/ Biometric clocking in at work

This topic has been archived, and won't accept reply postings.
Jus - on 07 Aug 2017
What are people's thoughts regarding giving your fingerprint data over to your employer?
Lord_ash2000 - on 07 Aug 2017
In reply to Jus:

I wouldn't be to fussed, what harm are they going to do with it?

However if it's anything like the finger print scan on my phone I think it would have some problems.

Climbing don't go well with finger print recognition
1
Swig - on 07 Aug 2017
In reply to Jus:

It might depend on what's held.

An iPhone holds some sort of mathematical representation (hash) of fingerprints rather than an image. They claim it isn't possible to make the image from the (I'd guess fairly long) number.
Jus - on 07 Aug 2017
In reply to Swig:

It just feels very big brother/ 1984!
Rigid Raider - on 07 Aug 2017
In reply to Jus:
We were supposed to clock in with a card but I lost mine and nobody seemed to bother. About two months later I dropped a suit at the dry cleaner and the bloke there pulled out my plastic card from a drawer and asked me: "Isn't this your name? I found it inside the dry cleaner."
Post edited at 17:11
dread-i - on 07 Aug 2017
In reply to Jus:

Its not fingerprint data, as used by the police. Its is a hash* of identifying swirls and curls, with a degree of fuzziness, due to prints not being perfect.

You print will be scanned, broken into sections and each section compared with a master print, which itself is broken down into sections. The comparison wont be 100% like for like, as dirt, or angle of your finger will make a difference. At the end of the process, an algorithm will say something like '10 of the 20 sample points match with a 50% degree of accuracy'. That gives a 1 in {big number} probability of it being you.

As I found, if you boulder on grit you loose fingerprints easily.

If you're really worried about this sort of thing, be aware you leave your fingerprints all over the place, all the time. There is a well known hack involving finger prints and gummy bears, google will tell you more.
DNA can also be gleaned from fingerprints.
People seem leak personal info all the time.

*see sha-2
1
cb294 - on 07 Aug 2017
In reply to Jus:

Depends on the kind of job you are doing. I can imagine situations where it would be way over the top and a gross violation of privacy rights, but others where it would be part of a state of the art security arrangement. Inappropriate for, say, a teacher or sales attendant, likely appropriate if you work in a high level biosafety facility or nuclear power plant.

CB
marsbar - on 07 Aug 2017
In reply to Jus:

It's common for schools to use thumb prints for charging for meals. It stops bullying over lunch money and the hassle of handling cash.
alx - on 07 Aug 2017
In reply to Jus:

Justification would be required.

To be frank, the effort of setting up and conducting the process would far exceed other simpler methods of monitoring.

If you work in areas where evidence is gathered and presented in a court of law I would imagine finger print as well as shoe foot print and DNA would be useful to understand if a crime scene had been poorly preserved during an investigation.
Neil Williams - on 07 Aug 2017
In reply to Jus:

Don't care about biometrics overly.

Do care more about clocking (as distinct from submitting timesheets), it shows a lack of trust.
1
The Lemming - on 07 Aug 2017
In reply to Jus:

> What are people's thoughts regarding giving your fingerprint data over to your employer?

I would not give my finger prints to the police, unless I was ordered to by law. So why would I want to give such important information to my employer, convenience?

The technology may not be there today to faithfully record and document your fingerprint, but the time will come. By then you will be too relaxed complacent to realise this as you will have been giving personal identifiable features about yourself as a matter of course.

And what comes of the time when this technology is so sophisticated that it can be hacked and used against you?

Big, big, big alarm bells are ringing for me.
9
dread-i - on 07 Aug 2017
In reply to The Lemming:

>And what comes of the time when this technology is so sophisticated ...

And yet, you'll happily allow your employer to take your photo for your ID badge. You're not going to be spotted in the street or followed via a camera in a crowd if they have your finger prints. Your finger prints wont appear on news at 10, if you 'go postal' at work. We broadcast biometric info all the time. Asking for a photo is the same as asking for a fingerprint, only a more accurate and intrusive way of identifying you.

Fingerprints may be emotive, as they are commonly associated with criminals and law enforcement. Would people be happy with a retinal scan instead?

As for cost, lots of these systems are comparable with a card access system. The security is higher and running costs are lower, as people misplace cards etc.
The Lemming - on 07 Aug 2017
In reply to dread-i:

> >And what comes of the time when this technology is so sophisticated ...

> And yet, you'll happily allow your employer to take your photo for your ID badge. You're not going to be spotted in the street or followed via a camera in a crowd if they have your finger prints.

Not exactly a convincing argument.

Yes I can be tracked by CCTV with face recognition. Anybody can take my photo in a public place and use that as they see fit.

Somebody would have to take my fingerprints against my will.

You could pretend to be me with a photo of me but I suspect that the visual clues would be spotted.

2
dread-i - on 07 Aug 2017
In reply to The Lemming:

> Somebody would have to take my fingerprints against my will.
Or just pick some item up that you've used and they also now have your DNA as a bonus.

>You could pretend to be me with a photo of me...
There's centuries of research into disguises. Making one person look like another; for nefarious reasons or to play a role on stage etc.

ads.ukclimbing.com
thermal_t - on 07 Aug 2017
In reply to Jus:

Meh. I've already worked on several building sites where a fingerprint operated turnstile is in place to get onto site. Doesn't really bother me.
gethin_allen on 07 Aug 2017
In reply to Jus:

It wouldn't bother me either for data security or for time clocking. I need to use my RFID staff card to scan through dozens of doors in work every day so if anyone wanted to check up on me they could already and at least I wouldn't be able to leave my fingers at home or in the lab/office as I regularly do with my staff card.
aln - on 08 Aug 2017
In reply to marsbar:
> It's common for schools to use thumb prints for charging for meals.

Where do schools do that?
Post edited at 00:32
Big Ger - on 08 Aug 2017
In reply to aln:

In schools...
1
mrphilipoldham - on 08 Aug 2017
In reply to aln:

In the canteen, probably.
aln - on 08 Aug 2017
In reply to mrphilipoldham:

Not in any schools anywhere near where I live or that I've heard of.
mrphilipoldham - on 08 Aug 2017
In reply to aln:

I must admit I hadn't heard of it either, but a quick Google suggests it's been going on fairly widely since at least 2013.
marsbar - on 08 Aug 2017
In reply to aln:

Around a 1/3 of secondary schools at a very rough guess based on my time as a supply teacher.

They don't keep the image just some numbers based on it, and they don't do all the fingers. Parents can refuse. I've been happy to use it myself.
Jus - on 08 Aug 2017
In reply to marsbar:

Thing is - how do you know what they keep?

I'm probably overreacting, but I can't help feeling that there is something sinister about organisations tracking you through fingerprinting...

It might be nothing right now, but it strikes me as the thin end of the wedge. Next stop, this?
http://www.bbc.co.uk/news/av/world-us-canada-40806583/wisconsin-company-offers-microchip-implants-to...
Blue Straggler - on 08 Aug 2017
In reply to Jus:

> It just feels very big brother/ 1984!

Big Brother is FROM Nineteen Eighty-Four. You don't need to mention both.
Blue Straggler - on 08 Aug 2017
In reply to Jus:

>

> [corrupted URL about Wisconsin chip implants]

Next stop, this?

https://www.youtube.com/watch?v=qZNfwayNLL0
timjones - on 08 Aug 2017
In reply to Neil Williams:

> Don't care about biometrics overly.

> Do care more about clocking (as distinct from submitting timesheets), it shows a lack of trust.

OTOH in many work environments clocking in and out is by far the simplest way to do the job and timeshares would be a waste of time and resources.
Neil Williams - on 08 Aug 2017
In reply to Jus:
> Thing is - how do you know what they keep?
>
> I'm probably overreacting

You probably are indeed...it's this kind of overreaction that caused us to get the hopelessly unreliable facial biometric recognition for passports instead of a more reliable, cheaper, smaller and quicker fingerprint based verification which would have made the automatic gates almost as cheap, reliable and small as train ticket barriers.
Post edited at 11:59
Neil Williams - on 08 Aug 2017
In reply to timjones:
> OTOH in many work environments clocking in and out is by far the simplest way to do the job and timeshares would be a waste of time and resources.

True, mostly I guess in non-IT-based work environments (i.e. where you'd have the faff of going on a computer to submit each day/week when your job normally doesn't involve a computer).
Post edited at 11:59
ads.ukclimbing.com
timjones - on 08 Aug 2017
In reply to Neil Williams:

> True, mostly I guess in non-IT-based work environments (i.e. where you'd have the faff of going on a computer to submit each day/week when your job normally doesn't involve a computer)

I'd say that even if you work at a computer it is still likely to be simpler to clock in/out at the door rather than having to do it at your desk.

Sometimes the old tried and tested systems are still the best ;)
Jimbocz - on 08 Aug 2017
In reply to Jus:

> Thing is - how do you know what they keep?

> I'm probably overreacting, but I can't help feeling that there is something sinister about organisations tracking you through fingerprinting...

> It might be nothing right now, but it strikes me as the thin end of the wedge. Next stop, this?



I don't see any problem with this and I would be happy to have a micro chip implanted if it meant I could easily prove who I am. I must authenticate myself through passwords and pins and keys about 75 times per day. I'd gladly trade that for a wave of the hand. These chips are the same as what's on your Oyster Card and can't be read more than about 6 inches away.

By themselves, they don't automatically equate to some distopian tracking scheme, neither does your employer storing your fingerprints. Of course, your employer could be evil , but that's the risk you run anyway.

All of this pales in comparison to the most sophisticated tracking device in history that most of us happily carry around with us and input our most personal thoughts. Nobody cares about your fingerprints, they are far more interested in your mobile phone and are motivated by money to exploit your data to your detriment.
marsbar - on 08 Aug 2017
In reply to Jus:
I don't know for certain what they keep. However they tell me they are not and there are laws in place to protect me.

I trust that they are telling the truth, or that if they lied about what they keep one of their engineers or coders would have whistle blown by now. I'd say as a general observation engineers and coders are more trustworthy on average than someone picked at random. Also better informed on this topic of privacy and information.

I also suppose that if they are going to use someone's finger print for something bad that the chances of them picking mine out of the millions is small.

Everything in life is a risk. The risk reward ratio on this one worked for me.

As I understand it my employer was nowhere near it, just the catering company IT supplier.
Post edited at 16:18
cb294 - on 08 Aug 2017
In reply to Neil Williams:

Yes, fingerprints and retina scans make reasonably reliable, automated ID possible. However, even these systems can be spoofed, in some cases even with simple photographs (which can be obtained in public spaces using a standard telephoto lens, at least according to a Spiegel article about a presentation at a recent cybersafety conference), no fancy contact lenses or silicone fingers required.
The problem is then, how do you convince anyone that it was not you that logged in and cleaned out the strongroom aty your place of work? The more people uncritically trust technology, the bigger the problems with ID theft become. Give me an old fashioned receptionist or armed guard post any day, obviously depending on the security level required.

CB
1
dread-i - on 08 Aug 2017
In reply to cb294:

>The problem is then, how do you convince anyone that it was not you that logged in and cleaned out the strongroom aty your place of work? The more people uncritically trust technology, the bigger the problems with ID theft become. Give me an old fashioned receptionist or armed guard post any day, obviously depending on the security level required.

You use different forms of authorisation, based on risk. Cleaning out the strong room, would require two factor auth (2fa). Something you are (fingerprint) to get in the room. Something you know (safe combination) to unlock the loot. No security system is perfect, but you can tailor it to the risk. If your vault has super secrets in it, add a time lock. Still not secure, add some armed guards and so on.

>Give me an old fashioned receptionist or armed guard post any day, obviously depending on the security level required.

That nuclear facility at Natanz in Iran had no internet access, armed guards, and all the staff were security screened. Yet, they still managed to get infected with the stuxnet virus.
elsewhere on 08 Aug 2017
In reply to cb294:
An essential part of ID is revocation and repudiation.

If somebody nicks your passport it can be revoked and you can repudiate a mortgage application saying "that's not me, that's the number of the passport stolen 3 years ago".

If your biometric ID is stolen, faked or duplicated you can't revoke the ID without surgery or grinding away your fingertips so you can't repudiate the fraudulent transaction.
Jus - on 08 Aug 2017
In reply to Blue Straggler:

> Next stop, this?


that looks good!
cb294 - on 08 Aug 2017
In reply to dread-i:

Yes I was being facetious, but the problem that biometric ID causes bigger problems in case of ID theft precisely because it is (naively) trusted as being safe definitely remains.

Maybe the strongroom or the freezer with the lethal viruses will have 2fa, but what about online payments, credit cards, etc..

Unfortunately too many people are happy to trade convenience for safety and/or privacy.

CB
cb294 - on 08 Aug 2017
In reply to elsewhere:

Precisely!

CB
Kevster - on 08 Aug 2017
In reply to Jus:

Worked at a school, where access was via finger print, that was maybe 8 years ago. Nothing new. This included students too.
Where's the problem? It's a pobablility that it's correct, just harder to fake than a number or signature.
birdie num num - on 08 Aug 2017
In reply to Jus:

It's just an insulting lack of trust in the workforce. Spying on folk who are trying to earn an honest living and at the same time, balance the work/play equation.
Normally when I have a temporary need for extra recovery following a hard night of the play aspect of the work/play balance, my mate clocks me in. And vice versa.
dread-i - on 09 Aug 2017
In reply to cb294:

> Yes I was being facetious, but the problem that biometric ID causes bigger problems in case of ID theft precisely because it is (naively) trusted as being safe definitely remains.

Agree, to an extent.
If you hash a fingerprint, you would use that has as a password to unlock a standard SSL private key. The SSL key can be changed easily, but there is still the issue of the fingerprint being known. Once your fingerprint leaks out, it is not game over. There are still mitigations you can use, such as 2fa.

> Maybe the strongroom or the freezer with the lethal viruses will have 2fa, but what about online payments, credit cards, etc..

It's already here. That 'Verified by Visa' thing that asks you for your password is 2fa. You have your card, you know your password. The input you give, takes a different path to the traffic going to the vendor.

The thing about security, is that it is a moving target. Back in the day, multi million pound deals were done on the strength of a hand shake. That moved onto to signatures being used to secure a contract. Now it is digital signatures, based on strong cryptography involving big numbers. Soon that will move to quantum cryptography.

winhill - on 09 Aug 2017
In reply to Kevster:

> Worked at a school, where access was via finger print, that was maybe 8 years ago. Nothing new. This included students too.

> Where's the problem?

For me, the problem in schools, is encouraging kids to be lax about giving up biometric information.

Once a biometric is compromised it's compromised for life, unless you have surgery.

A fingerprint scanner scans the whole fingerprint then looks for forensically interesting loops, whorls, arches etc to produce several dozen points that can be stored. You then trust the software not to store the original scan.

Even if the software doesn't store the scan, anyone can give you a reader that does store the scan and then say it hasn't worked and can you use a PIN or say the wireless is weak and then bring out a genuine second machine etc.

Then it could be trivially easy to reproduce the scan and fit this to compromise the account.

Our local schools use it for the canteen, registration and even the library but I just refuse to let them use it for my kids, even though the schools give it a very hard sell (ie they chase you to register and don't offer an easy opt out).

The problem for the biometric industry (I used to sell for a biometric company) is that there hasn't been a high enough uptake across secure environments, so they have been forced to push it into environments where the motive is convenience rather than security, realistically though you should only give up biometrics when security demands it.
winhill - on 09 Aug 2017
In reply to dread-i:

> It's already here. That 'Verified by Visa' thing that asks you for your password is 2fa. You have your card, you know your password. The input you give, takes a different path to the traffic going to the vendor.

If you're using biometrics you could utilise the tuppenny scanner on your phone to generate a token that is itself part of a challenge response so only the token moves, not the biometric (time stamped of course).

But phones are too important so you need to be able to get around the biometric, if the scan fails for some reason. In which case you're back to entering your cat's birthday.

An open source OS is less than ideal, although it can be hardened but reliability and fallibility are always going to be an issue.
ads.ukclimbing.com
DancingOnRock - on 09 Aug 2017
In reply to Jus:
It's no different to a signature. My signature is everywhere.

The point is all it does, like a signature, is provide a small amount of evidence that you were there.

Your signature at the bottom of a contract says only that you were there, it doesn't say you understood or agreed to anything.

In law, fingerprints still cannot be used as a single source of evidence. They can only be used as supporting evidence.

You clock in with your thumb print, all it's giving your employer is a time stamp that says it's highly likely that you were there at that time and starting work.

The fact you then go to the toilet, have a coffee, chat about the football and then go to your workstation is beside the point.

The same with school canteen, it was most likely you that had sausage and chips and have agreed to have money debited from your account. If the money debited is wrong or gets taken from the wrong account then there must be processes to follow that up. They can't and shouldn't rely on the thumb print being the be all and end all.

Lots of hysteria over something that is 'new' and has a fancy sounding 'biometric' label.
Post edited at 11:46
Kevster - on 09 Aug 2017
In reply to winhill:

Interesting take from an insider.
Do you apply the same rigors to social media, Internet shopping etc etc? I'm not picking holes or looking to spar on the forum, it just strikes me that it's so easy to give or have taken so much personal data, it's fairly un avoidable.
Surely biometrics is more secure than a 4 digit number or a signature? These are easily misused and in the past were all one had.

Is there a solution?
Blue Straggler - on 11 Aug 2017
In reply to Jus:

> that looks good!

Yes. I think it's been dumped i.e. they did not distribute it to U.K. Cinemas, at least not nationwide wide release
krikoman - on 11 Aug 2017
In reply to Blue Straggler:

> Next stop, this?


I've seen the pre-quel, "The Beko Experiment," where people buy white goods and every now and then one of them sets on fire.
Ciro - on 11 Aug 2017
In reply to Jus:

Personally, I'd prefer that if someone wants to break into my workplace, they will need to try to steal my access card rather than chop off my finger, as the former wouldn't have an impact on my climbing.

This topic has been archived, and won't accept reply postings.