The Passback Problem

Author: Brian Rhodes, Published on Sep 14, 2016

Every security system has flaws, even high-tech ones. While Electronic Access Control helps keep sensitive areas safe, it is not without weaknesses.

One of the most troubling vulnerabilities is called 'Passback' - the practice of using someone else's credentials to gain entry. In this note, we take a look at the problem and how designers can minimize vulnerabilities, looking at:

  • Passback vs Tailgaiting
  • Software solutions including time limit and reader pattern and flow
  • Other solutions including biometrics, cameras, turnstiles and signange
  • Ignoring it

***** ******** ****** *** *****, **** ****-**** ****. ***** ********** Access ******* ***** **** ********* ***** ****, ** ** *** without **********.

*** ** *** **** ********* *************** ** ****** '********' - the ******** ** ***** ******* ****'* *********** ** **** *****. In **** ****, ** **** * **** ** *** ******* and *** ********* *** ******** ***************, ******* **:

  • ******** ** ***********
  • ******** ********* ********* **** ***** *** ****** ******* *** ****
  • ***** ********* ********* **********, *******, ********** *** ********
  • ******** **

[***************]

The ******* *******

'********' ** *** ********** **** *** '******* ***********', ***** **** the ******* ** *** ****** ******* ******* ** ******-******* *********. Suppose '****** *' ***** ***** ***** *** ****** ******* ********, but '****** *' ** *** ******* ****** **** *** ****. 'Passback' ****** **** '****** *' ***** ***** ***** ** '****** B' ** **** ****** *** **** ******.

**** ******** ** ******* ********** ** ******** * **** *** through ** **** **** ** ** ******* ******, ** ******* your ******** **** ******* ****. ** ****, ** ***** **** the ****** ** *** *********** ****** ** *** *** ** was ********, *** ** ***** ** ***** **** *** ****** has ** ********* ** * ********* ******.

Less ***** **** **********, ***** * *******

** ***** ** ******** *******, ********** ** * '******' ****, ***** ******** ** ********* **** *******.  Many ******** ****** ***** **** ****** *** ** **** **** to ********* *** ****** ******* ******, ***** ********** ********* ****** ignores **. ** ** *******, ******** ** ****** ** ****** with '****' ******* ** **** ****** ********* ** ***** ** avoid ******* ***********.

****** *******, '**********' ***** **** **** * **** *** **** opened ** * **********, ** ** **** **** ** **** more **** *** ********** ** ******* ** ****-*******. ** ******** ** 'passback', '**********' ****** ******** *** *********** ** **** ********** ***********. However '****-********' ********, ********** ***** ** *** '******* *** ****' variety, *** ** **** ** ****** *** '**********' *******. 

*** ****, *** ************* - ****** ******* ********.

Basic ******** *********

** ******* *** ****, ****** ******* ******* ***** ******* '****-********' controls, ***** ********* ********* * *** ** ******** ******* ** credential ***. *** *******:

**** *****:* **** ****** ** **** ** *** **** ****** ***** within * ******* ****** ** ****. ***** **** ********** * decidedly '***-****' ********, ** ** *** ******* ** *********. ****** limiting * **** ** ** **** ** *** **** ****** for * ****** ** * ** * ******* *********** *** convenience ** ********** '*******-****' * **********. *******, **** **** ** control *** ** ************ ** *****, ** *** ******** **** accidentally **** ********* ***** ******* * ****, ****** ********** ** a ************, ** **** **** ***** ********** ****** *** ******* re-credentialing ******* ** *******.

****** ******* *** ****: **** **** ** ******* ******** ********** ***** ****** * logical ******* ****** * ******. *** *******, * ********** **** be **** ** ** '***' ****** ****** ** *** ** used *** ** '**' ********. ******** * ********** ****** ** used ** ***** '******** *' ** '******** *' *** *** first **** ******. **** ****** ** ****-******** ** *** **** comprehensive ** *********** *** *******, *** ** ******** *** **** configuration *** ****** ** ******** ** ****** *** ***** ********** within * ********, **** ***** **** *** ************ ****.

**** ****** *** ****** ********** *** ******** ******** **** ****, but *** ***, ****** ******* ********** ******** ********. *** *****, more ****** *********, ********** ******** ********* ******* ********* ** ********.

Other *********

************ ******** ******** ********* ******** **** **** **** ********.  *** example, ** *** ********* ********* ** ************ *** ********** ******, **** **** ** ******** ***** **** *****, *** **** **** **% ** ***** ********* ********* ***** **** **** one ******** ******:

*** **** ****** '***** *********' ******* ***** ******** *****:

  • **********:* **** *** ** ******* ******** ** ** ********** ***** on ********** ******* ** '*********' ***********. ***** ****** *********** ** ****** ******** features ********* ***** **** *******.
  • *******: ******* ****** ******** ******** ***** ************ ******* ** ****** *** verify ** ****** *** ********* ** ****** ******.
  • **********:*** **** ****** '******' ****** **** ***** **********, ********* *****, or ******** ** ********** ******* **** **** ** ****** ****** entry ** *** ****.
  • *******:*** **** ****** '****' ******* ** ***** **** ********** ** passively ******* *** **** *** *** *** ** ***** ** remind ****** **** ******** *** ****** ******* ****** ** ********** security ********.

Ignoring ************ **** ******

*******, ******* *** ***** ********** ** *** ******* *** ******** the *****. ***** **% ** ********* **** **** ****** ** nothing, ******* ********** ** ** *** ******, ** ** ** *** enough ** * **** ** ******* ***************.

******** ** ****** *** ****** *** **** ******* *** ****, but ***** ** ********** *** *********** ** ********* *** **** invalidate *** ***** ******** **** ******* ***** ********** ****** ******* versus *********** ********** **** *** *****.

 

Comments (7)

Undisclosed #1

09/14/16 04:08pm

**** *******. ** ***** *** ******* *** ****. ** ***** that *** *** ***** *** ***** ******** *** ********* ** synonyms *** **** *********** **** ** **********.

** ***** ****** ***, ********** *** ************ *** ******** *** passback ** ******** *********.

*** *** ********** ** **** ******** ** ** *** **** by *** ** **** ****** ************ ** ******* *** ****** while ********** (** ************) ** **** ******** ** *** ** convenience **** ** * ****** ******.

Thumbnail pp 5

Brian Rhodes

IPVMU Certified | In reply to Undisclosed #1 | 09/14/16 04:41pm

* ***** **** *** ******** ******, ***** ** *** *** tailgating ****** (********** - ****** ******* ********) **** ******** *********.

*******, *** ******* ** ******* **** **** ****** *** ** similar (**: *******, **********, *******) ** **** ** ***** *** lines **** * ***. ********** ***** *** ******* ** *** APB ** *********** *********, '**********' ****** *** ************.

** **** ******* **** ********** *** ** ****** ** *** 'antipassback' ******** ***!

Undisclosed #2

In reply to Brian Rhodes | 09/14/16 05:03pm

** ** ************ "***** ******* ***********" ** ***?

Thumbnail pp 5

Brian Rhodes

IPVMU Certified | In reply to Undisclosed #2 | 09/14/16 05:13pm

************ ** *** **** ** ******* ***********.

Igor Falomkin

09/15/16 05:34am

***** *** *** **** *******. *** ******* *** ** ****** using **** ************. ***** ** ** ****** ******* ********** ******** checks **** **'* ******* **** ***** *** ******* *** ****. I'm **** ********* *** **** ******** ** ********** **** ** our ********. **'* **** **** ******** **** **** *********** ******, may ** **** ** **** ********* ****** ******* ****** **** and **** *** **** ******** ******* **** *********** *******.

Skip Cusack

In reply to Igor Falomkin | 09/19/16 02:20pm

****, *** *** ****** *** ***** **** ********* **************, ****** possession *** ********* **************, ***** ******** **** **** ******? ** so, * *****, *** *** **** ** ************** **** *** impact *** ********** ** ********** ** ************ ** *** ** I *** ******....

Skip Cusack

09/19/16 02:00pm

*****, **** *******, ** ******. ******** ** **** ********* **** Tailgating ** ************. ********** ** **** ******** ***** ** ****** an ********** **** ******* ***** ********* ** *******. ************ ** when *** ********** **** ** ********* ** ******** *** ************ user ******* *** ******.

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports on Access Control

Vulnerability Directory For Access Control Cards on Aug 14, 2017
Knowing which access credentials are insecure can be unclear, especially because most look and feel the same. Even the most insecure 125 kHz types...
Competing Against G4S on Aug 09, 2017
G4S Secure Solutions is a global company, operating in multiple countries and offering a suite of products and services from guards to their AMAG...
ONVIF Releases Profile A for Access on Aug 08, 2017
ONVIF has struggled so far in access control. In 2014, ONVIF released Profile C for access control, but in the 3 years since, only 2 companies...
Access Control Commissioning / Install Checklist on Aug 03, 2017
This 80+ point checklist helps end users, integrators and consultants verify that access control installation is complete. It covers the following...
Bosch G-Series Intrusion Tested on Jul 26, 2017
Bosch is one of the biggest names in intrusion, and the company's G-Series panels are their most advanced commercial and high-security panels. But...
Smartcard Copier Tested (13.56MHz) on Jul 05, 2017
Copying 125kHz cards is certainly easy, as our test results showed, but how about 13.56MHz smart cards? Are they more secure? IPVM focused on the...
Biometrics Pros and Cons For Electronic Access Control on Jun 26, 2017
Biometrics has been long sought as an alternative to the security risks of cards, pins and passwords. While biometrics has improved somewhat over...
Access Control Course Winter 2018 on Jun 11, 2017
The Winter 2018 IPVM Access Control Course is now open; save $50 on early registration. IPVM offers the most comprehensive access control course...
RMR Integrator Importance Statistics on Jun 08, 2017
How do integrators feel about offering RMR / recurring revenue services? For many, their business revolves around RMR, while others see no...
HID Edge EVO Tested on Jun 07, 2017
HID Edge controllers have been one of most common offerings in IP door controllers for years. The new generation is called Edge EVO. We tested...

Most Recent Industry Reports

Avigilon CEO Attacks Asian Companies Cyber Insecurity on Aug 18, 2017
Avigilon CEO is taking aim at their Asian competitors. And he is going directly after these company's cyber security issues. In this note, we...
Sony Next Gen HD Dome Camera Tested (SNC-EM642R) on Aug 18, 2017
Sony has released their latest generation, claiming improved WDR and low light, increased IR range, and more. We tested the SNC-EM642R outdoor IR...
IP Networking Course September 2017 on Aug 17, 2017
This is the only networking course designed specifically for video surveillance professionals plus it includes live training, personal help and...
Knightscope Raises $10 Million With $3,320 Average Per Investor on Aug 17, 2017
Congrats to Knightscope. And condolences to their legion of little investors. Knightscope has disclosed they have raised $10+ million from their...
Axis and Arecont Legal Conflict Over Multi-Imager Cameras on Aug 17, 2017
Arecont threatened Axis. Axis has responded by moving to invalidate an Arecont patent. It is an important contest. Multi-imagers are Arecont's...
Directory Of Consumer Security Cameras on Aug 16, 2017
The consumer camera segment continues to grow, with new startups and models from existing players released seemingly every month. In this report we...
Cat 5e vs Cat 6 vs Cat 6a Network Cable Usage Statistics on Aug 16, 2017
Cat 5e? Cat 6? Cat 6a? What do integrators use in practice, today? 140+ integrators told IPVM. Here are the results: For those who want to...
Hikvision Responds To Cracked Security Codes on Aug 15, 2017
Hikvision has responded to IPVM's report on Hikvision's security code being cracked, both with a 2 page update to dealers and communication...
Stolen Video NVR / DVR Statistics on Aug 15, 2017
"But what happens if someone steals my recorder?" Anyone who has done more than a handful of jobs has probably heard this question several times....
Hikvision Europe Cutting Out Unauthorized End User Sales on Aug 15, 2017
The days of anyone buying Hikvision from anywhere off the Internet are numbered, at least in Europe, if Hikvision's plan comes to fruition. In...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact