Slashdot Mirror

← Back to Stories (view on slashdot.org)

Card Locks Thwarted by Shopping Club Card

Posted by ryuzaki0 on from the hmmm-not-so-good dept.

hal9000(jr) writes "A recent column ('Social Engineering, the Shoppers' Way') on darkreading.com shows how easy it is for a pen test team to walk into a supposedly secure facility using a shoppers club card because the man trap feature was enabled. Man-traps allow people to enter an outer door but not an inner door similar to ATM kiosks. Once inside, of course, they had the run of the place." Lessons: after writing down your password, eat your sticky notes rather than leave them on the monitor.

28 of 361 comments (clear)

  1. Wrong kind of trap by HugePedlar · · Score: 4, Funny

    Should have used caltraps instead of mantraps.

    --
    Argh.
  2. Works for me by Knytefall · · Score: 5, Interesting

    Where I work, one of my friends was able to use his shopper's club card to get access to doors he didn't have access to, but I did. I thought the odds of that happening must be astronomical, but apparently it's more common than I thought.

  3. RTFA by MustardMan · · Score: 4, Informative

    TFA answers your question - most card reading entry systems have a feature which will allow any ATM card to open the door, because these systems are often used to secure ATM machines, and banks want people from other banks to be able to use their machine and pay the 2.00 service charge.

    Maybe next time, instead of trying to get a first post by asking a question based solely on skimming the summary, you'll RTFA?

    1. Re:RTFA by profet · · Score: 4, Insightful

      They also don't want homeless people sleeping in the warm atm room.

    2. Re:RTFA by Ryan+Amos · · Score: 4, Interesting

      Actually, checking for a valid ATM card is impossible.

      There is no ATM or even credit card standard; it's just a unique identifier linked to your account in the bank's databases. You can use ANY magstripe card you have as an ATM card. Just go to the bank and ask them.

      My bank did this for me when I lost my ATM card and needed cash. I went in, showed my picture ID, and they recorded my Student ID card as my ATM card. I could then stick it in an ATM and withdraw money. The guy explained that it was a lot faster than mailing me a new ATM card and that they could do it with any card that wasn't already linked to a bank account.

    3. Re:RTFA by Anonymous Coward · · Score: 5, Informative

      What?!? Have you ever worked software for a credit institution or a bank? The mag stripe is defined, if it wasn't Washington Mutual wouldn't be able to read Bank Of America. Same with credit cards, it VISA has a predefined strip. How the heck do you think that a BoA atm maching knows that my name is John Smith even though I have a Wells Fargo card, because there IS a standard.

      These standards aren't exactly handed out at the local book store, but they do exist. If the atm inside the man-trap serves Star, CoOp, Plus, and so on type cards, the little reader outside could make sure that the card swiped was valid. If you stick your super market card into an ATM it doesn't try every bank it knows until it finds a match, it recognizes that the card is invalid. The little card reader could do that as well.

  4. Just great. by Rob+T+Firefly · · Score: 5, Funny

    And what's more, the security system added frequent shopper rewards to their card! Those lucky bastards are going to save so much money on their next purchases of orange juice and cat food.

    --
    Slashdot Burying Stories About Slashdot Media Owned
  5. insecurity 101 by digitaldc · · Score: 5, Interesting

    Maybe...

    1) Have a photo ID badge that is the only card that can be swiped to get in to the location
    2) Install fingerprint readers and cameras for employees to gain entry
    3) Lock all doors/locations not in use, & again use ID Badges and fingerprint readers to gain entry
    4) Have have all passwords on keychains updated every few minutes
    5) And finally, have all employees meet regularly so they know each other by name and by face

    Just a thought.

    --
    He who knows best knows how little he knows. - Thomas Jefferson
    1. Re:insecurity 101 by Intron · · Score: 4, Interesting

      One lab I consulted for had RFID badges so you just had to walk up the door to unlock it. Saved the hassle of getting a card out every time. Employees were trained not to let two people through on one activation (except legitimate visitors) and had a bulletin board with a picture and name of every employee.

