Practical Solutions To Piggybacking and Tailgating

Avatar
Brian Rhodes
Published Feb 12, 2015 05:00 AM

Piggybacking and tailgating are two of access control's biggest threats. In this note, we share survey results from more than 100 integrators about the specific steps they have implemented to solve them.

Results

We asked "How do you deal with the problems of users sharing credentials (ie: Piggybacking) or holding doors open for others (ie: Tailgating)?"

More than 100 integrators and end users responded. A breakdown of their answers into common groups is given below:

*** **** * **** ********* ** all ******* ** ***** *****:

The ***** *******

*** ***** *** ********, *** *** problems ** ****** ** **** ******** are ************ ********* ** ******* *** resolve **** *********** ****** ******* *******. These ****** *** ******** ******* **:

  • **********: ** ********* *** **** ** users ******* **** ***** ** ***** more **** *** **** ** **** in *** ****** ******* ******: ********** ****. ****** ******* ******* **** * difficult **** ********** *** *******, ** they **** ******* ***** ** ******** doors; *** *** **** **** *** opened.
  • ********: * ******* ******* ** ********** sharing (************ ****** '********') *** ** users handing their *********** ** *** ****** ****** you ******* * ***** ** *** door, *** ** *** *********, *** so **. ****** ******* ***** ******* methods ** ********* *********, ******, ** even ****** ****** ****** '****-********', *** the *** ** ********* ******* **** can ******* *** *******. ** ******** the ******* ** *** ******** ******* ****.

Answers *******

********* ********* **** **** *** ********* methods ** ******* ** ******** *** risk. **** **** **% ** *** responses ********* **** **** *** ****** of ******* *** **** **** **% mentioned *** ** ****.

**** **** ****, *** ******* ***** were *** **** ******** *****:

  • *******:*** **** ****** ******** ******** ***** surveillance ******* ** ****** *** ****** no ****** *** ********* ** ****** points.
  • **********:*** **** ****** '******' ****** **** using **********, ********* *****, ** ******** to ********** ******* **** **** ** single person ***** ** *** ****.
  • *******:*** **** ****** '****' ******* ** those **** ********** ** ********* ******* the **** *** *** *** ** signs ** ****** ****** **** ******** the ****** ******* ****** ** ********** security ********.
  • *******:***** **% ** ********* **** **** simply ** ******* ***** *** *****.  Either ********** ** ** *** ******, or ** ** *** ****** ** a **** ** ******* ***************.

Key ******

** *** ******** *****, ** **** the ********** ********** *********** **** ** controlling ** ********** *** ********** *** pass **** *******:

***** ***********: ******* *********** ******* **** ****** is * ******* ********, **** **** responses ********** ** ** *** ***** option **** **** ****** **** *****:

  • "********* ** *** ******** ****** ********** doors\gates ** ***** **** **** ********** security *******"
  • "** ******* **** ******* ******** *** ***** and **** * ******** ****** ***** with ****** ******* ****** **** ***** a **** ***** **** * **** or ****** ** ******."
  • "*** ******** ****** ** *** ****** for ***** ****** ***** ** *** a ******** **** ******* ** *** suspected ****/**** ** *** ****** ****** does *** ***** *** ********."
  • "*********** ***** ** * ************** *** and ******** *********."
  • "** ******* ******* **** ** *** door ** * **** ***** ** attached ***** **** ***** ** **** read. **'* **** ** ** *** owner ** ******* ***** ******."

*******, ****** ***** ** ******** ********* or **********/******** ****** *********, ** ** not * ***** ******** *** *** problems.  **** ******* ******* ***** **** are ******* ******* ** ********* ****** view ******** *** ****** *********** *** be ******* **** **** ** *** issues *** *** ******** ********* ** paired **** ***** *******.  

Strict ********

***** ********** **** *** ******* ******** to ********** ** ******* *** ***** directly.  *********** ******** **** **********, ** 'hard ************' *** **** ** ******** physically ******* ******.

**********

** **** *****, ***** ******* ******** that ******* ******* *** **** ****** enter ** *** ****.  *** ********** risk ** ****** ****** **********, ***** a **** ****** ** ******* ** held **** *** ******.  ******, ** order ** ******* *** *********, **** user **** ******* * **********.

  • "** ** ** * **** ******** application, ** ********* *** ************ ** a ********* **** ********."
  • "*** ******* *** ** ** ******* card ********** **********. ***** **** *** one ****** ******* ** * ****. It's *** *** ******** ******."
  • "*** ****, ** ******."
  • "********* **** (**** **** ********), **** checks ***** ***** ******* **** ******* Letters ***** ** ***** ****."
  • "******* ********** ** ******* ** ***** security *****."
  • "**********- * **** ***** ******** ******** and ******* ******** ****** *** **** volume *****."

**** *** (************)

** * ****** ******, ***** ********* hard ************ ******** ** ******** **** credentials **** ***** **** *** ** sequence.  **** ********* ***** * **** cannot ** **** ** *** **** reader ***** (********** ** ***** **********) without ***** **** ***** ** ***** readers.  ** **** *****, *** ******* flow ** ***** ** ** ****** controlled ******** *** **** ****** ** simply ******* ** '********' ** ****** credential **** ******* * *********, *****, or ******.

  • "** * ****-****** ****** **** ** area ** ******* *** **** *** tries ** *** *** **** ** any ***** **** ******* ***** ******* the ******** ****, *** **** ** disabled *** * ****** **** ** his ********** ** ***/*****."
  • "** ****** *** ******* **** ***** cards *** ** **** ***-**-****. ** works."
  • "*** ******* **** ********* ****** **** passback ** *****.  ********** ** *** possible ******* ** *** **********."
  • "** *** ************ **** ***** *** a **** ** **** **** ***** scanning ** ** *** ** * previous ****."

******

***** ***** ******** ********** ******** ** access ***** ** ****** *** ****, and **** ****** ******** ********* ******** with ********* **** **** ******:

  • "****** *** ****** ** ***** ****** whether *** ********** *********** *** ******* inside."
  • "****** ********* ****** *** **********."
  • "*** ***** *** ****** ** **** sure **** ***** **** *** ******."
  • "* ***** ******** ***** ********* ****** once ** ***** *** ******* ** the **** ********."
  • "** *** *** ********* ** ********** or ********, *** ****** **** ***** you ** ***********."

Soft ********

***** ***** *** **** *********, *** potentially ***** ******* **** ** ***** risk, *** *** **** *********, **** obtrusive, *** ******* ********* *** **** popular **** ** ******* **** *** issue.

*******

**** ********* ******* ******* ***** ** strong ******** ** *********. ***** ***** nothing ** ******** ******** *** ****, signage ** * ********** ******** ** users ** *** ****** ** ********* the ****** ******.

  • "***** ***** ********* ******** ** ***** surveillance ****** **** ******** ******* ****** entrants ** * **** *********."
  • "** **** ***** ** ****** ****** not ** ********."
  • "********* ******* ******** **** ** **** entrance *** ****."
  • "** ******** *** ***** ****** *** reader *** *** ******* **** ********** with *** ******."
  • "** **** ******* ************, ****** ***** mantraps **** ******** ******* *** *********."

**********

******* ******, ** *** ********, ****** of *********** *** **** ** ** leave *********** *** ******** ** ********* managers. ******* * *** ** *************, procedures, *** ******** *** ******** ******* of ********** *** **** **** *** managed.

  • "***** ******* ** ** *** *****, including ********* ** ***** *** ****** control ***."
  • "** ****** ******* **. **** ** write ******** ***** *****, ** **** explicit ************ ** *** ** ****."
  • "****** *********** **** ****** ************ *******, including ********** ** *****, ****** ********** from ****, ***."
  • "(*** *****) **** **** ** **** ***** employees **** **** ** *** *** it **** ** ****, ****, **** reconcile **** ***** ** ***** **** sheets, *** ********* ********* ** **. If *** **** ** ********** *** the *******, ***** *****, ******* **** do ** ****."
  • "******* *********** ** ******* *** ***** is *** **** ********.  **** ***** most ** *** ****."

Do *******

* ****** ** *********, ***** **%, mentioned **** **** ** *** ******* the ***** ** ***, ** *** response ** ****.  *** ******** ******* is ****** *** ********* ** ** great ****** ** ******* ********** ******** ** additional ***** ** *******.

  • "*** **** *** ** ********* "****" with **** ** **** *** "**** on *** *****" *** ****** *** do ****."
  • "** ** ********* ** ******* *******."
  • "** ** ******, ** ***'* ******. Our ********'* ****'* ****** *** ********* about **."
  • "*** ********* ** *** *** *** risk, ******* ** ****** ** ******** them."
  • "**** ** ******* *********, ** *** bothers **** ********** **.  **** *** a *** ***** ******."

Tough *******

*** ****** ** *****: ******* ******** the ******* ** ********* *** ***** a ****** ** ********* **** ** conjunction.  ******* ******* ********* *** ********** in ******** *** *******, *** *** multiple ******* ******:

  • "*** *** ******** **** *** ***** security **** ** ******* *********. **** have ***** **** *** ***** *******. They **** ********* *****. *** ** ends *****. **** ***** ****-******** *** mustering *** * *** **** *** found *** *** ********* *** ******* was. ***** **** *** *** *****. By *** *** **** ********* **** in *** ********* ********. ***** *** no ********* *** **. ***** ******** thousands ** ******* ** ****** *** traps / **-*** *******, ** *** all ****** ***. ******* ****** ********** authority **** **** *****, ** ***'* happen."
  • "**** ** * ***** *****. ******* of *** ***** **** *********** ******* and *** *** ****** ******* ** a "****-**" ******, ** ** * user *****'* **** ****, *** ****** shows ** ** ****** **** *** absent **** ****. **** ** *** sites **** **** ******** **** **** anti-passback ********. **** ** *** ***** also **** ******* ** *** ***** and *** ***** ****** *** ****** footage *** **** ****** ******* *** people ******* *********** *** **** *** people ******** *** ************ ** **********."
Comments (4)
Avatar
Mark Jones
Feb 13, 2015

Interesting information. I would think video analytics would be tailor made for this, along with agressive followup.

PC
Patrick Clarke
Feb 13, 2015

Video can document and assess whether a piggy back occured, but doesn't have any means to stop it, right? Unless there's an analytic used as an occupancy sensor in a sallyport/man trap scenario in which only (1) person at a time can occupy the space.

Avatar
Mark Jones
Feb 13, 2015

that is why I mentioned agressive followup. Video can not stop it, but it can be used as a teaching tool.

Going one step further, if the analytics were good enough, you could sound an alarm at that door to alert the end user that he just piggy-backed. Bring their attention to it. Piggy backing is a serious issue and will not stop without agressive followup and training.

Keeping unathorized individuals out of your facility is security 101 stuff. An awful lot of serious infractions and penetrations are caused by ignoring seemingly harmless events.

JH
John Honovich
Mar 15, 2015
IPVM

Boon Edam did a tailgating survey. Obviously, it's skewed given their interests / sales but the claims are wild: "More than 50% of those surveyed believe the cost of a breach caused by tailgating would be from $150,000 up to “too high to measure.”