Roles to play when tailgaiting into a residential building
up vote
80
down vote
favorite
Following people into a large RFID protected residential building is ridiculously easy, as not everyone knows everyone else. Just the other day I was let in with a rifle (an airgun, but how could have they known).
But standing helplessly in front of the door, looking in sorrow at the lock, is not the best role to play as it attracts questions like "who are you" or "who are you visiting".
What is a more appropriate behavior when waiting around for someone to enter?
social-engineering physical-access
asked Nov 15 at 13:13
Vorac
82821221
|
show 2 more comments
up vote
80
down vote
favorite
Following people into a large RFID protected residential building is ridiculously easy, as not everyone knows everyone else. Just the other day I was let in with a rifle (an airgun, but how could have they known).
But standing helplessly in front of the door, looking in sorrow at the lock, is not the best role to play as it attracts questions like "who are you" or "who are you visiting".
What is a more appropriate behavior when waiting around for someone to enter?
social-engineering physical-access
asked Nov 15 at 13:13
Vorac
82821221
29
Wait for people to come out for a smoke, smoke with them while talking to them. When they go back in, you join them.
– Jeroen - IT Nerdbox
Nov 15 at 13:15
12
"but how could have they known" - Not sure where you're located but if you can buy an air rifle and carry it around without much bother then that likely means you're in a place where the locals know what air rifles look like and you happened to run into one.
– Freiheit
Nov 15 at 20:27
41
If someone carrying a rifle tried to follow you into a building, would you challenge them?
– Jeffrey Bosboom
Nov 15 at 21:29
5
What has become of pushing every button on the doorbell panel? Someone always opens...
– Damon
yesterday
1
Buy one of these: images-na.ssl-images-amazon.com/images/I/… . Look rushed, and knock on the window/door until someone lets you in.
– 0112
yesterday
|
show 2 more comments
up vote
80
down vote
favorite
up vote
80
down vote
favorite
Following people into a large RFID protected residential building is ridiculously easy, as not everyone knows everyone else. Just the other day I was let in with a rifle (an airgun, but how could have they known).
But standing helplessly in front of the door, looking in sorrow at the lock, is not the best role to play as it attracts questions like "who are you" or "who are you visiting".
What is a more appropriate behavior when waiting around for someone to enter?
social-engineering physical-access
asked Nov 15 at 13:13
Vorac
82821221
Following people into a large RFID protected residential building is ridiculously easy, as not everyone knows everyone else. Just the other day I was let in with a rifle (an airgun, but how could have they known).
But standing helplessly in front of the door, looking in sorrow at the lock, is not the best role to play as it attracts questions like "who are you" or "who are you visiting".
What is a more appropriate behavior when waiting around for someone to enter?
social-engineering physical-access
social-engineering physical-access
asked Nov 15 at 13:13
Vorac
82821221
asked Nov 15 at 13:13
Vorac
82821221
asked Nov 15 at 13:13
Vorac
82821221
asked Nov 15 at 13:13
Vorac
82821221
asked Nov 15 at 13:13
Vorac
82821221
82821221
29
Wait for people to come out for a smoke, smoke with them while talking to them. When they go back in, you join them.
– Jeroen - IT Nerdbox
Nov 15 at 13:15
12
"but how could have they known" - Not sure where you're located but if you can buy an air rifle and carry it around without much bother then that likely means you're in a place where the locals know what air rifles look like and you happened to run into one.
– Freiheit
Nov 15 at 20:27
41
If someone carrying a rifle tried to follow you into a building, would you challenge them?
– Jeffrey Bosboom
Nov 15 at 21:29
5
What has become of pushing every button on the doorbell panel? Someone always opens...
– Damon
yesterday
1
Buy one of these: images-na.ssl-images-amazon.com/images/I/… . Look rushed, and knock on the window/door until someone lets you in.
– 0112
yesterday
|
show 2 more comments
29
Wait for people to come out for a smoke, smoke with them while talking to them. When they go back in, you join them.
– Jeroen - IT Nerdbox
Nov 15 at 13:15
12
"but how could have they known" - Not sure where you're located but if you can buy an air rifle and carry it around without much bother then that likely means you're in a place where the locals know what air rifles look like and you happened to run into one.
– Freiheit
Nov 15 at 20:27
41
If someone carrying a rifle tried to follow you into a building, would you challenge them?
– Jeffrey Bosboom
Nov 15 at 21:29
5
What has become of pushing every button on the doorbell panel? Someone always opens...
– Damon
yesterday
1
Buy one of these: images-na.ssl-images-amazon.com/images/I/… . Look rushed, and knock on the window/door until someone lets you in.
– 0112
yesterday
29
29
Wait for people to come out for a smoke, smoke with them while talking to them. When they go back in, you join them.
– Jeroen - IT Nerdbox
Nov 15 at 13:15
Wait for people to come out for a smoke, smoke with them while talking to them. When they go back in, you join them.
– Jeroen - IT Nerdbox
Nov 15 at 13:15
12
12
"but how could have they known" - Not sure where you're located but if you can buy an air rifle and carry it around without much bother then that likely means you're in a place where the locals know what air rifles look like and you happened to run into one.
– Freiheit
Nov 15 at 20:27
"but how could have they known" - Not sure where you're located but if you can buy an air rifle and carry it around without much bother then that likely means you're in a place where the locals know what air rifles look like and you happened to run into one.
– Freiheit
Nov 15 at 20:27
41
41
If someone carrying a rifle tried to follow you into a building, would you challenge them?
– Jeffrey Bosboom
Nov 15 at 21:29
If someone carrying a rifle tried to follow you into a building, would you challenge them?
– Jeffrey Bosboom
Nov 15 at 21:29
5
5
What has become of pushing every button on the doorbell panel? Someone always opens...
– Damon
yesterday
What has become of pushing every button on the doorbell panel? Someone always opens...
– Damon
yesterday
1
1
Buy one of these: images-na.ssl-images-amazon.com/images/I/… . Look rushed, and knock on the window/door until someone lets you in.
– 0112
yesterday
Buy one of these: images-na.ssl-images-amazon.com/images/I/… . Look rushed, and knock on the window/door until someone lets you in.
– 0112
yesterday
|
show 2 more comments
6 Answers
6
active
oldest
votes
up vote
121
down vote
There are some basic social engineering approaches to use that work in most situations, not just tailgating:
- urgency
- authority
- curiosity
- pretexting
Urgency
Be someone with a specific task to perform that needs to be done right now. The classics are a delivery person with full arms and someone looking to pick someone else up. A family member needing to check on an elderly resident. People want to be helpful and they don't think that you will be around long enough to be a threat.
Authority
Be someone who the gatekeeper has no right or reason to refuse. Fire marshal, utilities inspector, law enforcement, building security, process server. Lots of studies of people being let in with a just clipboard and a high-visibility vest.
Curiosity
To get close to someone, be very interesting in such a way that they want to know more. Dress up as a clown to deliver a telegram.
Pretexting
Establish a shallow relationship that appears to be deeper. Smoking with people outside on their break is classic. The smokers will assume you are also an employee (why else would you be there?)
Combinations
But these work even better in combination. A fire marshal in an awful rush. A clown who claims he was at the last company party (and knows a few important names). The more combinations you can combine, the more effective the process is — an authority figure, in a rush, to do something interesting, who claims to have a preexisting relationship. If you go over the top or try too hard, it will backfire, though.
edited yesterday
NieDzejkob
1033
answered Nov 15 at 13:29
schroeder♦
70.9k29154189
181
So you are saying a smoking clown with with a fire axe on his back and a police cap on the head hodling 6 packages with a cliboard lying on top demanding to enter the building to check on his elderly mother because he is worried that there is a gas leak would not work? I guess, I'll have to send everything back then.
– problemofficer
Nov 15 at 15:08
63
"Lots of studies of people being let in with a just clipboard and a high-visibility vest." - for most large buildings I've worked/lived in, all you'd have to say is "I'm here to work on the AC (or heater)" and they'll roll out the red carpet for you.
– Lord Farquaad
Nov 15 at 16:05
9
I suspect combinations are a bad idea. You want to avoid making the mark think too closely. Each of the examples seems to be a normal individual and a lazy thinking mark will let them in. I think you are right with the last sentence that combinations can backfire, but I think the threshold for decreasing your chance of success is lower.
– Ross Millikan
Nov 15 at 16:44
41
This is a good answer. I would also add "social awkwardness," as in people will avoid interacting with you if they think it would be awkward. For example, you could wait for someone to approach the gate then walk in with them while talking continuously on your cell phone-- most people won't want to interrupt.
– John Wu
Nov 15 at 19:36
14
@John that's definitely something you could combine. A guy with a vest and clipboard (or suit and clipboard, depending on the place), on the phone with a confident nod toward the security guard as he walks in would be pretty solid.
