The Passback Problem

Author: Brian Rhodes, Published on Sep 14, 2016

Every security system has flaws, even high-tech ones. While Electronic Access Control helps keep sensitive areas safe, it is not without weaknesses.

One of the most troubling vulnerabilities is called 'Passback' - the practice of using someone else's credentials to gain entry. In this note, we take a look at the problem and how designers can minimize vulnerabilities, looking at:

  • Passback vs Tailgaiting
  • Software solutions including time limit and reader pattern and flow
  • Other solutions including biometrics, cameras, turnstiles and signange
  • Ignoring it

***** ******** ****** *** *****, **** ****-**** ****. ***** ********** Access ******* ***** **** ********* ***** ****, ** ** *** without **********.

*** ** *** **** ********* *************** ** ****** '********' - the ******** ** ***** ******* ****'* *********** ** **** *****. In **** ****, ** **** * **** ** *** ******* and *** ********* *** ******** ***************, ******* **:

  • ******** ** ***********
  • ******** ********* ********* **** ***** *** ****** ******* *** ****
  • ***** ********* ********* **********, *******, ********** *** ********
  • ******** **

[***************]

The ******* *******

'********' ** *** ********** **** *** '******* ***********', ***** **** the ******* ** *** ****** ******* ******* ** ******-******* *********. Suppose '****** *' ***** ***** ***** *** ****** ******* ********, but '****** *' ** *** ******* ****** **** *** ****. 'Passback' ****** **** '****** *' ***** ***** ***** ** '****** B' ** **** ****** *** **** ******.

**** ******** ** ******* ********** ** ******** * **** *** through ** **** **** ** ** ******* ******, ** ******* your ******** **** ******* ****. ** ****, ** ***** **** the ****** ** *** *********** ****** ** *** *** ** was ********, *** ** ***** ** ***** **** *** ****** has ** ********* ** * ********* ******.

Less ***** **** **********, ***** * *******

** ***** ** ******** *******,************ * '******' ****, ***** ******** ** ********* **** *******. Many ******** ****** ***** **** ****** *** ** **** **** to ********* *** ****** ******* ******, ***** ********** ********* ****** ignores **. ** ** *******, ******** ** ****** ** ****** with '****' ******* ** **** ****** ********* ** ***** ** avoid ******* ***********.

****** *******, '**********' ***** **** **** * **** *** **** opened ** * **********, ** ** **** **** ** **** more **** *** ********** ** ******* ** ****-*******. ** ******** to '********', '**********' ****** ******** *** *********** ** **** ********** credentials. ******* '****-********' ********, ********** ***** ** *** '******* *** Flow' *******, *** ** **** ** ****** *** '**********' *******.

*** ****, *** ************* - ****** ******* ********.

Basic ******** *********

** ******* *** ****, ****** ******* ******* ***** ******* '****-********' controls, ***** ********* ********* * *** ** ******** ******* ** credential ***. *** *******:

**** *****:* **** ****** ** **** ** *** **** ****** ***** within * ******* ****** ** ****. ***** **** ********** * decidedly '***-****' ********, ** ** *** ******* ** *********. ****** limiting * **** ** ** **** ** *** **** ****** for * ****** ** * ** * ******* *********** *** convenience ** ********** '*******-****' * **********. *******, **** **** ** control *** ** ************ ** *****, ** *** ******** **** accidentally **** ********* ***** ******* * ****, ****** ********** ** a ************, ** **** **** ***** ********** ****** *** ******* re-credentialing ******* ** *******.

****** ******* *** ****: **** **** ** ******* ******** ********** ***** ****** * logical ******* ****** * ******. *** *******, * ********** **** be **** ** ** '***' ****** ****** ** *** ** used *** ** '**' ********. ******** * ********** ****** ** used ** ***** '******** *' ** '******** *' *** *** first **** ******. **** ****** ** ****-******** ** *** **** comprehensive ** *********** *** *******, *** ** ******** *** **** configuration *** ****** ** ******** ** ****** *** ***** ********** within * ********, **** ***** **** *** ************ ****.

