The Problem with Employee Badges As a Security Mechanism
Book Excerpt: No Tech Hacking: A Guide to Social Engineering, Dumpster Diving, and Shoulder Surfing
November 26, 2007 — CSO
Read more in CSO’s interview with Johnny Long.
By Johnny Long
My phone company getup was convincing, but without the badge I doubt I would have made it inside. The badge identified me as a phone guy. However, the badge was nothing more than a laminated bit of printer paper. To use security jargon, that laminated paper was my authentication token. Anyone who visually inspected it could draw a conclusion about whether or not I was legitimate. This type of visual identification is a weak authentication mechanism because it is so easily duplicated. Unfortunately, many facilities rely on exactly this type of security, and it amazes me how many badges I see worn out in public.
I spot at least ten different types of badges a day. If I had a nickel for every time I saw a new badge, I’d have a whole lot of nickels. Even though I’ve seen hundreds of thousands of badges in my lifetime, I still get giddy when I see a new one, because I know beyond a shadow of a doubt that I could somehow use it to gain access to that company. Even if they employ some sort of electronic system to validate the card (we’ll talk more about those systems later in this section), I could probably use the badge to tailgate or social engineer my way inside. Getting giddy about site badges is admittedly strange, but I’ve long since given up on the doldrums of normality. These days I go all the way; I carry a camera wherever I go to capture badges I spot in the wild. I spotted the badge below in a local mall. (We’ve obscured faces and identifying details.)
Badges sometimes appear in packs, as the photo below reveals.

I captured this next photo as I sat in a corporate lobby. The walls were lined with all sorts of plaques and awards that the company had earned through the years. Several flat-screen monitors droned through PowerPoint presentations extolling their corporate virtues. I amused myself with a game of “count the buzzwords” until I saw this particular slide and nearly flipped backwards out of the overstuffed leather armchair.

This slide was one of several that showed groups of employees, in various stages of corporate bonding, all wearing their badges. After spending a total of two minutes in the building’s open lobby, I had no fewer than ten badge photos. Fortunately for this company, I was “off duty” and never discovered whether a laminated bit of printer paper would be enough to work my way inside.