– Cullub
Nov 16 at 4:13
|
show 4 more comments
up vote
51
down vote
Just stand outside the door at some distance talking on your phone. Don't look at the door, don't look at the person coming to open it, don't look like you want to get in. Don't ask to be let in. Don't engage in conversation. Just let the person open the door and go through. Then in the last second before it closes and lock, you walk through still talking on your phone.
Wearing a costume or high-vis will make you... well, highly visible. In some places you might need the costume and the excuse to get in. But in a lot of places, just blending in like an unmemorable nobody is quite enough. Dress like you belong, don't ask, just walk.
As a disclaimer I should note that I have no professional experience with this. But I do use it all the time to get into my office when I forget my RFID tag.
answered Nov 16 at 9:54
Anders
47.8k21136157
19
I do use it all the time to get into my office when I forget my RFID tag- I sure hope your office doesn't handle any sensitive information.
– Strikegently
2 days ago
1
Ethics aside, this is a good practical solution. Being on the phone and looking like you belong is the key.
– Lightness Races in Orbit
1 hour ago
add a comment |
up vote
26
down vote
The main element, as you've said, is to not look like you're waiting for your mark to arrive. What you need is a prop that gives a visual indication why you're standing outside the door.
Useful props (that would explain your presence) would include:
- Cigarette or e-Cig.
- Lunch-bag(s).
- Coffee(s) from a local distributor.
- Box of doughnuts.
Having a bulky item or two of something (one in each hand) is especially useful because it would explain why you can't reach for a pass.
Story-time. I was working for a company that had access passes. A local hoodlum bought himself a cheap suit and tried to tailgate into the side-entrance. He was stopped by a member of staff as per the company policy. The hoodlum brazened it out by asking him "was it because he was black?" and the member of staff immediately apologised. The hoodlum demanded his manager's name (so he could make a complaint) and received even more profuse apologies.
The 'mark' then helped him to take laptops out of the conference suite and load them into the back of an unmarked van.
Moral of the story? Social engineering simply requires confidence
answered 2 days ago
Richard
75059
add a comment |
up vote
9
down vote
Buy one of these: 
Look rushed, and knock on the window/door until someone lets you in. Once inside ask for a random name, and have a screenshot of the doordash app on your phone. (Preferably with the name showing)
If you're feeling ambitious:
Become a legitimate employee of doordash (it's not difficult), and then order food to that building from yourself with instructions to go and find someone specific at the company you are targeting.
Have the "customer" leave specific instructions as to where in the building they are. "I'm in the far east corner, in the meeting room. Just show this to the receptionist and tell her that [the CEO] said to let you in". If you encounter further locked doors show the note to the receptionist and ask if they can help you out: "Could you help me find that room?" "My phone is out of data, do you have wifi I could log into?" etc. etc.
answered yesterday
0112
1914
New contributor
0112 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
2
I can see this working, but if you "become a legitimate employee of doordash" wouldn't that make you more traceable after whatever nefarious activity you've gained access for has been discovered?
– James Bradbury
5 hours ago
@JamesBradbury You don't become an employee, you just get enough stuff to look convincing enough, like a uniform or bag. You can't be traced if you aren't with the company. It's all about keeping up appearances.
– shadowmanwkp
3 hours ago
@JamesBradbury that is certainly a risk if you do not wish to be traced. For a hired pentest however, this approach may make more sense.
– 0112
45 mins ago
add a comment |
up vote
0
down vote
People are helpful by nature. Approaching a door with your hands full, for example with a huge gift wrapped box, will encourage people to open the door for you, no questions asked.
answered yesterday
Teun Vink
5,26722029
add a comment |
up vote
0
down vote
Residential building? "pretend" to be a tradesman - you don't even need a costume or fake ID in many cases.
I know of a number of residential buildings in my area where on a weekday before 12:00, pressing the TRADE button on the access panel just opens the door.
Instant access and no subterfuge. Of course it depends on the building, but if it has an access option like this...
answered 3 hours ago
Baldrickk
1013
New contributor
Baldrickk is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
6 Answers
6
active
oldest
votes
6 Answers
6
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
121
down vote
There are some basic social engineering approaches to use that work in most situations, not just tailgating:
- urgency
- authority
- curiosity
- pretexting
Urgency
Be someone with a specific task to perform that needs to be done right now. The classics are a delivery person with full arms and someone looking to pick someone else up. A family member needing to check on an elderly resident. People want to be helpful and they don't think that you will be around long enough to be a threat.
