Card Locks Thwarted by Shopping Club Card
hal9000(jr) writes "A recent column ('Social Engineering, the Shoppers' Way') on darkreading.com shows how easy it is for a pen test team to walk into a supposedly secure facility using a shoppers club card because the man trap feature was enabled. Man-traps allow people to enter an outer door but not an inner door, similar to ATM kiosks. Once inside, of course, they had the run of the place." Lessons: after writing down your password, eat your sticky notes rather than leave them on the monitor.
I wonder how many companies screen the janitorial staff? Not only do they typically have full access to the building, but they are there after hours and can easily rummage around looking for usernames, passwords, and machines that are still logged in with administrator privileges. Heck, they could bring a laptop in and connect directly to the internal network for that matter.
I Am My Own Worst Enemy
They also don't want homeless people sleeping in the warm atm room.
Most security people are minimum wage. I see people talking about flashing cards and cans of food, etc. This is not a surprise.
I once entered the R&D area of a Fortune 500 company using an ID that was printed on an ink jet printer and had my picture and the CIA logo on it. I was questioned and just flashed the card. That ended all questions.
When I was managing a computer company, I came back from lunch to find the lead chatting with a guy. The guy introduced himself as the fire marshal, and the lead informed me that there was a fire inspection going on. The "Fire Marshal" told me I could not go into the back while the inspection was going on. I proceeded to enter the back to find the "Inspector" inspecting the computer equipment. Right out the back door!
The truth is that most people will not question you, provided you look like you belong and have some form of ID to back it up.
Now it is time to go to the uniform store and get a security guard uniform. I think I'll stand next to the night deposit box at the bank, just to see how many people will give me their deposits when I tell them that the deposit box is broken and I am there to collect and secure their deposit.
It is indeed a major mistake. Firing the responsible technician on the spot as you suggest will not do anything to increase security, however. After all, the persons responsible were able to act on the information provided; next time this method would not work. We do not have such certainty about their replacement.
Not giving a chance for improvement is bad policy; the only thing it really does is alienate security people. It may be that next time they spot a similar mistake they will not fix it in any official way, fearing consequences, and this can create a bigger security problem than the one 'fixed' by firing squad.
Alienated guards are bad guards.
Maybe it was an upper manager who was in a hurry and didn't want to get out his ID card.
Yes, it's not the situation in the article, but you bring up a very valid point:
Security Is For Everyone
You absolutely should call security on upper management, though you might want to do it from someone else's phone. Management, no matter what level, must respect the security measures, no matter how high they are. The CEO should have his ID card at the ready if he's in a secure facility. *hrupph*
Is it just my observation, or are there way too many stupid people in the world?