Slashdot Mirror

← Back to Stories (view on slashdot.org)

Card Locks Thwarted by Shopping Club Card

Posted by ryuzaki0 on from the hmmm-not-so-good dept.

hal9000(jr) writes "A recent column ('Social Engineering, the Shoppers' Way') on darkreading.com shows how easy it is for a pen test team to walk into a supposedly secure facility using a shoppers club card because the man trap feature was enabled. Man-traps allow people to enter an outer door but not an inner door similar to ATM kiosks. Once inside, of course, they had the run of the place." Lessons: after writing down your password, eat your sticky notes rather than leave them on the monitor.

9 of 361 comments (clear)

  1. Works for me by Knytefall · · Score: 5, Interesting

    Where I work, one of my friends was able to use his shopper's club card to get access to doors he didn't have access to, but I did. I thought the odds of that happening must be astronomical, but apparently it's more common than I thought.

  2. Just great. by Rob+T+Firefly · · Score: 5, Funny

    And what's more, the security system added frequent shopper rewards to their card! Those lucky bastards are going to save so much money on their next purchases of orange juice and cat food.

    --
    Slashdot Burying Stories About Slashdot Media Owned
  3. insecurity 101 by digitaldc · · Score: 5, Interesting

    Maybe...

    1) Have a photo ID badge that is the only card that can be swiped to get in to the location
    2) Install fingerprint readers and cameras for employees to gain entry
    3) Lock all doors/locations not in use, & again use ID Badges and fingerprint readers to gain entry
    4) Have have all passwords on keychains updated every few minutes
    5) And finally, have all employees meet regularly so they know each other by name and by face

    Just a thought.

    --
    He who knows best knows how little he knows. - Thomas Jefferson
  4. Wrong use of the word man-trap by petrilli · · Score: 5, Informative

    A man-trap, in the physical security world, is a "room" (loosely defined here) which has control points on both sides. Often you have to use two different forms of authorization, one for entry (i.e. a badge) and another for exit (biometrics, let's say). This allows it to *trap* anyone who tries to sneak through the system. What the article is really talking about is not a man-trap, but the anti-"bum" measures that banks use in many cities around ATMs inside a building. You have to put your ATM card into a slot, but it really doesn't read the card, it just verifies that you stuck a magstrip card into the slot. You then use your ATM card to access the ATM where it is presumably verified.

    Setting anything in this method is absurd, and the physical security people should be fired on the spot for this kind of kindergarten mistake. While what likely happened is that it was turned this way when installed so that you could teach people to use it without having to deal with the slowdown of people actually being blocked, it's a bad way to behave, and shouldn't have been even turned on the first time this way. It may also be that, in fact, it was turned this way because of a problem with reliability of magstripe cards (they fail pretty regularly), and instead the system should have been converted to another form of identification -- Wiegand, RF proxy, etc.

    1. Re:Wrong use of the word man-trap by umghhh · · Score: 5, Insightful

      It is indeed a major mistake. Firing the responsible technician on the spot as you suggest will not do anything to increase security however. After all persons responsible were able to act on information provided - next time this method did not work. We do not have such certainity about their replacement.

      Not giving a chance for improvment is bad policy - the only thing it really does is alienate security people. It may be that next time they spot similar mistake they will not fix it in any official way fearing consequences and this can create bigger security problem then the one 'fixed' by firing squad.
      Alienated guards are bad guards.

  5. Just have someone carry a baby in carrier by slam+smith · · Score: 5, Informative

    My wife used to regularly get into my work buildings to meet me for lunch. You just need to carry a baby in a baby carrier and everyone will let you in.

    --
    My Weblog
  6. Other items that work well. by Demon-Xanth · · Score: 5, Interesting

    Pretty much any type of tools. ESPECIALLY telephone buttsets. My dad worked for a phone company for a long time, and if he had a telephone buttset, nobody every questioned his credentials, or took a second thought about letting him into anywhere in a building. Locked door? Just ask someone to open it for you!

    Clipboard. If you got a clip board, people are AFRAID to question you. A coworker of mine visited a major plant once, and the employees mistook him for a CEO or something like that because he had a clipboard.

    Suit and tie. People will assume you're a rep of a visiting company and will give you directions.

    The best locks in the world won't do any good if someone trusted opens it for an attacker.

    --
    If you think education is expensive, you should try ignorance -- Derek Bok, president of Harvard
  7. Re:RTFA by Anonymous Coward · · Score: 5, Informative

    What?!? Have you ever worked software for a credit institution or a bank? The mag stripe is defined, if it wasn't Washington Mutual wouldn't be able to read Bank Of America. Same with credit cards, it VISA has a predefined strip. How the heck do you think that a BoA atm maching knows that my name is John Smith even though I have a Wells Fargo card, because there IS a standard.

    These standards aren't exactly handed out at the local book store, but they do exist. If the atm inside the man-trap serves Star, CoOp, Plus, and so on type cards, the little reader outside could make sure that the card swiped was valid. If you stick your super market card into an ATM it doesn't try every bank it knows until it finds a match, it recognizes that the card is invalid. The little card reader could do that as well.

  8. Floor seats at the concert by Chapter80 · · Score: 5, Informative
    Try this one for the next concert you go to*:

    Buy your tickets online, using TicketMaster's instant delivery mechanism. They email you a PDF that serves as the ticket.

    Scan it in, bring it into photoshop, and edit the seat location. For that matter, use scissors and tape and a copier to modify your seat location. Make sure you make it a front row seat!

    Then when you go to the concert, use the original to get in the door. Use your edited version to wander the floor. Obviously you probably won't have a seat, but you'll be able to get pretty darn close. All because they only scan the ticket at the door. They visually inspect the ticket to see if you are special enough to get up close.

    * Seriously, I would never suggest that you break the law. This idea is purely for entertainment and discussion purposes. Kids, don't try this at home!