Whois data of the site and found out that it was created barely two weeks earlier on August 2, 2018 allegedly in Rajasthan. (Click here to view an archived record)
BOOM also reached out to a cyber security expert at Lucideus, an Indian digital security company based out of New Delhi.
“This is fake. Fingerprints are not saved on the application,” Rahul Tyagi, Vice President and Co-founder, Lucideus, told BOOM. He confirmed that the above website could not steal fingerprints by touching the phone screen or clicking on the site.
Devices such as laptops, iPads, smartphones etc., which currently have an option of fingerprint locks, use fingerprint sensors that are built as part of the hardware component. (In smartphones they are usually seen on the back panel of the phone or are placed below the home button) What that means is an app such as WhatsApp cannot scan your fingerprint and store it. Common sense of not clicking on anonymous links/URL which could contain malware still applies.
The technology of an ‘in-display’ sensor or a sensor below an OLED display panel is so new that it made headlines in January 2018. (See links below) Chinese phone manufacturer Vivo has only recently begun using the Clear ID sensor created by Synaptics, a California based human interface hardware and software maker. The Clear ID sensor scans fingerprints through the pixels of a smartphone’s OLED. But the technology is only limited to select handsets.