Physical Security - Bad Design Practices

June 18, 2015

Today I happened to visit a store that had a front desk and a designated area in the back that was only accessible to employees. It had a nice big lock that only opened after successful RFID Authentication. It seemed like a system that may not be trivial to bypass unless you get a card cloner, get the card content and hope it’s not dynamic, and in general it seemed secure.

However, we all know that the weakest link is the human factor in these cases. You could try to socially engineer an employee to open the door for you by claiming to be someone or that you want to do something. This can work, but you need to sound convincing.

But what if you didn’t have to do any of this? What if near the RFID Reader there was an RFID Access Card, nailed to the wall by its strap, just a centimeter or two to the left, and by moving it a little bit you could get full access?

Turns out this helpful utility was there just because the employees, despite all having their Access Cards hanging from their necks, wanted an even faster way to access the place.

Turns out that we Security Engineers and System Designers think in our paranoid way, which is much different than the users’ way of thinking, and come up with solutions that may seem secure, but users don’t like them, so one way or another they will not use them. This incident reminded me of how important it is to take the users’ point of view into account when designing a system. You might have to sacrifice some security sometimes, but if you try to force someone to use your product just because it’s secure while it makes his life more difficult, he’s not going to choose it or he’ll find a bypass for it.