Slashdot Mirror
Doctors Bypass Biometric Scanners With Fake Fingers
jfruh writes "At a Brazilian hospital, doctors were required to check in with a fingerprint scanner to show that they've showed up for work. Naturally, they developed a system to bypass this requirement, creating fake fingers so that they could cover for one another when they took unauthorized time off. Another good example of how supposedly foolproof security tech can in fact be fooled pretty easily."
All the security experts who think that biometrics are the end-all-be-all of security are mistaken. Biometrics are not secrets, so once one knows your biometric id, they can impersonate you and you can't change your password!
I think you mean iris scanners. Retina scanners are science fiction.
Why, you mean the doctors can't diagnose retina diseases because you can't see the retina through the pupil?
Ezekiel 23:20
Technology cannot ever fix Sociological problems, it can only mask them.
We design technology in ways so that it routes around failures, and then wonder why it fails when humans do the same thing. You want to solve the problem of people not showing up for work, you fire them or put them on 2 week unpaid leave, or doc their pay, or whatever. If you aren't going to do anything about it, then stop making noise and let them skip out.
Why is this so hard?
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
Probably would have held out longer.
A fingerprint scanner with a pulse detector (which many have) would have been fine too. Any security system can be bypassed with enough effort, so you need to consider what you are trying to protect, and make sure bypassing security is more trouble than it is worth. A doctor who wants an extra day off will obviously make a fake finger, but may not go to the trouble of making a pulse generator.
There's a difference between 'uninformed' and 'moronic.' Part of the problem with IT security is that it's full of self-proclaimed experts who heap scorn on the uninformed instead of trying to educate them. You're not one of those, are you?
[Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
Let's face it, nothing will ever be secure as long as people are involved.
Time to start getting rid of them. ;)
A feeling of having made the same mistake before: Deja Foobar
You educate your sociopathic boss who reads Wired and thus (thinks he) knows more about this stuff than you. You can't, and he now hates you because you "subverted his authority". Guess what? He's moronic.
At the other end of the spectrum: Go ahead and educate Johnny Salesman. His eyes glaze over, and he's now thinking about watching the big game with his Bud Lite in hand. He's not listened to a word you've said. You've wasted your time and his. Guess what? He's moronic.
The vast majority of people aren't us. The vast majority of people look at a black box and don't wonder how it works, what's inside it, or if it can be bypassed somehow. They look at a black box, and all they see is a black box. They only care enough about how it works to be comfortable enough with so they do not actively have to think about it. I'm all for the altruistic spread of knowledge, but the only thing that happens whenever you try to get people to genuinely think is that they typically come off hating you in the end.
NO!
Biometrics aren't a replacement for passwords, they're a replacement for USERNAMES. They provide a "something you have" factor to authentication, there still needs to be a "something you know."
Like usernames they aren't secret. They don't need to be secret, and they can be copied without ruining the security of the system. They don't need to be changed, and are unique to each user. Biometrics are great when used as usernames, and a security nightmare waiting to happen when used as a password.
Not a sentence!