Bypassing Key Card Access: Shoring Up Your Physical Security

As you build additional layers of defense into your cybersecurity framework, it's important to implement physical security strategies as well.

One common physical security layer that many organizations believe they can set and forget is the implementation of key card readers that force authorization to access their building and specific rooms.

Below, we’ll discuss how threat actors can utilize social engineering tactics to bypass key card access and door locks, as well as what you can do to best protect your organization — and staff — from these attacks.


Social Engineering Tactics Used To Bypass or Gain Key Card Access

While there are several tactics threat actors use to social engineer their targets, here are some of the most common methods they use for gaining key card access or ID badges:

Key card lending or theft. Often, key cards are compromised simply because an employee didn’t think twice about lending their key card to someone who supposedly works at the company.

Tailgating social engineering. In a tailgating attack, a threat actor impersonates an employee, courier, or delivery driver and pretends either to have forgotten their key card or to have their hands full, so that an employee opens the company's doors for them.

Diversion and dropoff theft. One tactic threat actors use to compromise key cards is to create a diversion or dropoff area for important documents.

Key card scanning. Threat actors can simply shoulder surf or hover around an employee while secretly scanning their ID badge or key card to gain access to different areas of your company.



Physical Security Tips and Techniques

1. Don’t Lend Your Key Card to Anyone

Never, under any circumstances, loan your key card or any means of identity to another employee. It’s better to lead them to the front desk or work with the appropriate members of your staff to identify the person as well as get them a new key card if they are truly an employee.

2. Don’t Let Someone in Who Doesn’t Have a Key Card or ID Badge

Whether it’s you or another employee who notices someone doesn’t have their key card or ID badge and is trying to access your facility, ensure the person is reported and verified by your team. Don’t let them into important areas of your building without verifying their identity.

3. Implement Company-wide Security Measures and Policies

You can’t be everywhere throughout your facility at one time. To protect your company from unauthorized access, your entire organization should understand and implement cybersecurity best practices. For example, radio frequency identification (RFID) technology uses radio waves to identify objects and people. It is also used in credit cards and key cards for contactless scanning.

Threat actors use this technology to scan credit and key cards and gain access to sensitive information with the employee none the wiser. This is why all ID badges and key cards should have RFID-blocking sleeves, eliminating a quick avenue for threat actors to bypass door locks in your facility. If some employees don’t have protected cards, then the entire company is still at risk.

4. Properly Dispose of Old Sensitive Data and Documents, Including Key Cards

While we understand you must keep specific employee information, it should be properly disposed of once it is no longer in use. This includes disposing of key cards and ID badges associated with former employees. This doesn’t mean tossing them in the dumpster either, as threat actors may go dumpster diving for any confidential information. Ensure you shred them with cross-cut or micro-cut shredders before having a third-party company handle the contents offsite.


Is Your Organization’s Cyber Security Posture Fortified?

To prevent attacks that bypass key card door locks, investing in the best practices, resources, and standards for your cybersecurity posture can be the difference between a cyber threat causing catastrophic damage to your organization and avoiding that threat before it even occurs.

At Mitnick Security, we offer several advanced cybersecurity testing services designed to protect against the latest and most devastating cyber threats, including:


Put your cybersecurity in the hands of cybersecurity’s most elite group of security consultants — The Global Ghost Team™ — and fortify your most sensitive data and assets today with Mitnick Security’s pentesting services.

