Investigators expose Miami airport buddy punching system
Employees took time off and had others check them in and out of work; scheme shows weakness of single-factor authentication systems
The Transportation Security Administration last week announced it would not meet a 1 December deadline to complete criminal background checks on 50,000 airport employees, and news out of Miami provides a good example of why such checks are neccesary. Federal investigators have broken up an extensive “buddy punching” scheme in which twelve employees assigned to monitor and maintain the baggage conveyor belt system at Miami International Airport managed to be paid tens of thousands of dollars for shifts they never worked. Instead, friends of the truant employees used their badges to clock in and out for them. “If you can hand them to different people, they can be handed off to the wrong people,” said Miami-Dade Detective Javier Prellazo. “The bottom line is we were looking at this as a security issue. We want this airport to be secure.”
The scheme was detected during a routine audit and then confirmed by an informant. Under the operational codename “Phantom Swipe”, detectives combed through payroll and security records looking for inconsistencies, including repeated episodes where a person checked in but failed to check out — a glaring mistake on the part of the employees’ compatriots. One employee with twenty years experience missed whole or partial shifts on sixty days and was paid more than $10,000 for his efforts.
Sadly, this turn of events is just the latest in a series of scandals at the Miami airport. Two years ago, authorities arrested eleven airport employees for conspiring to siphon millions of gallons of jet fuel to be resold on the black market. In 2003, the airport’s construction chief was convicted in a contracts-for-bribes scheme and tax evasion, and in 2001 twelve employees were charged with using fraudulent documents to obtain security badges.
areas.
On the whole, the recent buddy punching episode provides a good example of why single factor authentication often fails to provide sufficient security. At no point in clocking in did the employees have to show their cards to a supervisor or otherwise show that the person swiping the card was its legitimate holder. The best approach to our minds would be a fingerprint biometrics system that requires both an identification card and a fingerprint scan. There is no shortage of companies offering such products, but perhaps none has made the proper pitch.
-read more in this Miami Herald report
