MD used "silicone fingers" to trick biometric time clock on colleagues' behalf

Brazilian doctor Thaune Nunes Ferreira, 29, was arrested for fraud for allegedly covering up her colleagues' absence from work by using prosthetic fingers to sign them in on a biometric time clock at the hospital near Sao Paulo. According to the BBC, "police said she had six silicone fingers with her at the time of her arrest, three of which have already been identified as bearing the fingerprints of co-workers." Ferreira's attorney claims "she was forced into the fraud as she faced losing her job." (BBC News)


  1. What’s so surprising about transferring a fingerprint impression?  It’s the big security hole in these fingerprint systems:  They only work until you touch something smooth while not wearing gloves.  After that, anybody can come in, lift the print, and make a copy of your finger.  Ironically, this includes most fingerprint scanners, as the glass is the ideal surface for maintaining a fingerprint.  

    1.  Ya, fake “gummie fingers” have been a known hole in these systems since they first appeared. The fake prints are very easy to make, like with your home printer and in your kitchen easy to make.

      I am somewhat surprised they were not using any of the more advanced tech that actually looks at dermal structure below the skin surface.

      1.  Apparently, this wasn’t a high security application of the technology. It was only being used for time and attendance. The risk of forgery usually wouldn’t justify the extra costs of the more complex biometric systems since they weren’t protecting sensitive data. Proof again that the malicious insider threat is the one you can always count on.

      2.  Yea, a few minutes with the Google Oracle shows it to be pretty easy. This could be a fun weekend project with the kids…

    2. That’s my issue with any biometric sensors. In the case in point, the finger “owners” were part of the scheme. But suppose they were stolen. If my credit card is forged, I can cancel it and get another number. But once you get your biometric data forged, how are you going to replace your iris?

    3. It’s a long way from “We knew about this already.” to “A doctor is caught with six fake fingers in her possession.” If you can’t see that, you need to clean your glasses.

  2. If I recall rightly something like this has been featured in at least one James Bond film and in an episode of Wonder Woman with Lynda Carter–although in those cases it was done with more nefarious intent.

    At the time I thought, well, obviously it’s ridiculous that such a system could be fooled so easily. Now it seems ridiculous that no one realized this was a major problem with these sensors.

    1. Lots of people know about these problems, including the manufacturers, but somehow they just don’t make it to the marketing material.  Go figure.

      This is why Biometrics is usually talked about in a multi-factor security sense.  IE, your thumbprint scanner should always require you to type in a password or swipe a badge as well. 

  3. Thanks for the info, folks! You’re right, seems spoofing isn’t that hard! Corrected my post.

  4. I would have called them personal masturbatory devices, claimed I had a weird co-worker/office fetish, and told whomever was detaining me to politely go and fuck themselves and allow me to do the same. 

  5. My gym went to biometric sign in with your fingerprint and I found the whole thing annoying.   Makes me want to get something like this to use to sign in with my own print to make a point.

    1. You don’t find it convenient to be free of freeloaders and not having to carry around some dingus?

      Or does it not leave you free enough of freeloaders?

  6. Do any of the commenters here have actual knowledge of the liveness detection being used in modern sensors?  Or are you just guessing?  I haven’t worked with them myself, but there has been a lot of development into the detection of heat, pulse, etc, in order to prevent spoofing.  The fingerprint readers used in time and attendance systems are typically older technology.

    However, in any case you need to look at this stuff with the right security angle.  The question isn’t “can this system be defeated?” it is “is this system better than what we have now?”   A conventional time and attendance system (punch cards) can be very easily spoofed by simply having a friend clock in for you.  This system requires a much more sophisticated attack.

    1. I’m using one right now that detects heat, and requires your finger to “swipe” over a narrow strip instead of a larger flat glass surface. Similar to those on some old IBM laptops.

      It’s made in Korea, but re-sold by Yale as the Gateman locks.

    2. I get your point, but in the end, there is software interpreting whatever is the input. If you can mimic the biometric input (for example, by plugging a device that pumps signals into the sensor-machine connection), you can get access to the system. Heat and pulse can be simulated too.

      Of course, I am not saying that this is trivial — far from that. But once (if) your biometric data can be encoded and stored on a portable digital format, you cannot reset it. You can always get another Twitter password.
