Card Locks Thwarted by Shopping Club Card

hal9000(jr) writes "A recent column ('Social Engineering, the Shoppers' Way') on darkreading.com shows how easy it is for a pen test team to walk into a supposedly secure facility using a shoppers club card because the man trap feature was enabled. Man-traps allow people to enter an outer door but not an inner door similar to ATM kiosks. Once inside, of course, they had the run of the place." Lessons: after writing down your password, eat your sticky notes rather than leave them on the monitor.
  • Works for me (Score:5, Interesting)

    by Knytefall ( 7348 ) on Thursday July 20, 2006 @11:00AM (#15749923)
    Where I work, one of my friends was able to use his shopper's club card to get access to doors he didn't have access to, but I did. I thought the odds of that happening must be astronomical, but apparently it's more common than I thought.
  • insecurity 101 (Score:5, Interesting)

    by digitaldc ( 879047 ) * on Thursday July 20, 2006 @11:02AM (#15749935)
    Maybe...

    1) Have a photo ID badge that is the only card that can be swiped to get in to the location
    2) Install fingerprint readers and cameras for employees to gain entry
    3) Lock all doors/locations not in use, & again use ID Badges and fingerprint readers to gain entry
    4) Have all passwords on keychains updated every few minutes
    5) And finally, have all employees meet regularly so they know each other by name and by face

    Just a thought.
  • by Chineseyes ( 691744 ) on Thursday July 20, 2006 @11:10AM (#15749996)
    During the summers as a college job I used to work at an insurance company mailroom which housed a lot of paperwork with very personal information: SSNs, medical info, you name it, it was there. My fellow mailroom employees and I used to use CVS shopper cards to gain access to every room in the building when we had forgotten our ID cards at home. Also, if you happen to have a shopper card for one grocery store it almost always works at a competing grocery store.
  • security (Score:3, Interesting)

    by hostylocal ( 827126 ) on Thursday July 20, 2006 @11:14AM (#15750024)
    physical security on most sites is a joke. at my last job i used to work for the u.k. government and we had a running competition to see who could get past the security guard station with the most ridiculous item. i think that the winner used a tin of sardines that looked nothing like the site pass, but was approximately the same shape. i used to use a cigarette packet most of the time. the mag swipes to enter various blocks did actually look for your pass number on a list of approved numbers however - but a large portion of these were left unlocked or propped open during warm periods. lh
  • by Demerara ( 256642 ) on Thursday July 20, 2006 @11:22AM (#15750075) Homepage
    What's most amazing about the story is not that they got "made" second time round but that the woman who did so had left the building, started her car and began to drive away. She remembered what had happened, turned round and came back to shop the two pentesters.

    That this happened in this fashion 6 months after the initial (and hugely embarrassing) successful penetration reflects both the company's response and the quality of the security awareness training delivered to employees.

    How many people, hand on heart, once they're out of the office, would turn round and come back for such a scenario?
  • Bad Advice? (Score:4, Interesting)

    by BrianRoach ( 614397 ) on Thursday July 20, 2006 @11:24AM (#15750095)
    FTA: We advised them to look for a badge and question individuals who appear to be out of place.

    Umm ... how about, "Call security and tell them" instead?

    If you've got someone who's in the middle of a criminal act ... is it wise to test just how much of a criminal they are?

    While it may be that most data poachers serious enough to break into a building aren't violent criminals ... I'm not going to test that theory. Especially if it's late at night, I'm unarmed, and I'm outnumbered 2:1.

    Spending the rest of the night duct-taped in a supply closet just doesn't seem like all that much fun to me :)

    - Roach

  • by Demon-Xanth ( 100910 ) on Thursday July 20, 2006 @11:31AM (#15750155)
    Pretty much any type of tools. ESPECIALLY telephone buttsets. My dad worked for a phone company for a long time, and if he had a telephone buttset, nobody ever questioned his credentials, or took a second thought about letting him into anywhere in a building. Locked door? Just ask someone to open it for you!

    Clipboard. If you've got a clipboard, people are AFRAID to question you. A coworker of mine visited a major plant once, and the employees mistook him for a CEO or something like that because he had a clipboard.

    Suit and tie. People will assume you're a rep of a visiting company and will give you directions.

    The best locks in the world won't do any good if someone trusted opens it for an attacker.
  • Re:insecurity 101 (Score:5, Interesting)

    by Intron ( 870560 ) on Thursday July 20, 2006 @11:39AM (#15750221)
    One lab I consulted for had RFID badges so you just had to walk up to the door to unlock it. Saved the hassle of getting a card out every time. Employees were trained not to let two people through on one activation (except legitimate visitors) and had a bulletin board with a picture and name of every employee.

    The most secure place I've been (bank IT center) had a vestibule that weighed you on the way in and out. If you were heavier or lighter, the door didn't open.
  • by abb3w ( 696381 ) on Thursday July 20, 2006 @11:40AM (#15750225) Journal

    It occurs to me that all this attention to security detail will come to naught in the Star Trek future - they could just use the transporter and beam into any secure area, all they need are the coordinates and blammo, they're in.

    I refer you over to Larry Niven's essay, "The Theory and Practice of Teleportation", collected in All The Myriad Ways [amazon.com]; you'll probably need to check used bookstores or libraries for it. However, as my memory serves, he characterized that type of teleportation (both receive-to-device-from-anywhere and send-from-device-to-anywhere) as "you don't get a society, you get a short war".

  • Re:Don't buy it.... (Score:5, Interesting)

    by Pontiac ( 135778 ) on Thursday July 20, 2006 @11:42AM (#15750245) Homepage
    OK, here's an example from a recent pen test.

    Someone set up a test SQL server in the lab with access to the production network.

    Since it's "just a lab box" the SA password was left blank.

    At some point a domain admin logged into this box.

    The security team accessed the box with the local SA account.
    They got the LSASS password cache.

    With that they got the Domain Admin account.

    They used that to access a DC, got the SAM and used Rainbow crack with a 10gig precompiled hash DB to get 30 out of 35 domain admin accounts.
  • Re:Easy full access (Score:1, Interesting)

    by Anonymous Coward on Thursday July 20, 2006 @11:43AM (#15750254)
    So what? You missed the point entirely. Janitors are going to be going into pretty much every square inch of the building (even your server room is going to have to be swept occasionally) to do their job.

    Where I work (I'm in an IT dept) we actually have to clean our own stuff unless we're there babysitting the janitors. The janitorial staff comes through once a week while we're there (yeah, a pain in the ass) but other than that we're "it". Only people directly in the IT food chain have physical access to the IT section of the facility (basically it's IT peons -> Director of IT -> VP of Operations -> Pres).

    When I worked for the federal government I was located in a SCIF on a military base, and we had our own janitors, MPs, bean counters, etc. and they were all cleared for TS material. We even had a technical librarian and a small library in there!

    I do understand that not every company can take such precautions, but your point is noted. Own the place physically with the most innocuous folks and you still own the place. Period.
  • Re:RTFA (Score:5, Interesting)

    by Ryan Amos ( 16972 ) on Thursday July 20, 2006 @11:48AM (#15750296)
    Actually, checking for a valid ATM card is impossible.

    There is no ATM or even credit card standard; it's just a unique identifier linked to your account in the bank's databases. You can use ANY magstripe card you have as an ATM card. Just go to the bank and ask them.

    My bank did this for me when I lost my ATM card and needed cash. I went in, showed my picture ID, and they recorded my Student ID card as my ATM card. I could then stick it in an ATM and withdraw money. The guy explained that it was a lot faster than mailing me a new ATM card and that they could do it with any card that wasn't already linked to a bank account.
  • Tabloid Alert (Score:3, Interesting)

    by linuxwrangler ( 582055 ) on Thursday July 20, 2006 @11:49AM (#15750310)
    While on travel in Chicago a couple years ago I caught an "oh, isn't this dreadful" hand-wringing piece of journalism where they had "discovered" that even the transit card would open the door to the ATM. They trotted out stories of people who had been mugged after getting their money. So when back home I tried my BART card and it worked fine as well.

    Could they improve the ATM vestibule access? Sure. But would it do any good? I doubt it. Almost everyone has some sort of card that could reasonably be used in an ATM and a mugger can just get you when you walk out or force you in when you get out your card. Or they could use a stolen card.

    Given the default security-settings and install options present on so much software, I suppose I shouldn't be surprised but I am still surprised that a system whose sole purpose is security would make it so easy to allow this sort of misconfiguration. That seems like an option you should be forced to request.
  • by tradiuz ( 926664 ) on Thursday July 20, 2006 @12:02PM (#15750444)
    Well abused tool belt with used tools (the one day my tools and tool belt were new and shiny, I had security ask for credentials 4 times, and have never been asked since).
    Well abused hard hat with a contractor's name on it (Simplex/Grinnell works well, since 99.9% of everyone has a Simplex/Notifier fire alarm system in Houston).
    Work worn blue jeans and t-shirt. Cover-alls also work.
    Worn work boots.

    What really scares me though, is that I had less resistance walking around Halliburton than I had walking around BMC Computers. Apparently, software code is behind better locks than radioactive material. I used to be a fire alarm tech, and went into the wrong building once, had security open the fire command center, and opened the panel before I realised that I was a block away from my intended destination. I put the panel back on, walked out, thanked security, and made haste to my original destination. This was very soon after 9/11, and security was stopping everyone with a suit and tie, but toolbelts got to walk past the metal detectors.
  • by KozmoStevnNaut ( 630146 ) on Thursday July 20, 2006 @12:04PM (#15750467)
    It's scary, but unfortunately true.

    Where I work (a medium-sized audio/video equipment and "lifestyle" company) everyone is required to wear their access card in a visible place, and guests are issued special guest cards that they have to sign for. Everyone here is strongly reminded that it is their duty to question anyone who does not have a visible access card or guest card as well as anyone who looks out of place.

    Also, when visiting any of the research departments and assembly lines, mobile phones and anything else possibly containing a camera are to be stored at the receptionist's desk for the duration of the visit.

    In the end, it is very much up to the employees, however. It's a good thing people generally like working here, so they do put in the slight extra effort to maintain some level of security :-)
  • by Dun Malg ( 230075 ) on Thursday July 20, 2006 @12:17PM (#15750571) Homepage
    but it really doesn't read the card, it just verifies that you stuck a magstrip card into the slot....It may also be that, in fact, it was turned this way because of a problem with reliability of magstripe cards (they fail pretty regularly), and instead the system should have been converted to another form of identification -- Wiegand, RF proxy, etc.
    One law office where I work had so much trouble with the mag-stripe reader on the back door that the head of security himself opened the thing up and wired the electric strike release directly to the microswitch that detects when a card's been inserted! This means that you can get in the back door with anything that fits in the slot, even a popsicle stick, a trick I thoroughly enjoy demonstrating every time I go there. I even keep a popsicle stick in the truck just for that purpose.

    Surprised guy who sits by back door: How'd you get in?
    Me: Popsicle stick (holding up popsicle stick)

  • by Demon-Xanth ( 100910 ) on Thursday July 20, 2006 @12:29PM (#15750669)
    "It's a good thing people generally like working here"

    At my company, we've gone through two names since 2000 and went from a people loving company to a "people at the top" loving company. I've noticed that even though they've tried to tighten security, fewer people actually care about security so even though they've tried to close holes, they lost their company wide security net. There isn't a single employee in my building that gives a rat's arse about physical security outside of their own tools/stuff.

    When I was hired, people would ask where I worked, and that sort of thing. Although it might not be intentionally a security question, it would've caught me if I didn't belong. Now, new hires wander around without anyone ever asking them anything.
  • by THESuperShawn ( 764971 ) on Thursday July 20, 2006 @12:37PM (#15750730)
    My wife has those "Coupon Cards" or "Frequent Shopper" cards for 30 different drug and grocery stores. She used to keep adding new ones to my key chain all the time. Tired of looking like I was hiding quite a package in my pocket all the time, I decided to try out a theory of mine. I scanned a store's keychain tag at a totally different store (self checkout, obviously can't hand it to a cashier). Well, it worked just fine. While you obviously won't get credit for the sale (big deal) as who knows what account it goes to, you do get all the "virtual coupons" associated with the card.

    I now just carry one shopping card (Harris Teeter I think). It works at almost every store wherever I travel...CVS, Lowes Foods, Bi-Lo, etc. I just scan the card and it says "Welcome member".

    And FYI. The ATM vestibules- big deal- they are all set to open on any magnetic reader as most banks and credit card companies use different numbers of tracks, data types, and encryption. They don't want to "lock out" members of other banks and not get to charge them a $3.00 "convenience fee" so they let basically any card in. It's not like it gives you access to the ATM if you use a fake card, you just gain access to a vestibule full of video cameras. It's only made as a "deterrent".

    Spelling/Grammer police- I did this from a mobile while in a meeting, I don't feel like jumping through hoops to use a spell check. Just bear with me for now.
  • Re:insecurity 101 (Score:2, Interesting)

    by SparkEE ( 954461 ) on Thursday July 20, 2006 @12:43PM (#15750784)
    The types of rolled ink fingerprints captured for security clearance purposes, and used in IAFIS, are very different from how a fingerprint reader at a door would work. Door lock fingerprint readers are generally pretty good about being insensitive to such issues. Most use some type of capacity array to read your print beyond your first layer of skin, so that things like scrapes, dust, etc are not factors. Some use optical arrays, which are pretty horrible though.

    I'm not advocating using fingerprint readers as a single source of security though. The technology isn't really quite there yet, but there's been a lot of progress in recent years. Even with a perfect non-spoofable fingerprint reader, to be really secure there has to be the "what you know" aspect used in conjunction.
  • Re:RTFA (Score:3, Interesting)

    by Metzli ( 184903 ) on Thursday July 20, 2006 @12:55PM (#15750873)
    Actually, the man-trap feature could be quite useful if properly implemented. If you had an external door with this enabled on a badge reader and a room separated from the inside with an internal door that had this disabled on a badge reader, this could trap the intruder (you know, a man trap). The intruder gets through the outside door and can't get through the inside one. If you have a badge reader that's needed to exit (w/o the man-trap feature enabled), then the intruder is now stuck in the room with no way in or out. This is a variation of the classic man-trap and allowing effectively everyone in from the outside is part of the configuration.
  • by quacking duck ( 607555 ) on Thursday July 20, 2006 @01:02PM (#15750934)
    Been there, done that.

    A few years ago I worked at a company that issues SSL certificates. I'd already driven from home to the office for some scheduled after-hours work, and issued a cert as part of that work. I was almost back home again when I realized I'd left my ID token card in the cert-issuing computer.

    Now, this machine was in a locked room which required ID card and PIN access, and even with the token card you had to fingerprint and password the computer. Nonetheless, I drove all the way across town again to put the token back in the safe.

    Chances are I could've been the first person into the room the next day and no one would've been the wiser, but better safe than sorry--especially when it's policy.
  • by Shotgun ( 30919 ) on Thursday July 20, 2006 @01:02PM (#15750936)
    My dad was a painter. Same story. The benefit of using the painter ruse is that you can tape off the conference room, cover everything with tarps, spread some paint around to get it good and smelly, and people will AVOID it. You won't even have to try to be sneaky while scanning the network.

    I think most of the security in corporate buildings is more about insurance liability than security. When I was a security guard while going to college*, we were told not to approach anyone we saw on the premises at night. If they looked suspicious we were to call the police. The company received something like a 30% discount for having a minimum wage person walk through the building every few hours. Our job was to discourage vandalism by our presence, and to observe and report (so that the fire only guts half of the north wing instead of the whole thing).

    The card readers are much the same. We just want to keep the random passerby from wandering through on sightseeing expeditions, and have something to cover our butts with at the civil trial when the judge asks why we were letting murderers and rapists wander the halls. Mention of corporate espionage will raise a few snickers among the security managers.

  • Re:insecurity 101 (Score:2, Interesting)

    by bungeejumper ( 469270 ) on Thursday July 20, 2006 @01:36PM (#15751174)
    In the Time magazine out last week, they describe a condition affecting one in 50 people - this condition causes an inability to recognize faces, and in extreme cases, people cannot recognize their own face in a mirror !
  • Re:RTFA (Score:2, Interesting)

    by markwalling ( 863035 ) <mark-slashdot@markwalling.org> on Thursday July 20, 2006 @02:47PM (#15751668) Homepage
    or they could have just used the student info on the mag stripe as the identifier to the account. at the restaurant i used to work at, we had added access control for the registers through the swipe reader we had for the credit cards. the company sent us 5 cards, but the owner was too lazy and cheap to buy more, so we used our own mag stripe cards for access (i used my grocery store card, one of my coworkers used his credit card...). it didn't write new data to the card, it just memorized what was already there. lots of fun for discovering what's on your bank cards... also there are credit card standards. the big 3 credit card brands (Visa/MC, Novus, AmEx) all use checksums on the number so that the POS can check to see if the card could exist before it dials in (because some people still use dialup for credit cards).
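The thread's recurring point (the man-trap reader in the story, Dun Malg's popsicle-stick door, and the checksum remark above) comes down to what a reader actually verifies when a card is swiped. The simulation below is an added example, not code from Slashdot, darkreading or any access-control vendor: it parses constructed ISO 7813 track-2 data, optionally applies the Luhn mod-10 checksum that the card brands use, and contrasts a reader that admits any readable card with one that checks the card number against an enrolment list. The track strings, card numbers and policy names are all made up for the example.

```python
"""Access-reader simulation: 'any magstripe card opens the door' versus
'only enrolled cards open the door'. All card data is constructed."""
import re
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Track 2 layout per ISO/IEC 7813: ';' PAN '=' expiry (YYMM) + service code
# + discretionary data '?'  (the trailing LRC is omitted for simplicity).
TRACK2_RE = re.compile(r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<rest>\d*)\?$")


def luhn_valid(number: str) -> bool:
    """Mod-10 (Luhn) check: the checksum the major card brands put on the
    number so a terminal can reject impossible numbers before dialling out."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        digit = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


@dataclass(frozen=True)
class ReaderPolicy:
    require_enrolled: bool  # False = the 'any card opens the door' misconfiguration
    require_luhn: bool      # True  = behave like a POS and checksum the PAN


def parse_track2(raw: str) -> Optional[Tuple[str, str]]:
    """Return (PAN, expiry) from raw track-2 data, or None if unreadable
    (an empty swipe, a popsicle stick, a card with no track 2 at all)."""
    m = TRACK2_RE.match(raw)
    return (m.group("pan"), m.group("exp")) if m else None


def decide(raw: str, policy: ReaderPolicy, enrolled: Set[str]) -> Tuple[bool, str]:
    """Grant/deny decision plus a reason string suitable for the audit log."""
    parsed = parse_track2(raw)
    if parsed is None:
        return False, "unreadable"
    pan, _expiry = parsed
    if policy.require_luhn and not luhn_valid(pan):
        return False, "luhn-fail"
    if not policy.require_enrolled:
        return True, "any-card"          # the behaviour the pen testers relied on
    return (True, "enrolled") if pan in enrolled else (False, "not-enrolled")


if __name__ == "__main__":
    ENROLLED = {"4111111111111111"}            # constructed: the one badge on file
    SHOPPER_CARD = ";8123456789012=2812101?"   # constructed shopper-club track 2
    lax = ReaderPolicy(require_enrolled=False, require_luhn=False)
    strict = ReaderPolicy(require_enrolled=True, require_luhn=False)
    for name, policy in (("lax", lax), ("strict", strict)):
        print(name, decide(SHOPPER_CARD, policy, ENROLLED))
```

Only the `strict` policy denies the shopper card; the reason strings are what you would want in the door controller's log so that repeated "not-enrolled" swipes at an outer door stand out.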
  • Paper towels... (Score:2, Interesting)

    by Anonymous Coward on Thursday July 20, 2006 @03:10PM (#15751836)
    Everyplace I've worked seems to have those nice big glass double doors on the inside lobby entrance with the card reader on the side to unlock the doors. One night I left without my wallet, and my card key was in the wallet. I went back to the doors and they were locked for the night. So I went into the bathroom and got a stack of paper towels. I shot about 2 or 3 of them through the door, and the motion detector saw them and unlocked the doors for me.

    Next day, I told my boss. He thanked me, but the facility manager started shooting me nasty looks. End of the month, my boss gave me a bonus for the info...

  • Re:Bad Advice? (Score:3, Interesting)

    by dbc ( 135354 ) on Thursday July 20, 2006 @04:06PM (#15752214)
    Getting laughed at by underlings will cause nearly any office procedure to get revoked if the executive is high enough.

    No, that is a sign of a company culture with far worse problems. If that is so where you work, put out your resume.

    I worked at Intel for over a decade. "Employee only" technical and marketing data is published in serial numbered documents with a distinctive cover color. Every few months, the night shift guards walk the building confiscating secret documents that have not been locked away for the night. Document control matches up the serial numbers to names, a list gets generated, and the manager of those caught out gets an e-mail.

    So, one day the V.P. of our division had a document picked up, and his name was put on a list that was sent to Andy Grove. We all got a good laugh out of that, including the V.P., who took the ribbing quite good naturedly. It's possible to take your work seriously without taking yourself overly seriously.

  • Re:insecurity 101 (Score:1, Interesting)

    by Anonymous Coward on Thursday July 20, 2006 @05:46PM (#15752906)
    In the eventuality of regurgitation, the sick employee is expected to deposit the output in a plastic bag and carry it with him/her through the security door.

    Any employee with a cold is also expected to carry any tissues onto which he/she has deposited nasal mucus and/or phlegm.

    Sincerely,
    The Management
