Slashdot Mirror


Card Locks Thwarted by Shopping Club Card

hal9000(jr) writes "A recent column ('Social Engineering, the Shoppers' Way') on darkreading.com shows how easy it is for a pen test team to walk into a supposedly secure facility using a shoppers club card because the man trap feature was enabled. Man-traps allow people to enter an outer door but not an inner door similar to ATM kiosks. Once inside, of course, they had the run of the place." Lessons: after writing down your password, eat your sticky notes rather than leave them on the monitor.


  1. RTFA by MustardMan · · Score: 4, Informative

    TFA answers your question - most card reading entry systems have a feature which will allow any ATM card to open the door, because these systems are often used to secure ATM machines, and banks want people from other banks to be able to use their machine and pay the 2.00 service charge.

    Maybe next time, instead of trying to get a first post by asking a question based solely on skimming the summary, you'll RTFA?

    1. Re:RTFA by jrumney · · Score: 3, Informative

      There is no ATM or even credit card standard;

      Yes there is, and has been for years. Banks derive a lot of income from the charges on other banks' customers using their machines, and their customers using other banks' machines, so it is in their interest to follow the standard. There is also a standard for magstripe cards, which is why you can encode your bank details on almost any magstripe card, often without interfering with what was there before (as long as it wasn't another bank card, or a non-standard card with non-bank information on track 2).

    2. Re:RTFA by Anonymous Coward · · Score: 5, Informative

      What?!? Have you ever worked software for a credit institution or a bank? The mag stripe is defined; if it wasn't, Washington Mutual wouldn't be able to read Bank Of America. Same with credit cards; VISA has a predefined strip. How the heck do you think that a BoA ATM machine knows that my name is John Smith even though I have a Wells Fargo card? Because there IS a standard.

      These standards aren't exactly handed out at the local book store, but they do exist. If the atm inside the man-trap serves Star, CoOp, Plus, and so on type cards, the little reader outside could make sure that the card swiped was valid. If you stick your super market card into an ATM it doesn't try every bank it knows until it finds a match, it recognizes that the card is invalid. The little card reader could do that as well.
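
The check the comment above describes (a reader that rejects a swipe which is not a valid financial card before releasing the lock) can be written against the ISO/IEC 7813 Track 2 layout. What follows is an added example, not code from the article or from any commenter; the sample swipes are constructed, the "now" date defaults to an assumed 2401, and the first-digit (MII) test is a coarse stand-in for a real IIN/BIN table.

```python
"""Track 2 sanity checks a door reader could apply before releasing a lock.
Added example; the swipes below are constructed, not captured from real cards."""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# ISO/IEC 7813 Track 2: ';' PAN '=' YYMM service-code discretionary-data '?'
TRACK2_RE = re.compile(r"^;(\d{13,19})=(\d{4})(\d{3})(\d*)\?$")


@dataclass
class Track2:
    pan: str            # primary account number, 13-19 digits
    expiry: str         # YYMM
    service_code: str   # three digits
    discretionary: str  # issuer-defined, may be empty


def luhn_ok(pan: str) -> bool:
    """ISO/IEC 7812 Luhn check over the whole PAN (last digit is the check digit)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> Optional[Track2]:
    """Return the decoded fields, or None if the swipe is not a Track 2 record."""
    m = TRACK2_RE.match(raw.strip())
    return Track2(*m.groups()) if m else None


def expiry_ok(yymm: str, now_yymm: str) -> bool:
    """Month must be 01-12 and the card must not be expired (same-century compare)."""
    return 1 <= int(yymm[2:]) <= 12 and yymm >= now_yymm


def check_swipe(raw: str, now_yymm: str = "2401") -> Optional[str]:
    """None if the swipe looks like a live financial card, else the reject reason.
    now_yymm="2401" is an assumed clock value for the example."""
    t = parse_track2(raw)
    if t is None:
        return "malformed track 2"
    # Major Industry Identifier: 3 = travel/entertainment, 4/5 = banking,
    # 6 = merchandising/banking.  Coarse proxy for an IIN table (assumption).
    if t.pan[0] not in "3456":
        return "non-financial MII"
    if not luhn_ok(t.pan):
        return "luhn check failed"
    if not expiry_ok(t.expiry, now_yymm):
        return "expired or bad expiry"
    return None


# Constructed swipes (4111111111111111 is a well-known Luhn-valid test PAN).
SAMPLE_SWIPES: Dict[str, str] = {
    "bank":     ";4111111111111111=25121011234567890?",
    "loyalty":  ";8012345678901234?",            # no '=' separator: not 7813
    "bad_luhn": ";4111111111111112=2512101?",
    "expired":  ";4111111111111111=2001101?",
}


def screen_all(swipes: Dict[str, str] = SAMPLE_SWIPES) -> Dict[str, Optional[str]]:
    """Run every sample through check_swipe; a None value means 'release the lock'."""
    return {name: check_swipe(raw) for name, raw in swipes.items()}


if __name__ == "__main__":
    for name, reason in screen_all().items():
        print(f"{name:9s} -> {'ACCEPT' if reason is None else 'REJECT: ' + reason}")
```

A reader that only confirms "a magstripe was inserted" accepts the first three lines of `screen_all` equally; the checks above reject everything except the well-formed, Luhn-valid, unexpired record, at the cost of a few hundred microseconds per swipe. The structural and Luhn checks are not an authentication step, since the data is not secret; they only keep arbitrary plastic from opening the outer door.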

    3. Re:RTFA by squiggleslash · · Score: 2, Informative

      I'm finding this highly improbable. I'm not saying you don't believe that's what they said, but there has to be more to it than that.

      Back in 1998, I visited the US for the first time (I'm British.) I needed more cash, so I went to an ATM in the middle of Boston, put in my card, and withdrew some money. When I came back to Britain, and got my next bank statement, the charge showed up. Which is what you'd expect.

      I'm finding it just a little bit difficult to believe that this would have been possible if the ATM had to search through a database containing EVERY BANK CARD IN THE WORLD, essentially made up of arbitrary card numbers, to find out which bank account my card referred to. I can't imagine why anyone would implement something that likely to be the victim of database synchronization and duplicate number errors.

      It's notable that there is an official format for financial cards which works the way most of us would expect such a thing to work, identifying features such as account numbers and institution dependent features.

      --
      You are not alone. This is not normal. None of this is normal.
  2. Wrong use of the word man-trap by petrilli · · Score: 5, Informative

    A man-trap, in the physical security world, is a "room" (loosely defined here) which has control points on both sides. Often you have to use two different forms of authorization, one for entry (i.e. a badge) and another for exit (biometrics, let's say). This allows it to *trap* anyone who tries to sneak through the system. What the article is really talking about is not a man-trap, but the anti-"bum" measures that banks use in many cities around ATMs inside a building. You have to put your ATM card into a slot, but it really doesn't read the card, it just verifies that you stuck a magstripe card into the slot. You then use your ATM card to access the ATM where it is presumably verified.

    Setting anything in this method is absurd, and the physical security people should be fired on the spot for this kind of kindergarten mistake. While what likely happened is that it was turned this way when installed so that you could teach people to use it without having to deal with the slowdown of people actually being blocked, it's a bad way to behave, and shouldn't have been even turned on the first time this way. It may also be that, in fact, it was turned this way because of a problem with reliability of magstripe cards (they fail pretty regularly), and instead the system should have been converted to another form of identification -- Wiegand, RF proxy, etc.

    1. Re:Wrong use of the word man-trap by Dun+Malg · · Score: 3, Informative
      So... the highest level of authority in that office who should know about this, is probably a partner in the law firm, and risks losing his license to practice law because of it
      So far as I know, there's no requirement that your doors be locked to remain licensed to practice law. The door is deadbolted after hours, so it's not an issue after hours. Also, both partners are aware of the issue because I wave the damn popsicle stick at them as a reminder every time I'm there.

      ... and you are still liable for a charge of B&E...
      I suggest you go read the definition of B&E/Burglary. Basically, it is this:
      "entering a building or remaining unlawfully with intent to commit any crime"
      1) every time I'm there I am there at their request and am permitted to be in the area by the back door
      2) what crime? I'm there to make keys to file cabinets or reset the combination on their safe, again, at their request

      and the head of security is an accessory to your B&E...
      Where did you acquire your legal education? Television? An accessory must generally have knowledge that a crime is being, or will be, committed. At most this could be considered negligence, but as such would only be grounds for dismissal or civil suit. But given that the partners know all about it and tacitly approve, that's not even a sure thing.
      --
      If a job's not worth doing, it's not worth doing right.
  3. Single Entry door or Man Traps by nuggz · · Score: 4, Informative

    Man trap is a bit confusing.

    They are likely referring to a single person entry door.
    The problem I see is this may not suffice for disabled access.

    At first I thought man-trap would be they lock you in if anything goes wrong; the problem here would be a potentially devastating liability if there is any injury.
    Think about the lawsuit if someone got injured or killed (or mildly annoyed) if they were physically detained by an automated system.
    The wikipedia article indicates this issue.
    http://en.wikipedia.org/wiki/Man-trap

    1. Re:Single Entry door or Man Traps by Dun+Malg · · Score: 4, Informative

      At first I thought man-trap would be they lock you in if anything goes wrong, the problem here would be a potentially devastating liability if there is any injury. Think about the lawsuit if someone got injured or killed (or mildly annoyed) if they were physically detained by an automated system.
      Yeah, you usually only find man-traps at places like Los Alamos National Laboratory, where the system is supervised by actual live security personnel. A man-trap is really only worth the effort and expense of constant monitoring if you're running something like LANL, where if a guy tries to wander in with a found/stolen card, you don't want him to just be able to say "oh well, no secret stealing for me today" and just walk away.
      --
      If a job's not worth doing, it's not worth doing right.
  4. Just have someone carry a baby in carrier by slam+smith · · Score: 5, Informative

    My wife used to regularly get into my work buildings to meet me for lunch. You just need to carry a baby in a baby carrier and everyone will let you in.

    1. Re:Just have someone carry a baby in carrier by YU+Nicks+NE+Way · · Score: 2, Informative

      There was a famous theft in which a large number of antique chairs were stolen from an office in broad daylight during working hours, with the staff present.

      The thieves drove up in a moving truck, wearing appropriate clothes, and explained that the chairs were being transferred to a different office. They presented "requisitions" to sign, got signatures, filled the truck, and drove away.

  5. Re:insecurity 101 by Intron · · Score: 2, Informative

    I knew someone would ask that. No bathrooms inside. No food allowed inside. Emergency exits all set off alarms and called police and fire. Deliveries were made through separate doors where all packages were inspected. It also kept track of whether you were in or out. Doors would not open if you tried to go in twice or out twice.

    --
    Intron: the portion of DNA which expresses nothing useful.
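
The in/out tracking described above ("doors would not open if you tried to go in twice or out twice") is what access-control vendors call anti-passback. The following is an added example of that control, not the commenter's system and not any vendor's product; the card IDs and the swipe sequence are constructed.

```python
"""Hard anti-passback: a card must be recorded as outside before it may enter,
and inside before it may leave.  Added example with a constructed swipe log."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

OUTSIDE, INSIDE = "outside", "inside"

# (card, direction, last known location) for every refused swipe, for the log.
Violation = Tuple[str, str, str]


@dataclass
class AntiPassback:
    location: Dict[str, str] = field(default_factory=dict)
    violations: List[Violation] = field(default_factory=list)

    def request(self, card: str, direction: str) -> bool:
        """direction is 'in' or 'out'; returns True if the door should release."""
        current = self.location.get(card, OUTSIDE)   # unknown cards start outside
        if direction == "in" and current == OUTSIDE:
            self.location[card] = INSIDE
            return True
        if direction == "out" and current == INSIDE:
            self.location[card] = OUTSIDE
            return True
        # A second 'in' with no 'out' between (or the reverse) means the card
        # was handed back through the door, duplicated, or someone tailgated
        # earlier.  Deny, and keep the event so security can review it.
        self.violations.append((card, direction, current))
        return False

    def reset(self, card: str) -> None:
        """Guard-initiated 'forgive': needed after tailgating leaves state wrong."""
        self.location.pop(card, None)


def replay(events: List[Tuple[str, str]]) -> Tuple[List[bool], List[Violation]]:
    """Run a swipe log through a fresh controller; returns decisions and violations."""
    apb = AntiPassback()
    decisions = [apb.request(card, direction) for card, direction in events]
    return decisions, apb.violations


# Constructed swipe log: C1001 enters, someone tries C1001 again at the
# entry reader, C1002 presents at the exit reader without ever entering.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("C1001", "in"),
    ("C1001", "in"),
    ("C1002", "out"),
    ("C1001", "out"),
    ("C1001", "in"),
]

if __name__ == "__main__":
    decisions, violations = replay(SAMPLE_EVENTS)
    for (card, direction), ok in zip(SAMPLE_EVENTS, decisions):
        print(f"{card} {direction:3s} -> {'open' if ok else 'DENY'}")
    print("violations:", violations)
```

Two practical points follow from the code. The controller only knows what the readers told it, so one tailgated entry leaves a legitimate card stuck "outside" and its next swipe is refused; that is why `reset` exists and why sites that run hard anti-passback, like the one described in the comment, pair it with single-person doors. And the violation list is the detection value: a card presented "in" twice in quick succession at two different doors is a cloned or shared credential until proven otherwise.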
  6. Re:Wow I thought everyone knew this... by winnabago · · Score: 3, Informative
    Also if you happen to have a shopper card for one grocery store it almost always works at a competing grocery store.
    That is most likely because your "competing" stores are different arms of the same conglomerate. Supervalu and Ahold are two of the largest, encompassing Albertson's, Stop n Shop, Giant, and several others. On top of this, the loyalty card databases may be maintained by an outside firm, who may combine the data across different chains into a superdatabase of every person who buys Watermelon, Vaseline, Jiffy-Pop, and Cool Whip on the same card. One thing that seems strange to me, though, is that I've never seen one that uses a magnetic strip. A quick look through the pile tells me it's much more common to see a more resilient bar code that is also printed on keychains and a letter that comes with the package. So, I can't try a mag strip out at the bank/office.

    It is interesting how some companies work very hard to force an image of different identities on their different divisions. For example, Gillette recently tried to distance themselves from a teen body spray that they were producing. It's good for the bottom line to create (perceived) competition, as we all know.

    --
    Dammit Otto, you have lupus.
  7. Re:Bad Advice? by element-o.p. · · Score: 2, Informative

    You are exactly right, but unfortunately, that's the way a lot of places operate.

    I used to work in a telco wire center, where the department I worked in was staffed 24x7. With two people per shift and coverage seven days a week, that means that four days a week, there was only one person in the building at any given time. The wire center was secured with card readers and magnetic locks on the doors, but one of the sensors kept malfunctioning--it would send an "open" alarm to the company contracted to provide security.

    So, what was the security company's response? Would they send their on-site patrol guy, complete with radio, pepper spray, kevlar vest and semi-auto pistol? No, of course not! They called us to check the back door to see if it was a false alarm or if someone was actually trying to break in. Needless to say, that went over <sarcasm>REAL well </sarcasm>.

    --
    MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
  8. Frequently changed passwords = sticky notes by Anonymous Coward · · Score: 2, Informative

    While I can remember 1/2 a dozen passwords, I cannot expect my coworkers to do the same.
    Most often there is a sea of sticky notes pasted right on the monitor with the bi-annual password!!!

    To require constant password resets is idiotic. Please use a system that requires them to remember ONE really complicated password or invest in a fingerprint reader which is getting absurdly cheaper.

  9. In broad daylight by Ernesto+Alvarez · · Score: 2, Informative

    What's a better example of stealing something in plain sight of everyone than stealing two mainframes with confidential data from a secured server room belonging to Australian customs.

    They went in, presented fake credentials, worked in the room a couple of hours, took two machines and nobody suspected a thing until someone noticed the servers were down.

    Anyone can top that?

  10. Floor seats at the concert by Chapter80 · · Score: 5, Informative
    Try this one for the next concert you go to*:

    Buy your tickets online, using TicketMaster's instant delivery mechanism. They email you a PDF that serves as the ticket.

    Scan it in, bring it into photoshop, and edit the seat location. For that matter, use scissors and tape and a copier to modify your seat location. Make sure you make it a front row seat!

    Then when you go to the concert, use the original to get in the door. Use your edited version to wander the floor. Obviously you probably won't have a seat, but you'll be able to get pretty darn close. All because they only scan the ticket at the door. They visually inspect the ticket to see if you are special enough to get up close.

    * Seriously, I would never suggest that you break the law. This idea is purely for entertainment and discussion purposes. Kids, don't try this at home!