Business Security ID/Key card thoughts

Yup. A hard hat, a clipboard and some sort of security badge and story will get you past a lot of security.

Many of us need 24/7. IS, Facilities Maintenance, and even my wife that works pretty much whenever she needs to. It’s not that simple, really.

From a security perspective, this is like leaving a sticky note under your keyboard with your password. Nobody cares, until somebody does.

If the employer name was not on the card (like a simple brass key), it would be useless, and not an issue.

From an IS/IT perspective this bugs me.

Yeah, time restrictions are generally a terrible idea because the people imposing them often have no idea of what actual work schedules or access needs are. A subcontractor facility I worked at imposed time restrictions that were basically normal office hours, not understanding that employees often have to come in early or late for secure calls hosted in different time zones, or meetings that go long, or just people ‘burning the midnight oil’ to meet critical timelines. Which, surprise, resulted in people chocking doors open or using other means to ensure after-hours access, which actually makes the facility less secure. It is like requiring 32-digit passwords, or an easily hacked 2FA verification app on your personal smartphone, or any of a multitude of things that make complying with security requirements so difficult that employees come up with workarounds that completely compromise security.

Stranger

Well, we are certainly not that secure. But back when I worked in the office, I was the only guy with two other women. I’m a pretty big guy. It was hinted, that for security, I should be there when he (boss) was gone. Ummm. The women said that if something happened (some weirdo came to do harm) they would run. I guess I was supposed to protect them. We are HARDLY in a dangerous area. Not at all.

I could be there by myself of course. Gosh. Thanks. One of the women was a Rugby player in college (22 years younger than I). I want her to have MY back.

But I’ve hijacked my own thread.

Elevator maintenance and/or the internet provider for where you’re trying to get in . . . you own the building.

The second aspect is reproducing the entry credential. A QR code is easily printed by any number of devices. The RFID data can be spoofed but it’s a lot harder than printing a sticker.

The building I used to work in was closed and locked after hours and on Sundays. Due to the nature of my job, I occasionally had to come in on a Sunday, using a badge swipe to gain access. I was always the only soul in the entire building at those times.

More often than not, the building was not even locked. I simply walked in the door. The building is located in a large urban area, not in the best of neighborhoods.

Fun times.

mmm

Right - but if someone grabs that sticky note, they’re in the population of people that is targeting you, or at least employees of your agency. If you drop that sticky note (or your badge) on the sidewalk a block away from the office, chances are whoever picks it up has no interest in sneaking into your building. I doubt the average random person is going to say “well lookee here. Maybe I’ll go in and steal a computer or blow some shit up.” Sure, it might happen, but very few people would go that route (unless, as noted, they were targeting your agency already, in which case it’s not random). I just think the odds of a dropped key card falling into the hands of someone who’s likely to do mischief are not terribly high. If you WERE being targeted, that brass key would be plenty useful.

Personally, if I found such a card, I’d likely either a) ignore it, b) make a point to try to contact the agency or the holder and get it back to them, or c) toss it in my purse, meaning to do so, then discover it 6 months later buried under other purse contents.

The QR code approach does strike me as less secure - too easily duplicated, even if someone wants to make up a fake card with photo ID, which would satisfy the “gotta wear a badge” requirement. If the entrance is staffed by a security guard, that’s an additional layer of protection - those guys aren’t going to catch EVERYONE, but they might recognize that “you” aren’t really “you” as the card thief sails by.

All in all, it isn’t a new problem, nor one that overly concerns me. Having your office address seems unnecessary, I’ll admit - I think a simple “Enipla, Such-and-such County” would be sufficient (my own just say my name and the agency).

Note: I’m also IT, and have a security certification, so I’m not at all unaware of the concerns.

My cousin is a lawyer; first job out of law school was as an ADA; eventually quit there to go into private practice & make real money but was allowed to keep his badge when he left. He gets a call one day from the PD; they’ve found his badge/wallet in a drug den in the 'hood. Seems he went to work one day & hung his suit coat on the back of his office door, with his wallet in the interior pocket. While he was in the office but not his office someone got in & found his wallet & immediately used the cash/cards to score their next hit.
Don’t make it too easy for someone to steal stuff. If you lose it & I* find it & I know that’s an access card for a place only a block away, I know that’s the key for me to get some goodies (phones, laptops, etc.)

I’ve had badges that say, “If found, return to PO Box ___, City, State, Zip. No postage required.” One couldn’t do anything with that badge as you don’t know what building it gets you into.

* Well, not me personally, I wouldn’t do that, but you get my point.

Yes - but again, most people won’t do that sort of thing.

And yeah, you need to take reasonable precautions with wallets etc. anywhere. Years back, I was on a project which had an admin assistant. One day, she was out (sick or something) and a temp was brought in for the day. She went out for lunch - and never came back.

Most / all of the project had been upstairs at a meeting - and she went through several wallets, stole credit cards, and went shopping that afternoon. I found out about it when the project manager called me at home that night, and asked me to check my wallet as several colleagues had their cards used (mine was not stolen).

It was clearly a crime of opportunity in that place. I would bet your cousin’s badge had not been used to access his former employer, right? Just the money/cards?

ISTM/IME, any entity that is at least semi-serious about cardkey security has plain blank cards with no info beyond face, name, and maybe barcode/QR code, but better an RFID chip.

Which sounds good until your employer is the biggest most obvious in town or you lose your badge on the outskirts of their perimeter.

Anyone who is serious about security does not grant access to badges. They grant access to badges accompanied by fingerprints, PINs, faces, passwords, etc. The badge is necessary, but much short of sufficient. And those other things are chosen to be hard to spoof.

To check for an RFID or NFC chip in the card, install an NFC reader on your phone. On Android I can recommend NFC Tools, and I’m sure there are ones for iPhone. Then just put the card to the back of your phone. It might identify a MIFARE or something, or nothing at all.

A proper RFID or NFC chip can have a cryptographic challenge, so in theory the card can’t be cloned. I think the only thing that makes a QR code less secure than a magnetic strip is the QR code can be copied while the card sits in your car by a device everyone carries. The magnetic strip at least requires spending $20 on a writer.

Oh yeah, Summit, Clear Creek, Eagle, Lake, Park? Asking for a friend.
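
An added illustration of the cryptographic-challenge point in the post above (not part of any post in this thread): a printed code or magnetic stripe is a static payload, so any copy of it is accepted, while a chip that answers a fresh random challenge produces a response that is useless on the next attempt. The `Reader` and `ChipBadge` classes, the `EMP-0042` payload and the use of HMAC-SHA256 are assumptions made for the sketch, not a description of any real card system.

```python
import hashlib
import hmac
import secrets

class ChipBadge:
    """Constructed model of a chip card: the key never leaves the card."""
    def __init__(self, badge_id, key):
        self.badge_id = badge_id
        self._key = key

    def respond(self, challenge):
        # The card proves it holds the key without revealing it.
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

class Reader:
    """Hypothetical door controller supporting both credential types."""
    def __init__(self):
        self.static_ids = set()   # QR / magstripe payloads
        self.keys = {}            # badge_id -> per-card secret key

    def check_static(self, payload):
        # Whatever data is presented is the whole credential.
        return payload in self.static_ids

    def new_challenge(self):
        return secrets.token_bytes(16)  # fresh random nonce per attempt

    def check_response(self, badge_id, challenge, response):
        key = self.keys.get(badge_id)
        if key is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def demo():
    reader = Reader()
    reader.static_ids.add("EMP-0042")               # constructed QR payload
    card = ChipBadge("EMP-0042", secrets.token_bytes(32))
    reader.keys[card.badge_id] = card._key          # enrolment step

    photocopy = "EMP-0042"                          # a copy of the printed code
    static_copy_ok = reader.check_static(photocopy)

    c1 = reader.new_challenge()
    r1 = card.respond(c1)                           # genuine tap, response recorded
    genuine_ok = reader.check_response(card.badge_id, c1, r1)

    c2 = reader.new_challenge()                     # next attempt gets a new nonce
    replay_ok = reader.check_response(card.badge_id, c2, r1)
    return static_copy_ok, genuine_ok, replay_ok
```

`demo()` returns `(True, True, False)`: the copied static payload is accepted, the genuine chip is accepted, and the recorded response fails against a new challenge.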

I just looked at one of my badges. It has my name, a serial number, photo, and the agency I work for. Which doesn’t narrow it down much, as that agency has many, many locations (but to the best of my knowledge, the card would get me into almost any of them - though by showing it to a guard, versus scanning it). I also use that card to log into my client computer - and for that, I do need a PIN.

My other badge is put away. IIRC, it has similar information. When I go to that client’s site, I scan it on a reader at the main entrance. So almost anyone COULD get in using it. I would probably need to use a PIN if I used it to access a government-owned computer.

In neither case do I need to provide anything other than the card to physically access the building.

I work at a fintech firm providing software and services to large financial institutions which have rigorous security rules and pass those rules onto their vendors. My office access card is blank white on both sides, just a small serial number, for exactly the reasons described in the OP.

It’s also why many hotels — not all, but many — don’t put identifying information on their guest keycards. When these were first introduced, they were yet another opportunity to emphasize the brand, but then hotel security experts realized a lost card was basically labeled “use me here!” If the guest reported the loss, it would be canceled, and even if not reported (e.g. it was a second card) it would still be deactivated on checkout, but there was still a window in which someone could bring the card, use it in the elevator, and then prowl around.

So now many hotels (again, not all) issue keycards with pleasant but generic decoration, like those “enjoy your pizza!” boxes used by restaurants that can’t afford their own branded material. If someone finds a lost card and it’s still active, they don’t know where to use it. The card can’t be returned, but there’s no security risk.

Boggles the mind that a professional corporation doesn’t understand this.

That’s what my card used to be. So it did have a chip in it.

I understand that very few would find the card and want to do mischief. But, we are county government, as such we are the ‘tax man’. Home valuations went up 100% last year. Thus, raising taxes. People were pissed. Just so happens that my card also gets me into the Assessor’s office. Not sure yet, but I think all the server rooms too.

Information Systems departments need pretty wide access. And often have to work after hours.

It’s kinda weird. Why do we need a picture ID? Our buildings are open to the public. We have no security guards. And no policy about someone that does not have an ID. At least yet.

I totally get that cards are more secure than a key. A fired employee that ‘lost’ his key can be a dangerous thing.

That’s telling him! :laughing:

In my experience the keycards issued to hotel guests may say Hilton or whatever but don’t list the specific hotel nor do they include the room number.

I haven’t seen a hotel key with a room number in decades. Like not since they were actual metal keys.

Knowing the specific room is useful, yes, but just knowing the hotel means you can use it in the elevator to get past the lobby and wander around unsupervised.

There’s something about QR codes that seems to trick people into thinking they are some kind of magic. Just because they’re not human readable. I think - non-technical people sometimes regard them as being like encryption or otherwise being somehow secure.

Wow, that is an amazing upgrade to the military ID card.
The ones we had in my own time (1980s) were comically primitive as far as security features went. They were fancy printed documents that were hand-typed, a photograph laid on, and then laminated.

It was quite common for guys to cut a typewritten digit from their pay statement and lay it over the last digit of their birth year, then laminate over the top, so they could appear to be of drinking age. The bosses knew this trick and would occasionally inspect our ID cards, feeling for extra thickness and tilting the card in the light to see if there was a telltale bump on the birth year.