Slashdot Mirror


Doctors Bypass Biometric Scanners With Fake Fingers

jfruh writes "At a Brazilian hospital, doctors were required to check in with a fingerprint scanner to show that they've shown up for work. Naturally, they developed a system to bypass this requirement, creating fake fingers so that they could cover for one another when they took unauthorized time off. Another good example of how supposedly foolproof security tech can in fact be fooled pretty easily."

36 of 139 comments

  1. Biometrics are not secrets. by Anonymous Coward · · Score: 5, Insightful

    All the security experts who think that biometrics are the end-all-be-all of security are mistaken. Biometrics are not secrets, so once one knows your biometric id, they can impersonate you and you can't change your password!

    1. Re:Biometrics are not secrets. by TWX · · Score: 5, Funny

      A decade ago, a friend of mine suggested that if they *really* wanted foolproof biometrics, to use "colon terrain mapping".

      I told him that I wasn't sure that I could be his friend anymore...

      --
      Do not look into laser with remaining eye.
    2. Re:Biometrics are not secrets. by Hentes · · Score: 2

      So how would using a password-based system prevent the doctors from sharing their passwords with each other and continue slacking off?

    3. Re:Biometrics are not secrets. by PRMan · · Score: 2

      IIRC, Adam licked a photocopy of his finger and bypassed it.

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
    4. Re:Biometrics are not secrets. by houghi · · Score: 5, Funny

      I hope he does not have a job selling hardware to the TSA.

      --
      Don't fight for your country, if your country does not fight for you.
    5. Re:Biometrics are not secrets. by Anonymous Coward · · Score: 5, Insightful

      So how would using a password-based system prevent the doctors from sharing their passwords with each other and continue slacking off?

      That's a social problem. There is no technological solution. I repeat, technology cannot solve every problem. How do you solve this problem? Check once in a while. The guy's daughter was listed as being there every day for three years and never worked a single day. The people who just trusted a glorified punch card machine instead of once verifying it in person should be fired too.

    6. Re:Biometrics are not secrets. by Molochi · · Score: 2

      Really it's no different than sharing a Post-it note with your password.

      I've never worked anywhere where biometric scans wouldn't involve a full fake hand and a PIN to go with it. I'm guessing doctors would just sharpie that on the back of a rubber hand... and the PIN would of course be 1-2-3-4-5-6.

      --
      "The Adobe Updater must update itself before it can check for updates. Would you like to update the Adobe Updater now?"
    7. Re:Biometrics are not secrets. by Ryanrule · · Score: 2

      I agree. Fire management who do not manage.

    8. Re:Biometrics are not secrets. by swillden · · Score: 4, Insightful

      Biometrics are good for two categories of applications: Super high security, James Bond type stuff, and casual semi-security, where you want something to keep out the lazy but don't care that much. In between, they're broken.

      They work great in high-security applications when you have a controlled environment, which generally means an attended environment -- a guard is standing there very carefully watching the scanning process, and the scanners and all of the support systems are tightly secured.

      And they're fine in circumstances where you don't care very much.

      In between, biometrics are not secrets, and the fact that some scanner reported an image which appears to match means very little.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    9. Re:Biometrics are not secrets. by gweihir · · Score: 2

      This is actually one way to tell a good security expert from a bad one: The bad ones do not get that biometrics is more of a problem than a solution, while the good ones know this.

      There is a third class though: The immoral ones that want to sell you something that does not work, but they do not care.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  2. An important reminder... by fuzzyfuzzyfungus · · Score: 4, Interesting

    In addition to being a reminder that the people with a hard-on for 'biometrics' are either morons (Here you go, you were born with only ten passwords, so don't lose them!) or primarily interested in surveillance and tracking, or both; this is a useful reminder that 'security' is a system of interlocking parts, not a product you buy from your Solutions Vendor(tm) and set-and-forget.

    We have the one doctor, who was caught with the fake fingers, along with at least three others who were ghosting through their shifts. She claims that they leaned on her, threatened her job if she refused to help with the con, they probably claim that she was in on the con and was absent on other days. Regardless of which of those is true, how many other people at the hospital would be in the position to notice whether or not a doctor is present and doing stuff? Probably more than a few. The front-desk servitors had to know what patient flow looked like, restock requests for supplies in various exam rooms can't have looked right, there are a lot more details than the punch-card machine here. This hospital isn't so much suffering from a 'fingerprint scanners are oversold' problem; but a problem with either massive cheating and/or apathy toward cheating, or unaccountable abuse of authority to suppress people who could have blown the whistle.

