Giving biometric scanners the (fake) finger

Doctors in Brazil are using phony silicon fingers to fool biometric scanners. Sneaky? Sure. But you really gotta hand it to them.

fake fingersImage credit: flickr/London Looks

We all know passwords suck – they’re hard to remember, a pain in the arse to manage, and even the good ones are only as secure as the database in which they reside. We’ve seen enough password-hacking exploits over the last year (Dropbox, Evernote, LinkedIn, eHarmony to name just a few) to realize that much is true.

For many, the solution to our authentication woes lies in biometrics. What easier way to log in to your personal accounts than by using part of your person? Nothing to remember, nothing to bring, hard for someone else to duplicate or steal. No muss, no fuss.

Well, not so fast, kemosabe. Todays’ news brings an example of how biometrics can be easily fooled.

According to a report by Agency France-Presse, doctors in Brazil are using fake fingers to fool biometric scanners designed to track their comings and goings. At least five docs at Hospital Ferraz de Vasconcelos in Sao Paulo have been suspended after they were discovered using bogus silicon silicone digits, imprinted with their fingerprints, to clock their colleagues in and out of work.

Yes, it’s the old Gummy Bear fingerprint hack, only less delicious.

Per the report:

The mayor of Ferraz de Vasconcelos, Acir Fillo, said there might be as many as 300 hospital employees who do not exist, except for fake fingers with their prints, but who get paid anyway.

Thus lending an entirely new meaning to the phrase, “Giving your boss the finger.” Ba-dum-bum. Thank you, ladies and germs, please remember to tip your waiters.

When I first saw the headlines for this story I immediately went to a much darker place. I envisioned doctors going into the morgue and borrowing a few digits for use in fooling the machines. I mean, it’s not like those guys needed them any more. Things like this have happened before.

Then I realized this wouldn’t work. For one thing, they’d have the wrong prints. For another, they’d be, well, a bit chilly.

Most current fingerprint scanners have technology that can detect whether the finger has a pulse, and some read fingerprints at a depth below skin level, which would render the silicon silicone fingers useless. Apparently, that hospital is using an older type of scanner.

As a biometric, though, fingerprints aren’t really all that reliable, in part because their effectiveness varies depending on factors like skin type. Other biometrics based on your behavior – like the unique way in which every person types, known as “keystroke dynamics” – hold more promise.

But they don’t answer two essential questions:

1. Can the parties who are guarding your biometric data can be trusted to keep it out of the hands, so to speak, of hackers? If attackers can compromise the database where biometrics are matched up to actual identities and manipulate them, all bets are off – and you could be in a world of hurt.

2. What if you want to be both secure and private in your dealings on the Net? Can you be both positively identified using biometrics and pseudonymous at the same time? That would require an infrastructure of third-party ID verification services, which of course, we’d have to learn to trust.

With luck, these things may eventually happen. So keep your fingers crossed.

Got a question about social media or privacy? TY4NS blogger Dan Tynan may have the answer (and if not, he’ll make something up). Visit his snarky, occasionally NSFW blogeSarcasm or follow him on Twitter: @tynanwrites. For the latest IT news, analysis and how-to’s, follow ITworld onTwitter and Facebook.

Now read this:

The new MySpace: I like it, I really do. What's wrong with me?

What's the freakin' deal with all these LinkedIn endorsements?

Facebook knows you're gay before your mother does

This story, "Giving biometric scanners the (fake) finger" was originally published by ITworld.


Copyright © 2013 IDG Communications, Inc.

Shop Tech Products at Amazon