How ID badges can hurt security and what can be done about it
Wednesday, November 9th 2011 @ 6:00 AM
Most of us accept the need for ID badges in organizations that have grown past the point where everyone recognizes each other. It makes sense that we need a way to recognize those who are authorized to be on the premises, even if we don't know them personally. ID badges fulfill this need, for the most part. But they can also be a weak link in the organization's security.
Inside Versus Outside
I recently saw a poster at a facility I was visiting that raised awareness about the risks of leaving your badge visible when you go outside the office. I've long felt that people who wear their badges in public places are making it easy for attackers to recognize employees of the organization in nearby parking lots, coffee shops and even on mass transit.
Many organizations print information on their badges that makes it easier for co-workers to tell what privileges have been granted to the wearer: name, photo, department, site, sometimes a clearance or access level. Sitting across from somebody on a bus, or nearby in a coffee shop, you can often read many of these details if their badge is exposed, and a phone camera captures the layout well enough to copy. This is exactly the kind of information that gets used against the organization in a social engineering attack, whether that is a phone call that name-drops the right department or a forged badge that mimics the real design.
It's better to print minimal information on a badge, both in case it is lost outside and to reduce its usefulness to attackers who see it when people inadvertently wear it outside the office.
Social Engineering With Badges
I recently read Kevin Mitnick's book "Ghost in the Wires", which details his emergence as a hacker and social engineer. Kevin described how easy it was to make a badge that looked official enough to fool 90% of the insiders he passed in a hallway. Virtually nobody is going to stop somebody they don't recognize if that person is wearing a badge with the basic graphic elements one would expect.
Adding a Layer of Security to ID Badges
So, you need a little more than a visual badge to identify people properly. That's why many organizations with sensitive operations embed a credential (an RFID or smart-card chip) in the badge that is read at automated access points, so that the door, not a passer-by, decides who gets in. This works pretty well, as long as people don't hold the door open for others to enter behind them, an extremely bad habit called "tailgating". The access-control system only knows who badged through a door, not who walked through it, so a single held door lets an unbadged person appear anywhere inside the building with no record of their entry.
For organizations that do not add this enhancement to their ID badges, you should have receptionists or guards at each entrance to monitor the flow of people and to inspect badges for authenticity, rather than just for presence.
No matter which approach you use, it's very important to inform staff that "tailgating" is a serious security vulnerability that is easy to address: close the door behind you, and ask anyone following you through to badge in on their own.
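One thing the access-control logs can do, even where staff do hold doors, is surface the tailgater after the fact. The following is an added illustration, not code from the post or from any access-control product: a simple anti-passback check that flags a badge granted entry at an interior door without an earlier granted entry at the perimeter (or after it has badged out). The log format, the reader names (`lobby-in`, `lobby-out`, `server-room`) and the sample events are all constructed for this example.

```python
"""Anti-passback check over constructed access-control log lines.

A badge that shows up at an interior door without having badged through
the perimeter either belongs to someone who tailgated in, or has been
cloned and is being carried by someone who did. Either way it deserves a
look. Log format and reader names below are assumptions for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample log: timestamp, badge id, reader, result (one event per line).
SAMPLE_LOG = """\
2011-11-09T08:01:02 badge=1001 reader=lobby-in result=granted
2011-11-09T08:01:05 badge=1002 reader=lobby-in result=granted
2011-11-09T08:02:10 badge=1001 reader=server-room result=granted
2011-11-09T08:03:40 badge=1003 reader=server-room result=granted
2011-11-09T08:30:00 badge=1002 reader=lobby-out result=granted
2011-11-09T08:31:12 badge=1002 reader=server-room result=granted
2011-11-09T08:40:00 badge=1004 reader=lobby-in result=denied
2011-11-09T08:41:00 badge=1004 reader=server-room result=granted
"""

# Assumed reader roles: which readers mark entry to / exit from the building.
PERIMETER_IN = {"lobby-in"}
PERIMETER_OUT = {"lobby-out"}


@dataclass(frozen=True)
class Event:
    ts: str
    badge: str
    reader: str
    result: str


def parse_log(text: str) -> List[Event]:
    """Parse 'ts key=value key=value ...' lines into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv: Dict[str, str] = dict(f.split("=", 1) for f in fields)
        events.append(Event(ts, kv["badge"], kv["reader"], kv["result"]))
    return events


def find_passback_violations(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Return (ts, badge, reader) for interior grants with no perimeter entry.

    State is a set of badges currently believed to be inside. Only granted
    events change state; a denied perimeter read does not admit anyone.
    """
    inside = set()
    violations = []
    for e in events:
        if e.result != "granted":
            continue
        if e.reader in PERIMETER_IN:
            inside.add(e.badge)
        elif e.reader in PERIMETER_OUT:
            inside.discard(e.badge)
        elif e.badge not in inside:
            # Interior door opened for a badge the perimeter never saw come in.
            violations.append((e.ts, e.badge, e.reader))
    return violations


if __name__ == "__main__":
    for ts, badge, reader in find_passback_violations(parse_log(SAMPLE_LOG)):
        print(f"{ts} badge {badge} reached {reader} without badging in at the perimeter")
```

On the sample log this flags three events: badge 1003, which never badged in; badge 1002, which badged out and then appeared at the server room; and badge 1004, which was denied at the lobby and then granted inside. The check is only as good as the door discipline at the perimeter, which is the point: it finds the tailgater, but only because the access system recorded who legitimately came in.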
The Bottom Line
Employees must be educated to protect their badges with care, not to wear them outside, and not to allow anyone they don't recognize to follow them into a building.
Safeguards should also be put in place to ensure that entry points to facilities are well monitored. Badges should carry minimal printed information and should be made difficult to forge, which commonly used RFID technology can support, with one caveat: a credential that merely transmits a fixed serial number when energized can be read and copied with inexpensive equipment, so "difficult to forge" really means a credential that proves possession of a secret key to the reader (a challenge-response exchange), not just one that beeps at the door. Just keep in mind that any safeguard can be foiled with enough resources and with the social engineering approaches attackers use.
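To make the forgery caveat concrete, here is an added example (not from the post, and not the protocol of any particular badge product) that models the two kinds of credential in Python. A fixed-ID badge answers every reader with the same serial, so anything that has heard it once can replay it. An authenticated badge answers a fresh random challenge with an HMAC under a key shared with the access-control system, so a recorded answer is useless at the next door. Serial numbers, keys and the 16-byte challenge size are assumptions made for the illustration.

```python
"""Fixed-ID badge versus challenge-response badge (added illustration).

Shows why a copied proximity-card serial opens a door that only checks
serials, while a recorded challenge-response exchange does not open a door
that issues a fresh challenge each time. Keys and serials are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Constructed enrollment data: badge serial -> per-badge secret key.
ENROLLED_KEYS: Dict[str, bytes] = {
    "1001": bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0"),
}


def serial_only_reader_admits(enrolled: Dict[str, bytes], presented_serial: str) -> bool:
    """Weak door: admits anyone who presents an enrolled serial number."""
    return presented_serial in enrolled


def badge_respond(serial: str, key: bytes, challenge: bytes) -> Tuple[str, bytes]:
    """What a genuine authenticated badge does: sign the reader's challenge."""
    tag = hmac.new(key, challenge, hashlib.sha256).digest()
    return serial, tag


class ChallengeResponseReader:
    """Strong door: fresh random challenge, verify HMAC under the enrolled key."""

    def __init__(self, enrolled: Dict[str, bytes]) -> None:
        self.enrolled = enrolled

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def verify(self, challenge: bytes, serial: str, tag: bytes) -> bool:
        key = self.enrolled.get(serial)
        if key is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(tag, expected)


def demo() -> Dict[str, bool]:
    """Run the four scenarios and return the outcome of each."""
    reader = ChallengeResponseReader(ENROLLED_KEYS)
    serial, key = "1001", ENROLLED_KEYS["1001"]

    # 1. An attacker who sniffed the serial gets through the serial-only door.
    sniffed_serial = serial
    cloned_serial_admitted = serial_only_reader_admits(ENROLLED_KEYS, sniffed_serial)

    # 2. The genuine badge answers the strong reader's challenge correctly.
    c1 = reader.challenge()
    genuine_ok = reader.verify(c1, *badge_respond(serial, key, c1))

    # 3. The attacker records that exchange and replays it at the next door,
    #    which issues a different challenge, so the old tag does not match.
    recorded_serial, recorded_tag = badge_respond(serial, key, c1)
    c2 = reader.challenge()
    replay_admitted = reader.verify(c2, recorded_serial, recorded_tag)

    # 4. A badge with the right serial but no key cannot produce a valid tag.
    forged_tag = hmac.new(b"guess", c2, hashlib.sha256).digest()
    forged_admitted = reader.verify(c2, serial, forged_tag)

    return {
        "cloned_serial_admitted": cloned_serial_admitted,
        "genuine_ok": genuine_ok,
        "replay_admitted": replay_admitted,
        "forged_admitted": forged_admitted,
    }


if __name__ == "__main__":
    for scenario, admitted in demo().items():
        print(f"{scenario}: {admitted}")
```

The only difference between the two doors is whether the badge has to answer a question it has never seen before. That is the property to ask about when a vendor says a badge is "hard to copy".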