Features Podcasts Family Video Comics Music Tech Science Books Film & TV Games ✚

Jill

MD used "silicone fingers" to trick biometric time clock on colleagues' behalf

David Pescovitz at 12:01 pm Wed, Mar 13, 2013

— FEATURED —

THE LATEST

Guatemala: Archive of documents from Rios Montt genocide trial, overturned 10 days after guilty verdict

THE LATEST

Guatemala: Nation's highest court throws out Ríos Montt genocide trial verdict and prison sentence

Feature

Eurovision 2013: An American in London

Book Review

The Twelve-Fingered Boy - mesmerizing YA horror novel

Book Review

Black Code: how spies, cops and crims are making cyberspace unfit for human habitation

— FOLLOW US —

Boing Boing is on Twitter and Facebook. Subscribe to our RSS feed or daily email.

 

— POLICIES —

Except where indicated, Boing Boing is licensed under a Creative Commons License permitting non-commercial sharing with attribution

 

— FONTS —

Tweet
Kindle
NewImageBrazilian doctor Thaune Nunes Ferreira, 29, was arrested for fraud for allegedly covering up her colleagues' absence from work by using prosthetic fingers to sign them in on a biometric time clock at the hospital near Sao Paulo. According to the BBC, "police said she had six silicone fingers with her at the time of her arrest, three of which have already been identified as bearing the fingerprints of co-workers." Ferreira's attorney claims "she was forced into the fraud as she faced losing her job." (BBC News)

David Pescovitz is Boing Boing's co-editor/managing partner. He's also a research director at Institute for the Future. On Instagram, he's @pesco.

MORE:  biometrics • crime • prosthetics • security • Weird

More at Boing Boing

Eurovision 2013: An American in London

The technology that links taxonomy and Star Trek

  • jandrese

    What’s so surprising about transferring a fingerprint impression?  It’s the big security hole in these fingerprint systems:  They only work until you touch something smooth while not wearing gloves.  After that, anybody can come in, lift the print, and make a copy of your finger.  Ironically, this includes most fingerprint scanners, as the glass is the ideal surface for maintaining a fingerprint.  

    • TacoChuck

       Ya, fake “gummie fingers” have been a known hole in these systems since they first appeared. The fake prints are very easy to make, like with your home printer and in your kitchen easy to make.

      I am somewhat surprised they were not using any of the more advanced tech that actually looks at dermal structure below the skin surface.

      • James Pryor

         Apparently, this wasn’t a high security application of the technology. It was only being used for time and attendance. The risk of forgery usually wouldn’t justify the extra costs of the more complex biometric systems since they weren’t protecting sensitive data. Proof again that the malicious insider threat is the one you can always count on.

      • Ambiguity

         Yea, a few minutes with the Google Oracle shows it to be pretty easy. This could be a fun weekend project with the kids…

        • TacoChuck

           Oh that sounds like a fun and educational idea!

    • Sigmund_Jung

      That’s my issue with any biometric sensors. In the case in point, the finger “owners” were part of the scheme. But suppose they were stolen. If my credit card is forged, I can cancel it and get another number. But once you get you biometric data forged, how are you going to replace your iris?

      • blissfulight

        Either they didn’t think of that…or they don’t want to think about that.  

    • timquinn

      It’s a long way from “We knew about this already.” to “A doctor is caught with six fake fingers in her possession.” If you can’t see that you need to clean your glasses.

  • nixiebunny

    Silicone, not silicon. Please fix the headline. 

  • Boundegar

    They make doctors punch a time clock?  And I thought we had labor problems here.

  • http://www.youtube.com/user/Freethinkersanon Christopher

    If I recall rightly something like this has been featured in at least one James Bond film and in an episode of Wonder Woman with Linda Carter–although in those cases it was done with more nefarious intent.

    At the time I thought, well, obviously it’s ridiculous that such a system could be fooled so easily. Now it seems ridiculous that no one realized this was a major problem with these sensors.

    • jandrese

      Lots of people know about these problems, including the manufacturers, but somehow they just don’t make it to the marketing material.  Go figure.

      This is why Biometrics is usually talked about in a multi-factor security sense.  IE, your thumbprint scanner should always require you to type in a password or swipe a badge as well. 

  • David Pescovitz

    Thanks for the info, folks! You’re right, seems spoofing isn’t that hard! Corrected my post.

  • Bradley Robinson

    I would have called them personal masturbatory devices, claimed I had a weird co-worker/office fetish, and told whomever was detaining me to politely go and fuck themselves and allow me to do the same. 

  • Lurking_Grue

    My gym went to biometric sign in with your fingerprint and I found the whole thing annoying.   Makes me want to get something like this to use to sign in with my own print to make a point.

    • max00

      You don’t find it convenient to be free of freeloaders and not having to carry around some dingus?

      Or does it not leave you free enough of freeloaders?

  • Alex Kilpatrick

    Do any of the commenters here have actual knowledge of the liveness detection being using in modern sensors?  Or are you just guessing?  I haven’t worked with them myself, but there has been a lot of development into the detection of heat, pulse, etc, in order to prevent spoofing.  The fingerprint readers used in time and attendance systems are typically older technology.

    However, in any case you need to look at this stuff with the right security angle.  The question isn’t “can this system be defeated?” it is “is this system better than what we have now?”   A conventional time and attendance system (punch cards) can be very easily spoofed by simply having a friend clock in for you.  This system requires a much more sophisticated attack.

    • Ty_MY

      I’m using one right now that detects heat, and requires your finger to “swipe” over a narrow strip instead of a larger flat glass surface. Similar to those on some old IBM laptops.

      It’s made in Korea, but re-sold by Yale as the Gateman locks.

    • Sigmund_Jung

      I get your point, but in the end, there is software interpreting whatever is the input. If you can mimic the biometric input (for example, by plugging a device that pumps signals into the sensor-machine connection), you can get access to the system. Heat and pulse can be simulated too.

      Of course, I am not saying that this is trivial — far from that. But once (if) your biometric data can be encoded and stored on a portable digital format, you cannot reset it. You can always get another Twitter password.

  • http://newnumber6.livejournal.com Peter

    Just as long as she didn’t use Cheeto-fingers to sign in.

    One’s scamming the boss, the other’s just wrong.