As you build additional layers of defense into your cybersecurity framework, it's important to implement physical security strategies as well.
One common physical security layer that many organizations believe they can set and forget is the implementation of key card readers that force authorization to access their building and specific rooms.
Below, we’ll discuss how threat actors can utilize social engineering tactics to bypass key card access and door locks, as well as what you can do to best protect your organization — and staff — from these attacks.
Social Engineering Tactics Used To Bypass or Gain Key Card Access
While there are several tactics threat actors use to social engineer their targets, here are some of the most common methods they use for gaining key card access or ID badges:
Key card lending or theft. Often, key cards are compromised simply because an employee didn’t think twice about lending their key card to someone who supposedly works at the company.
Tailgating social engineering. Tailgating social engineering attacks are when a threat actor impersonates an employee, courier, or delivery driver and pretends to have either forgotten their key card or has their hands full to get an employee to open the doors to a company for them.
Diversion and dropoff theft. One tactic threat actors use to compromise key cards is to create a diversion or dropoff area for important documents.
Key card scanning. Threat actors can simply shoulder surf or hover around an employee while secretly scanning their ID badge or key card to gain access to different areas of your company.
Physical Security Tips and Techniques
1. Don’t Lend Your Key Card to Anyone
Never, under any circumstances, loan your key card or any means of identity to another employee. It’s better to lead them to the front desk or work with the appropriate members of your staff to identify the person as well as get them a new key card if they are truly an employee.
2. Don’t Let Someone in Who Doesn’t Have a Key Card or ID Badge
Whether it’s you or another employee who notices someone doesn’t have their key card or ID badge and is trying to access your facility, ensure the person is reported and verified by your team. Don’t let them into important areas of your building without verifying their identity.
3. Implement Company-wide Security Measures and Policies
You can’t be everywhere throughout your facility at one time. To protect your company from unauthorized access, your entire organization should understand and implement cyber security best practices. For example, radio frequency identification (RFID technology) uses radio waves to detect objects and people. It is also used for credit cards and key cards for contactless scanning.
Threat actors use this technology to scan credit and key cards to gain access to sensitive information without the employee being the wiser. This is why all ID badges and key cards should have RFID-blocking sleeves to eliminate a quick avenue for threat actors to bypass door locks in your facility. If some employees don’t have protected cards, then the entire company is still at risk.
4. Properly Dispose of Old Sensitive Data and Documents, Including Key Cards
While we understand you must keep specific employee information, it should be properly disposed of once this information is no longer in use. This includes disposing of key cards and ID badges associated with former employees. This doesn’t mean tossing it in the dumpster either, as threat actors may go dumpster diving for any confidential information. Ensure you are shredding them with cross or micro-cutting shredders before having a third-party company handle the contents offsite.
Is Your Organization’s Cyber Security Posture Fortified?
To prevent bypassing attacks of key card door locks, investing in the best practices, resources, and standards for your cybersecurity posture can be the difference between a cyber threat causing catastrophic damage to your organization or avoiding a threat before it even occurs.
At Mitnick Security, we offer several advanced cybersecurity testing services designed to protect against the latest and most devastating cyber threats, including:
- Ransomware
- Social engineering attacks
- Malware
- And many more
Put your cybersecurity in the hands of cybersecurity’s most elite group of security consultants — The Global Ghost Team™ — and fortify your most sensitive data and assets today with Mitnick Security’s pentesting services.
