Piggybacking (security)

No Tailgating sign at Apple Inc. office

In security, piggybacking, similar to tailgating, refers to a person tagging along with another person who is authorized to enter a restricted area or pass a certain checkpoint.[1] It can be either electronic or physical.[2] The act may be legal or illegal, authorized or unauthorized, depending on the circumstances. However, the term more often carries the connotation of an illegal or unauthorized act.[1]

The term tailgating is also used to describe an unauthorized person following someone into a restricted area without the consent of the authorized person. "Tailgating" implies no consent (similar to a car tailgating another vehicle on a road), while "piggybacking" usually implies the consent of the authorized person.[3]

Piggybacking came to public attention particularly in 1999, when a series of weaknesses in airport security were exposed. A study showed that the majority of undercover agents attempting to pass through checkpoints, bring banned items onto planes, or board planes without tickets succeeded. Piggybacking was revealed as one of the methods used to enter off-limits areas.[4]

Methods

Electronic

Physical

Piggybackers have various methods of breaching security. These may include:

Piggybacking can be regarded as one of the simpler forms of social engineering.[6][7]
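As an added example (not from the article), one defender-side check for the pattern described above: correlate badge reads with a separate per-person entry sensor at the same door and flag entries that no badge read accounts for. It assumes a door fitted with a badge reader plus a turnstile or beam-break counter, and runs over a constructed sample log.

```python
from datetime import datetime, timedelta

GRACE = timedelta(seconds=10)  # a badge read covers one entry for this long

# Constructed sample log (not from the article): "<time> <door> badge <id>"
# for reader events and "<time> <door> entry" for the turnstile/beam sensor.
SAMPLE_LOG = """\
2024-05-01T08:00:01 north badge B1001
2024-05-01T08:00:03 north entry
2024-05-01T08:00:40 north badge B1002
2024-05-01T08:00:42 north entry
2024-05-01T08:00:44 north entry
2024-05-01T08:03:15 north badge B1003
2024-05-01T08:03:17 north entry
2024-05-01T08:05:00 north entry
"""


def parse(log):
    """Yield (time, door, kind, badge) tuples; badge is None for entry events."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        ts = datetime.fromisoformat(parts[0])
        yield ts, parts[1], parts[2], (parts[3] if len(parts) > 3 else None)


def suspected_piggybacks(log, grace=GRACE):
    """Return [(entry_time, door, followed_badge)] for entries no badge paid for.

    followed_badge is the badge read the extra entry most likely rode on, or
    None when nothing was read at that door within the grace window (which
    points at a propped or held-open door rather than a close follower).
    """
    pending = {}   # door -> (badge, time) of a badge read not yet used by an entry
    last = {}      # door -> (badge, time) of the most recent badge read
    findings = []
    for ts, door, kind, badge in sorted(parse(log), key=lambda e: e[0]):
        if kind == "badge":
            pending[door] = last[door] = (badge, ts)
            continue
        paid = pending.get(door)
        if paid and ts - paid[1] <= grace:
            del pending[door]          # this entry is the badge holder's own
            continue
        recent = last.get(door)
        followed = recent[0] if recent and ts - recent[1] <= grace else None
        findings.append((ts, door, followed))
    return findings
```

On the sample log the second entry after badge B1002 is flagged as a follower of that badge, and the 08:05:00 entry with no recent badge read is flagged with no badge attached.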


References

  1. Kingsley-Hefty, John (25 September 2013). Physical Security Strategy and Process Playbook. Elsevier Science. pp. 85–. ISBN 978-0-12-417237-1.
  2. Krause, Micki (6 April 2006). Information Security Management Handbook on CD-ROM, 2006 Edition. CRC Press. p. 3800. ISBN 978-0-8493-8585-8.
  3. Ciampa, Mark (27 July 2012). Security+ Guide to Network Security Fundamentals. Cengage Learning. ISBN 978-1-111-64012-5.
  4. Kettle, Martin (1999-12-03). "Inspectors walk through US airport security". The Guardian. London. Retrieved 2010-05-22.
  5. Moallem, Abbas, ed. (2021). "HCI for Cybersecurity, Privacy and Trust". Lecture Notes in Computer Science. doi:10.1007/978-3-030-77392-2. ISSN 0302-9743.
  6. Chapman, Siobhan (2009-05-11). "How a man used social engineering to trick a FTSE-listed financial firm". Computerworld UK.
  7. "CROA case shows why piggybacking isn't the answer for consumers shouldering bad credit". Federal Trade Commission. 2020-03-09. Retrieved 2020-11-21.