      The most secure place I've been (bank IT center) had a vestibule that weighed you on the way in and out. If you were heavier or lighter, the door didn't open.

      --
      Intron: the portion of DNA which expresses nothing useful.
    2. Re:insecurity 101 by MountainLogic · · Score: 4, Funny

      Better get a receipt every time you go to the bathroom

  6. Wrong use of the word man-trap by petrilli · · Score: 5, Informative

    A man-trap, in the physical security world, is a "room" (loosely defined here) which has control points on both sides. Often you have to use two different forms of authorization, one for entry (i.e. a badge) and another for exit (biometrics, let's say). This allows it to *trap* anyone who tries to sneak through the system. What the article is really talking about is not a man-trap, but the anti-"bum" measures that banks use in many cities around ATMs inside a building. You have to put your ATM card into a slot, but it really doesn't read the card, it just verifies that you stuck a magstrip card into the slot. You then use your ATM card to access the ATM where it is presumably verified.

    Setting anything in this method is absurd, and the physical security people should be fired on the spot for this kind of kindergarten mistake. While what likely happened is that it was turned this way when installed so that you could teach people to use it without having to deal with the slowdown of people actually being blocked, it's a bad way to behave, and shouldn't have been even turned on the first time this way. It may also be that, in fact, it was turned this way because of a problem with reliability of magstripe cards (they fail pretty regularly), and instead the system should have been converted to another form of identification -- Wiegand, RF proxy, etc.

    1. Re:Wrong use of the word man-trap by umghhh · · Score: 5, Insightful

      It is indeed a major mistake. Firing the responsible technician on the spot as you suggest will not do anything to increase security however. After all persons responsible were able to act on information provided - next time this method did not work. We do not have such certainity about their replacement.

      Not giving a chance for improvment is bad policy - the only thing it really does is alienate security people. It may be that next time they spot similar mistake they will not fix it in any official way fearing consequences and this can create bigger security problem then the one 'fixed' by firing squad.
      Alienated guards are bad guards.

    2. Re:Wrong use of the word man-trap by Dun+Malg · · Score: 4, Interesting
      but it really doesn't read the card, it just verifies that you stuck a magstrip card into the slot....It may also be that, in fact, it was turned this way because of a problem with reliability of magstripe cards (they fail pretty regularly), and instead the system should have been converted to another form of identification -- Wiegand, RF proxy, etc.
      One law office where I work had so much trouble with the mag-stripe reader on the back door that the head of security himself opened the thing up and wired the electric strike release directly to the microswitch that detects when a card's been inserted! This means that you can get in the back door with anything that fits in the slot, even a popsicle stick, a trick I throughly enjoy demonstrating every time I go there. I even keep a popsicle stick in the truck just for that purpose.

      Surprised guy who sits by back door: How'd you get in?
      Me: Popsicle stick (holding up popsicle stick)

      --
      If a job's not worth doing, it's not worth doing right.
  7. Single Entry door or Man Traps by nuggz · · Score: 4, Informative

    Man trap is a bit confusing.

    They are likely refering to a single person entry door.
    The problem I see is this may not suffice for disabled access.

    At first I thought man-trap would be they lock you in if anything goes wrong, the problem here would be a potentially devestating liability if there is any injury.
    Think about the lawsuit if someone got injured or killed (or mildly annoyed) if they were physically detained by an automated system.
    The wikipedia article indicates this issue.
    http://en.wikipedia.org/wiki/Man-trap

    1. Re:Single Entry door or Man Traps by Dun+Malg · · Score: 4, Informative
      At first I thought man-trap would be they lock you in if anything goes wrong, the problem here would be a potentially devestating liability if there is any injury. Think about the lawsuit if someone got injured or killed (or mildly annoyed) if they were physically detained by an automated system.
      Yeah, you usually only find man-traps at places like Los Alamos National Laboratory, where the system is supervised by actual live security personel. A man-trap is really only worth the effort and expense of constant monitoring if you're running something like LANL, where if a guy tries to wander in with a found/stolen card, you don't want him to just be able to say "oh well, no secret stealing for me today" and just walk away.
      --
      If a job's not worth doing, it's not worth doing right.
  8. Just have someone carry a baby in carrier by slam+smith · · Score: 5, Informative

    My wife used to regularly get into my work buildings to meet me for lunch. You just need to carry a baby in a baby carrier and everyone will let you in.

