LAS VEGAS - Just because a door requires an entry card does not make it "secure."
Randy Romes, principal, information security services, for LarsonAllen LLP, shared a video with attendees of the recent NAFCU Technology & Security Conference here. As filmed by a "secret shopper" camera in his tie, Romes gained access to a credit union simply by taking advantage of human nature.
Romes timed his visit to the end of lunch hour, when he knew people would be coming back to the credit union. Knowing that most people are attuned to look out for "tailgating," or walking through a secure door after an authorized person swipes their key or enters a password, Romes took a different tack.
"I got to the door first, and I had an access card that I repeatedly swiped," he reported. "I made sure anyone driving by could clearly see I was trying to swipe a card."
On the video, as Romes is swiping away, a credit union employee approaches. She asks who he is, and Romes simply replies that he is "new" and his card does not work. Seconds later, he is in the building.
"This takes advantage of the fact people don't want to be inconvenienced," he told Credit Union Journal. "It would have taken her 30 seconds to walk me around to the front door, but instead she just let me in."
Once inside, a hacker can steal laptops or plug in thumb drives with malicious software installed, so it is important to keep unwanted people out of the credit union, Romes reminded. Similarly, a careful eye should be kept on people purporting to be there "to fix the printer."
"One of my people snuck into a company, went to the kitchen and grabbed a coffee mug with the company's logo on it, and then walked around as if the mug was an ID badge. Because he had the mug, no one questioned him," Romes recalled with a laugh, adding the incident shows the importance of training employees to challenge an unfamiliar face.