Slashdot Mirror
Doctors Bypass Biometric Scanners With Fake Fingers
jfruh writes "At a Brazilian hospital, doctors were required to check in with a fingerprint scanner to show that they've showed up for work. Naturally, they developed a system to bypass this requirement, creating fake fingers so that they could cover for one another when they took unauthorized time off. Another good example of how supposedly foolproof security tech can in fact be fooled pretty easily."
All the security experts who think that biometrics are the end-all-be-all of security are mistaken. Biometrics are not secrets, so once one knows your biometric id, they can impersonate you and you can't change your password!
Probably would have held out longer.
In addition to being a reminder that the people with a hard-on for 'biometrics' are either morons(Here you go, you were born with only ten passwords, so don't lose them!) or primarily interested in surveillance and tracking, or both; this is a useful reminder that 'security' is a system of interlocking parts Not a product you buy from your Solutions Vendor(tm) and set-and-forget.
We have the one doctor, who was caught with the fake fingers, along with at least three others who were ghosting through their shifts. She claims that they leaned on her, threatened her job if she refused to help with the con, they probably claim that she was in on the con and was absent on other days. Regardless of which of those is true, how many other people at the hospital would be in the position to notice whether or not a doctor is present and doing stuff? Probably more than a few. The front-desk servitors had to know what patient flow looked like, restock requests for supplies in various exam rooms can't have looked right, there are a lot more details than the punch-card machine here. This hospital isn't so much suffering from a 'fingerprint scanners are oversold' problem; but a problem with either massive cheating and/or apathy toward cheating, or unaccountable abuse of authority to suppress people who could have blown the whistle.
Granted, they can be thrown off by any change in the hands biometric signature, such as a new ring or even swelling due to allergies. But they are very hard to trick. Finger print scanners have been fooled by hot-dogs with xeroxed finger print swirls on them.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
Who the hell thinks fingerprint scanners are foolproof? We've had "how to pass a fingerprint scanner" stories for a decade now.
This has been done before.
Prior Art.
The "Civilized World" jumped the shark ca. 1973.
"This fake finger smells like it has been up someone's butt!"
You'd have to be a right fool to be unable to fool these things. As in the link, as here, the application has very little to do with security. It's a people problem, and you can't fix those solely with technology.
Worse, treating it as a technical problem and attacking it with security kit gives a strong signal to your own {doctors,pupils,*} that they're all criminals and need to be treated as such. This in turn creates a powerful incentive to game the system.
What we have here is an incompetent administration trying to fix their mess through shitting on their underlings some more, using technology. Underlings know and dislike this.
And so gaming the system is what they'll do. This quite apart from biometrics being inappropriate everywhere but in criminal forensics. Be careful what you ask for and all that.
No one is dumb enough to claim that finger print readers are secure. It's one step up from a password. All you need to get is a finger print from the "doctor" you want to be for the day and with a little effort you can replicate access. Out of all bio-metric security systems, finger prints are pretty insecure.
This happened almost 7 years ago
Whenever a player quits EVE to go play WoW, the Average IQ of both games increase.
It surprises me that many debate the “security” of the fingerprint scanners while omitting the major flaw of any biometric system – it is not revocable. You cannot simply reset someone’s fingertips if the system for that instance has been compromised. With pretty much all other authentication there’s some mechanism to delete the bad entry: a password can be reset, a certificate can be revoked, a compromised key can end up in the black list, etc. None of this is possible with any biometric system. Even if it takes an elaborate trickery and a lot of resources to duplicate a finger, a hand, or a mockup of the retina scan, once it’s done, it cannot be “cancelled” at the biometric system level.
There's no such thing as "illegal download"
Let's face it, nothing will ever be secure as long as people are involved.
Time to start getting rid of them. ;)
A feeling of having made the same mistake before: Deja Foobar
Why to to all the trouble with making fake fingers when all you need are gummi bears
Bypass security. Tasty snack. It's the two-in-one product of modern technology!
if (it != oneThing) it = another;
Attendance is not a security issue.
If they're allowing biometric authentication as a single factor authentication to clinical data, there's cause for concern. In this case, this is biometric identification, and is still more reliable than punching an ID into a time system.
In healthcare, biometrics are usually used, if at all, as a second factor for authentication. (And that usage is rare because certain demographics have fingerprints that are not reliably read by most scanners.)
...they gave the government the finger...
Here we use fake doctors...
“He’s not deformed, he’s just drunk!”
You appear to have dropped your finger there buddy, gotta be more careful with that!
What do I know, I'm just an idiot, right?
In Brazil banks started to use ATM's with finger print reading.
Only the finger print is necessary to withdraw money from your account...
http://www.tecmundo.com.br/banco/34422-adeus-cartao-de-banco-itau-e-bradesco-autorizam-saques-via-impressao-digital.htm (in portuguese)
Biometrics have one fatal flaw that has always scared the hell out of me. If someone wants past biometrics, they will either develop fake body parts that work as good as the original, or they will just remove the actual body part.
"GET / HTTP/1.0" 200 51230 "-" "Mozilla/4.0 (compatible; Setec Astronomy)"
In the English-speaking world they don't stop until you have only two options, They put it in a different way in a comment in the movie "Sin City": "sometimes you have to die, and sometimes you have to kill a hell of a lot of people".
Time to start getting rid of them. ;)
...and that would solve their problem, right there.
Of course, I don't mean get rid of them in the execution sense, but more in the "you're fired - pack your shit and get out while the security guard escorts you." sense.
Find the most obvious slackers, fire them publicly and loudly, blackball the crap out of them using factual evidence (this isn't the US - good luck suing), and you may be impressed with how quickly the other doctors fall in line.
Quo usque tandem abutere, Nimbus, patientia nostra?
it's the piss-poor AI. Even the dumbest human in the world can instantly tell if a person is actually sticking his own finger in the scanner or if he's holding a plastic fake, with 100% accuracy.
Kurzweil may have wet dreams about singularity, but I don't think computers can ever achieve awareness. They lack atman, immortal soul, theta, life essence, the Force, or whatever you wanna call it.
The fact that the doctors were trusted as both the authenticating-client and the key-holder was the issue here. Not biometric authentication. There was no promise that the doctors were not the malicious users themselves, but rather the authenticating-client here had an inherent incentive (getting paid without working) to help defeat the system. So, for all the criticism of biometric systems here -- we're missing the point, the implementation was incorrect to start. Attacking the medium is misguided, and also composed of (mostly) stupid arguments.
If this was a story of doctors having others falsify their time-cards or sharing keys it wouldn't have the same "people who like x auth method are idiots", but since it involves some slightly higher tech punch-in... well, here we are.
There's no such thing as a secure system. Just an inconvenient-to-defeat system; the weakest link/low-hanging fruit and all that. Biometric merely provides another authentication factor that can be used - so pointing to cases where people helped defeat their own locks is akin to saying that your buddy let me make copies of his keys, just look insecure keys are! It's silly. Correct implementation is key before you judge a system.
Buried in the article
"Most current fingerprint scanners have technology that can detect whether the finger has a pulse, and some read fingerprints at a depth below skin level, which would render the silicon fingers useless. Apparently, that hospital is using an older type of scanner."
Old, crappy technology fooled. Whoopie.
And it appears that this was an organized criminal enterprise:
"The mayor of Ferraz de Vasconcelos, Acir Fillo, said there might be as many as 300 hospital employees who do not exist, except for fake fingers with their prints, but who get paid anyway."
And what grownup thinks any security technology is "foolproof", let alone "motivated criminal enterprise proof"? The technology isn't perfect, therefore it's crap?
And by the way - "silicon" fingers? Bet you a dollar that should have been "silicone".
If this guy is actually paid to write this crap, he needs to be fired.
When I first saw the headlines for this story I immediately went to a much darker place. I envisioned doctors going into the morgue and borrowing a few digits for use in fooling the machines. I mean, it's not like those guys needed them any more. Things like this have happened before.
Then I realized this wouldn't work. For one thing, they'd have the wrong prints. For another, they'd be, well, a bit chilly.
Most current fingerprint scanners have technology that can detect whether the finger has a pulse, and some read fingerprints at a depth below skin level, which would render the silicon fingers useless. Apparently, that hospital is using an older type of scanner.
Giving biometric scanners the (fake) finger
Inside job.
The perfect example of corruption and conspiracy that begins --- and must begin --- at the top.
Another television network said it was the head of the emergency room that ran the scam and that his daughter had not worked a day in three years but got paid all the time.
Fake fingers to fool the boss at Brazil hospital
Ferreira confessed to using different fake fingers bearing the prints of 11 fellow doctors and 20 nurses in order to pretend they were showing up to work five overnight shifts each month, instead of just one, police said.
Ferreira also said the staff at the Ferraz Vasconcelos Hospital paid $2,400 per month to participate.
The doctor will face charges of falsifying a public document and could get two to six years in prison.
Brazilian doctor caught using fake fingers in biometrics scam
Fear will keep the local systems in line. Fear of this battlestation!
"What the American public doesn't know is what makes them the American public." -Ray Zalinsky (Tommy Boy)
The best biometric for doctors is obviously their handwriting - nobody can forge that shit (or read it).
Ha haw!