Thursday, January 13, 2011


Badges? I don’t have to show you any stinking badges.

Bruce Schneier points out this paper (pdf here) that analyzes the ease of getting fake law enforcement credentials and then using them successfully.

Today, badges convey that the bearer is granted the authority to enforce laws established by a governmental or quasi-governmental entity and are cherished by law enforcement officers. The issue is that there are over 17,000 law enforcement agencies in the United States, all with different badges and credentials issued to their personnel. This is not including the over 70 different federal law enforcement agencies that issue badges and/or credentials. And in there lies the problem. How do you know a cop is a cop?

The most common response to that question is usually, if they walk like a cop. Talk like a cop. And look like a cop, then they are a cop. The assumption is further built upon when being presented with a badge and identification card. But that is not always the case.

It’s probably not surprising that they found it easy to obtain, cheaply, fake badges, and that those badges then allowed them pretty much unimpeded access to whatever they wanted. In other words, real badges provide little real security.

As someone who’s worked in secured facilities, where badges are required for access, I can say that how well all of this works very much depends upon how the badges are used, and the bottom line is that it’s useless to expect reasonable enforcement by having people look at others’ badges. They will too often fail to look, and when they do look they will be unable to detect the fakes.

But not all setups rely only on visual inspection. At one facility, a guard eyed your badge at the gate, but that was designed only to block tourists — to keep arbitrary curious people from wandering onto the premises. But to actually get into the building, everyone had to pass a badge reader and enter an identification code on a keypad, a two-factor authentication process (something I have, and something I know). The reader validated the badge, making it harder to get a fake through. The identification code made sure that I matched the badge — not just that I bore a passing resemblance to the guy in the photo, but that I actually knew the code that was stored in the database for that particular badge.

That defeats attempts to clone a badge, or to put arbitrary information (or none at all) on the magnetic strip. Getting through that system would require compromising an individual and specifically stealing or copying his credentials and obtaining the corresponding identification code... or, alternatively, finding a way to get in that bypasses the badge readers. There might have been such a way, but none was apparent to me.

Once inside, we’re back to the visual checks again, so one can wander unimpeded through much of the building. But the process at the entrances repeats for access to certain areas of the building, again requiring either badging in (with reader and ID code) or opening a lock with a combination unique to that area.
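The entrance check described above, sketched as an added example (not code from this post or from any real access-control product). The badge IDs, codes, area names and the three-strike lockout are constructed assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILURES = 3  # assumed lockout threshold, not from the post


def _hash_code(code: str, salt: bytes) -> bytes:
    # Store a salted hash of the identification code, never the code itself.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)


@dataclass
class BadgeRecord:
    salt: bytes
    code_hash: bytes
    areas: set
    revoked: bool = False
    failures: int = 0


class AccessController:
    """Reader plus keypad: something you have and something you know."""

    def __init__(self):
        self._badges = {}  # badge_id -> BadgeRecord (the facility database)

    def enroll(self, badge_id, code, areas):
        salt = os.urandom(16)
        self._badges[badge_id] = BadgeRecord(salt, _hash_code(code, salt), set(areas))

    def check(self, badge_id, code, area):
        rec = self._badges.get(badge_id)
        if rec is None:  # arbitrary data on the strip: not in the database
            return "deny:unknown-badge"
        if rec.revoked or rec.failures >= MAX_FAILURES:
            return "deny:badge-disabled"
        # Constant-time compare; a cloned badge without the code stops here.
        if not hmac.compare_digest(rec.code_hash, _hash_code(code, rec.salt)):
            rec.failures += 1
            return "deny:bad-code"
        rec.failures = 0
        if area not in rec.areas:  # interior doors repeat the same check
            return "deny:area-not-authorized"
        return "grant"


if __name__ == "__main__":
    ac = AccessController()
    ac.enroll("B-1001", "4821", {"lobby", "lab"})  # constructed sample data
    print(ac.check("B-1001", "4821", "lab"))
```

Every denial carries a reason, so repeated bad codes against one badge can be logged and reviewed instead of relying on someone noticing at the door.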

I don’t think there’s any way to completely get rid of visual inspection of credentials, but we have to minimize it. The public is especially vulnerable, in cases where someone dresses like a cop and has something that looks like a badge. But for official buildings and other secured areas we do have alternatives, and we should be using them rigorously.

2 comments:

Thomas J. Brown said...

In the film The Town the main characters use this to their advantage, both to get into a secure area where they commit their robbery, and then later, when they're surrounded by police, to get back out by blending in. They were dressed like cops, so everyone just assumed they were -- including the FBI. Of course, that's just a movie, but I could see it working in real life under the right conditions.

The Ridger, FCD said...

There have been days when I took off my badge (after the reader/keypad thing you describe) to take off my coat, and forgot to put it on, and wandered the building half the day before I noticed it lying on my desk. No one ever said a word. People don't actually tend to look at badges inside such a facility.