Have you ever been stopped by an in-store security guard because the tag on a product you bought elsewhere triggered the door alarm in their shop? It turns out there’s a brand of stock-control chip that has such a reputation for doing this, it actually causes a security vulnerability. The problem is especially interesting because it involves social engineering.
I set off the alarm on the way out of my local supermarket at the weekend. The security guard came over and asked whether I’d bought any electronic items. I hadn’t, but I did have a CD in my pocket that I’d bought elsewhere earlier, and its security tag had triggered the system. The guard gave me a knowing look and said that this particular brand of RFID chip is notorious for causing false positives in a number of other stores. He enthusiastically demonstrated the problem by using my CD to set off the alarm a couple more times, and then cheerfully waved me on my way. He also unwittingly revealed a vulnerability in the supermarket’s security procedures.
At no time did the guard examine the content of my shopping bags, which I had left on the street side of the sensors during our entire conversation. In other words, the existence of a false positive was enough of an explanation to convince him I wasn’t a thief.
Luckily for the supermarket, he was right.
Now I know what you’re thinking: surely at this point the guard should eliminate the CD as a possibility and then ask you to push the trolley through the sensor again, right? This is where the social engineering comes in. If you appear to be well dressed, articulate, polite and helpful, chances are you’ll fail to raise any suspicion, and the explanation for the alarm that you’re presenting will be accepted – especially if the guard has seen it happen before. The odds are good that you’ll get away with it.
It’s very difficult to defend against this sort of trickery with minimum wage security guards and a system that is prone to false positives. I’m sure that if you asked any shop with one these alarms, they would say their procedures should prevent this kind of con, but in the real world it’s often possible to get round systems that rely on humans to be effective: people are usually the weakest link in any security system.
Something to think about next time you go through an airport security checkpoint.