Authority
Be someone who the gatekeeper has no right or reason to refuse. Fire marshal, utilities inspector, law enforcement, building security, process server. Lots of studies of people being let in with a just clipboard and a high-visibility vest.
Curiosity
To get close to someone, be very interesting in such a way that they want to know more. Dress up as a clown to deliver a telegram.
Pretexting
Establish a shallow relationship that appears to be deeper. Smoking with people outside on their break is classic. The smokers will assume you are also an employee (why else would you be there?)
Combinations
But these work even better in combination. A fire marshal in an awful rush. A clown who claims he was at the last company party (and knows a few important names). The more combinations you can combine, the more effective the process is — an authority figure, in a rush, to do something interesting, who claims to have a preexisting relationship. If you go over the top or try too hard, it will backfire, though.
edited yesterday
NieDzejkob
1033
answered Nov 15 at 13:29
schroeder♦
70.9k29154189
181
So you are saying a smoking clown with with a fire axe on his back and a police cap on the head hodling 6 packages with a cliboard lying on top demanding to enter the building to check on his elderly mother because he is worried that there is a gas leak would not work? I guess, I'll have to send everything back then.
– problemofficer
Nov 15 at 15:08
63
"Lots of studies of people being let in with a just clipboard and a high-visibility vest." - for most large buildings I've worked/lived in, all you'd have to say is "I'm here to work on the AC (or heater)" and they'll roll out the red carpet for you.
– Lord Farquaad
Nov 15 at 16:05
9
I suspect combinations are a bad idea. You want to avoid making the mark think too closely. Each of the examples seems to be a normal individual and a lazy thinking mark will let them in. I think you are right with the last sentence that combinations can backfire, but I think the threshold for decreasing your chance of success is lower.
– Ross Millikan
Nov 15 at 16:44
41
This is a good answer. I would also add "social awkwardness," as in people will avoid interacting with you if they think it would be awkward. For example, you could wait for someone to approach the gate then walk in with them while talking continuously on your cell phone-- most people won't want to interrupt.
– John Wu
Nov 15 at 19:36
14
@John that's definitely something you could combine. A guy with a vest and clipboard (or suit and clipboard, depending on the place), on the phone with a confident nod toward the security guard as he walks in would be pretty solid.
– Cullub
Nov 16 at 4:13
|
show 4 more comments
up vote
121
down vote
There are some basic social engineering approaches to use that work in most situations, not just tailgating:
- urgency
- authority
- curiosity
- pretexting
Urgency
Be someone with a specific task to perform that needs to be done right now. The classics are a delivery person with full arms and someone looking to pick someone else up. A family member needing to check on an elderly resident. People want to be helpful and they don't think that you will be around long enough to be a threat.
Authority
Be someone who the gatekeeper has no right or reason to refuse. Fire marshal, utilities inspector, law enforcement, building security, process server. Lots of studies of people being let in with a just clipboard and a high-visibility vest.
Curiosity
To get close to someone, be very interesting in such a way that they want to know more. Dress up as a clown to deliver a telegram.
Pretexting
Establish a shallow relationship that appears to be deeper. Smoking with people outside on their break is classic. The smokers will assume you are also an employee (why else would you be there?)
Combinations
But these work even better in combination. A fire marshal in an awful rush. A clown who claims he was at the last company party (and knows a few important names). The more combinations you can combine, the more effective the process is — an authority figure, in a rush, to do something interesting, who claims to have a preexisting relationship. If you go over the top or try too hard, it will backfire, though.
edited yesterday
NieDzejkob
1033
answered Nov 15 at 13:29
schroeder♦
70.9k29154189
181
So you are saying a smoking clown with with a fire axe on his back and a police cap on the head hodling 6 packages with a cliboard lying on top demanding to enter the building to check on his elderly mother because he is worried that there is a gas leak would not work? I guess, I'll have to send everything back then.
– problemofficer
Nov 15 at 15:08
63
"Lots of studies of people being let in with a just clipboard and a high-visibility vest." - for most large buildings I've worked/lived in, all you'd have to say is "I'm here to work on the AC (or heater)" and they'll roll out the red carpet for you.
– Lord Farquaad
Nov 15 at 16:05
9
I suspect combinations are a bad idea. You want to avoid making the mark think too closely. Each of the examples seems to be a normal individual and a lazy thinking mark will let them in. I think you are right with the last sentence that combinations can backfire, but I think the threshold for decreasing your chance of success is lower.
