In Depth

The Problem with Employee Badges As a Security Mechanism

Book Excerpt: No Tech Hacking: A Guide to Social Engineering, Dumpster Diving, and Shoulder Surfing

Page 2

Government agencies have known for years that employee badges should be removed when leaving the workplace. The more secretive agencies are very proactive when it comes to enforcing this policy. I was not surprised to discover so few open-air badges around more secretive government buildings. The keyword here is few. While spending some time in the D.C. corridor, I came upon an outdoor barbeque catered by an office leasing company. The event was designed to show appreciation for the various corporate tenants, some of which were government related. As I wandered around the large catering tent, I was amazed at the number of badges I spotted. I was so busy snapping pictures of people that I nearly forgot to take advantage of the free grub. Although I saw badges belonging to several different companies, some were more surprising than others, like the airfield badge shown below.

[Image 4]

I am relatively certain that airport security personnel do not rely solely on visual badge identification as an authentication mechanism, but the photo is interesting nonetheless considering it was taken well away from airport property.

Two women waiting in line caught my eye (not in that way). The taller of the two was very important-looking. She was dressed in a smart black suit and was having an important-sounding conversation on her Blackberry cell phone. It wasn’t the geek-chic cell phone that caught my eye, but rather the plethora of badges and paraphernalia dangling from her lanyard. Traveling in tech circles, I’ve seen my share of lanyard clutter, but this nice lady took the prize for most neck-flair toted by a female.

[Image 5]

As I drew closer, I realized that her badge was decidedly governmental in appearance. I took a few photos—which neither of them seemed to notice—and after reviewing them, I realized I had a horrible angle on the more interesting badges. As she continued chatting into the phone, I swung around to the other side of her and stepped in as close as I could without triggering her (admittedly impaired) stalker detection system. Less than a foot away from her, I snapped the photo below.

[Image 6]

This particular badge is issued to government employees stationed at the Pentagon. The Post-It note reminds her to “bring a copy of yesterday’s all hands to DSS H.Q.” Granted, security at the Pentagon is second to none. I know from personal experience that the guards stationed at the Pentagon mean business. They are not to be trifled with. I also know that visual identification of a badge at the Pentagon means absolutely nothing. All badges are electronically verified, and the security of that electronic process is world-class. Still, I had no doubt that Pentagon security personnel would not take kindly to employees exhibiting this kind of careless behavior.

Johnny Long