    1. Re:An important reminder... by Archangel Michael · · Score: 3, Insightful

      Technology cannot ever fix Sociological problems, it can only mask them.

      We design technology in ways so that it routes around failures, and then wonder why it fails when humans do the same thing. You want to solve the problem of people not showing up for work, you fire them or put them on 2 week unpaid leave, or dock their pay, or whatever. If you aren't going to do anything about it, then stop making noise and let them skip out.

      Why is this so hard?

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    2. Re:An important reminder... by SirGarlon · · Score: 3, Insightful

      In addition to being a reminder that the people with a hard-on for 'biometrics' are either morons

      There's a difference between 'uninformed' and 'moronic.' Part of the problem with IT security is that it's full of self-proclaimed experts who heap scorn on the uninformed instead of trying to educate them. You're not one of those, are you?

      --
      [Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
    3. Re:An important reminder... by SternisheFan · · Score: 2

      At least they used 'fake' fingers.

      I once worked with a pre-med student who would talk of the hijinks that would go on in the morgue. Goofy things like skipping rope with a body's intestines. One student left a dismembered hand holding money with a toll booth collector, he was expelled.

    4. Re:An important reminder... by Anonymous Coward · · Score: 3, Insightful

      You educate your sociopathic boss who reads Wired and thus (thinks he) knows more about this stuff than you. You can't, and he now hates you because you "subverted his authority". Guess what? He's moronic.

      At the other end of the spectrum: Go ahead and educate Johnny Salesman. His eyes glaze over, and he's now thinking about watching the big game with his Bud Lite in hand. He's not listened to a word you've said. You've wasted your time and his. Guess what? He's moronic.

      The vast majority of people aren't us. The vast majority of people look at a black box and don't wonder how it works, what's inside it, or if it can be bypassed somehow. They look at a black box, and all they see is a black box. They only care enough about how it works to be comfortable enough with it so they do not actively have to think about it. I'm all for the altruistic spread of knowledge, but the only thing that happens whenever you try to get people to genuinely think is that they typically come off hating you in the end.

    5. Re:An important reminder... by Anonymous Coward · · Score: 2, Informative

      There are doctors who have $150k cars and $1.5M houses. But there are not very many of them, and the money they make treating patients isn't what paid for those things - they either have family money or are earning it from other businesses.

      Medicine is a well-paid and interesting job, but in terms of lifetime earnings you're better off being a banker (and I mean a regular banker, not just the high end Wall Street finance guys). My wife and I are both doctors. We do take about two nice trips a year, but we don't have children, our house cost under $200k, our cars are 4 and 12 years old, and we eat dinner at home five or six nights a week. We have no worries about paying the bills, but we're a lot less well off than plenty of people our age because we spent our twenties working for peanuts. We'll pass many of them in earnings sometime in our fifties, which is nice but is enough of a tradeoff that I wouldn't encourage anyone to go to med school unless they just have a burning desire to be a doctor. That said, I'm sure glad I didn't go get a Ph.D. in chemistry, like I thought I wanted to do in high school.

    6. Re:An important reminder... by naroom · · Score: 2

      People hate feeling stupid, and if you pass information to them in a way that makes them feel smart, it will stick better. Your average undergraduate doesn't care about what you're trying to teach them, but they DO care about looking better than their peers, and looking good to employers. Knowledge isn't an end, it's a means to an end. Before you try to teach something, make sure it's something they want to know (even if it's for a stupid reason).

  3. Re:Retina Scanners... by K. S. Kyosuke · · Score: 3, Insightful

    I think you mean iris scanners. Retina scanners are science fiction.

    Why, you mean the doctors can't diagnose retina diseases because you can't see the retina through the pupil?

    --
    Ezekiel 23:20
  4. Re:"supposedly foolproof security tech" by Let's All Be Chinese · · Score: 5, Interesting

    You'd have to be a right fool to be unable to fool these things. As in the link, as here, the application has very little to do with security. It's a people problem, and you can't fix those solely with technology.

    Worse, treating it as a technical problem and attacking it with security kit gives a strong signal to your own {doctors,pupils,*} that they're all criminals and need to be treated as such. This in turn creates a powerful incentive to game the system.

