The increased need for access control has motivated a widespread deployment of biometric systems in the last few years. However, recent works indicate that some modalities are fragile and more susceptible to malicious presentation attacks. This has in turn led to the exploration of alternative modalities such as electrocardiogram (ECG) due to its individualized and ubiquitous nature, difficulty in copying, stealing, and/or spoofing, and well-studied acquisition and analysis in the medical domain. In this study, we show that it is indeed possible to exploit previously captured ECG signals. First, we develop a novel “cross-subject attack” where a short template of the victim's ECG captured by an attacker is used to map the attacker's ECG into the victim's. Second, we explore “cross-device attacks” where mapping functions are used to replay ECGs collected on a device other than the victim's device. Third, we explore countermeasures that utilize ECG signal characteristics such as heart rate variability and PPG signal to detect and reject fake samples. Simulation experiments are carried out using two freely available ECG databases under popular fiducial and non-fiducial features. Our proposed cross-device attack framework achieves 45% improvement in success rate compared with the previous state-of-the-art. Moreover, the attack success rate is degraded by 100% when our proposed countermeasure is employed.