
Card Locks Thwarted by Shopping Club Card 361

Posted by timothy
from the hmmm-not-so-good dept.
hal9000(jr) writes "A recent column ('Social Engineering, the Shoppers' Way') on darkreading.com shows how easy it is for a pen test team to walk into a supposedly secure facility using a shoppers club card because the man trap feature was enabled. Man-traps allow people to enter an outer door but not an inner door similar to ATM kiosks. Once inside, of course, they had the run of the place." Lessons: after writing down your password, eat your sticky notes rather than leave them on the monitor.
This discussion has been archived. No new comments can be posted.

  • by HugePedlar (900427) on Thursday July 20, 2006 @10:54AM (#15749889) Homepage
    Should have used caltraps instead of mantraps.
  • Works for me (Score:5, Interesting)

    by Knytefall (7348) on Thursday July 20, 2006 @11:00AM (#15749923)
    Where I work, one of my friends was able to use his shopper's club card to get access to doors he didn't have access to, but I did. I thought the odds of that happening must be astronomical, but apparently it's more common than I thought.
    • by Chapter80 (926879) on Thursday July 20, 2006 @03:23PM (#15751914)
      Try this one for the next concert you go to*:

      Buy your tickets online, using TicketMaster's instant delivery mechanism. They email you a PDF that serves as the ticket.

      Scan it in, bring it into photoshop, and edit the seat location. For that matter, use scissors and tape and a copier to modify your seat location. Make sure you make it a front row seat!

      Then when you go to the concert, use the original to get in the door. Use your edited version to wander the floor. Obviously you probably won't have a seat, but you'll be able to get pretty darn close. All because they only scan the ticket at the door. They visually inspect the ticket to see if you are special enough to get up close.

      * Seriously, I would never suggest that you break the law. This idea is purely for entertainment and discussion purposes. Kids, don't try this at home!

  • Just great. (Score:5, Funny)

    by Rob T Firefly (844560) on Thursday July 20, 2006 @11:01AM (#15749929) Homepage Journal
    And what's more, the security system added frequent shopper rewards to their card! Those lucky bastards are going to save so much money on their next purchases of orange juice and cat food.
  • insecurity 101 (Score:5, Interesting)

    by digitaldc (879047) * on Thursday July 20, 2006 @11:02AM (#15749935)
    Maybe...

    1) Have a photo ID badge that is the only card that can be swiped to get in to the location
    2) Install fingerprint readers and cameras for employees to gain entry
    3) Lock all doors/locations not in use, & again use ID Badges and fingerprint readers to gain entry
    4) Have all passwords on keychains updated every few minutes
    5) And finally, have all employees meet regularly so they know each other by name and by face

    Just a thought.
    • I bet you've either never seen, or have forgotten, this story [theregister.co.uk] already.

      Using fingerprints or other such biometric data to gain access to valuable resources is a very BAD idea. Until there's a sensor that can identify me, that I'm alive and well and not in any way stressed (no gun pressed into the small of my back etc. etc.) then the whole idea is a no no.
      • Re:insecurity 101 (Score:3, Insightful)

        by Hoi Polloi (522990)
        I was fingerprinted as part of my DOD security clearance at a DOD lab. At the time I had psoriasis on my fingers so my fingerprints were practically smooth from thickened skin. After it cleared up I doubt any prints they took would've been too useful.
    • Re:insecurity 101 (Score:5, Interesting)

      by Intron (870560) on Thursday July 20, 2006 @11:39AM (#15750221)
      One lab I consulted for had RFID badges so you just had to walk up to the door to unlock it. Saved the hassle of getting a card out every time. Employees were trained not to let two people through on one activation (except legitimate visitors) and had a bulletin board with a picture and name of every employee.

      The most secure place I've been (bank IT center) had a vestibule that weighed you on the way in and out. If you were heavier or lighter, the door didn't open.
  • by petrilli (568256) on Thursday July 20, 2006 @11:02AM (#15749939) Homepage
    A man-trap, in the physical security world, is a "room" (loosely defined here) which has control points on both sides. Often you have to use two different forms of authorization, one for entry (i.e. a badge) and another for exit (biometrics, let's say). This allows it to *trap* anyone who tries to sneak through the system. What the article is really talking about is not a man-trap, but the anti-"bum" measures that banks use in many cities around ATMs inside a building. You have to put your ATM card into a slot, but it really doesn't read the card, it just verifies that you stuck a magstrip card into the slot. You then use your ATM card to access the ATM where it is presumably verified.

    Setting anything in this method is absurd, and the physical security people should be fired on the spot for this kind of kindergarten mistake. While what likely happened is that it was turned this way when installed so that you could teach people to use it without having to deal with the slowdown of people actually being blocked, it's a bad way to behave, and shouldn't have been even turned on the first time this way. It may also be that, in fact, it was turned this way because of a problem with reliability of magstripe cards (they fail pretty regularly), and instead the system should have been converted to another form of identification -- Wiegand, RF proxy, etc.
    • Interesting - I always heard of such a set-up being called a "sallyport."
    • by umghhh (965931) on Thursday July 20, 2006 @11:56AM (#15750384)
      It is indeed a major mistake. Firing the responsible technician on the spot as you suggest will not do anything to increase security however. After all persons responsible were able to act on information provided - next time this method did not work. We do not have such certainty about their replacement.

      Not giving a chance for improvement is bad policy - the only thing it really does is alienate security people. It may be that next time they spot a similar mistake they will not fix it in any official way fearing consequences and this can create a bigger security problem than the one 'fixed' by firing squad.
      Alienated guards are bad guards.

    • What the article is really talking about is not a man-trap, but the anti-"bum" measures that banks use in many cities around ATMs inside a building. You have to put your ATM card into a slot, but it really doesn't read the card, it just verifies that you stuck a magstrip card into the slot.

      Some of the "bum repelling devices" are a little more advanced and will read the first few digits to verify that you are a customer of the particular bank, etc, (a bit of a nuisance if you are drunk and looking to buy more
    • Banks in London used to have such a system - you swipe your ATM card to gain access. But then criminals started fitting their own card reader devices on the outside of the door and cloning cards (demonstrating yet again why it's a bad idea to have a card where mere knowledge of the card number is enough to authorize payment). So now they just have push-button entry systems.
    • by Dun Malg (230075) on Thursday July 20, 2006 @12:17PM (#15750571) Homepage
      but it really doesn't read the card, it just verifies that you stuck a magstrip card into the slot....It may also be that, in fact, it was turned this way because of a problem with reliability of magstripe cards (they fail pretty regularly), and instead the system should have been converted to another form of identification -- Wiegand, RF proxy, etc.
      One law office where I work had so much trouble with the mag-stripe reader on the back door that the head of security himself opened the thing up and wired the electric strike release directly to the microswitch that detects when a card's been inserted! This means that you can get in the back door with anything that fits in the slot, even a popsicle stick, a trick I thoroughly enjoy demonstrating every time I go there. I even keep a popsicle stick in the truck just for that purpose.

      Surprised guy who sits by back door: How'd you get in?
      Me: Popsicle stick (holding up popsicle stick)

  • by nuggz (69912) on Thursday July 20, 2006 @11:06AM (#15749962) Homepage
    Man trap is a bit confusing.

    They are likely referring to a single person entry door.
    The problem I see is this may not suffice for disabled access.

    At first I thought man-trap would be they lock you in if anything goes wrong, the problem here would be a potentially devastating liability if there is any injury.
    Think about the lawsuit if someone got injured or killed (or mildly annoyed) if they were physically detained by an automated system.
    The wikipedia article indicates this issue.
    http://en.wikipedia.org/wiki/Man-trap [wikipedia.org]
    • The man trap in TFA is not the same as the man trap as described in the Wikipedia and I find a bit odd that the Wikipedia doesn't include an entry about the sort of man trap described in TFA. There are websites that sell man traps such as are described in TFA at http://www.secureaccessportals.com/ [secureaccessportals.com] and http://www.koubasystems.com/mantrapsys.html [koubasystems.com]
    • I think the term "man trap" itself originated with castles. The main gate would consist of an inner door and an outer door. Attackers getting past the outer door could be attacked (with rocks, burning coals, boiling water/oil, etc) in the confined space by defenders above them through holes in the floor.
    • by Dun Malg (230075) on Thursday July 20, 2006 @01:07PM (#15750980) Homepage
      At first I thought man-trap would be they lock you in if anything goes wrong, the problem here would be a potentially devastating liability if there is any injury. Think about the lawsuit if someone got injured or killed (or mildly annoyed) if they were physically detained by an automated system.
      Yeah, you usually only find man-traps at places like Los Alamos National Laboratory, where the system is supervised by actual live security personnel. A man-trap is really only worth the effort and expense of constant monitoring if you're running something like LANL, where if a guy tries to wander in with a found/stolen card, you don't want him to just be able to say "oh well, no secret stealing for me today" and just walk away.
  • by slam smith (61863) on Thursday July 20, 2006 @11:09AM (#15749993) Homepage
    My wife used to regularly get into my work buildings to meet me for lunch. You just need to carry a baby in a baby carrier and everyone will let you in.
    • Maybe it was because she was carrying a baby, or maybe it was because everyone recognized her as your wife because she was a regular visitor there. She should show up some time without the baby and see what happens. My suspicion is they'll let her in anyway because they recognize her by now.

      Of course, if your office isn't a particularly high security environment, it may just not matter that much if someone unauthorized makes it in. In that case (as with most ordinary office buildings), the security is th
    • by Demon-Xanth (100910) on Thursday July 20, 2006 @11:31AM (#15750155)
      Pretty much any type of tools. ESPECIALLY telephone buttsets. My dad worked for a phone company for a long time, and if he had a telephone buttset, nobody ever questioned his credentials, or took a second thought about letting him into anywhere in a building. Locked door? Just ask someone to open it for you!

      Clipboard. If you got a clip board, people are AFRAID to question you. A coworker of mine visited a major plant once, and the employees mistook him for a CEO or something like that because he had a clipboard.

      Suit and tie. People will assume you're a rep of a visiting company and will give you directions.

      The best locks in the world won't do any good if someone trusted opens it for an attacker.
      • by tradiuz (926664) on Thursday July 20, 2006 @12:02PM (#15750444)
        Well abused tool belt with used tools (the one day my tools and tool belt were new and shiny, I had security ask for credentials 4 times, and have never been asked since).
        Well abused hard hat with a contractors name on it (Simplex/Grinell works well, since 99.9% of everyone have a Simplex/Notifier fire alarm system in Houston).
        Work worn blue jeans and t-shirt. Cover-alls also work.
        Worn work boots.

        What really scares me though, is that I had less resistance walking around Halliburton than I had walking around BMC Computers. Apparently, software code is behind better locks than radioactive material. I used to be a fire alarm tech, and went into the wrong building once, had security open the fire command center, and opened the panel before I realised that I was a block away from my intended destination. I put the panel back on, walked out, thanked security, and made haste to my original destination. This was very soon after 9/11, and security was stopping everyone with a suit and tie, but toolbelts got to walk past the metal detectors.
      • It's scary, but unfortunately true.

        Where I work (a medium-sized audio/video equipment and "lifestyle" company) everyone is required to wear their access card in a visible place, and guests are issued special guest cards that they have to sign for. Everyone here is strongly reminded that it is their duty to question anyone who does not have a visible access card or guest card as well as anyone who looks out of place.

        Also, when visiting any of the research departments and assembly lines, mobile phones and an
        • "It's a good thing people generally like working here"

          At my company, we've gone through two names since 2000 and went from a people loving company to a "people at the top" loving company. I've noticed that even though they've tried to tighten security, less people actually care about security so even though they've tried to close holes, they lost their company wide security net. There isn't a single employee in my building that gives a rats arse about physical security outside of their own tools/stuff.

          When
      • by Shotgun (30919) on Thursday July 20, 2006 @01:02PM (#15750936)
        My dad was a painter. Same story. The benefit of using the painter ruse is that you can tape off the conference room, cover everything with tarps, spread some paint around to get it good and smelly, and people will AVOID it. You won't even have to try to be sneaky while scanning the network.

        I think most of the security in corporate buildings is more about insurance liability than security. When I was a security guard while going to college*, we were told not to approach anyone we saw on the premises at night. If they looked suspicious we were to call the police. The company received something like a 30% discount for having a minimum wage person walk through the building every few hours. Our job was to discourage vandalism by our presence, and to observe and report (so that the fire only guts half of the north wing instead of the whole thing).

        The card readers are much the same. We just want to keep the random passerby from wandering through on sightseeing expeditions, and have something to cover our butts with at the civil trial when the judge asks why we were letting murderers and rapists wander the halls. Mention of corporate espionage will raise a few snickers among the security managers.

      • I use this ruse also. Although my identification of choice is a handheld ham radio. If you have a walky-talky style radio, people will let you anywhere.

        A little trick I learned when geocaching. People are always suspicious if they see people snooping around. I found that a reflective vest (like that worn by motorcyclists), a clipboard and ham radio would get me into ANYWHERE! Do Not Enter? HA! Authorized Personnel Only? JOKE!

    • There was a famous theft in which a large number of antique chairs were stolen from an office in broad daylight during working hours, with the staff present.

      The thieves drove up in a moving truck, wearing appropriate clothes, and explained that the chairs were being transferred to a different office. They presented "requisitions" to sign, got signatures, filled the truck, and drove away.
    • Where I work, you just need to be on a bicycle. I even got waved through the guard shack on a day that our governor was on site and security was being more strict. I know it's not because they know me, because I normally drive.
    • by WindBourne (631190) on Thursday July 20, 2006 @12:04PM (#15750464) Journal
      Well, of course they would. Everybody is thinking of the kids.
  • by Brix Braxton (676594) on Thursday July 20, 2006 @11:10AM (#15749995) Homepage
    I work in a secured building - it's a federally protected building right above a train hub and across from the Sears Tower. Anyway - security is similar to what was described - barely flashing anything that resembles a photo ID card with a splash of red on it is sufficient to get in. I keep fighting the urge to do it, but what I really want to do is just draw a half assed I.D. card with crayon and construction paper and see if it gets me through.
    • I used to enter a military base by just flicking my wallet open, sometimes it would be a photo of my wife that I was flashing at them but I was driving a car that they knew and they were not looking that closely. I did mean to show my ID but I often made a mistake that I did not realise until later. I have several cards and photos in the windowed section of my wallet and sometimes got it wrong but I was never stopped for that. Sometimes they would do the routine mirrors under the car bit and look under t
  • by Chineseyes (691744) on Thursday July 20, 2006 @11:10AM (#15749996)
    During the summers as a college job I used to work at an insurance company mailroom which housed a lot of paperwork with very personal information SSN's Medical Info you name it, it was there. My fellow mailroom employees and I used to use CVS shopper cards to gain access to every room in the building when we had forgotten our ID cards at home. Also if you happen to have a shopper card for one grocery store it almost always works at a competing grocery store.
    • Also if you happen to have a shopper card for one grocery store it almost always works at a competing grocery store.

      That is most likely because your "competing" stores are different arms of the same conglomerate. Supervalu [wikipedia.org] and Ahold [wikipedia.org] are two of the largest, encompassing albertson's, stop n shop, giant, and several others. On top of this, the loyalty card databases may be maintained by an outside firm, who may combine the data across different chains into a superdatabase of every person who buys Watermelon

  • Man..... (Score:3, Insightful)

    by Mayhem178 (920970) on Thursday July 20, 2006 @11:10AM (#15749998)
    In college we had palm scanners just to get into the student recreation center. There was a rumor flying about that they could be beaten by scanning the back of your hand instead of the palm. Turned out to not be true.

    If you're telling me that my college gymnasium had better security than these places, then I am appalled.
  • security (Score:3, Interesting)

    by hostylocal (827126) on Thursday July 20, 2006 @11:14AM (#15750024)
    physical security on most sites is a joke. at my last job i used to work for the u.k government and we had a running competition to see who could get past the security guard station with the most ridiculous item. i think that the winner used a tin of sardines that looked nothing like the site pass, but was approximately the same shape. i used to use a cigarette packet most of the time. the mag swipes to enter various blocks did actually look for your pass number on a list of approved numbers however - but a large portion of these were left unlocked or propped open during warm periods. lh
  • It occurs to me that all this attention to security detail will come to naught in the Star Trek future - they could just use the transporter and beam into any secure area, all they need are the coordinates and blammo, they're in.

    • by digitaldc (879047) * on Thursday July 20, 2006 @11:22AM (#15750073)
      they could just use the transporter and beam into any secure area, all they need are the coordinates and blammo, they're in.

      But, you forgot, after you beam down there could be an extremely attractive woman just waiting to suck all the salt out of you!
    • Ah, but they could shield secure areas, making transporter beam-ins impossible.

      Sadly, this post might get modded insightful...
    • by abb3w (696381) on Thursday July 20, 2006 @11:40AM (#15750225) Journal

      It occurs to me that all this attention to security detail will come to naught in the Star Trek future - they could just use the transporter and beam into any secure area, all they need are the coordinates and blammo, they're in.

      I refer you over to Larry Niven's essay, "The Theory and Practice of Teleportation", collected in All The Myriad Ways [amazon.com]; you'll probably need to check used bookstores or libraries for it. However, as my memory serves, he characterized that type of teleportation (both receive-to-device-from-anywhere and send-from-device-to-anywhere) as "you don't get a society, you get a short war".

  • Easy full access (Score:5, Insightful)

    by nizo (81281) * on Thursday July 20, 2006 @11:21AM (#15750067) Homepage Journal
    I wonder how many companies screen the janitorial staff? Not only do they typically have full access to the building, but they are there after hours and can easily rummage around looking for usernames, passwords, and machines that are still logged in with administrator privileges. Heck they could bring a laptop in and connect directly to the internal network for that matter.
    • Every office I've ever worked in which had card-level access also gave cards to the janitorial staff, and their usage of the cards was logged and tracked just like everyone else.
      • That doesn't address what they do when they get inside. In fact most janitorial staff have more access than some employees. I can't get into a boss' office but the jan. staff have a key to empty his trash can because he can't be assed to leave it outside the door.

        The secondary fact that they could bring in a laptop and plug in anywhere demonstrates a TOTAL lack of insight into security. Most people assume that if you're inside you belong. Not just physically but by having live ethernet jacks everywhere that
    • by bhpratt (975195) on Thursday July 20, 2006 @12:27PM (#15750649) Homepage
      I've worked at a national laboratory and even the janitorial staff had to have secret or top-secret clearance to be allowed access to the respective secure areas. In fact, now that I think about it, most of the janitorial staff had higher clearance than I did...
  • by Demerara (256642) on Thursday July 20, 2006 @11:22AM (#15750075) Homepage
    What's most amazing about the story is not that they got "made" second time round but that the woman who did so had left the building, started her car and began to drive away. She remembered what had happened, turned round and came back to shop the two pentesters.

    That this happened in this fashion 6 months after the initial (and hugely embarrassing) successful penetration reflects both the company's response and the quality of the security awareness training delivered to employees.

    How many people, hand on heart, once they're out of the office, would turn round and come back for such a scenario?
    • Been there, done that.

      A few years ago I worked at a company that issues SSL certificates. I'd already driven from home to the office for some scheduled after-hours work, and issued a cert as part of that work. I was almost back home again when I realized I'd left my ID token card in the cert-issuing computer.

      Now, this machine was in a locked room which required ID card and PIN access, and even with the token card you had to fingerprint and password the computer. Nonetheless, I drove all the way across town
  • Bad Advice? (Score:4, Interesting)

    by BrianRoach (614397) on Thursday July 20, 2006 @11:24AM (#15750095)
    FTA: We advised them to look for a badge and question individuals who appear to be out of place.

    Umm ... how about, "Call security and tell them" instead?

    If you've got someone who's in the middle of a criminal act ... is it wise to test just how much of a criminal they are?

    While it may be that most data poachers serious enough to break into a building aren't violent criminals ... I'm not going to test that theory. Especially if it's late at night, I'm unarmed, and I'm outnumbered 2:1.

    Spending the rest of the night duct-taped in a supply closet just doesn't seem like all that much fun to me :)

    - Roach

    • Re:Bad Advice? (Score:3, Insightful)

      by pe1rxq (141710)
      Sure, you could have a security hit squad jump them.....
      But most of the time someone looking out of place has a good reason to be there, maybe a new guy or someone from another department or just some guy with a bad sense of direction. In those cases just talking to them will be enough.
      Also most of the times this will be during regular office times when you outnumber them 10:1.

      Late at night you are right of course, just call security.
      • Oh, I agree ... during the day when there's lots of people around and such, I'd have no problem approaching someone with a simple "Hey, are you looking for something/someone" type thing.

        2 guys at 10pm when the building was pretty much cleared out? Oh, and I just happen to notice they slipped the door when someone was leaving (as in TFA)? Nope. Sorry, not my job. I'm going to smile and nod as I walk by then go pick up a phone :D

        - Roach
    • Well, generally, in an office building, you don't just randomly call security on random people. It may have just been another co-worker, for instance. Hell, maybe it was an upper manager who was in a hurry and didn't want to get out his ID card. Even if it's a data poacher, it's not like they are going to stab you in the middle of a corporate lobby in the middle of the day.
      • Sorry, I was responding in the context of the article. Silly me, I know.

        It's late at night, and you see two guys slip a door when someone else exits.

        They're ...

        A) Co-Workers you don't know who both happened to forget their badges and need to be in the building after-hours.
        B) 2 Upper Managers you don't know who both happened to forget their badges and need to be in the building after-hours.
        C) Two guys who shouldn't be there.

        Final Answer? ;)

        - Roach
      • Re:Bad Advice? (Score:5, Insightful)

        by Overzeetop (214511) on Thursday July 20, 2006 @12:06PM (#15750480) Journal
        maybe it was an upper manager who was in a hurry and didn't want to get out his ID card

        Yes, it's not the situation in the article, but you bring up a very valid point:

        Security Is For Everyone

        You absolutely should call security on upper management, though you might want to do it from someone else's phone. Management, no matter what level, must respect the security measures, no matter how high they are. The CEO should have his ID card at the ready if he's in a secure facility. *hrupph*
        • Re:Bad Advice? (Score:3, Insightful)

          by Valdrax (32670)
          Security Is For Everyone

          Actually, that very egalitarian notion is likely to result in the dismantling of security procedures, depending on the workplace. I have a friend who worked for an AOL call center that had a man-trap up until the day that a senior VP got stuck in it due to a glitch that revoked his ID, causing him to be locked in and secured when he lacked credentials for entry.

          Getting laughed at by underlings will cause nearly any office procedure to get revoked if the executive is high enough.
          • Re:Bad Advice? (Score:3, Interesting)

            by dbc (135354)
            Getting laughed at by underlings will cause nearly any office procedure to get revoked if the executive is high enough.

            No, that is a sign of a company culture with far worse problems. If that is so where you work, put out your resume.

            I worked at Intel for over a decade. "Employee only" technical and marketing data is published in serial numbered documents with a distinctive cover color. Every few months, the night shift guards walk the building confiscating secret documents that have not been locked aw

  • Without having an "official" magnetic access card to duplicate, I pulled every card with a magnetic stripe from my wallet, including my bank ATM card, a credit card, and a shopping card from a major grocery store. To my surprise, the first swipe from the shopping card opened the door.


    I'm not surprised as I've also tried this maybe 10 years ago into the bank ATM machine access - with a frequent flyer card. I was thinking, how in the world would the thing verify as other banks customers can use the mach

  • I wonder if we can get mega-discounts at the grocery store if we use our card key in place of our club card?
  • So just how secure do you think most corporations are to intrusions by intensively competitive foreign firms, like, shall we say those from Korea (Both), China, Taiwan and others, who have already figured out what college students (including the foreign students) had figured out 10 years before during their undergraduate work?
  • by Anon-Admin (443764) on Thursday July 20, 2006 @11:48AM (#15750303) Journal
    Most security people are minimum wage. I see people talking about flashing cards and cans of food, etc. This is not a surprise.

    I once entered the R&D area of a fortune 500 company using an ID that was printed on an ink jet printer and had my picture and the CIA logo on it. I was questioned and just flashed the card. That ended all questions.

    When I was managing a computer company, I came back from lunch to find the lead chatting with a guy. The guy introduced himself as the fire marshal and the lead informed me that there was a Fire Inspection going on. The "Fire Marshal" told me I could not go into the back while the inspection was going on. I proceeded to enter the back to find the "Inspector" inspecting the computer equipment. Right out the back door!

    The truth is that most people will not question you, provided you look like you belong and have some form of ID to back it up.

    Now it is time to go to the uniform store and get a security guard uniform. I think I'll stand next to the night deposit box at the bank. Just to see how many people will give me their deposits when I tell them that the deposit box is broken and I am there to collect and secure their deposit.
  • Tabloid Alert (Score:3, Interesting)

    by linuxwrangler (582055) on Thursday July 20, 2006 @11:49AM (#15750310)
    While on travel in Chicago a couple years ago I caught one of those "oh, isn't this dreadful" hand-wringing pieces of journalism where they had "discovered" that even the transit card would open the door to the ATM. They trotted out stories of people who had been mugged after getting their money. So when back home I tried my BART card and it worked fine as well.

    Could they improve the ATM vestibule access? Sure. But would it do any good? I doubt it. Almost everyone has some sort of card that could reasonably be used in an ATM and a mugger can just get you when you walk out or force you in when you get out your card. Or they could use a stolen card.

    Given the default security-settings and install options present on so much software, I suppose I shouldn't be surprised but I am still surprised that a system whose sole purpose is security would make it so easy to allow this sort of misconfiguration. That seems like an option you should be forced to request.
  • whatever (Score:2, Informative)

    by szembek (948327)
    This summary made shit for sense.
    • Re:whatever (Score:3, Insightful)

      by windowpain (211052)
      That wasn't a troll. The guy who submitted can't write for shit. There is absolutely nothing inherently insecure about a mantrap. I was puzzled until I rtfa. It's the fact that doors to ATM mantraps are configured to operate with any magnetic stripe card that is the problem. The submitter should have made that clear.
  • Many doors have locks are not installed improperly. Deadlocking latch bolts have an anti-jimmy mechanism (that little slidy thing on the door bolt) that won't let the bolt withdraw if they both aren't in the same position. When the door closes, this part of the lock remains outside of the hole for the bolt.

    Doors with deadlock latch bolts can, with a good swift kick, be pushed far enough into the door jamb for the anti-jimmy mechanism to fall into the strike plate hole. From there, a credit card or thin k
  • security audit (Score:2, Insightful)

    by headonfire (160408)
    after the (what seems to be) unannounced first break-in attempt and briefing of the employees, any and all results should be considered fairly invalid for at least several months afterwards. Being caught on their second attempt is a no-brainer - hopefully by that point all of the employees have been informed of a security audit, so everyone is going to pay attention, at least for a while.

    I worked in a "secure" government contracting facility for five years. As time passed, we had more and more security aud
  • by THESuperShawn (764971) on Thursday July 20, 2006 @12:37PM (#15750730)
    My wife has those "Coupon Cards" or "Frequent Shopper" cards for 30 different drug and grocery stores. She used to keep adding new ones to my key chain all the time. Tired of looking like I was hiding quite a package in my pocket all the time, I decided to try out a theory of mine. I scanned a store's keychain tag at a totally different store (self checkout, obviously can't hand it to a cashier). Well, it worked just fine. While you obviously won't get credit for the sale (big deal) as who knows what account it goes to, you do get all the "virtual coupons" associated with the card.

    I now just carry one shopping card (Harris Teeter I think). It works at almost every store wherever I travel...CVS, Lowes Foods, Bi-Lo, etc. I just scan the card and it says "Welcome member".

    And FYI. The ATM vestibules- big deal- they are all set to open on any magnetic reader as most banks and credit card companies use different numbers of tracks, data types, and encryption. They don't want to "lock out" members of other banks and not get to charge them a $3.00 "convenience fee" so they let basically any card in. It's not like it gives you access to the ATM if you use a fake card, you just gain access to a vestibule full of video cameras. It's only made as a "deterrent".

    Spelling/Grammer police- I did this from a mobile while in a meeting, I don't feel like jumping through hoops to use a spell check. Just bear with me for now.
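
The misconfiguration the comments above keep returning to (a reader that opens for any magnetic-stripe card instead of checking the card number against a list of approved numbers), as an added example that is not part of the original thread: a hypothetical door controller in both modes, plus an audit over its log that flags doors granting entry to cards nobody enrolled. The door names, card numbers, mode names and log format are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Track-2 style framing: start sentinel ';', up to 19 digits, an optional
# '=' field separator with more digits, end sentinel '?'.
TRACK2 = re.compile(r"^;(\d{1,19})(?:=(\d*))?\?$")

# Constructed badge numbers standing in for the site's enrolled cards.
ENROLLED = {"6001234500017", "6001234500025"}


@dataclass(frozen=True)
class Door:
    name: str
    mode: str  # "card_present" (weak) or "allowlist" (hypothetical mode names)


# Constructed door configuration: the outer door was left in the weak mode.
DOORS = {
    "lobby-outer": Door("lobby-outer", "card_present"),
    "server-room": Door("server-room", "allowlist"),
}

# Constructed swipe log: (door, raw track data as the reader reported it).
SWIPES = [
    ("lobby-outer", ";6001234500017=2912?"),  # enrolled badge
    ("lobby-outer", ";4417123456789?"),       # loyalty card, not enrolled
    ("server-room", ";4417123456789?"),       # same loyalty card, inner door
    ("server-room", ";6001234500025=2912?"),  # enrolled badge
    ("lobby-outer", "%GARBLED"),              # stripe that does not parse
]


def card_id(track):
    """Return the number field of a track-2 style read, or None if unparseable."""
    m = TRACK2.match(track or "")
    return m.group(1) if m else None


def decide(door, track, enrolled=ENROLLED):
    """Decide one swipe and return the log record the controller would write."""
    cid = card_id(track)
    if door.mode == "card_present":
        # Weak mode: any stripe that produced data opens the door.
        granted = bool(track)
    elif door.mode == "allowlist":
        # Corrected mode: the number must parse and be on the approved list.
        granted = cid is not None and cid in enrolled
    else:
        granted = False  # unknown mode: fail closed
    return {"door": door.name, "card_id": cid, "granted": granted}


def replay(swipes, doors=DOORS):
    """Run every swipe through its door and collect the log records."""
    return [decide(doors[name], track) for name, track in swipes]


def audit(events, enrolled=ENROLLED):
    """Names of doors that granted entry to a card that is not enrolled."""
    return sorted({e["door"] for e in events
                   if e["granted"] and e["card_id"] not in enrolled})


if __name__ == "__main__":
    log = replay(SWIPES)
    for record in log:
        print(record)
    print("doors granting to unenrolled cards:", audit(log))
```

Run against real controller logs, the same audit would show a door left in the any-card mode the first time an unenrolled card is granted, without anyone having to test it at the door.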
