Fingers Getting Chopped Off, Diebold To Switch From Fingerprint To Palm-Vein?

From Businessweek:

Worried about ATM fraud, several Brazilian banks began rolling out machines equipped with fingerprint readers. Undeterred, criminals began severing the fingers of account holders to gain access to their money, says Frank Natoli, chief innovation officer at Diebold. One of the world’s top suppliers of ATMs, Diebold is working with some of the country’s banks to switch over to palm-vein-recognition systems.

Anyone have any color or experience related to this?

I always thought that fingerprint readers might be bad, for that reason.

Another creepy thought is if they went to retina scans.

I'm assuming that a severed hand would not gain access due to lack of blood flow?

Hopefully the criminals who would sever a digit to spoof a biometric test will quickly realize that a dead digit will not be accepted by a modern biometric system. And if I were working over at Diebold I’d raise my hand and suggest the best way to combat this kind of ignorance is to release a press campaign, at least in the affected area, to reinforce what the criminals will learn the first time they walk up to an ATM with something in a napkin. Otherwise, what’s next? Escalation? Diebold’s approach of switching to palm recognition is flawed. So they would put the hands at risk instead of the finger? Besides, from what I know, palm rec is not as effective as fingerprint rec, so the efficacy of the whole system takes a hit even when it’s being used properly. Finally, if a dead digit does in fact pass the current biometric test in use, then migrating to a modern biometric system is the first order, and probably more cost effective than switching biometric types wholesale.

Diebold’s approach of switching to palm recognition is flawed.

No, it's an upgrade path ;)

The most despicable form of bank "hacking" known.

I'm having a hard time finding any specific reported incidents of people's fingers being severed for use in Brazilian ATMs.

Not that I would put anything past some elements of society, but it would be nice to know the details surrounding the incident, e.g. was the finger actually tried, was it successful?

And how many times has it happened? Surely, even once is too many times, but people are violently attacked for their ATM and PIN codes all the time. Would a criminal really prefer this messy hack over the tried and true?

Also since the source is Diebold, and Diebold is likely not giving these palm scanners away for free, it's worth verifying how bad this problem really is, no?

I have only been able to locate one reliable story of someone's finger getting cut off to open a biometric lock. This occurred in Malaysia in 2005 to open a Mercedes car door.

Yes, I found only this one as well, mentioned in a later post below.

Fwiw, even with this story, it doesn't sound like they planned to do this from the start. Rather, after forcing the guy to start the car they threw him in a ditch. Later, it sounds like somebody turned the car off (sorry Boss!), and then the thugs went back and cut a fingertip off the guy and brought it back.

No word on whether it worked.

The Diebold exec's statement makes it sound like it's a new wave of pre-meditated crime. Maybe there was an incident behind it, but it doesn't seem likely that it's some new fad in crime.

Sure, cut someone's fingers off, like a spy or a Brinks guard, because they would refuse.

But who would refuse ATM access and risk their fingers being cut off? And what criminal would think it's good to have a screaming victim around while they swipe a bloody finger??

So maybe they kill them first and then take their finger. Sure but that's just the same as getting their pin/card and killing them. Except sans the bloody finger.

Like Skip mentions above, even cheap fingerprint sensors these days aren't fooled by severed digits. The methods of defending against this range from simple (heartbeat detection) to complex, multi-spectral images that employ layers of 'unnaturalness detection'.

See our: Fake Fingerprints - Liveness Detection Solutions note for more.

Frank Natoli is a Diebold executive, both listed on Diebold's website and on his own LinkedIn page.

It could be that Businessweek got this wrong, though (mainstream publications sometimes are unclear about niche technology).

Forget Brazil, I'm having a hard time finding ANY time someone's finger was severed to use in a fingerprint reader, save this one example of a Malaysian businessman who was carjacked and the car could only be driven after being authenticated thru its built-in reader!

Anybody know any others?

They are probably looking at the experience of Japanese banks that employed palm vein readers for ATMs many years ago.

The palm vein biometric modality is more accurate than fingerprints and more robust to spoofing.

At ISC West I saw a Diebold prototype of the new-generation ATM (IRVING) with an iris scanner. (Retina is outdated as a biometric modality because of the complexity of getting the image and possible harm to the eyes.) Iris is even better from the point of view of accuracy. Reliability depends on the type of sensor. Anyway, the Diebold representative at the show told me that it was a modular system and they can add almost any modality the customer chooses.

Several years ago I heard a story like this, but instead of Brazil it was India and Pakistan. I don't think that it was true, and it was just something I heard - not read. Seems like a bit of a ghost story to me.

Demolition Man (1993)

The guy just gets out of the joint for tax evasion and now he's some sort of Brazilian Biometric Badass? Unbelievable.

Most of the fingerprint biometrics require a live finger with blood flowing through the fingers.

I think the purported issue is that criminals don't know this, and therefore aren't properly deterred.

And a victim yelling "Hah, it'll never work you bastards!", though satisfying in the moment, has little long term consolative effect.

I guess that after the fact, the victim can exclaim "I told you so!" while pointing...another finger at the perpetrator.

I've asked the author of the article.

Couldn't find Diebold on Twitter.

"..criminals began severing the fingers of account holders to gain access to their money, says Frank Natoli, chief innovation officer at Diebold."

Personally, I'm skeptical when I see claims like this. Is Frank able to name specific cases where this has happened? How frequently has this occurred? (I wonder how the villain knows they're going to need your fingerprint and must take your fingers while they steal your card). While I don't doubt it may be possible or have occurred on an occasion, I suspect it's more likely to be a strawman argument designed to pimp their new product. Kind of like how ppl talk about chain of custody of video evidence lest the video get thrown out of court--yet are unable to cite a single specific case of evidence being thrown out in a real court case.