Piggybacking (security)

Last updated November 18, 2024

In security, piggybacking, similar to tailgating, refers to when a person tags along with another person who is authorized to gain entry into a restricted area, or pass a certain checkpoint.^[1] It can be either electronic or physical.^[2] The act may be legal or illegal, authorized or unauthorized, depending on the circumstances. However, the term more often has the connotation of being an illegal or unauthorized act.^[1]

To describe the act of an unauthorized person who follows someone to a restricted area without the consent of the authorized person, the term tailgating is also used. "Tailgating" implies no consent (similar to a car tailgating another vehicle on a road), while "piggybacking" usually implies consent of the authorized person, similar to a person giving another person a piggyback on their shoulders.^[3]

Piggybacking came to the public's attention particularly in 1999, when a series of weaknesses were exposed in airport security. A study showed that the majority of undercover agents attempting to pass through checkpoints, bring banned items on planes, or board planes without tickets were successful. Piggybacking was revealed as one of the methods that were used in order to enter off-limits areas.^[4]

Methods

Electronic

A user fails to properly log off their computer, allowing an unauthorized user to "piggyback" on the authorized user's session.^[2]
Using authorized shared or common log in credentials to gain access to systems

Physical

Piggybackers have various methods of breaching security. These may include:

Surreptitiously following an individual authorized to enter a location, giving the appearance of being legitimately escorted
Joining a large crowd authorized to enter, and pretending to be a member of the crowd that is largely unchecked
Finding an authorized person who either disregards the law or the rules of the facility, or is tricked into believing the piggybacker is authorized, and agreeably allows the piggybacked to tag along
Donning counterfeit identification badges or cards to seamlessly integrate into the environment
Gaining access through alternative entrances like rear or side doors, such as those found in parking lots^[5]

Piggybacking can be regarded as one of the simpler forms of social engineering.^[6]^[7]

Related Research Articles

<span class="mw-page-title-main">Authentication</span> Act of proving an assertion

Authentication is the act of proving an assertion, such as the identity of a computer system user. In contrast with identification, the act of indicating a person or thing's identity, authentication is the process of verifying that identity. It might involve validating personal identity documents, verifying the authenticity of a website with a digital certificate, determining the age of an artifact by carbon dating, or ensuring that a product or document is not counterfeit.

Keystroke logging, often referred to as keylogging or keyboard capturing, is the action of recording (logging) the keys struck on a keyboard, typically covertly, so that a person using the keyboard is unaware that their actions are being monitored. Data can then be retrieved by the person operating the logging program. A keystroke recorder or keylogger can be either software or hardware.

<span class="mw-page-title-main">Border checkpoint</span> Passage point on an international border

A border checkpoint is a location on an international border where travelers or goods are inspected and allowed passage through. Authorization often is required to enter a country through its borders. Access-controlled borders often have a limited number of checkpoints where they can be crossed without legal sanctions. Arrangements or treaties may be formed to allow or mandate less restrained crossings. Land border checkpoints can be contrasted with the customs and immigration facilities at seaports, international airports, and other ports of entry.

Bank fraud is the use of potentially illegal means to obtain money, assets, or other property owned or held by a financial institution, or to obtain money from depositors by fraudulently posing as a bank or other financial institution. In many instances, bank fraud is a criminal offence.

Data security means protecting digital data, such as those in a database, from destructive forces and from the unwanted actions of unauthorized users, such as a cyberattack or a data breach.

Secure communication is when two entities are communicating and do not want a third party to listen in. For this to be the case, the entities need to communicate in a way that is unsusceptible to eavesdropping or interception. Secure communication includes means by which people can share information with varying degrees of certainty that third parties cannot intercept what is said. Other than spoken face-to-face communication with no possible eavesdropper, it is probable that no communication is guaranteed to be secure in this sense, although practical obstacles such as legislation, resources, technical issues, and the sheer volume of communication serve to limit surveillance.

Piggybacking on Internet access is the practice of establishing a wireless Internet connection by using another subscriber's wireless Internet access service without the subscriber's explicit permission or knowledge. It is a legally and ethically controversial practice, with laws that vary by jurisdiction around the world. While completely outlawed or regulated in some places, it is permitted in others.

A number of computer operating systems employ security features to help prevent malicious software from gaining sufficient privileges to compromise the computer system. Operating systems lacking such features, such as DOS, Windows implementations prior to Windows NT, CP/M-80, and all Mac operating systems prior to Mac OS X, had only one category of user who was allowed to do anything. With separate execution contexts it is possible for multiple users to store private files, for multiple users to use a computer at the same time, to protect the system against malicious users, and to protect the system against malicious programs. The first multi-user secure system was Multics, which began development in the 1960s; it wasn't until UNIX, BSD, Linux, and NT in the late 80s and early 90s that multi-tasking security contexts were brought to x86 consumer machines.

A seasoned tradeline is a line of credit that the borrower has held open in good standing for a long period of time, typically at least two years. The "seasoned" part implies that the account is aged or that it has an established history.

ISO/IEC 27002 is an information security standard published by the International Organization for Standardization (ISO) and by the International Electrotechnical Commission (IEC), titled Information security, cybersecurity and privacy protection — Information security controls.

Computer trespass is a computer crime in the United States involving unlawful access to computers. It is defined under the Computer Fraud and Abuse act.

Laws regarding "unauthorized access of a computer network" exist in many legal codes, though the wording and meaning differs from one to the next. However, the interpretation of terms like "access" and "authorization" is not clear, and there is no general agreement on whether piggybacking falls under this classification. Some jurisdictions prohibit it, some permit it, and others are not well-defined.

Database activity monitoring is a database security technology for monitoring and analyzing database activity. DAM may combine data from network-based monitoring and native audit information to provide a comprehensive picture of database activity. The data gathered by DAM is used to analyze and report on database activity, support breach investigations, and alert on anomalies. DAM is typically performed continuously and in real-time.

Cloud computing security or, more simply, cloud security, refers to a broad set of policies, technologies, applications, and controls utilized to protect virtualized IP, data, applications, services, and the associated infrastructure of cloud computing. It is a sub-domain of computer security, network security, and, more broadly, information security.

In computer security, a threat is a potential negative action or event enabled by a vulnerability that results in an unwanted impact to a computer system or application.

Social hacking describes the act of attempting to manipulate outcomes of social behaviour through orchestrated actions. The general function of social hacking is to gain access to restricted information or to a physical space without proper permission. Most often, social hacking attacks are achieved by impersonating an individual or group who is directly or indirectly known to the victims or by representing an individual or group in a position of authority. This is done through pre-meditated research and planning to gain victims’ confidence. Social hackers take great measures to present overtones of familiarity and trustworthiness to elicit confidential or personal information. Social hacking is most commonly associated as a component of “social engineering”.

A Piggyback attack is an active form of wiretapping where the attacker gains access to a system via intervals of inactivity in another user's legitimate connection. It is also called a “between the line attack” or "piggyback-entry wiretapping".

In cybersecurity, cyber self-defense refers to self-defense against cyberattack. While it generally emphasizes active cybersecurity measures by computer users themselves, cyber self-defense is sometimes used to refer to the self-defense of organizations as a whole, such as corporate entities or entire nations. Surveillance self-defense is a variant of cyber self-defense and largely overlaps with it. Active and passive cybersecurity measures provide defenders with higher levels of cybersecurity, intrusion detection, incident handling and remediation capabilities. Various sectors and organizations are legally obligated to adhere to cyber security standards.

Internet security awareness or Cyber security awareness refers to how much end-users know about the cyber security threats their networks face, the risks they introduce and mitigating security best practices to guide their behavior. End users are considered the weakest link and the primary vulnerability within a network. Since end-users are a major vulnerability, technical means to improve security are not enough. Organizations could also seek to reduce the risk of the human element. This could be accomplished by providing security best practice guidance for end users' awareness of cyber security. Employees could be taught about common threats and how to avoid or mitigate them.

References

1 2 John Kingsley-Hefty (25 September 2013). Physical Security Strategy and Process Playbook. Elsevier Science. pp. 85–. ISBN 978-0-12-417237-1.
1 2 Krause, Micki (6 April 2006). Information Security Management Handbook on CD-ROM, 2006 Edition. CRC Press. p. 3800. ISBN 978-0-8493-8585-8.
↑ Mark Ciampa (27 July 2012). Security+ Guide to Network Security Fundamentals. Cengage Learning. ISBN 978-1-111-64012-5.
↑ Kettle, Martin (1999-12-03). "Inspectors walk through US airport security". The Guardian. London. Retrieved 2010-05-22.
↑ Moallem, Abbas, ed. (2021). "HCI for Cybersecurity, Privacy and Trust". Lecture Notes in Computer Science. doi:10.1007/978-3-030-77392-2. ISSN 0302-9743.
↑ Siobhan Chapman (2009-05-11). "How a man used social engineering to trick a FTSE-listed financial firm". Computerworlduk.
↑ "CROA case shows why piggybacking isn't the answer for consumers shouldering bad credit". Federal Trade Commission. 2020-03-09. Retrieved 2020-11-21.

This terminology-related article is a stub. You can help Wikipedia by expanding it.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[Kingsley-Hefty2013-1] 1 2 John Kingsley-Hefty (25 September 2013). Physical Security Strategy and Process Playbook. Elsevier Science. pp. 85–. ISBN 978-0-12-417237-1.

[Krause2006-2] 1 2 Krause, Micki (6 April 2006). Information Security Management Handbook on CD-ROM, 2006 Edition. CRC Press. p. 3800. ISBN 978-0-8493-8585-8.

[Ciampa2012-3] Mark Ciampa (27 July 2012). Security+ Guide to Network Security Fundamentals. Cengage Learning. ISBN 978-1-111-64012-5.

[4] Kettle, Martin (1999-12-03). "Inspectors walk through US airport security". The Guardian. London. Retrieved 2010-05-22.

[5] Moallem, Abbas, ed. (2021). "HCI for Cybersecurity, Privacy and Trust". Lecture Notes in Computer Science. doi:10.1007/978-3-030-77392-2. ISSN 0302-9743.

[6] Siobhan Chapman (2009-05-11). "How a man used social engineering to trick a FTSE-listed financial firm". Computerworlduk.

[7] "CROA case shows why piggybacking isn't the answer for consumers shouldering bad credit". Federal Trade Commission. 2020-03-09. Retrieved 2020-11-21.

[1]

[2]

[3]

[4]

[5]

[6]

[7]