MD used "silicone fingers" to trick biometric time clock on colleagues' behalf


20 Responses to “MD used "silicone fingers" to trick biometric time clock on colleagues' behalf”

  1. jandrese says:

    What’s so surprising about transferring a fingerprint impression?  It’s the big security hole in these fingerprint systems:  They only work until you touch something smooth while not wearing gloves.  After that, anybody can come in, lift the print, and make a copy of your finger.  Ironically, this includes most fingerprint scanners, as the glass is the ideal surface for maintaining a fingerprint.  

    • TacoChuck says:

       Ya, fake “gummie fingers” have been a known hole in these systems since they first appeared. The fake prints are very easy to make, like with your home printer and in your kitchen easy to make.

      I am somewhat surprised they were not using any of the more advanced tech that actually looks at dermal structure below the skin surface.

      • James Pryor says:

         Apparently, this wasn’t a high security application of the technology. It was only being used for time and attendance. The risk of forgery usually wouldn’t justify the extra costs of the more complex biometric systems since they weren’t protecting sensitive data. Proof again that the malicious insider threat is the one you can always count on.

      • Ambiguity says:

         Yea, a few minutes with the Google Oracle shows it to be pretty easy. This could be a fun weekend project with the kids…

    • Sigmund_Jung says:

      That’s my issue with any biometric sensors. In the case in point, the finger “owners” were part of the scheme. But suppose they were stolen. If my credit card is forged, I can cancel it and get another number. But once you get your biometric data forged, how are you going to replace your iris?

    • timquinn says:

      It’s a long way from “We knew about this already.” to “A doctor is caught with six fake fingers in her possession.” If you can’t see that, you need to clean your glasses.

  2. nixiebunny says:

    Silicone, not silicon. Please fix the headline. 

  3. Boundegar says:

    They make doctors punch a time clock?  And I thought we had labor problems here.

  4. Christopher says:

    If I recall rightly something like this has been featured in at least one James Bond film and in an episode of Wonder Woman with Lynda Carter–although in those cases it was done with more nefarious intent.

    At the time I thought, well, obviously it’s ridiculous that such a system could be fooled so easily. Now it seems ridiculous that no one realized this was a major problem with these sensors.

    • jandrese says:

      Lots of people know about these problems, including the manufacturers, but somehow they just don’t make it to the marketing material.  Go figure.

      This is why Biometrics is usually talked about in a multi-factor security sense. I.e., your thumbprint scanner should always require you to type in a password or swipe a badge as well.

  5. David Pescovitz says:

    Thanks for the info, folks! You’re right, seems spoofing isn’t that hard! Corrected my post.

  6. Bradley Robinson says:

    I would have called them personal masturbatory devices, claimed I had a weird co-worker/office fetish, and told whomever was detaining me to politely go and fuck themselves and allow me to do the same. 

  7. Lurking_Grue says:

    My gym went to biometric sign in with your fingerprint and I found the whole thing annoying.   Makes me want to get something like this to use to sign in with my own print to make a point.

    • max00 says:

      You don’t find it convenient to be free of freeloaders and not having to carry around some dingus?

      Or does it not leave you free enough of freeloaders?

  8. Alex Kilpatrick says:

    Do any of the commenters here have actual knowledge of the liveness detection being used in modern sensors? Or are you just guessing? I haven’t worked with them myself, but there has been a lot of development into the detection of heat, pulse, etc, in order to prevent spoofing. The fingerprint readers used in time and attendance systems are typically older technology.

    However, in any case you need to look at this stuff with the right security angle.  The question isn’t “can this system be defeated?” it is “is this system better than what we have now?”   A conventional time and attendance system (punch cards) can be very easily spoofed by simply having a friend clock in for you.  This system requires a much more sophisticated attack.

    • Ty_MY says:

      I’m using one right now that detects heat, and requires your finger to “swipe” over a narrow strip instead of a larger flat glass surface. Similar to those on some old IBM laptops.

      It’s made in Korea, but re-sold by Yale as the Gateman locks.

    • Sigmund_Jung says:

      I get your point, but in the end, there is software interpreting whatever is the input. If you can mimic the biometric input (for example, by plugging a device that pumps signals into the sensor-machine connection), you can get access to the system. Heat and pulse can be simulated too.

      Of course, I am not saying that this is trivial — far from that. But once (if) your biometric data can be encoded and stored on a portable digital format, you cannot reset it. You can always get another Twitter password.

  9. Peter says:

    Just as long as she didn’t use Cheeto-fingers to sign in.

    One’s scamming the boss, the other’s just wrong.