– Ross Millikan
Nov 15 at 16:44
41
This is a good answer. I would also add "social awkwardness," as in people will avoid interacting with you if they think it would be awkward. For example, you could wait for someone to approach the gate then walk in with them while talking continuously on your cell phone-- most people won't want to interrupt.
– John Wu
Nov 15 at 19:36
14
@John that's definitely something you could combine. A guy with a vest and clipboard (or suit and clipboard, depending on the place), on the phone with a confident nod toward the security guard as he walks in would be pretty solid.
– Cullub
Nov 16 at 4:13
|
show 4 more comments
up vote
121
down vote
up vote
121
down vote
There are some basic social engineering approaches to use that work in most situations, not just tailgating:
- urgency
- authority
- curiosity
- pretexting
Urgency
Be someone with a specific task to perform that needs to be done right now. The classics are a delivery person with full arms and someone looking to pick someone else up. A family member needing to check on an elderly resident. People want to be helpful and they don't think that you will be around long enough to be a threat.
Authority
Be someone who the gatekeeper has no right or reason to refuse. Fire marshal, utilities inspector, law enforcement, building security, process server. Lots of studies of people being let in with a just clipboard and a high-visibility vest.
Curiosity
To get close to someone, be very interesting in such a way that they want to know more. Dress up as a clown to deliver a telegram.
Pretexting
Establish a shallow relationship that appears to be deeper. Smoking with people outside on their break is classic. The smokers will assume you are also an employee (why else would you be there?)
Combinations
But these work even better in combination. A fire marshal in an awful rush. A clown who claims he was at the last company party (and knows a few important names). The more combinations you can combine, the more effective the process is — an authority figure, in a rush, to do something interesting, who claims to have a preexisting relationship. If you go over the top or try too hard, it will backfire, though.
edited yesterday
NieDzejkob
1033
answered Nov 15 at 13:29
schroeder♦
70.9k29154189
There are some basic social engineering approaches to use that work in most situations, not just tailgating:
- urgency
- authority
- curiosity
- pretexting
Urgency
Be someone with a specific task to perform that needs to be done right now. The classics are a delivery person with full arms and someone looking to pick someone else up. A family member needing to check on an elderly resident. People want to be helpful and they don't think that you will be around long enough to be a threat.
Authority
Be someone who the gatekeeper has no right or reason to refuse. Fire marshal, utilities inspector, law enforcement, building security, process server. Lots of studies of people being let in with a just clipboard and a high-visibility vest.
Curiosity
To get close to someone, be very interesting in such a way that they want to know more. Dress up as a clown to deliver a telegram.
Pretexting
Establish a shallow relationship that appears to be deeper. Smoking with people outside on their break is classic. The smokers will assume you are also an employee (why else would you be there?)
Combinations
But these work even better in combination. A fire marshal in an awful rush. A clown who claims he was at the last company party (and knows a few important names). The more combinations you can combine, the more effective the process is — an authority figure, in a rush, to do something interesting, who claims to have a preexisting relationship. If you go over the top or try too hard, it will backfire, though.
edited yesterday
NieDzejkob
1033
answered Nov 15 at 13:29
schroeder♦
70.9k29154189
edited yesterday
NieDzejkob
1033
edited yesterday
NieDzejkob
1033
edited yesterday
NieDzejkob
1033
1033
answered Nov 15 at 13:29
schroeder♦
70.9k29154189
answered Nov 15 at 13:29
schroeder♦
70.9k29154189
answered Nov 15 at 13:29
schroeder♦
70.9k29154189
70.9k29154189
181
So you are saying a smoking clown with with a fire axe on his back and a police cap on the head hodling 6 packages with a cliboard lying on top demanding to enter the building to check on his elderly mother because he is worried that there is a gas leak would not work? I guess, I'll have to send everything back then.
– problemofficer
Nov 15 at 15:08
63
"Lots of studies of people being let in with a just clipboard and a high-visibility vest." - for most large buildings I've worked/lived in, all you'd have to say is "I'm here to work on the AC (or heater)" and they'll roll out the red carpet for you.
– Lord Farquaad
Nov 15 at 16:05
9
I suspect combinations are a bad idea. You want to avoid making the mark think too closely. Each of the examples seems to be a normal individual and a lazy thinking mark will let them in. I think you are right with the last sentence that combinations can backfire, but I think the threshold for decreasing your chance of success is lower.
– Ross Millikan
Nov 15 at 16:44
41
This is a good answer. I would also add "social awkwardness," as in people will avoid interacting with you if they think it would be awkward. For example, you could wait for someone to approach the gate then walk in with them while talking continuously on your cell phone-- most people won't want to interrupt.
