Doctors Bypass Biometric Scanners With Fake Fingers
jfruh writes "At a Brazilian hospital, doctors were required to check in with a fingerprint scanner to show that they've showed up for work. Naturally, they developed a system to bypass this requirement, creating fake fingers so that they could cover for one another when they took unauthorized time off. Another good example of how supposedly foolproof security tech can in fact be fooled pretty easily."
All the security experts who think that biometrics are the end-all-be-all of security are mistaken. Biometrics are not secrets, so once one knows your biometric id, they can impersonate you and you can't change your password!
Oh, alright, the security tech *is* foolproof, it's just that the doctors are no fools. :-) (Just like a bulletproof vest won't protect you from a baseball bat. See, it's not a bullet!)
Probably would have held out longer.
In addition to being a reminder that the people with a hard-on for 'biometrics' are either morons (Here you go, you were born with only ten passwords, so don't lose them!) or primarily interested in surveillance and tracking, or both; this is a useful reminder that 'security' is a system of interlocking parts, not a product you buy from your Solutions Vendor(tm) and set-and-forget.
We have the one doctor, who was caught with the fake fingers, along with at least three others who were ghosting through their shifts. She claims that they leaned on her, threatened her job if she refused to help with the con; they probably claim that she was in on the con and was absent on other days. Regardless of which of those is true, how many other people at the hospital would be in the position to notice whether or not a doctor is present and doing stuff? Probably more than a few. The front-desk servitors had to know what patient flow looked like, restock requests for supplies in various exam rooms can't have looked right, there are a lot more details than the punch-card machine here. This hospital isn't so much suffering from a 'fingerprint scanners are oversold' problem; but a problem with either massive cheating and/or apathy toward cheating, or unaccountable abuse of authority to suppress people who could have blown the whistle.
Granted, they can be thrown off by any change in the hand's biometric signature, such as a new ring or even swelling due to allergies. But they are very hard to trick. Fingerprint scanners have been fooled by hot dogs with xeroxed fingerprint swirls on them.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
Who the hell thinks fingerprint scanners are foolproof? We've had "how to pass a fingerprint scanner" stories for a decade now.
This has been done before.
Prior Art.
The "Civilized World" jumped the shark ca. 1973.
"This fake finger smells like it has been up someone's butt!"
No one is dumb enough to claim that fingerprint readers are secure. It's one step up from a password. All you need to get is a fingerprint from the "doctor" you want to be for the day and with a little effort you can replicate access. Out of all biometric security systems, fingerprints are pretty insecure.
This happened almost 7 years ago
Whenever a player quits EVE to go play WoW, the Average IQ of both games increase.
They must have watched mythbusters
It surprises me that many debate the “security” of the fingerprint scanners while omitting the major flaw of any biometric system – it is not revocable. You cannot simply reset someone’s fingertips if the system for that instance has been compromised. With pretty much all other authentication there’s some mechanism to delete the bad entry: a password can be reset, a certificate can be revoked, a compromised key can end up in the black list, etc. None of this is possible with any biometric system. Even if it takes elaborate trickery and a lot of resources to duplicate a finger, a hand, or a mockup of the retina scan, once it’s done, it cannot be “cancelled” at the biometric system level.
There's no such thing as "illegal download"
Did they bypass the "foolproof security tech", or did they bypass a flawed implementation of the "foolproof security tech"?
These guys were just making fakes, no big deal. I've always been concerned that with everything being done this way, a violent criminal wouldn't hesitate to cut off my digits or pluck out my eyes. Best case scenario, you're violently compelled to place your body part wherever. I'd much rather surrender my key at gunpoint and let the insurance companies deal with it.
Why go to all the trouble of making fake fingers when all you need are gummi bears?
Bypass security. Tasty snack. It's the two-in-one product of modern technology!
if (it != oneThing) it = another;
Attendance is not a security issue.
If they're allowing biometric authentication as a single factor authentication to clinical data, there's cause for concern. In this case, this is biometric identification, and is still more reliable than punching an ID into a time system.
In healthcare, biometrics are usually used, if at all, as a second factor for authentication. (And that usage is rare because certain demographics have fingerprints that are not reliably read by most scanners.)
...they gave the government the finger...
Here we use fake doctors...
“He’s not deformed, he’s just drunk!”
You appear to have dropped your finger there buddy, gotta be more careful with that!
What do I know, I'm just an idiot, right?
Windows NT ® 4.0 I will just hack the out-of-date OS
In Brazil, banks started to use ATMs with fingerprint reading.
Only the fingerprint is necessary to withdraw money from your account...
http://www.tecmundo.com.br/banco/34422-adeus-cartao-de-banco-itau-e-bradesco-autorizam-saques-via-impressao-digital.htm (in Portuguese)
Also goes to show how much effort Brazilians put into avoiding work.
Biometrics have one fatal flaw that has always scared the hell out of me. If someone wants past biometrics, they will either develop fake body parts that work as well as the original, or they will just remove the actual body part.
"GET / HTTP/1.0" 200 51230 "-" "Mozilla/4.0 (compatible; Setec Astronomy)"
It's the piss-poor AI. Even the dumbest human in the world can instantly tell if a person is actually sticking his own finger in the scanner or if he's holding a plastic fake, with 100% accuracy.
Kurzweil may have wet dreams about singularity, but I don't think computers can ever achieve awareness. They lack atman, immortal soul, theta, life essence, the Force, or whatever you wanna call it.
The fact that the doctors were trusted as both the authenticating-client and the key-holder was the issue here. Not biometric authentication. There was no promise that the doctors were not the malicious users themselves, but rather the authenticating-client here had an inherent incentive (getting paid without working) to help defeat the system. So, for all the criticism of biometric systems here -- we're missing the point, the implementation was incorrect to start. Attacking the medium is misguided, and also composed of (mostly) stupid arguments.
If this was a story of doctors having others falsify their time-cards or sharing keys it wouldn't have the same "people who like x auth method are idiots", but since it involves some slightly higher tech punch-in... well, here we are.
There's no such thing as a secure system. Just an inconvenient-to-defeat system; the weakest link/low-hanging fruit and all that. Biometric merely provides another authentication factor that can be used - so pointing to cases where people helped defeat their own locks is akin to saying that your buddy let me make copies of his keys, just look how insecure keys are! It's silly. Correct implementation is key before you judge a system.
Buried in the article
"Most current fingerprint scanners have technology that can detect whether the finger has a pulse, and some read fingerprints at a depth below skin level, which would render the silicon fingers useless. Apparently, that hospital is using an older type of scanner."
Old, crappy technology fooled. Whoopie.
And it appears that this was an organized criminal enterprise:
"The mayor of Ferraz de Vasconcelos, Acir Fillo, said there might be as many as 300 hospital employees who do not exist, except for fake fingers with their prints, but who get paid anyway."
And what grownup thinks any security technology is "foolproof", let alone "motivated criminal enterprise proof"? The technology isn't perfect, therefore it's crap?
And by the way - "silicon" fingers? Bet you a dollar that should have been "silicone".
If this guy is actually paid to write this crap, he needs to be fired.
When I first saw the headlines for this story I immediately went to a much darker place. I envisioned doctors going into the morgue and borrowing a few digits for use in fooling the machines. I mean, it's not like those guys needed them any more. Things like this have happened before.
Then I realized this wouldn't work. For one thing, they'd have the wrong prints. For another, they'd be, well, a bit chilly.
Most current fingerprint scanners have technology that can detect whether the finger has a pulse, and some read fingerprints at a depth below skin level, which would render the silicon fingers useless. Apparently, that hospital is using an older type of scanner.
Giving biometric scanners the (fake) finger
Inside job.
The perfect example of corruption and conspiracy that begins --- and must begin --- at the top.
Another television network said it was the head of the emergency room that ran the scam and that his daughter had not worked a day in three years but got paid all the time.
Fake fingers to fool the boss at Brazil hospital
Ferreira confessed to using different fake fingers bearing the prints of 11 fellow doctors and 20 nurses in order to pretend they were showing up to work five overnight shifts each month, instead of just one, police said.
Ferreira also said the staff at the Ferraz Vasconcelos Hospital paid $2,400 per month to participate.
The doctor will face charges of falsifying a public document and could get two to six years in prison.
Brazilian doctor caught using fake fingers in biometrics scam
Sounds like a good way to solve three problems with one stone:
1. A less easily reproducible biometric map that changes over time. :D
2. Free polyp/colon cancer screening for everybody having to work through the machine.
3. Assuming it's used indiscriminately: A sign to both members of the security community as well as the political community of where they should accept boundaries on security theater so they don't get fucked up the ass like the rest of us.
In the '90s there was this "thumbprint ID" system that allowed registered folks to get through Dutch airport customs with no hassle.
Until some folks discovered you could slip a copied print onto a thumb and slip someone else through instead.
Buy a vascular scanner or review security camera footage to validate the fingerprint results.
The best biometric for doctors is obviously their handwriting - nobody can forge that shit (or read it).
Ha haw!
Just saying.....
I do work in the city where it happened.
Tech is not the problem.
In fact, I'm so sick and tired of corruption here in Brazil that sometimes I wonder: how are we going to get rid of them? Man, they are in every layer of the system. If u become a politician, they will come have "the talk" with you. Same thing if u become a cop, a banker, and god! even a doctor now??? Come on!