Who Needs Badges and IDs?
The receptionist at ABC Financial Institution headquarters glanced up from her work and saw the phone man standing there. He was relaxed and in no hurry to interrupt her. “May I help you?” she smiled. “Hey, yeah,” he said, scratching at the telephone lineman’s helmet with the telephone company logo on it. “We got a call about some funky lines coming into your trunk and need to ring them out.”
The receptionist wasn’t too technical, but she eyed the equipment belt he wore over the dingy blue jeans and scuffed work boots. “Are you expected?” “Well, if you want me to fix the phone lines, I guess I am,” he said with a big toothy smile. She glanced outside and saw the phone van sitting in plain sight, although illegally parked. She laughed and suggested he park his van in the visitor’s area.
When he came back, she gave the phone man a temporary visitor badge and pointed down the hall. “Next to the shipping department, you’ll see the door to the telephone room.” “Thanks!” and he casually walked where she directed him. About fifteen minutes later, the switchboard rang and Bob, whom she knew from upstairs, asked, “There’s some phone guy up here looking around. Is he alright?” “Sure is. Fixing some bad trunks I think he said.” “OK, I just wanted to check.”
What’s Wrong With This Picture?
What you just read is a perfect example of social engineering in its most blatant form. The con artist works his game right in your face. He doesn’t call you up. He walks right into your institution and asks you to let him in – right under your nose. That takes nerve and is very, very effective.
How did the receptionist know he was the phone man? She confirmed his identity in several ways:
So she did a good job by verifying his identity, right? Ask yourself these simple questions:
Are we so sure she made the right judgement?
The Skinny About Badges
Fake badges are incredibly easy to create. Kids can get fake IDs from many states: driver’s licenses, state-issued photo IDs, student IDs for any school. It is no problem; a small fee buys a fake ID that looks real.
At your institution you should already have in place a good method of identifying and admitting people into your offices. Your employees follow very simple rules that keep your institution secure. All of your employees can and should know these rules, and use them in everyday personal and professional life.
First, be suspicious. Not paranoid, suspicious. If someone with a badge claims to be someone who he might well appear to be, don’t accept that at face value. You never know who is wearing that uniform. ID cards are not really worth a whole lot unless they have magnetic stripes or smart chips that contain verifiable data.
Second, trust but verify. Just like the guard who says “Who goes there?”, you should ask for verification. At many banks and credit unions, a visitor must carry a valid photo ID. He is then announced to the person he is visiting, and then he is greeted and signed in by an employee with the proper authorization. This is a controlled process of check and double check.
If the phone man shows up with no appointment, don’t let him in. Get his name, call the phone company and ask what is going on. If you're not sure, ask a superior about this person. Same thing for any type of repair persons, delivery people you don’t know, free pizza guys or anyone else that appears unexpectedly and wants physical access to your institution.
Have a Code. You should have a secret verbal code that announces trouble. For example, the phrase, “How is Cousin Eunice feeling today?” spoken to the proper person, can mean, “I am in trouble. Please call for help and send security here right away.” Short of tripping a silent alarm button that would alert the local police to a robbery at your institution, this is an effective internal mechanism that can be used to bring your institution’s physical security to your work area.
At your institution you may use badges to identify people who belong there, and part of any good security policy is to be on the lookout for people without badges. Instead of inquiring with “Who are you? And what are you doing here?” a simple, “Are you lost? Can I help you?” will suffice the majority of the time. But in the event the person is non-responsive, a phone call to your physical security department will take care of it. Tell them what’s going on. They know what to do.
While badges seem to be a good security measure, all they really do is keep the good people honest. You need to add a healthy dose of skepticism to make your institution that much safer and more secure.