Piggybacking (security)

In security, piggybacking, similar to tailgating, refers to when a person tags along with another person who is authorized to gain entry into a restricted area, or pass a certain checkpoint.[1] It can be either electronic or physical.[2] The act may be legal or illegal, authorized or unauthorized, depending on the circumstances. However, the term more often has the connotation of being an illegal or unauthorized act.[1]

No Tailgating sign at Apple Inc. office

To describe the act of an unauthorized person who follows someone to a restricted area without the consent of the authorized person, the term tailgating is also used. "Tailgating" implies no consent (similar to a car tailgating another vehicle on a road), while "piggybacking" usually implies consent of the authorized person.[3]

Piggybacking came to the public's attention particularly in 1999, when a series of weaknesses were exposed in airport security. A study showed that the majority of undercover agents attempting to pass through checkpoints, bring banned items on planes, or board planes without tickets, were successful. Piggybacking was revealed as one of the methods that was used in order to enter off-limits areas.[4]

Methods

Electronic

  • A user fails to properly log off their terminal allowing an unauthorized user to "piggyback" on the authorized user's session.[2]

Physical

Piggybackers have various methods of breaching security. These may include:

  • Surreptitiously following an individual authorized to enter a location, giving the appearance of being legitimately escorted
  • Joining a large crowd authorized to enter and passing as one of its members, since such crowds are largely unchecked
  • Finding an authorized person who either disregards the law or the rules of the facility, or is tricked into believing the piggybacker is authorized, and agreeably allows the piggybacker to tag along

Piggybacking can be regarded as one of the simpler forms of social engineering.[5]
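One way a facility can detect the physical methods above from access-control telemetry, as an added example that is not part of the original article: it assumes a door that logs badge reads at the entry and exit readers plus a turnstile or door sensor that counts how many people actually passed per open cycle, and it flags cycles where more people entered than credentials were read (a tailgate) and credentials that enter again without ever exiting (an anti-passback violation, the classic sign of a shared or cloned badge). The log lines are constructed for the example.

```python
from collections import defaultdict

# Constructed sample log (not from the article). Assumed format per line:
# "<timestamp> <door> <event> <value>" where BADGE is a read at the entry
# reader, EXIT a read at the exit reader, and ENTRY_COUNT the number of
# people the turnstile/door sensor counted during that open cycle.
SAMPLE_LOG = """\
2024-03-01T08:00:01 door-3 BADGE 1042
2024-03-01T08:00:03 door-3 ENTRY_COUNT 1
2024-03-01T08:05:10 door-3 BADGE 2077
2024-03-01T08:05:13 door-3 ENTRY_COUNT 2
2024-03-01T08:07:40 door-3 BADGE 1042
2024-03-01T08:07:42 door-3 ENTRY_COUNT 1
2024-03-01T08:30:00 door-3 EXIT 2077
"""


def parse_log(text):
    """Split the log into (timestamp, door, event, value) tuples."""
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]


def find_tailgating(events):
    """Flag door cycles where more people passed than credentials were read."""
    pending = defaultdict(list)  # door -> badges read since the last ENTRY_COUNT
    alerts = []
    for ts, door, kind, value in events:
        if kind == "BADGE":
            pending[door].append(value)
        elif kind == "ENTRY_COUNT":
            badges = pending.pop(door, [])
            if int(value) > len(badges):
                alerts.append((ts, door, badges, int(value)))
    return alerts


def find_passback(events):
    """Flag a credential that enters again before any EXIT read for it."""
    inside = set()
    alerts = []
    for ts, door, kind, value in events:
        if kind == "BADGE":
            if value in inside:
                alerts.append((ts, door, value))
            inside.add(value)
        elif kind == "EXIT":
            inside.discard(value)
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in find_tailgating(evs):
        print("possible tailgating:", alert)
    for alert in find_passback(evs):
        print("anti-passback violation:", alert)
```

On the sample log this reports the 08:05 cycle (two people, one badge) and badge 1042 re-entering at 08:07 without an exit; both alerts are worth correlating with camera footage before acting on them.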


References

  1. John Kingsley-Hefty (25 September 2013). Physical Security Strategy and Process Playbook. Elsevier Science. pp. 85–. ISBN 978-0-12-417237-1.
  2. Krause, Micki (6 April 2006). Information Security Management Handbook on CD-ROM, 2006 Edition. CRC Press. p. 3800. ISBN 978-0-8493-8585-8.
  3. Mark Ciampa (27 July 2012). Security+ Guide to Network Security Fundamentals. Cengage Learning. ISBN 1-111-64012-2.
  4. Kettle, Martin (1999-12-03). "Inspectors walk through US airport security". The Guardian. London. Retrieved 2010-05-22.
  5. Siobhan Chapman (2009-05-11). "How a man used social engineering to trick a FTSE-listed financial firm". Computerworlduk.
This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.