    --
    My Weblog
  9. Draw your own ID card by Brix+Braxton · · Score: 4, Funny

    I work in a secured building - it's a federally protected building right above a train hub and across from the sears tower. Anyway - security is similar to what was described - barely flashing anything that resembles a photo ID card with a splash of red on it is sufficient to get in. I keep fighting the urge to do it, but what I really want to do is just draw a half assed I.D. card with crayon and construction paper and see if it gets me through.

    --
    www.wildpad.com
  10. Easy full access by nizo · · Score: 4, Insightful

    I wonder how many companies screen the janitorial staff? Not only do they typically have full access to the building, but they are there after hours and can easily rummage around looking for usernames, passwords, and machines that are still logged in with administrator privledges. Heck they could bring a laptop in and connect directly to the internal network for that matter.

    --
    I Am My Own Worst Enemy
    1. Re:Easy full access by bhpratt · · Score: 4, Funny

      I've worked a national laboratory and even the janitorial staff had to have secret or top-secret clearance to be allowed access to the respective secure areas. In fact, now that I think about it, most of the janitorial staff had higher clearance than I did...

  11. The Man Trap by digitaldc · · Score: 4, Funny

    they could just use the transporter and beam into any secure area, all they need are the coordinates and blammo, they're in.

    But, you forgot, after you beam down there could be an extremely attractive woman just waiting to suck all the salt out of you!

    --
    He who knows best knows how little he knows. - Thomas Jefferson
  12. Extraordinary transformation by Demerara · · Score: 4, Interesting

    What's most amazing about the story is not that they got "made" second time round but that the woman who did so had left the building, started her car and began to drive away. She remembered what had happened, turned round and came back to shop the two pentesters.

    That this happened in this fashion 6 months after the initial (and hugely embarassing) successful penetration reflects both the company's response and the quality of the security awareness training delivered to employees.

    How many people, hand on heart, once they're out of the office, would turn round and come back for such a scenario?

    --
    Backward%20compatibility%20is%20over-rated
  13. Other items that work well. by Demon-Xanth · · Score: 5, Interesting

    Pretty much any type of tools. ESPECIALLY telephone buttsets. My dad worked for a phone company for a long time, and if he had a telephone buttset, nobody every questioned his credentials, or took a second thought about letting him into anywhere in a building. Locked door? Just ask someone to open it for you!

    Clipboard. If you got a clip board, people are AFRAID to question you. A coworker of mine visited a major plant once, and the employees mistook him for a CEO or something like that because he had a clipboard.

    Suit and tie. People will assume you're a rep of a visiting company and will give you directions.

    The best locks in the world won't do any good if someone trusted opens it for an attacker.

    --
    If you think education is expensive, you should try ignorance -- Derek Bok, president of Harvard
    1. Re:Other items that work well. by tradiuz · · Score: 4, Interesting

      Well abused tool belt with used tools (the one day my tools and tool belt were new and shiny, I had security ask for credentials 4 times, and have never been asked since).
      Well abused hard hat with a contractors name on it (Simplex/Grinell works well, since 99.9% of everyone have a Simplex/Notifier fire alarm system in Houston).
      Work worn blue jeans and t-shirt. Cover-alls also work.
      Worn work boots.

      What really scares me though, is that I had less resistance walking around Halliburton than I had walking around BMC Computers. Apparently, software code is behind better locks than radioactive material. I used to be a fire alarm tech, and went into the wrong building once, had security open the fire command center, and opened the panel before I realised that I was a block away from my intended destination. I put the panel back on, walked out, thanked security, and made haste to my original destination. This was very soon after 9/11, and security was stopping everyone with a suit and tie, but toolbelts got to walk past the metal detectors.

