Security Blunders

(I probably shouldn’t be posting something like this … but hopefully it’s now generic enough that it can sit in the ‘funny story‘ category instead of the ‘oh-my-god he published that!?‘ category.)

Earlier in the week I had a small issue with a "security device" that I have – basically it wouldn’t work as it insisted I didn’t know the magic combination. Sure, it was annoying but at least it was defaulting to locking me out so this gave me some confidence in the system. Getting a new access code issued for the device isn’t a simple process, and requires you to actually appear in person at one of the organisation’s installations.

I arrived at the security checkpoint for installation A, holding a security pass for installation B. Even though this entire story falls under the one organisational umbrella, the design of the security passes is completely different between installations.

Me: Hi there. How’s your day been?

Security: Alright so far … how ’bout yours?

Me: Can’t complain. Anyway, I haven’t  actually been to this installation before as I usually work out of installation B, but I need to get to an XYZ office and apparently you have one of these.

Security: We sure do … it’s just down that way.

As I walked into the installation, I realised I hadn’t even shown my ID. I’d walked past the big red signs saying "ID must be shown on entry and exit." Even though I’d told the guard that I wasn’t familiar with the installation, I had apparently demonstrated that I was meant to be there.

The best bit happened in the XYZ office:

Me: Hi … I’m having a small problem with this device today. I’ve tried it at two separate terminals and it’s not accepting my password on either.

Girl: Ok … let me take a look at it. 

<girl takes security device and connects it to her system>

Girl: Hmm … there doesn’t seem to be anything here to indicate it’s disabled. Are you sure you aren’t just getting the password wrong?

Me: Hope not … can you give me a new one now?

Girl: No – it’ll take 24 hours to do that. How about I give you what you’re after now, you try again yourself in 24 hours and if it’s still an issue then we’ll issue you a new device?

Me: Great – thanks.

At this point I exited the installation.

A summary:

  • I entered a secure installation without being checked for ID, purely because I had engaged in conversation with the guard and used enough lingo to express that I might actually have a legit reason to be there. Even the post-uni boardies+t-shirt look didn’t highlight that I was a bit different to everyone else there.
  • I accessed a highly secured resource using a security device that I didn’t know the password for and without providing any other ID or even saying my name. In the process of this, the girl even read out several of my details.
  • I exited the installation without being checked for ID, even though this is a clearly stated procedure.

This scenario renews the confidence I have in some of the organisations I trust every day – not!

technorati tags: