Buddy Punching

Buddy punching is a form of time and wage theft that is common among hourly workers. An employee gets another employee to punch the time clock for them because they are late or absent. This lets the deceitful employee mislead the employer by overstating hours worked and taking pay for time not on the job or work not done. In special cases, compliance and safety regulations can be violated where more than one person is expected to be physically present to do the work.

Time and Attendance systems use various ways to verify the identity of a person and associate it with the time a punch action was performed. Some ways are better than others, and combining multiple ways provides stronger authentication of the employee.

All forms of authenticating people rely on one or more of these 3 approaches:

  • Something you know
  • Something you have
  • Something you are

Something you know (e.g. passwords, PINs) is the most common kind of authentication mechanism. It is based on having the employee remember something and not disclose it to anyone else.

Something you have (e.g. keys, RFID or proximity cards, and smart cards) is based on the employee always possessing an object that has been assigned to them.

Something you are (e.g. fingerprints, retina scans) is based on what the employee is. This relies on something about the employee that does not change, like a fingerprint.

While the authentication process becomes increasingly secure with each technique added, each one also adds to the cost and introduces more user errors. For example, while there is usually a process in place to handle forgotten passwords, replacing RFID cards or rekeying locks is expensive, and sensors on biometric readers will fail due to dust or oil, or misread due to changes in the physical characteristics of the person (a band-aid on the finger). Handling these errors carries overhead and causes the many good employees to lose time.

Unfortunately, while these systems are good at preventing a “bad guy” from impersonating a user (for example, to get access to a bank account), they fail where people collude to fool the system. Passwords and PINs can be shared, and the system will assume that since the secret was entered correctly by the buddy, the clock actions should be attributed to the missing employee. Similarly, keys and RFID cards can be given to the buddy to fake the employee's presence.

Yes, it is harder to fool a biometric device – as long as the initial biometric readings are set up correctly and the biometric device is secure against tampering or misuse. For example, if no one is supervising the biometric device, a simple internet search will reveal multiple ways to beat fingerprint biometric readers, for example this link.

Hence, multiple steps should be taken to reduce the incidence of buddy punching. Start by setting expectations and a corporate culture of respect, trust and integrity for all staff; include clear language in the employment contract, visible signage near the readers, and periodic reminders by supervisors; and use the right kind of clock devices based on problem, need and budget. Using these methods, you can eliminate buddy punching at a far lower cost and improve your bottom line.