The Passback Problem

By: Brian Rhodes, Published on Sep 14, 2016

Every security system has flaws, even high-tech ones. While Electronic Access Control helps keep sensitive areas safe, it is not without weaknesses.

One of the most troubling vulnerabilities is called 'Passback' - the practice of using someone else's credentials to gain entry. In this note, we take a look at the problem and how designers can minimize vulnerabilities, looking at:

  • Passback vs Tailgating
  • Software solutions including time limit and reader pattern and flow
  • Other solutions including biometrics, cameras, turnstiles and signage
  • Ignoring it


Comments (15)

Good article. At least you started out okay. It seems that you are using the terms passback and piggyback as synonyms and then juxtaposing them to tailgating.

In their common use, tailgating and piggybacking are synonyms but passback is entirely different.

The big difference is that passback is an act done by two or more people specifically to deceive the system while tailgating (or piggybacking) is more commonly an act of convenience done by a single person.

I agree they are distinct issues, which is why our tailgating report (Tailgating - Access Control Tutorial) gets separate treatment.

However, the methods of dealing with both issues can be similar (i.e. cameras, biometrics, signage), so that is where the lines blur a bit. Especially given the results of how APB is practically addressed, 'tailgating' enters the conversation.

If only dealing with tailgating was as simple as the 'antipassback' settings are!

So is piggybacking "users sharing credentials" or not?

Piggybacking is one form of sharing credentials.

Thank you for this article. The problem may be solved using face verification. Using it, an access control management software checks that it is exactly the card owner who has presented the card. I'm from AxxonSoft and this scenario is frequently used by our partners. It's much more reliable than face recognition itself, may be used at the most important access control points only and does not need physical contact like fingerprint readers.

Igor, are you making the point that biometric authentication, unlike possession and knowledge authentication, makes passback much less likely? If so, I agree, but the type of authentication does not impact the likelihood of tailgating or piggybacking as far as I can figure....

I disagree with both of you, as biometrics is often its own credential or a second factor. Take a multi-turnstile example. Person A presents a credential (card and/or biometric) at a turnstile to let a friend in and then goes to a second turnstile and lets themselves in. This is still passback.

Brian, good article, as always. Passback is very different from Tailgating or Piggybacking. Tailgating is when somebody tucks in behind an authorized user without their knowledge or consent. Piggybacking is when the authorized user is complicit in allowing the unauthorized user through the portal.

I have a number of high-security sites I visit where the order we card in and out of areas matters.

I have to enter a secured area after my escort and leave before my escort (so I am not in while my escort is on the out).

I am curious how common this is.

Not very common, as it's expensive to set up and operationally maintain, in my experience.

I have to enter a secured area after my escort and leave before my escort (so I am not in while my escort is on the out).

I am curious how common this is...

Pro-member Fischer’s thoughts on a similar topic can be found here.

For example, a credential must be used at an 'OUT' reader before it can be used for an 'IN' function. Likewise a credential cannot be used to enter 'Building B' if 'Building A' has not first been exited.

And if you are swiping on exit of Building A but never swiped on entry, the controller should call out "Piggybacker!" and hit you with a 15-second* delayed egress penalty.

*or whatever the maximum is by local ordinance

UD2, do you know of a platform that does this?

Appreciate the attempt to take on this subject; as others have stated in comments, the article started strong but quickly decayed by bringing in tailgating.

Text from the article: "Time Limits and Reader Patterning are software features that some, but not all, access control management software supports."

Can you give some examples of access control management software that has good features and poor features? Here is an example of software that has both but still falls short.

I am currently fighting a passback issue in a manufacturing facility that uses Prowatch; given that Prowatch was originally designed for airports, you would think it would have a robust anti-passback feature set. However, it only has timed (soft) and pattern/flow (hard) out of the box. Timed only applies to one reader and does not allow for targeting the card with the rule. For example, there are two full-height turnstiles next to each other; I can create a rule to prevent the same card being used on the same turnstile for a time period, but cannot prevent that card from being used on the neighboring turnstile. In my manufacturing environment there are no outbound readers, so a hard anti-passback rule is out of the question. While I am working on some custom programming to help solve the issue, we are currently running audit/compliance reports and using management (HR) as an enforcer.

Would like to understand what you are seeing across multiple access control management software products to help combat this problem.

You could reset APB status very frequently; this will have the same effect as 'timed' but across multiple readers. Not sure how that is done in Prowatch, but it should be possible. You have to be careful that the time between valid entries is accounted for, though.

Just to note, hard/soft APB means enforcing/recording violations, not how you seem to be defining it.
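The anti-passback behaviour discussed in the comments above, as an added simulation that is not the article's or any commenter's code and is not modelled on Prowatch or any other product: a timed window applied per reader group (so the neighbouring turnstile is covered), in/out sequencing ("sequence" violations for a card that never exited or never entered), and soft APB that records versus hard APB that denies. The reader names, areas, card numbers and the 180-second window are constructed; the last event shows the caveat that a timed window also flags a legitimate re-entry.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Reader:
    name: str
    group: str       # readers sharing one timed-APB window (e.g. two adjacent turnstiles)
    from_area: str   # area the card must currently be in for the sequence check to pass
    to_area: str     # area the card is moved to once access is granted

@dataclass
class ApbController:
    timeout_s: int = 180      # timed-APB window; constructed value
    enforce: bool = True      # True = hard APB (deny), False = soft APB (record only)
    last_use: dict = field(default_factory=dict)   # (card, group) -> time of last granted use
    location: dict = field(default_factory=dict)   # card -> area; never-seen cards are 'outside'
    violations: list = field(default_factory=list)

    def present(self, card: str, reader: Reader, t: int) -> bool:
        """Evaluate one card presentation at time t; return True if access is granted."""
        reasons = []
        last = self.last_use.get((card, reader.group))
        if last is not None and t - last < self.timeout_s:
            reasons.append("timed")      # same card, same reader group, inside the window
        if self.location.get(card, "outside") != reader.from_area:
            reasons.append("sequence")   # card is not where it must be (never exited / never entered)
        if reasons:
            self.violations.append((t, card, reader.name, reasons))
            if self.enforce:
                return False             # hard APB denies; soft APB only records and falls through
        self.last_use[(card, reader.group)] = t
        self.location[card] = reader.to_area
        return True

def run_scenario(enforce: bool = True):
    """Constructed scenario: two adjacent entry turnstiles in one group plus one exit reader."""
    t1 = Reader("turnstile-1", "lobby-in", "outside", "building-a")
    t2 = Reader("turnstile-2", "lobby-in", "outside", "building-a")
    out = Reader("lobby-exit", "lobby-out", "building-a", "outside")
    ctl = ApbController(enforce=enforce)
    events = [
        ("C001", t1, 0),     # legitimate entry
        ("C001", t2, 10),    # same card passed back and used at the neighbouring turnstile
        ("C002", out, 30),   # card that never badged in tries to badge out (piggybacked in)
        ("C001", out, 60),   # legitimate exit
        ("C001", t1, 120),   # legitimate re-entry that the timed window still flags
    ]
    granted = [ctl.present(card, reader, t) for card, reader, t in events]
    return granted, ctl.violations
```

With `enforce=True` the second, third and fifth presentations are denied; with `enforce=False` all five are granted but the same three violations are recorded for audit, which is the hard/soft distinction noted above.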
