Card Locks Thwarted by Shopping Club Card
hal9000(jr) writes "A recent column ('Social Engineering, the Shoppers' Way') on darkreading.com shows how easy it is for a pen test team to walk into a supposedly secure facility using a shoppers club card because the man trap feature was enabled. Man-traps allow people to enter an outer door but not an inner door similar to ATM kiosks. Once inside, of course, they had the run of the place." Lessons: after writing down your password, eat your sticky notes rather than leave them on the monitor.
TFA answers your question - most card reading entry systems have a feature which will allow any ATM card to open the door, because these systems are often used to secure ATM machines, and banks want people from other banks to be able to use their machine and pay the 2.00 service charge.
Maybe next time, instead of trying to get a first post by asking a question based solely on skimming the summary, you'll RTFA?
A man-trap, in the physical security world, is a "room" (loosely defined here) which has control points on both sides. Often you have to use two different forms of authorization, one for entry (i.e. a badge) and another for exit (biometrics, let's say). This allows it to *trap* anyone who tries to sneak through the system. What the article is really talking about is not a man-trap, but the anti-"bum" measures that banks use in many cities around ATMs inside a building. You have to put your ATM card into a slot, but it really doesn't read the card, it just verifies that you stuck a magstrip card into the slot. You then use your ATM card to access the ATM where it is presumably verified.
Setting anything in this method is absurd, and the physical security people should be fired on the spot for this kind of kindergarten mistake. While what likely happened is that it was turned this way when installed so that you could teach people to use it without having to deal with the slowdown of people actually being blocked, it's a bad way to behave, and shouldn't have been even turned on the first time this way. It may also be that, in fact, it was turned this way because of a problem with reliability of magstripe cards (they fail pretty regularly), and instead the system should have been converted to another form of identification -- Wiegand, RF proxy, etc.
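As an added illustration (not code from the article or from anyone in this thread), here is a toy door-controller decision in Python that puts the "any readable stripe opens the door" setting beside the corrected enrolled-badge check, plus an access-log audit that flags opens by cards that were never enrolled. The ISO 7813 track-2 layout is real; the badge numbers, PANs and log line format are constructed assumptions.

```python
import re

# Constructed sample data: enrolled employee badge PANs (not real card numbers).
ENROLLED_BADGES = {"6391000000001234", "6391000000005678"}

# ISO 7813 track-2 layout: ';' PAN '=' expiry/service/discretionary data '?'
TRACK2_RE = re.compile(r"^;(?P<pan>\d{1,19})=(?P<rest>\d*)\?$")


def parse_track2(raw: str):
    """Return the PAN from a track-2 read, or None when the stripe is unreadable."""
    m = TRACK2_RE.match(raw)
    return m.group("pan") if m else None


def decide(raw: str, any_magstripe_mode: bool):
    """Door controller decision for one swipe.

    any_magstripe_mode=True models the ATM-vestibule setting described in the
    thread: any well-formed stripe unlocks the door. False is the corrected
    setting: only an enrolled badge unlocks it.
    """
    pan = parse_track2(raw)
    if pan is None:
        return False, "unreadable stripe"
    if any_magstripe_mode:
        return True, "any-magstripe mode"
    if pan in ENROLLED_BADGES:
        return True, "enrolled badge"
    return False, "card not enrolled"


# Constructed access-log lines in a hypothetical controller format.
SAMPLE_LOG = """\
2006-07-19T08:55:02 door=east result=OPEN pan=6391000000001234
2006-07-19T09:02:41 door=east result=OPEN pan=4111111111111111
2006-07-19T09:03:10 door=east result=DENY pan=9999000000000000
"""
LOG_RE = re.compile(
    r"^(?P<ts>\S+) door=(?P<door>\S+) result=(?P<result>\S+) pan=(?P<pan>\d+)$"
)


def audit(log_text: str):
    """Return (timestamp, door, pan) for every OPEN by a PAN that is not enrolled.

    An OPEN recorded for a non-enrolled PAN is the log signature of the
    any-magstripe misconfiguration, so each hit deserves a look.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["result"] == "OPEN" and m["pan"] not in ENROLLED_BADGES:
            hits.append((m["ts"], m["door"], m["pan"]))
    return hits
```

Running `audit` over the controller's real export would have surfaced the shopping-card entry as an OPEN with an unknown PAN long before a pen test did.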
Man trap is a bit confusing.
They are likely referring to a single person entry door.
The problem I see is this may not suffice for disabled access.
At first I thought man-trap would be they lock you in if anything goes wrong; the problem here would be a potentially devastating liability if there is any injury.
Think about the lawsuit if someone got injured or killed (or mildly annoyed) if they were physically detained by an automated system.
The Wikipedia article indicates this issue.
http://en.wikipedia.org/wiki/Man-trap
My wife used to regularly get into my work buildings to meet me for lunch. You just need to carry a baby in a baby carrier and everyone will let you in.
My Weblog
Social Engineering, the Shoppers' Way
JULY 19, 2006 | 9:32 AM -- For years, the "card key" has been considered a reliable means of securing the enterprise from unauthorized visitors. In some cases, these cards also serve as identification, and when combined with smartcard technology, a form of network authentication. But if these cards are misconfigured or mismanaged, they can be rendered useless -- as my penetration testing company recently proved.
About six months ago, a medical facility hired us to assess its information security as part of a HIPAA compliance effort. During a pre-assessment briefing, the customer indicated a concern about physical access to the building, which could lead to a compromise of the network.
The company asked us to attempt to circumvent the physical security system, gain access to the building, and retrieve as much information as we could. We agreed, pending the appropriate "get out of jail" arrangements in case we were caught and detained by the authorities.
This facility was a little different than our other HIPAA customers, which are usually insurance companies or hospitals. The target this time was a giant laboratory that performs tests on samples sent by physicians from all over the region. With the volume of healthcare data stored in the facility, we knew that getting inside and connecting to the network could yield a good deal of sensitive and valuable information.
Before we tried to get in, I scoped out the entry points, observed when people came and went, and looked for potential weaknesses in security. Although I couldn't spot any video surveillance, the building security seemed pretty solid; the primary entrance was guarded by a receptionist behind glass. Other doorway access points were secured by a magnetic card swipe system.
On the day we planned to get into the building, I decided to try the magnetic swipe system. In a worst-case scenario, I figured I could fumble my way in, acting as if my card had malfunctioned and asking an employee to open the door from the inside.
Without having an "official" magnetic access card to duplicate, I pulled every card with a magnetic stripe from my wallet, including my bank ATM card, a credit card, and a shopping card from a major grocery store. To my surprise, the first swipe from the shopping card opened the door.
Once inside, we knew that blending into the environment was going to be a necessity. I needed to get my colleague to a conference room to jack into the network and start port scanning, while I started looking for logins and passwords by flipping keyboards and pulling yellow sticky notes from monitors. We located a men's room that also served as a changing facility for employees. Conveniently, it also contained clean smocks and scrubs for us to use.
Now dressed in the appropriate attire, we started walking the facility. We located an empty conference room and commandeered it as our place to work. As my colleague jacked into the network and started scanning each address, I started moving through the facility looking for anything that could provide privileged network access.
Within minutes, I located workstations littered with sticky notes containing logins and passwords. Some even provided detailed information on which systems could be accessed. After collecting several logins and passwords, I made my way back to our conference room to use what I had found.
As soon as I walked into the room, my colleague indicated he was now a domain administrator with access to numerous systems as well. Our efforts led us to a significant find of HIPAA-rich information. After several hours, we had collected enough information for our report, and we casually exited the building through the same doorway we entered.
Back at our office, we immediately notified the customer of the security flaw in the magnetic card swipe system. We later learned that the door access system had been mistakenly set to use a feature called "man-trap," which enables banks to secure their ATM ma
This summary made shit for sense.
nothing
I knew someone would ask that. No bathrooms inside. No food allowed inside. Emergency exits all set off alarms and called police and fire. Deliveries were made through separate doors where all packages were inspected. It also kept track of whether you were in or out. Doors would not open if you tried to go in twice or out twice.
Intron: the portion of DNA which expresses nothing useful.
It is interesting how some companies work very hard to force an image of different identities on their different divisions. For example, Gillette recently tried to distance themselves from a teen body spray that they were producing. It's good for the bottom line to create (perceived) competition, as we all know.
Dammit Otto, you have lupus.
You are exactly right, but unfortunately, that's the way a lot of places operate.
I used to work in a telco wire center, where the department I worked in was staffed 24x7. With two people per shift and coverage seven days a week, that means that four days a week, there was only one person in the building at any given time. The wire center was secured with card readers and magnetic locks on the doors, but one of the sensors kept malfunctioning--it would send an "open" alarm to the company contracted to provide security.
So, what was the security company's response? Would they send their on-site patrol guy, complete with radio, pepper spray, kevlar vest and semi-auto pistol? No, of course not! They called us to check the back door to see if it was a false alarm or if someone was actually trying to break in. Needless to say, that went over <sarcasm>REAL well</sarcasm>.
MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
While I can remember 1/2 a dozen passwords, I cannot expect my coworkers to do the same.
Most often there is a sea of sticky notes pasted right on the monitor with the bi-annual password!!!
To require constant password resets is idiotic. Please use a system that requires them to remember ONE really complicated password or invest in a fingerprint reader which is getting absurdly cheaper.
What's a better example of stealing something in plain sight of everyone than stealing two mainframes with confidential data from a secured server room belonging to Australian customs?
They went in, presented fake credentials, worked in the room a couple of hours, took two machines and nobody suspected a thing until someone noticed the servers were down.
Anyone can top that?
GPG 0x1B479C78
Buy your tickets online, using TicketMaster's instant delivery mechanism. They email you a PDF that serves as the ticket.
Scan it in, bring it into Photoshop, and edit the seat location. For that matter, use scissors and tape and a copier to modify your seat location. Make sure you make it a front row seat!
Then when you go to the concert, use the original to get in the door. Use your edited version to wander the floor. Obviously you probably won't have a seat, but you'll be able to get pretty darn close. All because they only scan the ticket at the door. They visually inspect the ticket to see if you are special enough to get up close.
* Seriously, I would never suggest that you break the law. This idea is purely for entertainment and discussion purposes. Kids, don't try this at home!