    2. Re:Other items that work well. by Shotgun · · Score: 4, Interesting

      My dad was a painter. Same story. The benefit of using the painter ruse is that you can tape off the conference room, cover everything with tarps, spread some paint around to get it good and smelly, and people will AVOID it. You won't even have to try to be sneaky while scanning the network.

      I think most of the security in corporate buildings is more about insurance liability than security. When I was a security guard while going to college*, we were told not to approach anyone we saw on the premises at night. If they looked suspicious we were to call the police. The company recieved something like a 30% discount for having a minimum wage person walk through the building every few hours. Our job was to to discourage vandalism by our presence, and to observe and report (so that the fire only guts half of the north wing instead of the whole thing).

      The card readers are much the same. We just want to keep the random passerby from wandering through on sightseeing expeditions, and have something to cover our butts with at the civil trial when the judge asks why we were letting murderers and rapist wander the halls. Mention of coporate espionage will raise a few snickers amoung the security managers.

      --
      Aah, change is good. -- Rafiki
      Yeah, but it ain't easy. -- Simba
  14. Re:Don't buy it.... by Pontiac · · Score: 4, Interesting

    OK here an example from a recent pen test .

    Someone setup a test SQL server in the lab with access to the production netowork.

    Since it's "just a lab box" the SA password was left blank.

    at some point a domain admin logged into this box.

    The security team accessed the box with the local SA account.
    They got the LSASS password cache.

    With that they got the Domain Admin account.

    They used that to acccess a DC, got the SAM and used Rainbow crack with a 10gig pre compiled hash DB to get 30 out of 35 domain admin accounts.

    --
    If you think it's expensive to hire a professional to do the job, wait until you hire an amateur. --Red Adair
  15. Security, you get what you pay for. by Anon-Admin · · Score: 4, Insightful

    Most security people are minimum wage. I see people talking about flashing cards and cans of food, etc. This is not a surprise.

    I once entered the R&D area of a fortune 500 company using an ID that was printed on an ink jet printer and had my picture and the CIA logo on it. I was questioned and just flashed the card. That ended all questions.

    When I was managing a computer company, I came back from lunch to find the lead chatting with a guy. The guy introduced him self as the fire marshal and the lead informed me that there was a Fire Inspection going on. The "Fire Marshal" told me I could not go into the back while the inspection was going on. I proceeded to enter the back to find the "Inspector" inspecting the computer equipment. Right out the back door!

    The truth is that most people will not question you, provided you look like you belong and have some form of ID to back it up.

    Now it is time to go to the uniform store and get a security guard uniform. I think ill stand next to the night deposit box at the bank. Just to see how many people will give me there deposits when I tell them that the deposit box it broken and I am there to collect and secure there deposit.

  16. Re:Bad Advice? by Overzeetop · · Score: 4, Insightful

    maybe it was an upper manager who was in a hurry and didn't want to get out his ID card

    Yes, it's not the situation in the article, but you bring up a very valid point:

    Security Is For Everyone

    You absolutely should call security on upper management, though you might want to do it from someone else's phone. Management, not matter what level, must respect the security measures, no matter how high they are. The CEO should have his ID card at the ready if he's in a secure facility. *hrupph*

    --
    Is it just my observation, or are there way too many stupid people in the world?
  17. Floor seats at the concert by Chapter80 · · Score: 5, Informative
    Try this one for the next concert you go to*:

    Buy your tickets online, using TicketMaster's instant delivery mechanism. They email you a PDF that serves as the ticket.

    Scan it in, bring it into photoshop, and edit the seat location. For that matter, use scissors and tape and a copier to modify your seat location. Make sure you make it a front row seat!

    Then when you go to the concert, use the original to get in the door. Use your edited version to wander the floor. Obviously you probably won't have a seat, but you'll be able to get pretty darn close. All because they only scan the ticket at the door. They visually inspect the ticket to see if you are special enough to get up close.

    * Seriously, I would never suggest that you break the law. This idea is purely for entertainment and discussion purposes. Kids, don't try this at home!