Slashdot Mirror

← Back to Stories (view on slashdot.org)

Doctors Bypass Biometric Scanners With Fake Fingers

Posted by Soulskill on from the no-technology-can-trump-laziness dept.

jfruh writes "At a Brazilian hospital, doctors were required to check in with a fingerprint scanner to show that they've showed up for work. Naturally, they developed a system to bypass this requirement, creating fake fingers so that they could cover for one another when they took unauthorized time off. Another good example of how supposedly foolproof security tech can in fact be fooled pretty easily."

13 of 139 comments (clear)

  1. Biometrics are not secrets. by Anonymous Coward · · Score: 5, Insightful

    All the security experts who think that biometrics are the end-all-be-all of security are mistaken. Biometrics are not secrets, so once one knows your biometric id, they can impersonate you and you can't change your password!

    1. Re:Biometrics are not secrets. by TWX · · Score: 5, Funny

      A decade ago, a friend of mine suggested that if they *really* wanted foolproof biometrics, to use "colon terrain mapping".

      I told him that I wasn't sure that I could be his friend anymore...

      --
      Do not look into laser with remaining eye.
    2. Re:Biometrics are not secrets. by houghi · · Score: 5, Funny

      I hope he does not have a job selling hardware to the TSA.

      --
      Don't fight for your country, if your country does not fight for you.
    3. Re:Biometrics are not secrets. by Anonymous Coward · · Score: 5, Insightful

      So how would using a password-based system prevent the doctors from sharing their passwords with each other and continue slacking off?

      That's a social problem. There is no technological solution. I repeat, technology cannot solve every problem. How do you solve this problem? Check once and a while. The guys daughter was listed as being there every day for three years and never worked a single day. The people who just trusted a glorified punch card machine instead of once verifying it in person should be fired too.

    4. Re:Biometrics are not secrets. by swillden · · Score: 4, Insightful

      Biometrics are good for two categories of applications: Super high security, James Bond type stuff, and casual semi-security, where you want something to keep out the lazy but don't care that much. In between, they're broken.

      They work great in high-security applications when you have a controlled environment, which generally means an attended environment -- a guard is standing there very carefully watching the scanning process, and the scanners and all of the support systems are tightly secured.

      And they're fine in circumstances where you don't care very much.

      In between, biometrics are not secrets, and the fact that some scanner reported an image which appears to match means very little.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  2. An important reminder... by fuzzyfuzzyfungus · · Score: 4, Interesting

    In addition to being a reminder that the people with a hard-on for 'biometrics' are either morons(Here you go, you were born with only ten passwords, so don't lose them!) or primarily interested in surveillance and tracking, or both; this is a useful reminder that 'security' is a system of interlocking parts Not a product you buy from your Solutions Vendor(tm) and set-and-forget.

    We have the one doctor, who was caught with the fake fingers, along with at least three others who were ghosting through their shifts. She claims that they leaned on her, threatened her job if she refused to help with the con, they probably claim that she was in on the con and was absent on other days. Regardless of which of those is true, how many other people at the hospital would be in the position to notice whether or not a doctor is present and doing stuff? Probably more than a few. The front-desk servitors had to know what patient flow looked like, restock requests for supplies in various exam rooms can't have looked right, there are a lot more details than the punch-card machine here. This hospital isn't so much suffering from a 'fingerprint scanners are oversold' problem; but a problem with either massive cheating and/or apathy toward cheating, or unaccountable abuse of authority to suppress people who could have blown the whistle.

  3. Re:"supposedly foolproof security tech" by Let's+All+Be+Chinese · · Score: 5, Interesting

    You'd have to be a right fool to be unable to fool these things. As in the link, as here, the application has very little to do with security. It's a people problem, and you can't fix those solely with technology.

    Worse, treating it as a technical problem and attacking it with security kit gives a strong signal to your own {doctors,pupils,*} that they're all criminals and need to be treated as such. This in turn creates a powerful incentive to game the system.

    What we have here is an incompetent administration trying to fix their mess through shitting on their underlings some more, using technology. Underlings know and dislike this.

    And so gaming the system is what they'll do. This quite apart from biometrics being inappropriate everywhere but in criminal forensics. Be careful what you ask for and all that.

  4. Biometric system is insecure by design by jd659 · · Score: 4, Interesting

    It surprises me that many debate the “security” of the fingerprint scanners while omitting the major flaw of any biometric system – it is not revocable. You cannot simply reset someone’s fingertips if the system for that instance has been compromised. With pretty much all other authentication there’s some mechanism to delete the bad entry: a password can be reset, a certificate can be revoked, a compromised key can end up in the black list, etc. None of this is possible with any biometric system. Even if it takes an elaborate trickery and a lot of resources to duplicate a finger, a hand, or a mockup of the retina scan, once it’s done, it cannot be “cancelled” at the biometric system level.

    --
    There's no such thing as "illegal download"
  5. Re:Retina Scanners... by ShanghaiBill · · Score: 4, Insightful

    Probably would have held out longer.

    A fingerprint scanner with a pulse detector (which many have) would have been fine too. Any security system can be bypassed with enough effort, so you need to consider what you are trying to protect, and make sure bypassing security is more trouble than it is worth. A doctor who wants an extra day off will obviously make a fake finger, but may not go to the trouble of making a pulse generator.

  6. Re:"supposedly foolproof security tech" by ackthpt · · Score: 4, Insightful

    Let's face it, nothing will ever be secure as long as people are involved.

    Time to start getting rid of them. ;)

    --

    A feeling of having made the same mistake before: Deja Foobar
  7. Re:Retina Scanners... by Vicarius · · Score: 4, Interesting

    Pulse detector can be fooled too. Check the end of this presentation, where he tried different molds and techniques, and finally succeeds opening a safe that detects pulse using a fake fingerprint: DEFCON 19: Safe to Armed in Seconds: A Study of Epic Fails of Popular Gun Safes.

  8. Re:Retina Scanners... by ctime · · Score: 4, Informative

    Iris scanners have lower false positive rejection rates and are more accurate than Retina scanners, which do exist. Retinas can become damaged and change with time, unlike the human iris which does not under normal circumstances change during lifetimes.

    Iris scanners considered the best biometric authentication, they are also typically the most expensive (look up the LG scanner pricing).

    http://www.lgiris.com/ps/products/previousmodels/irisaccess2200.htm

    http://web2.utc.edu/~Li-Yang/cpsc4600/6-Iris-DNA/IRIS-Retina.ppt has some good info on the differences.

  9. Re:What? by DMUTPeregrine · · Score: 4, Insightful

    NO!

    Biometrics aren't a replacement for passwords, they're a replacement for USERNAMES. They provide a "something you have" factor to authentication, there still needs to be a "something you know."

    Like usernames they aren't secret. They don't need to be secret, and they can be copied without ruining the security of the system. They don't need to be changed, and are unique to each user. Biometrics are great when used as usernames, and a security nightmare waiting to happen when used as a password.

    --
    Not a sentence!