    What we have here is an incompetent administration trying to fix their mess through shitting on their underlings some more, using technology. Underlings know and dislike this.

    And so gaming the system is what they'll do. This quite apart from biometrics being inappropriate everywhere but in criminal forensics. Be careful what you ask for and all that.

  5. Old News by dragon-file · · Score: 2

    Mythbusters already did this http://blogs.technet.com/b/steriley/archive/2006/09/20/457845.aspx

    This happened almost 7 years ago

    --
    Whenever a player quits EVE to go play WoW, the Average IQ of both games increase.
  6. Biometric system is insecure by design by jd659 · · Score: 4, Interesting

    It surprises me that many debate the “security” of the fingerprint scanners while omitting the major flaw of any biometric system – it is not revocable. You cannot simply reset someone’s fingertips if the system for that instance has been compromised. With pretty much all other authentication there’s some mechanism to delete the bad entry: a password can be reset, a certificate can be revoked, a compromised key can end up in the black list, etc. None of this is possible with any biometric system. Even if it takes elaborate trickery and a lot of resources to duplicate a finger, a hand, or a mockup of the retina scan, once it’s done, it cannot be “cancelled” at the biometric system level.

    --
    There's no such thing as "illegal download"
    1. Re:Biometric system is insecure by design by Nadaka · · Score: 3, Funny

      It can be canceled at the biometric level...

      You are just squeamish about the organ replacement process.

      I bet you found it inconvenient to change your passwords every 90 days as well.

  7. Re:Retina Scanners... by ShanghaiBill · · Score: 4, Insightful

    Probably would have held out longer.

    A fingerprint scanner with a pulse detector (which many have) would have been fine too. Any security system can be bypassed with enough effort, so you need to consider what you are trying to protect, and make sure bypassing security is more trouble than it is worth. A doctor who wants an extra day off will obviously make a fake finger, but may not go to the trouble of making a pulse generator.

  8. Re:"supposedly foolproof security tech" by ackthpt · · Score: 4, Insightful

    Let's face it, nothing will ever be secure as long as people are involved.

    Time to start getting rid of them. ;)

    --
    A feeling of having made the same mistake before: Deja Foobar
  9. Basically... by Anonymous Coward · · Score: 2, Funny

    ...they gave the government the finger...

  10. Re:Retina Scanners... by Vicarius · · Score: 4, Interesting

    Pulse detectors can be fooled too. Check the end of this presentation, where he tries different molds and techniques, and finally succeeds in opening a safe that detects pulse using a fake fingerprint: DEFCON 19: Safe to Armed in Seconds: A Study of Epic Fails of Popular Gun Safes.

  11. Fake fingers are nothing by fustakrakich · · Score: 2

    Here we use fake doctors...

    --
    “He’s not deformed, he’s just drunk!”
  12. Re:Retina Scanners... by ctime · · Score: 4, Informative

    Iris scanners have lower false positive rejection rates and are more accurate than Retina scanners, which do exist. Retinas can become damaged and change with time, unlike the human iris which does not under normal circumstances change during lifetimes.

    Iris scanners are considered the best biometric authentication; they are also typically the most expensive (look up the LG scanner pricing).

    http://www.lgiris.com/ps/products/previousmodels/irisaccess2200.htm

    http://web2.utc.edu/~Li-Yang/cpsc4600/6-Iris-DNA/IRIS-Retina.ppt has some good info on the differences.

  13. Re:Retina Scanners... by The Grim Reefer · · Score: 2

    Iris scanners have lower false positive rejection rates and are more accurate than Retina scanners, which do exist. Retinas can become damaged and change with time, unlike the human iris which does not under normal circumstances change during lifetimes.

    Isn't one of the possible side effects of Latisse and LiLash changes in iris color? Some glaucoma meds can do this too. Do iris scanners look at color and pattern? Or just the patterns?

  14. All the biometric criticism is missing the point. by ThisIsSaei · · Score: 2

    The fact that the doctors were trusted as both the authenticating-client and the key-holder was the issue here. Not biometric authentication. There was no promise that the doctors were not the malicious users themselves, but rather the authenticating-client here had an inherent incentive (getting paid without working) to help defeat the system. So, for all the criticism of biometric systems here -- we're missing the point, the implementation was incorrect to start. Attacking the medium is misguided, and also composed of (mostly) stupid arguments.

    If this was a story of doctors having others falsify their time-cards or sharing keys it wouldn't have the same "people who like x auth method are idiots", but since it involves some slightly higher tech punch-in... well, here we are.

    There's no such thing as a secure system. Just an inconvenient-to-defeat system; the weakest link/low-hanging fruit and all that. Biometric merely provides another authentication factor that can be used - so pointing to cases where people helped defeat their own locks is akin to saying that your buddy let me make copies of his keys, just look how insecure keys are! It's silly. Correct implementation is key before you judge a system.

  15. Re:What? by DMUTPeregrine · · Score: 4, Insightful

    NO!

    Biometrics aren't a replacement for passwords, they're a replacement for USERNAMES. They provide a "something you have" factor to authentication, there still needs to be a "something you know."

    Like usernames they aren't secret. They don't need to be secret, and they can be copied without ruining the security of the system. They don't need to be changed, and are unique to each user. Biometrics are great when used as usernames, and a security nightmare waiting to happen when used as a password.

    --
    Not a sentence!
  16. Bogus Headline for semi bogus article by buybuydandavis · · Score: 2

    Buried in the article

    "Most current fingerprint scanners have technology that can detect whether the finger has a pulse, and some read fingerprints at a depth below skin level, which would render the silicon fingers useless. Apparently, that hospital is using an older type of scanner."

    Old, crappy technology fooled. Whoopie.

    And it appears that this was an organized criminal enterprise:

    "The mayor of Ferraz de Vasconcelos, Acir Fillo, said there might be as many as 300 hospital employees who do not exist, except for fake fingers with their prints, but who get paid anyway."

    And what grownup thinks any security technology is "foolproof", let alone "motivated criminal enterprise proof"? The technology isn't perfect, therefore it's crap?

    And by the way - "silicon" fingers? Bet you a dollar that should have been "silicone".

    If this guy is actually paid to write this crap, he needs to be fired.

  17. RTFA by westlake · · Score: 2

    Obsolete tech.

    When I first saw the headlines for this story I immediately went to a much darker place. I envisioned doctors going into the morgue and borrowing a few digits for use in fooling the machines. I mean, it's not like those guys needed them any more. Things like this have happened before.

    Then I realized this wouldn't work. For one thing, they'd have the wrong prints. For another, they'd be, well, a bit chilly.

    Most current fingerprint scanners have technology that can detect whether the finger has a pulse, and some read fingerprints at a depth below skin level, which would render the silicon fingers useless. Apparently, that hospital is using an older type of scanner.

    Giving biometric scanners the (fake) finger

    Inside job.

    The perfect example of corruption and conspiracy that begins --- and must begin --- at the top.

    Another television network said it was the head of the emergency room that ran the scam and that his daughter had not worked a day in three years but got paid all the time.

    Fake fingers to fool the boss at Brazil hospital

    Ferreira confessed to using different fake fingers bearing the prints of 11 fellow doctors and 20 nurses in order to pretend they were showing up to work five overnight shifts each month, instead of just one, police said.

    Ferreira also said the staff at the Ferraz Vasconcelos Hospital paid $2,400 per month to participate.

    The doctor will face charges of falsifying a public document and could get two to six years in prison.

    Brazilian doctor caught using fake fingers in biometrics scam

  18. Re:"supposedly foolproof security tech" by kilfarsnar · · Score: 2

    Fear will keep the local systems in line. Fear of this battlestation!

    --
    "What the American public doesn't know is what makes them the American public." -Ray Zalinsky (Tommy Boy)
  19. Re:Retina Scanners... by WillAffleckUW · · Score: 2

    The image on modern versions of cell phones is reportedly good enough to fool almost all such scanners.

    Sad, really.

    --
    -- Tigger warning: This post may contain tiggers! --
  20. Re:Full hand 3D scanners are the only "good" ones. by cusco · · Score: 2

    Hand key scanners are hideous. Anyone who has ever worked installing, configuring, servicing or maintaining them will tell you how much they hate the damn things. The false negative rate is terrible, they can be thrown off by hands swelling or shrinking because of temperature, exercise, menstrual water weight-gain, diets, or more. They get out of calibration if you breathe in their general direction. In case you haven't got it yet, I absolutely loathe them.

    --
    "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin