Cybersecurity in Brazil

Guest Post: Brazil’s Cybersecurity Conundrum (Council of Foreign Relations)

Brazil has embraced the digital age with more gusto than most. It is one of the top users of social media and recently signed-off on a bill of rights for the Internet, the Marco Civil. The country is also a leader in the development of online banking with more than 43 percent of web users engaging such services, and can be proud of a thriving software industry, including some world class companies.

Brazil certainly is an interesting case.

Biometric voter verification in Brazil

Biometric voting machine to be used by 21.6 million Brazilians (Agência Brasil)

Over 20 million voters—15% of the population to take part in the 2014 elections—are estimated to cast their ballot by means of a voting machine with biometric identification, announced the Superior Electoral Court (“TSE”) on Wednesday (Aug 20). The technology can be found in 762 municipalities, among which 15 state capitals. The machines use the electors’ fingerprints to recognize their identity.

More Brazilian rubber-fingered ghosts

This time it’s the port of Paranaguá (Portuguese – Folha de S. Paulo)

A Federal Police (PF) operation Monday at the port of Paranaguá found “silicone fingers” that were used by employees to forge their attendance and receive credit for days not worked.

The 25 “fingers” were tailor-made, reproducing the fingers of 14 employees. They were stored in desks at the port, labeled with the name of each worker. Even a tray (ed. mold?) was found.

Each of the workers have worked there for at least eight years, according to PF.

Federal Police are investigating whether there are other people involved in the fraud.*

According to their site, the port at Paranaguá is the largest bulk port in latin America.

Paranaguá port                                                                                                                 ©Digital Globe & Microsoft Corporation

See Brazilian ghost doctors have rubber fingers for a more in-depth analysis of why forcing time-and-attendance fraud into the realm of rubber fingers is actually a good thing.

Long story short, every person who participated in creating a facsimile of their fingerprint has also had to create a lot of evidence that they participated in a conspiracy to defraud their employer.

The fraud kit in this most recent case can be seen at the Folha link.

*Translation from Google & Bing translation services with an assist by me. For now, robots still have a hard time with Brazilian Portuguese. I sympathize.

Brazil and India are leading the way to biometric forms of identity verification

SINGULARITY HUB The Brazilian bank Bradesco recently began using a palm vein biometric system called Palm of Your Hand to provide secure log-in on its ATM machines. Clients who choose to use traditional personal identification numbers can continue to do so, but those who go with the new system can forego PINs while simultaneously satisfying the national social security program’s requirement of “proof of life” in order to collect benefits.

In India, the national government is rolling out the largest biometric identification database to date, requiring all of its billion-plus citizens to register in hopes of reducing benefits fraud.

Brazilian ghost doctors have rubber fingers

Note: all links in this post go to Portuguese language sources. Translations are a collaboration between Google and me.

My brother in São Paulo tipped me off to a rubber finger scandal in the Greater S.P. health service.

Doctor busted in SP for falsifying colleagues fingerprints with silicone (Floha de S. Paulo – Portuguese)

A doctor was arrested red-handed on Sunday, March 10 for using silicone fingers to fake the fingerprints use to mark the attendance of colleagues. She and the other doctors are employees of Samu Service (Emergency Medical Care) for Ferraz de Vasconcelos, in Greater São Paulo.

According to police, Thauane Nunes Ferreira, 28, registered the attendance of 11 doctors and 20 nurses. She told police she practiced the irregularity because she was coerced by her boss. 

Greater SPDoctors suspected of faking attendance are removed (Floha de S. Paulo – Portuguese)

Six Samu Service (Emergency Medical Care) doctors  in Ferraz de Vasconcelos, Greater São Paulo, paid R$ 4,800 [ed. $2,450 US] to the coordinator of the service in the city, Jorge Luiz Cury, in order to avoid working four 24-hours shifts per month for which they were paid, City Hall says. Police are investigating the case. The city pulled the servers allegedly involved in the fraud.

The day before yesterday [ed. see above], when the scheme was discovered, doctor Thauane Nunes Ferreira, 28, was arrested in the act of using mock fingers with silicone fingerprints to mark the attendance of six colleagues.

Where they have been adopted, biometrics have made ghostbusting easier. In this case, with time-and-attendance biometrics deployed someone had to create and use 31 rubber fingers (pictured at both links above). That draws attention. Without biometrics, scaling up the time-and-attendance fraud while decreasing the risk of detection would have been much easier. If this allegedly corrupt boss was willing to go up to at least 31 rubber fingers, how many paper employees would he have tried?

According to Wikipedia, Ferraz de Vasconcelos, where the fraud took place, is second-poorest of Greater São Paulo’s 39 municipalities. Congratulations to all involved for stopping this instance of the corrupt stealing resources meant to provide health care to people far less fortunate than the doctors and administrators involved.

UPDATE:
[Via] Drudge and the BBC are now on the story. If you didn’t want to wade through the Portuguese pieces linked above, you may be interested in these.

UPDATE II:
Upon closer examination of the the photos of the fake fingers used, another thought comes to mind. It certainly appears as though the fake fingers were created with the participation of their owners, making them evidence for the prosecution that they were complicit in the fraud.  As it is, the fake fingers used in the fraud come from a variety of live finger models. In the two examples pictured below, the one on the left appears to belong to a male and the one on the right appears to belong to a female. If the counterfeiter wasn’t working from live models, there would be no reason to add a fingernail to the back of the fake finger.

Image edited from original photo at Folha de S. Paulo

Had the doctors’ prints been somehow lifted via subterfuge and placed onto a silicone finger without their knowledge, we might expect all of the fake fingers to look very similar as the finger counterfeiter might have used his own finger as a model and simply placed the doctors’ prints on it. Alternatively, as with The Old Gummi Bear Trick, the item bearing the fingerprints needn’t look much like a finger at all.

Without biometrics (and with a more careful set of individuals), it might have been very difficult to prove that the doctors involved weren’t just victims of identity theft by a corrupt official. With the evidence on hand (!) it should be a simple matter to determine if the fake fingers match those of the ghost doctors.

A larger question is whether this story argues for or against the adoption of biometric systems for time-and-attendance. Nobody should claim that biometrics or any other security or ID management measure is perfect and infallible. Nothing is infallible. In this case, however, it appears that having a biometric rather than a paper-based time-and-attendance system increased the costs and complexity of committing the fraud. It made executing its daily function (clocking in) more difficult to do without being noticed. And (at least in this case) it forced those complicit in the scheme to create pretty significant evidence of their involvement.

As a manager or law enforcement official, which case would you rather prosecute: one with rubber fingers or one with only a paper trail?

Note: This post has undergone a few revisions for the purposes of updating the post, correcting typographical or grammatical errors and to add clarity.

Brazil takes another step toward nationwide biometric adoption for elections

Brazil: The numbers of a vigorous democracy (Jamaican Observer)

Initiated in the early 1990s, the use of electronic ballot boxes was implemented in the entire country in 2000, at the most remote localities, as well as abroad (where citizens voluntarily registered can vote for the resident). Security, durability and handling easiness are some of the characteristics of the Brazilian electronic ballot box, which makes possible the nearly immediate counting of votes.

Balloting security being one of the pillars of a truly democratic system, the Brazilian electoral justice has remained committed to the continued improvement of electoral processes and technologies. For instance, biometric ballot boxes were introduced for over seven million registered voters during the municipal elections. This feature should be extended to the entire country by 2018, an ambitious objective, bearing in mind the always increasing number of registered voters.

Brazil has been phasing in biometric elections for some time now, with the goal of nationwide adoption of biometrics for elections in 2018.

See:
Brazilian election biometrics have 93.5% success rate – and that was in 2010.

Brazil and Biometric Elections – where the 2018 goal is mentioned.

SecurLinx & Qualiserve enter agreement in Brazil

SecurLinx Brasil and Qualiserve Technology Solutions enter into Exclusive Integration Partnership for Brazil (PRWeb Press Release

SecurLinx Brasil, a subsidiary of SecurLinx Holding Company (FRA: S8X) has completed a comprehensive integration agreement for its biometric identity management solutions in Brazil with Qualiserve Soluções Em Tecnologia. “This strong partnership with a recognized leader in the national marketplace demonstrates our commitment to gaining market share and rapidly increasing revenue in the next year. Together, we will ensure peak performance and the highest level of customer service for our Brazilian clients,” said Barry Hodge, CEO of SecurLinx Holding Company.

Under the terms of this agreement, Qualiserve will be the exclusive installer and IT system manager for SecurLinx Brasil, offering helpdesk and field maintenance services as needed. In cases where a client purchases a biometric identity management solution from SecurLinx Brasil and that client has an existing contract with a third party IT service provider, Qualiserve will act as a technical consultant and project manager on behalf of SecurLinx.

According to Davis Hodge, President of SecurLinx Brasil, “Qualiserve, with its impressive track record of tackling complicated large scale IT infrastructure deployments coupled with its market leading IT management services provided to some of the largest multinational and local corporations, is a perfect fit for SecurLinx.” Kleber Rodrigues, Founder and President of Qualiserve added, “We have spent considerable time evaluating both new and established biometric solutions providers on behalf of our customers and have determined that SecurLinx offers the most complete and robust products available in the market.”

About Qualiserve:
For over 10 years, Qualiserve has offered comprehensive IT infrastructure and systems management to some of the largest multinationals and local companies in Brazil. Additional services include web hosting, ERM, VoIP telephony, and cloud computing. The Company is headquartered in São Bernardo / São Paulo and has offices across Brazil, including Rio de Janeiro, Manaus and Santa Catarina.

SecurLinx Announces Opening of Brazil Subsidiary

SecurLinx Holding Corporation (FRA: S8X) has continued its expansion plan with the establishment of SecurLinx Brasil.

Based in São Paulo, it will have primary responsibility for marketing biometric identity management solutions for business and law enforcement across Brazil, but will also operate throughout Latin America.

This announcement is the culmination of a six month process of business development market research and regulatory filings required by the Brazilian Central Bank and Revenue Authorities. “The country’s dynamic economy, large population, and security needs have drawn our attention for quite some time. We are excited to be in a position to offer our solutions in the Brazilian market where high-quality, high-technology solutions like the ones we offer are eagerly adopted,” said SecurLinx CEO Barry Hodge. According to Hodge, this gives SecurLinx a foothold in one of the world’s fastest growing and most promising security markets. “We are currently in discussions with potential integration partners that we expect to further multiply our reach and accelerate our market penetration over the next six to twelve months.”

The full text of the press release and a pdf of it is available here.

I’ve been down here in São Paulo helping to get things moving with our new operation here, hence the lighter-than-usual blogging. We’re proud to share the news of our new Brazilian venture and excited for what the future holds.

São Paulo sidewalk

Following Attendance Scandal São Paulo City Council Self-Imposes Biometric System

After scandal, 42 of the 55 councilors say they are in favor of presence only with digital (O Estadão de São Paulo)
Google Chrome Translation (with slight edits)

After [this newspaper] uncovered fraud in the attendance record at City Hall, 42 of the 55 councilors said they were in favor of attendance at plenary sessions being recorded only by fingerprint. To change the bylaws of the house, you need the backing of 28 MPs.

The current system relies on passwords.

Translate »