Fingers Getting Chopped Off, Diebold To Switch From Fingerprint To Palm-Vein?

John Honovich
Apr 10, 2016
IPVM

From Businessweek:

Worried about ATM fraud, several Brazilian banks began rolling out machines equipped with fingerprint readers. Undeterred, criminals began severing the fingers of account holders to gain access to their money, says Frank Natoli, chief innovation officer at Diebold. One of the world’s top suppliers of ATMs, Diebold is working with some of the country’s banks to switch over to palm-vein-recognition systems.

Anyone have any color or experience related to this?

(1)
Jeff Gack
Apr 10, 2016
IPVMU Certified

I always thought that fingerprint readers might be bad, for that reason.

Another creepy thought is if they went to retina scans.

I'm assuming that a severed hand would not gain access due to lack of blood flow?

Skip Cusack
Apr 10, 2016

Hopefully the criminals who would sever a digit to spoof a biometric test will quickly realize that a dead digit will not be accepted by a modern biometric system. And if I were working over at Diebold I’d raise my hand and suggest the best way to combat this kind of ignorance is to release a press campaign, at least in the affected area, to reinforce what the criminals will learn the first time they walk up to an ATM with something in a napkin. Otherwise, what’s next? Escalation? Diebold’s approach of switching to palm recognition is flawed. So they would put the hands at risk instead of the finger? Besides, from what I know, palm rec is not as effective as fingerprint rec, so the efficacy of the whole system takes a hit even when it’s being used properly. Finally, if a dead digit does in fact pass the current biometric test in use, then migrating to a modern biometric system is the first order, and probably more cost effective than switching biometric types wholesale.

(2)
Undisclosed #1
Apr 10, 2016
IPVMU Certified

Diebold’s approach of switching to palm recognition is flawed.

No, it's an upgrade path ;)

(2)
Undisclosed #1
Apr 10, 2016
IPVMU Certified

The most despicable form of bank "hacking" known.

(3)
Undisclosed #1
Apr 10, 2016
IPVMU Certified

I'm having a hard time finding any specific reported incidents of people's fingers being severed for use in Brazilian ATMs.

Not that I would put anything past some elements of society, but it would be nice to know the details surrounding the incident, e.g. was the finger actually tried, was it successful?

And how many times has it happened? Surely, even once is too many times, but people are violently attacked for their ATM and PIN codes all the time. Would a criminal really prefer this messy hack over the tried and true?

Also since the source is Diebold, and Diebold is likely not giving these palm scanners away for free, it's worth verifying how bad this problem really is, no?

(1)
John Bredehoft
Apr 13, 2016
Bredemarket / Incode Technologies

I have only been able to locate one reliable story of someone's finger getting cut off to open a biometric lock. This occurred in Malaysia in 2005 to open a Mercedes car door.

http://news.bbc.co.uk/2/hi/asia-pacific/4396831.stm

Undisclosed #1
Apr 13, 2016
IPVMU Certified

Yes, I found only this one as well, mentioned in a later post below.

Fwiw, even with this story, it doesn't sound like they planned to do this from the start. Rather, after forcing the guy to start the car they threw him in a ditch. Later, it sounds like somebody turned the car off (sorry Boss!), and then the thugs went back and cut a fingertip off the guy and brought it back.

No word on whether it worked.

The Diebold exec's statement makes it sound like it's a new wave of pre-meditated crime. Maybe there was an incident behind it, but it doesn't seem likely that it's some new fad in crime.

Sure, cut someone's fingers off, like a spy or a Brinks guard, because they would refuse.

But who would refuse ATM access and risk their fingers being cut off? And what criminal would think it's good to have a screaming victim around while they swipe a bloody finger??

So maybe they kill them first and then take their finger. Sure but that's just the same as getting their pin/card and killing them. Except sans the bloody finger.

(1)
Brian Rhodes
Apr 10, 2016
IPVMU Certified

Like Skip mentions above, even cheap fingerprint sensors these days aren't fooled by severed digits. The methods of defending against this range from simple (heartbeat detection) to complex, multi-spectral images that employ layers of 'unnaturalness detection'.

See our: Fake Fingerprints - Liveness Detection Solutions note for more.

(1)
John Honovich
Apr 10, 2016
IPVM

Frank Natoli is a Diebold executive, both listed on Diebold's website and on his own LinkedIn page.

It could be that Businessweek got this wrong, though (mainstream publications sometimes are unclear about niche technology).

(1)
Undisclosed #1
Apr 10, 2016
IPVMU Certified

Forget Brazil, I'm having a hard time finding ANY time someone's finger was severed to use in a fingerprint reader, save this one example of a Malaysian businessman who was carjacked and the car could only be driven after being authenticated thru its built-in reader!

Anybody know any others?

Konstantin Avramenko
Apr 11, 2016

They are probably looking at the experience of Japanese banks that employed palm vein readers for ATMs many years ago.

Palm vein biometric modality is more accurate than fingerprints and more robust to spoofing.

At ISC West I saw a Diebold prototype of the new generation ATM (IRVING) with the iris scanner. (Retina is outdated as a biometric modality because of the complexity of getting the image and possible harm to eyes.) Iris is even better from the point of accuracy. Reliability depends on the type of sensor. Anyway, the representative of Diebold at the show told me that it was a modular system and they can add almost any modality by choice of customer.

Hans Kahler
Apr 12, 2016
Eagle Eye Networks

Several years ago I heard a story like this, but instead of Brazil it was India and Pakistan. I don't think that it was true, and it was just something I heard - not read. Seems like a bit of a ghost story to me.

Konstantin Avramenko
Apr 12, 2016

Demolition Man (1993)

(2)
Undisclosed #1
Apr 20, 2016
IPVMU Certified

The guy just gets out of the joint for tax evasion and now he's some sort of Brazilian Biometric Badass? Unbelievable.

Ken Weiss
Apr 19, 2016

Most of the fingerprint biometrics require a live finger with blood flowing through the fingers.

Undisclosed #1
Apr 19, 2016
IPVMU Certified

I think the purported issue is that criminals don't know this, and therefore aren't properly deterred.

And a victim yelling "Hah, it'll never work you bastards!", though satisfying in the moment, has little long term consolative effect.

(1)
John Bredehoft
Apr 19, 2016
Bredemarket / Incode Technologies

I guess that after the fact, the victim can exclaim "I told you so!" while pointing...another finger at the perpetrator.

(1)
John Bredehoft
Apr 19, 2016
Bredemarket / Incode Technologies

I've asked the author of the article. https://twitter.com/johnebredehoft/status/722457649346785284

Couldn't find Diebold on Twitter.

Steve Mitchell
Apr 20, 2016

"..criminals began severing the fingers of account holders to gain access to their money, says Frank Natoli, chief innovation officer at Diebold."

Personally, I'm skeptical when I see claims like this. Is Frank able to name specific cases where this has happened? How frequently has this occurred? (I wonder how the villain knows they're going to need your fingerprint and must take your fingers while they steal your card). While I don't doubt it may be possible or have occurred on an occasion, I suspect it's more likely to be a strawman argument designed to pimp their new product. Kind of like how ppl talk about chain of custody of video evidence lest the video get thrown out of court--yet are unable to cite a single specific case of evidence being thrown out in a real court case.

(1)