The Passback Problem

By: Brian Rhodes, Published on Sep 14, 2016

Every security system has flaws, even high-tech ones. While Electronic Access Control helps keep sensitive areas safe, it is not without weaknesses.

One of the most troubling vulnerabilities is called 'Passback' - the practice of using someone else's credentials to gain entry. In this note, we take a look at the problem and how designers can minimize vulnerabilities, looking at:

  • Passback vs Tailgaiting
  • Software solutions including time limit and reader pattern and flow
  • Other solutions including biometrics, cameras, turnstiles and signange
  • Ignoring it

***** ******** ****** *** flaws, **** ****-**** ****. While ********** ****** ******* helps **** ********* ***** safe, ** ** *** without **********.

*** ** *** **** troubling *************** ** ****** 'Passback' - *** ******** of ***** ******* ****'* credentials ** **** *****. In **** ****, ** take * **** ** the ******* *** *** designers *** ******** ***************, looking **:

  • ******** ** ***********
  • ******** ********* ********* **** limit *** ****** ******* and ****
  • ***** ********* ********* **********, cameras, ********** *** ********
  • ******** **

[***************]

The ******* *******

'********' ** *** ********** term *** '******* ***********', taken **** *** ******* of *** ****** ******* through ** ******-******* *********. Suppose '****** *' ***** their ***** *** ****** through ********, *** '****** B' ** *** ******* access **** *** ****. 'Passback' ****** **** '****** A' ***** ***** ***** to '****** *' ** that ****** *** **** access.

**** ******** ** ******* equivalent ** ******** * door *** ******* ** mail **** ** ** outside ******, ** ******* your ******** **** ******* else. ** ****, ** means **** *** ****** is *** *********** ****** in *** *** ** was ********, *** ** worst ** ***** **** the ****** *** ** knowledge ** * ********* threat.

Less ***** **** **********, ***** * *******

** ***** ** ******** threats,************ * '******' ****, while ******** ** ********* less *******. **** ******** events ***** **** ****** try ** **** **** to ********* *** ****** control ******, ***** ********** typically ****** ******* **. So ** *******, ******** is ****** ** ****** with '****' ******* ** with ****** ********* ** users ** ***** ******* credentials.

****** *******, '**********' ***** that **** * **** has **** ****** ** a **********, ** ** left **** ** **** more **** *** ********** is ******* ** ****-*******. In ******** ** '********', 'tailgating' ****** ******** *** requirement ** **** ********** credentials. ******* '****-********' ********, especially ***** ** *** 'Pattern *** ****' *******, may ** **** ** combat *** '**********' *******.

*** ****, *** ************* - ****** ******* Tutorial.

Basic ******** *********

** ******* *** ****, Access ******* ******* ***** feature '****-********' ********, ***** generally ********* * *** of ******** ******* ** credential ***. *** *******:

**** *****:* **** ****** ** used ** *** **** reader ***** ****** * certain ****** ** ****. While **** ********** * decidedly '***-****' ********, ** is *** ******* ** implement. ****** ******** * card ** ** **** on *** **** ****** for * ****** ** 3 ** * ******* discourages *** *********** ** improperly '*******-****' * **********. However, **** **** ** control *** ** ************ to *****, ** *** occasion **** ************ **** something ***** ******* * card, ****** ********** ** a ************, ** **** some ***** ********** ****** for ******* **-************* ******* an *******.

****** ******* *** ****: **** **** ** control ******** ********** ***** follow * ******* ******* within * ******. *** example, * ********** **** be **** ** ** 'OUT' ****** ****** ** can ** **** *** an '**' ********. ******** a ********** ****** ** used ** ***** '******** B' ** '******** *' has *** ***** **** exited. **** ****** ** anti-passback ** *** **** comprehensive ** *********** *** problem, *** ** ******** the **** ************* *** places ** ******** ** having *** ***** ********** within * ********, **** doors **** *** ************ used.

**** ****** *** ****** Patterning *** ******** ******** that ****, *** *** all, ****** ******* ********** software ********. *** *****, more ****** *********, ********** hardware ********* ******* ********* is ********.

Other *********

************ ******** ******** ********* involves **** **** **** software. *** *******, ** our********* ********* ** ************ and ****************, **** **** ** solution ***** **** *****, and **** **** **% ** those ********* ********* ***** more **** *** ******** method:

*** **** ****** '***** solutions' ******* ***** ******** cited:

  • **********:* **** *** ** prevent ******** ** ** credential ***** ** ********** instead ** '*********' ***********. Tying ****** *********** ** unique ******** ******** ********* stops **** *******.
  • *******:******* ****** ******** ******** using ************ ******* ** record *** ****** ** misuse *** ********* ** access ******.
  • **********:*** **** ****** '******' method **** ***** **********, revolving *****, ** ******** to ********** ******* **** than ** ****** ****** entry ** *** ****.
  • *******:*** **** ****** '****' measure ** ***** **** indirectly ** ********* ******* the **** *** *** use ** ***** ** remind ****** **** ******** the ****** ******* ****** or ********** ******** ********.

Ignoring ************ **** ******

*******, ******* *** ***** identified ** *** ******* was ******** *** *****. About **% ** ********* said **** ****** ** nothing, ******* ********** ** is *** ******, ** it ** *** ****** of * **** ** warrant ***************.

******** ** ****** *** threat *** **** ******* for ****, *** ***** so ********** *** *********** to ********* *** **** invalidate *** ***** ******** that ******* ***** ********** access ******* ****** *********** mechanical **** *** *****.

Comments (8)

Undisclosed #1

09/14/16 04:08pm

Good article. At least you started out okay. It seems that you are using the terms passback and piggyback as synonyms and then juxtaposing them to tailgating.

In their common use, tailgating and piggybacking are synonyms but passback is entirely different.

The big difference is that passback is an act done by two or more people specifically to deceive the system while tailgating (or piggybacking) is more commonly an act of convenience done by a single person.

Avatar

Brian Rhodes

IPVMU Certified | In reply to Undisclosed #1 | 09/14/16 04:41pm

I agree they are distinct issues, which is why our tailgating report (Tailgating - Access Control Tutorial) gets separate treatment.

However, the methods of dealing with both issues can be similar (ie: cameras, biometrics, signage) so that is where the lines blur a bit. Especially given the results of how APB is practically addressed, 'tailgating' enters the conversation.

If only dealing with tailgating was as simple as the 'antipassback' settings are!

Undisclosed #2

In reply to Brian Rhodes | 09/14/16 05:03pm

So is piggybacking "users sharing credentials" or not?

Avatar

Brian Rhodes

IPVMU Certified | In reply to Undisclosed #2 | 09/14/16 05:13pm

Piggybacking is one form of sharing credentials.

Igor Falomkin

AxxonSoft | 09/15/16 05:34am

Thank you for this article. The problem may be solved using face verification. Using it an access control management software checks that it's exactly card owner has applied the card. I'm from AxxonSoft and this scenario is frequently used by our partners. It's much more reliable than face recognition itself, may be used at must important access control points only and does not need physical contact like fingerprint readers.

Avatar

Skip Cusack

In reply to Igor Falomkin | 09/19/16 02:20pm

Igor, are you making the point that biometric authentication, unlike possession and knowledge authentication, makes passback much less likely? If so, I agree, but the type of authentication does not impact the likelihood of tailgating or piggybacking as far as I can figure....

Avatar

Skip Cusack

09/19/16 02:00pm

Brian, good article, as always. Passback is very different from Tailgating or Piggybacking. Tailgating is when somebody tucks in behind an authorized user without their knowledge or consent. Piggybacking is when the authorized user is complicit in allowing the unauthorized user through the portal.

Avatar

Paul Govero

IPVMU Certified | 05/14/19 01:32pm

I have a number of high-security sites I visit that the order we card in and out of areas matters.

I have to enter a secured area after my escort and leave before my escort, ( so I am not in while my escort is on the out).

I am curious how common this is

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports on Access Control

Facial Recognition Systems Fail Simple Liveness Detection Test on May 17, 2019
Facial recognition is being widely promoted as a solution to physical access control but we were able to simply spoof 3 systems because they had no...
Maglock Selection Guide on May 16, 2019
One of the most misunderstood yet valuable pieces of electrified hardware is the maglock. Few locks are stronger, but myths and confusion surround...
Milestone XProtect 2019 R1 Tested on May 15, 2019
For the past few years, Milestone has released quarterly software updates XProtect VMS platform. What is new and how much impact do the updates...
Access Control Request to Exit (RTE) Tutorial on May 13, 2019
For access controlled doors, especially those with maglocks, 'Request to Exit', or 'RTE' devices are required to override electrified locks to...
Mining Company Security Manager Interview on May 10, 2019
First Quantum Minerals Limited (FQML) is a global enterprise with offices on 4 continents and operations in 7 countries with exploratory operations...
10 Facial Recognition Providers Review (Secutech) on May 09, 2019
Adding to our 19 Facial Recognition Providers Profiled report from ISC West, IPVM focused on facial recognition technology for our Day 2 coverage...
Proxy Access Control Tested on May 09, 2019
Silicon Valley Access Startup Proxy raised $13.6 Million in May 2019, focusing on mobile physical access control. Beyond the fund raising, Proxy...
Restaurant Security Manager Interview on May 06, 2019
Wright’s Gourmet House in Tampa, Florida has been around for over 50 years. During most of that time, there were no security measures in place. Now...
Door Closers Access Control Tutorial on May 02, 2019
Door Closers have an important job: automatically shut doors when they are opened, because an open door cannot control access. In this note, we...
Ex-Integrator Now Growth Strategist Interviewed on Apr 24, 2019
For more than a decade, Scot MacTaggart was a security integrator (at PA-based PSX). In late 2018, he left the industry. He is now a Growth...

Most Recent Industry Reports

Facial Recognition Systems Fail Simple Liveness Detection Test on May 17, 2019
Facial recognition is being widely promoted as a solution to physical access control but we were able to simply spoof 3 systems because they had no...
Inside Look Into Scam Market Research on May 17, 2019
Scam market research has exploded over the last few years becoming the most commonly cited 'statistics' for most industries, despite there clearly...
Maglock Selection Guide on May 16, 2019
One of the most misunderstood yet valuable pieces of electrified hardware is the maglock. Few locks are stronger, but myths and confusion surround...
Panasonic 32MP Multi Imager Camera Tested (WV-X8570N) on May 16, 2019
Panasonic has released their first multi imager models including the 32MP (4x4K) WV-X8570N, claiming "Extreme image quality for evidence capturing...
Trump Signs 'Huawei Ban' - Executive Order Targeting Foreign Adversary Technology on May 16, 2019
US President Donald Trump has signed an executive order targeting technology provided by 'foreign adversaries', in what is widely being called a...
Bank Security Manager Interview on May 15, 2019
Bank security contends with many significant threats - from fraudsters to robbers and more. In this interview, IPVM spoke with bank security...
Milestone XProtect 2019 R1 Tested on May 15, 2019
For the past few years, Milestone has released quarterly software updates XProtect VMS platform. What is new and how much impact do the updates...
San Francisco Face Recognition Ban And Surveillance Regulation Details Examined on May 14, 2019
San Francisco passed the legislation 8-1 today. While the face recognition 'ban' has already received significant attention over the past few...
Security Fail: ASISNYC Auto Emails Passwords In Plain Text on May 14, 2019
ASIS NYC automatically emails a user with the password the user just entered, in plain text, when one registers for the site / event, as the...
Hikvision VP On Muslim Oppression on May 14, 2019
Hikvision has won tens of millions of dollars, at least, in direct contracts with the Chinese government that oppresses Muslims, including a forced...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact