Who Needs Badges and IDs?

The receptionist at ABC Financial Institution headquarters glanced up from her work and saw the phone man standing there. He was relaxed and in no hurry to interrupt her. “May I help you?” she smiled. “Hey, yeah,” he said, scratching at the telephone lineman’s helmet with the telephone company logo on it. “We got a call about some funky lines coming into your trunk and need to ring them out.”

The receptionist wasn’t too technical, but she eyed the equipment belt he wore over the dingy blue jeans and scuffed work boots. “Are you expected?” “Well, if you want me to fix the phone lines, I guess I am,” he said with a big toothy smile. She glanced outside and saw the phone van sitting in plain sight, although illegally parked. She laughed and suggested he park his van in the visitor’s area.

When he came back, she gave the phone man a temporary visitor badge and pointed down the hall. “Next to the shipping department, you’ll see the door to the telephone room.” “Thanks!” and he casually walked where she directed him. About fifteen minutes later, the switchboard rang and Bob, whom she knew from upstairs, asked, “There’s some phone guy up here looking around. Is he alright?” “Sure is. Fixing some bad trunks I think he said.” “OK, I just wanted to check.”

What’s Wrong With This Picture?

What you just read is a perfect example of social engineering in its most blatant form. The con artist works his game right in your face. He doesn’t call you up. He walks right into your institution and asks you to let him in – right under your nose. That takes nerve and is very, very effective.

How did the receptionist know he was the phone man? She confirmed his identity in several ways:

  • He wore the telco hat.
  • He wore the telco clothes, logo’d shirt and had a tool belt with a phone on it.
  • He was driving a telco van.
  • He was wearing a telco ID badge.

    So she did a good job by verifying his identity, right? Ask yourself these simple questions:

  • How difficult is it to find a white hat and label it with the proper markings? Or how hard is it to find or steal a real one?
  • How difficult is it to find and wear an official looking tool belt? Try a hardware store.
  • The van? How much does it cost to paint a white van to look like a real telco van?
  • Most importantly, what is involved in making a fake badge?

    Are we so sure she made the right judgement?

    The Skinny About Badges

    Fake badges are incredibly easy to create. Kids can get fake IDs from many states: driver’s licenses, state-issued photo IDs, student IDs for any school. It’s no problem, and a small fee buys a fake ID that looks real.

    At your institution you should already have in place a good method of identifying and admitting people into your offices. Your employees follow very simple rules that keep your institution secure. All of your employees can and should know these rules, and use them in everyday personal and professional life.

    First, be suspicious. Not paranoid, suspicious. If someone with a badge claims to be who he appears to be, don’t accept that at face value. You never know who is wearing that uniform. ID cards are not really worth a whole lot unless they have magnetic stripes or smart chips that contain verifiable data.

    Second, trust but verify. Just like the guard who says “Who goes there?”, you should ask for verification. At many banks and credit unions, a visitor must carry a valid photo ID. He is then announced to the person he is visiting, and then he is greeted and signed in by an employee with the proper authorization. This is a controlled process of check and double check.

    If the phone man shows up with no appointment, don’t let him in. Get his name, call the phone company and ask what is going on. If you're not sure, ask a superior about this person. The same goes for any type of repair person, delivery people you don’t know, free pizza guys or anyone else who appears unexpectedly and wants physical access to your institution.

    Have a Code. You should have a secret verbal code that announces trouble. For example, the phrase, “How is Cousin Eunice feeling today?” spoken to the proper person, can mean, “I am in trouble. Please call for help and send security here right away.” Short of tripping a silent alarm button that would alert the local police to a robbery at your institution, this is an effective internal mechanism that can be used to bring your institution’s physical security to your work area.

    At your institution you may use badges to identify people who belong there, and part of any good security policy is to be on the lookout for people without badges. Instead of inquiring with “Who are you? And what are you doing here?” a simple, “Are you lost? Can I help you?” will suffice the majority of the time. But in the event the person is non-responsive, a phone call to your physical security department will take care of it. Tell them what’s going on. They know what to do.

    While badges seem to be a good security measure, all they really do is keep the good people honest. You need to add a healthy dose of skepticism to make your institution that much safer and more secure.

    About the Author

    Linda McGlasson

    Managing Editor

    Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.