**** ****** *** ****** ********** *** ******** ******** **** ****, but *** ***, ****** ******* ********** ******** ********. *** *****, more ****** *********, ********** ******** ********* ******* ********* ** ********.

Other *********

************ ******** ******** ********* ******** **** **** **** ********. *** example, ** ************ ********* ** ************ *** ****************, **** **** ** ******** ***** **** *****, *** **** **** **% ** ***** ********* ********* ***** **** **** one ******** ******:

*** **** ****** '***** *********' ******* ***** ******** *****:

  • **********:* **** *** ** ******* ******** ** ** ********** ***** on ********** ******* ** '*********' ***********. ***** ****** *********** ** unique ******** ******** ********* ***** **** *******.
  • *******:******* ****** ******** ******** ***** ************ ******* ** ****** *** verify ** ****** *** ********* ** ****** ******.
  • **********:*** **** ****** '******' ****** **** ***** **********, ********* *****, or ******** ** ********** ******* **** **** ** ****** ****** entry ** *** ****.
  • *******:*** **** ****** '****' ******* ** ***** **** ********** ** passively ******* *** **** *** *** *** ** ***** ** remind ****** **** ******** *** ****** ******* ****** ** ********** security ********.

Ignoring ************ **** ******

*******, ******* *** ***** ********** ** *** ******* *** ******** the *****. ***** **% ** ********* **** **** ****** ** nothing, ******* ********** ** ** *** ******, ** ** ** not ****** ** * **** ** ******* ***************.

******** ** ****** *** ****** *** **** ******* *** ****, but ***** ** ********** *** *********** ** ********* *** **** invalidate *** ***** ******** **** ******* ***** ********** ****** ******* versus *********** ********** **** *** *****.

Comments (7)

Undisclosed #1

09/14/16 04:08pm

Good article. At least you started out okay. It seems that you are using the terms passback and piggyback as synonyms and then juxtaposing them to tailgating.

In their common use, tailgating and piggybacking are synonyms but passback is entirely different.

The big difference is that passback is an act done by two or more people specifically to deceive the system while tailgating (or piggybacking) is more commonly an act of convenience done by a single person.

Avatar

Brian Rhodes

IPVMU Certified | In reply to Undisclosed #1 | 09/14/16 04:41pm

I agree they are distinct issues, which is why our tailgating report (Tailgating - Access Control Tutorial) gets separate treatment.

However, the methods of dealing with both issues can be similar (ie: cameras, biometrics, signage) so that is where the lines blur a bit. Especially given the results of how APB is practically addressed, 'tailgating' enters the conversation.

If only dealing with tailgating was as simple as the 'antipassback' settings are!

Undisclosed #2

In reply to Brian Rhodes | 09/14/16 05:03pm

So is piggybacking "users sharing credentials" or not?

Avatar

Brian Rhodes

IPVMU Certified | In reply to Undisclosed #2 | 09/14/16 05:13pm

Piggybacking is one form of sharing credentials.

Igor Falomkin

AxxonSoft | 09/15/16 05:34am

Thank you for this article. The problem may be solved using face verification. Using it an access control management software checks that it's exactly card owner has applied the card. I'm from AxxonSoft and this scenario is frequently used by our partners. It's much more reliable than face recognition itself, may be used at must important access control points only and does not need physical contact like fingerprint readers.

Avatar

Skip Cusack

In reply to Igor Falomkin | 09/19/16 02:20pm

Igor, are you making the point that biometric authentication, unlike possession and knowledge authentication, makes passback much less likely? If so, I agree, but the type of authentication does not impact the likelihood of tailgating or piggybacking as far as I can figure....

Avatar

Skip Cusack

09/19/16 02:00pm

Brian, good article, as always. Passback is very different from Tailgating or Piggybacking. Tailgating is when somebody tucks in behind an authorized user without their knowledge or consent. Piggybacking is when the authorized user is complicit in allowing the unauthorized user through the portal.

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports on Access Control

Large Hospital Security End User Interview on Mar 21, 2019
This large single-state healthcare system consists of many hospitals, and hundreds of health parks, private practices, urgent care facilities, and...
Genetec Security Center 5.8 Tested on Mar 19, 2019
Genetec has released Version 5.8. This comes after a wait of more than a year that caused frustrations for many Genetec partners. Our previous...
Retired Mercury President Returns As Open Options President on Mar 18, 2019
Open Options experienced major changes in 2018, including being acquired by ACRE and losing its President and General Manager, John Berman who...
Large US University End-User Video Surveillance Interview on Mar 18, 2019
Schools have become targets in modern days of active shooters and terrorist fears. The need for video and access security is high. Universities...
Start Up Safe Zone $150 Gunfire Detector Profile on Mar 06, 2019
While gunfire detectors have been around for years, typically they are limited to enterprise level or municipal deployments. Startup AVidea, makers...
Top ISC West 2019 Booth Moves on Mar 05, 2019
With ISC West just a month away, we examine the most notable exhibitor moves including big exhibitors who dropped out and a number of significant...
Prysm PSIM Profile on Mar 05, 2019
A decade ago, PSIM promised significant potential but has always suffered from significant problems. Now, a number of PSIMs have either gone out of...
Genetec Declares "Lead With Synergis" Access Control on Mar 04, 2019
Genetec started with and is best known for its video management software. However, the company is now imploring its partners to lead with Synergis,...
Private School IT Manager Surveillance Interview on Feb 22, 2019
This IT manager describes himself as the "oft-maligned IT person" whose "opinions may not always be appreciated by the integrator crowd." But he is...
HID Favorability Results 2019 on Feb 21, 2019
HID favorability results were strong, in the 2019 IPVM integrator study of 200+ integrators, with a net +62% and low negativity as the table below...

Most Recent Industry Reports

IBM / Genetec Surveillance System Investigated Over Philippines Human Rights Abuses on Mar 22, 2019
A lengthy investigation into an IBM video surveillance project in the Philippines, raising concerns IBM helped local police conduct a bloody...
Eagle Eye Favorability Results 2019 on Mar 21, 2019
Eagle Eye has been the biggest spender in the cloud VMS market including (via their owner) acquiring Brivo for $50 million and CameraManager from...
Large Hospital Security End User Interview on Mar 21, 2019
This large single-state healthcare system consists of many hospitals, and hundreds of health parks, private practices, urgent care facilities, and...
Silicon Valley Cybersecurity Insurance Startup Coalition Profile on Mar 20, 2019
Many industry people believe cybersecurity insurance is not worth it, as the voting and debate in our Cybersecurity Insurance For Security...
Covert IP Camera Shootout - Axis, Hanwha, Hikvision, March, Vivotek on Mar 20, 2019
Covert cameras were one of the last holdout areas for analog cameras. However, in the past few years, IP / HD covert cameras have become...
Top Metrics For Ensuring Integrator Profitability - Statistics on Mar 20, 2019
How do integrators ensure the profitability of their projects? As part of our profitability study, 100+ integrators answered the following...
Avigilon Launches 'Renewed Products Program' on Mar 19, 2019
There are lots of 'pre-owned' cars but pre-owned IP cameras? While such programs are common in other industries, in video surveillance, they are...
Genetec Security Center 5.8 Tested on Mar 19, 2019
Genetec has released Version 5.8. This comes after a wait of more than a year that caused frustrations for many Genetec partners. Our previous...
Retired Mercury President Returns As Open Options President on Mar 18, 2019
Open Options experienced major changes in 2018, including being acquired by ACRE and losing its President and General Manager, John Berman who...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact