Disclaimer: I work from home now. But I need access to the buildings once in a while.
Work has issued IDs that have to be worn in the buildings. It has a QR code that allows access to buildings and offices. What building/office you can access is dependent on your job. So far, so good.
About 500 people get these cards. OK.
I have an issue with the cards though. It’s a picture ID. No problem. BUT the card states where you work. So… if you lose the card (is stolen or whatever), and don’t notice or report it for a few days, any nefarious person could say, “Huh, I’ve got access to the buildings of the second largest employer of the county 24/7, hmm”.
You know most people will leave the access card in their car. Or possibly on a table in a restaurant. Lose their wallet or whatever.
I’m in IS/IT. I see a HUGE security hole here. But no one will listen other than “yeah, that’s kind of a problem”. It’s more than a problem, it’s the Keys to the Kingdom.
IMHO It would be fine as long as it did not have the business name on it.
That’s Deviant Ollam, a security penetration testing consultant, who would find everything about this situation unbelievably stupid as even an attempt at building security.
(I’m reasonably certain that you don’t need to physically have the card, a photo of the QR code would, probably, be enough.)
If it’s the largest employer in the county, then it probably wouldn’t be hard for a nefarious person to know or guess who it’s for. And probably even easier if some of the badges have a job title on them (an RN or MD is a strong hint to a hospital, “Lead Engineer” would indicate some sort of technology field, etc.).
I’m interested in the use of QR codes for accessing buildings and offices. I’ve worked at places that used proximity cards and card readers to unlock doors. How does your employer use QR codes? Are there cameras at each door?
Our cards state where we work, and have our logo on them. The logo is plastered on the sides of trucks that do work in the county. And it has my title on it as well. I am the only one in the county with that title. About 10 others have similar titles.
And in big bold letters, it says GOV
I weep. Or should I be banging my head on my desk?
Looks like it. I don’t think there is a chip in it. It’s a small camera to read the QR right next to the door as far as I can tell. I just picked up my card today. It will be activated tomorrow. I think I could take a picture of the QR and it would work fine. Don’t know.
I never heard of using QR codes for access control but Googling, there are some systems based on it. Is your employer OK with you keeping a picture of the QR code on your phone as an alternative to the physical card?
I don’t think I’ve seen an access control system that used optical barcodes. Are you sure it isn’t an RF contactless chip under the bargraph for door entry?
For that matter, you could take a picture of a high muckety-muck wearing their required badge, and get the QR code with that. Re-generate the code and re-print it on something card-sized, if necessary.
Can’t be sure really. I just got the card today. I’ve got QR on both sides of the card. Suggests to me an optical reader.
But it really doesn’t matter IMHO. Either RF or QR. It will get you in. And it says where to go to get in. The lanyard and the belt clip also say what this opens. It’s stupid.
I don’t think this is a new problem - I’ve had electronic badges for literally decades. If someone finds it, and guesses where I might work, he or she could easily get in.
You need the following scenario, for this to really be a problem:
Person loses badge.
Finder picks it up and does not immediately toss it.
Finder has some reason to want to get into your employer’s office.
If it’s a random person on the street, or an ordinary burglar, the odds of the badge being used for something inappropriate are pretty small.
If you’re being targeted for some reason (maybe you’re the County Vice President In Charge of Stashing Large Boxes of Unmarked Bills), then it could be a problem.
You could certainly misplace the badge and not realize it for a few days - which would give that nefarious person time to do something. If it is a badge you use daily, of course, it’s quite different: you’d realize it was gone, call the security office, and the old one would get insta-cancelled.
Me, I have three such badges. One from my employer. One from a client I only occasionally do work for. One from my current client. I could misplace either of the first two and not realize it for a while. The third, I use every day (my computer won’t boot up without it) and I would notice it in a real hurry.
A QR code for building entry is a new one by me (as others have noted). I’d bet you could just have an image of it on your phone. Unless there’s a chip as well (you could put it in a RF-blocking holder, next time you go to the office, and give it a try).
Actually, I’ve seen multiple movies or TV shows that show the clever protagonist swiping or swapping someone’s security key and using it to gain access to some secure location. And actually, many such keycards display the employer name or location. So this is hardly a new issue.
The problem can be mitigated by putting time controls on the badges, too. It’d be very easy to set up a system like this so that the badge-holders can get in… but only during their normal hours. If a burglar manages to get in during normal business hours, they’re probably not going to be able to get away with too much.
There’s a lot of “security” in the world that consists of nothing more than a sign that says “Authorized Personnel Only”. And in a lot of places, that really is enough, because there’s nothing there that really needs securing.
Dress up like a member of the cleaning crew or the person who delivers bottled water or some other outsider who’s regularly there, and you can probably go anywhere in the building.
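As an added illustration (not code from any poster or from a real badge system), here is a Python sketch of the controls mentioned in the thread: cancelling a reported-lost badge, per-door authorisation, time windows, and a simple impossible-travel check that flags a static QR credential being presented at two sites faster than anyone could travel between them. All badge IDs, doors and thresholds are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample records: which doors each badge may open, its permitted
# hours (start, end), and whether it has been reported lost and cancelled.
BADGES = {
    "B-1001": {"doors": {"hq-main", "hq-it-room", "depot-gate"},
               "hours": (7, 19), "revoked": False},
    "B-1002": {"doors": {"hq-main"}, "hours": (8, 17), "revoked": True},
}

# Which physical site each door belongs to, and the minimum plausible travel
# time between sites. A static QR code is trivially copied, so the same
# credential appearing at two sites inside this window is worth an alert.
SITE_OF_DOOR = {"hq-main": "hq", "hq-it-room": "hq", "depot-gate": "depot"}
MIN_TRAVEL = timedelta(minutes=20)


def evaluate(badge_id, door, when, last_seen):
    """Decide one scan. Returns (decision, reason).

    last_seen maps badge_id -> (door, datetime) of its last accepted scan
    and is updated in place when the scan is allowed.
    """
    rec = BADGES.get(badge_id)
    if rec is None:
        return "deny", "unknown credential"
    if rec["revoked"]:
        return "deny", "credential revoked (reported lost)"
    if door not in rec["doors"]:
        return "deny", f"not authorised for {door}"
    start, end = rec["hours"]
    if not (start <= when.hour < end):
        return "deny", "outside permitted hours"
    prev = last_seen.get(badge_id)
    if prev is not None:
        prev_door, prev_time = prev
        if (SITE_OF_DOOR[prev_door] != SITE_OF_DOOR[door]
                and when - prev_time < MIN_TRAVEL):
            # Do not record this scan; leave the trail pointing at the
            # earlier, plausible location so the alert can be investigated.
            return "alert", "possible cloned credential: impossible travel"
    last_seen[badge_id] = (door, when)
    return "allow", "ok"


if __name__ == "__main__":
    seen = {}
    print(evaluate("B-1001", "hq-main", datetime(2024, 3, 4, 9, 0), seen))
    print(evaluate("B-1001", "depot-gate", datetime(2024, 3, 4, 9, 5), seen))
    print(evaluate("B-1002", "hq-main", datetime(2024, 3, 4, 9, 0), seen))
```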
Yeah, this is unrealistic. At my company, we have the equivalent of the DoD CAC. If you want to gain access to a building with both open and secure spaces, you have to be “on the door” for the building, otherwise waving the card near the proximity reader (cards are RFID) will result in exactly nothing. Waiting for an employee to come along and just follow them in wearing the badge? This is called “tailgating” and is strictly forbidden (you will definitely be disciplined if caught), even when employees know each other.
Getting inside the building only allows you to roam. Want to use a computer in an open area like a conference room? You need the card, the card PIN, and the user login information. Want to access a secure area? Need to be on the door and enter a longer PIN (different from the PIN for computer access). (And after hours you also need to know the combination to a separate door lock that is engaged when the last person in the room leaves).
I do see the disadvantage of a QR code. You don’t really need the card itself; you can use a high-resolution image. And the CAC approach also has the advantage that you are going to quickly miss the card in a WFH situation, since you need it to log in and when you use a program that runs into connectivity issues (you’ll get a message that the card is not detected, which is your cue to insert it and type in your PIN).
I also recall a few buildings with mixed secure and open areas that had mantraps. With a mantrap, even if you were on the door, the card only got you into the mantrap. In order to get into the building, a guard had to look at you on camera and your information from the computer and determine a match before buzzing you out of the mantrap.