Fake Finger Attack! Run!

As someone who enjoys pointing out flaws and saying “I told you so” (I know, ‘people in glass houses’…), I thoroughly enjoyed news from Brazil that a fingerprint scanner was defeated by a…


The unfortunate lady, a doctor, worked at a hospital in São Paulo and was allegedly forced to cover up for lazy colleagues.  The hospital uses a fingerprint scanner (of unknown make and model, at this time) to track employee attendance; employees must scan a finger to clock-in and clock-out.  According to her lawyer, her colleagues preferred watching episodes of E.R. dubbed in Portuguese (that’s unconfirmed) to actually working in a hospital.  But how to get around this bulletproof security system?  Remove a finger, like a disgraced Yakuza member?  No, no. Put down the knife.

Let’s make a fake finger!

The current news releases don’t have much detail on the methodology, but it sounds like precise casts were taken of one finger for each lazy person, then used as a form for a finger replica.  I presume they would have to be very careful with the casting and forming to preserve the fingerprint, but a little intense focus on crafts can pay dividends of George Clooney episodes.


If only someone had warned them about fingerprint scanner vulnerabilities!  Oh, they did.  In fact, this sort of “replay attack” is a fundamental weakness of biometric security.  If someone steals your password, there are gazillions more that can replace it.  Your supply of replacement fingers is more limited.  Your supply of replacement eyes for retinal scanners is even smaller.

On that note, I’m off to form a new band called Fake Finger Attack.