– John Wu
Nov 15 at 19:36
14
@John that's definitely something you could combine. A guy with a vest and clipboard (or suit and clipboard, depending on the place), on the phone with a confident nod toward the security guard as he walks in would be pretty solid.
– Cullub
Nov 16 at 4:13
|
show 4 more comments
181
So you are saying a smoking clown with with a fire axe on his back and a police cap on the head hodling 6 packages with a cliboard lying on top demanding to enter the building to check on his elderly mother because he is worried that there is a gas leak would not work? I guess, I'll have to send everything back then.
– problemofficer
Nov 15 at 15:08
63
"Lots of studies of people being let in with a just clipboard and a high-visibility vest." - for most large buildings I've worked/lived in, all you'd have to say is "I'm here to work on the AC (or heater)" and they'll roll out the red carpet for you.
– Lord Farquaad
Nov 15 at 16:05
9
I suspect combinations are a bad idea. You want to avoid making the mark think too closely. Each of the examples seems to be a normal individual and a lazy thinking mark will let them in. I think you are right with the last sentence that combinations can backfire, but I think the threshold for decreasing your chance of success is lower.
– Ross Millikan
Nov 15 at 16:44
41
This is a good answer. I would also add "social awkwardness," as in people will avoid interacting with you if they think it would be awkward. For example, you could wait for someone to approach the gate then walk in with them while talking continuously on your cell phone-- most people won't want to interrupt.
– John Wu
Nov 15 at 19:36
14
@John that's definitely something you could combine. A guy with a vest and clipboard (or suit and clipboard, depending on the place), on the phone with a confident nod toward the security guard as he walks in would be pretty solid.
– Cullub
Nov 16 at 4:13
181
181
So you are saying a smoking clown with with a fire axe on his back and a police cap on the head hodling 6 packages with a cliboard lying on top demanding to enter the building to check on his elderly mother because he is worried that there is a gas leak would not work? I guess, I'll have to send everything back then.
– problemofficer
Nov 15 at 15:08
So you are saying a smoking clown with with a fire axe on his back and a police cap on the head hodling 6 packages with a cliboard lying on top demanding to enter the building to check on his elderly mother because he is worried that there is a gas leak would not work? I guess, I'll have to send everything back then.
– problemofficer
Nov 15 at 15:08
63
63
"Lots of studies of people being let in with a just clipboard and a high-visibility vest." - for most large buildings I've worked/lived in, all you'd have to say is "I'm here to work on the AC (or heater)" and they'll roll out the red carpet for you.
– Lord Farquaad
Nov 15 at 16:05
"Lots of studies of people being let in with a just clipboard and a high-visibility vest." - for most large buildings I've worked/lived in, all you'd have to say is "I'm here to work on the AC (or heater)" and they'll roll out the red carpet for you.
– Lord Farquaad
Nov 15 at 16:05
9
9
I suspect combinations are a bad idea. You want to avoid making the mark think too closely. Each of the examples seems to be a normal individual and a lazy thinking mark will let them in. I think you are right with the last sentence that combinations can backfire, but I think the threshold for decreasing your chance of success is lower.
– Ross Millikan
Nov 15 at 16:44
I suspect combinations are a bad idea. You want to avoid making the mark think too closely. Each of the examples seems to be a normal individual and a lazy thinking mark will let them in. I think you are right with the last sentence that combinations can backfire, but I think the threshold for decreasing your chance of success is lower.
– Ross Millikan
Nov 15 at 16:44
41
41
This is a good answer. I would also add "social awkwardness," as in people will avoid interacting with you if they think it would be awkward. For example, you could wait for someone to approach the gate then walk in with them while talking continuously on your cell phone-- most people won't want to interrupt.
– John Wu
Nov 15 at 19:36
This is a good answer. I would also add "social awkwardness," as in people will avoid interacting with you if they think it would be awkward. For example, you could wait for someone to approach the gate then walk in with them while talking continuously on your cell phone-- most people won't want to interrupt.
– John Wu
Nov 15 at 19:36
14
14
@John that's definitely something you could combine. A guy with a vest and clipboard (or suit and clipboard, depending on the place), on the phone with a confident nod toward the security guard as he walks in would be pretty solid.
– Cullub
Nov 16 at 4:13
@John that's definitely something you could combine. A guy with a vest and clipboard (or suit and clipboard, depending on the place), on the phone with a confident nod toward the security guard as he walks in would be pretty solid.
– Cullub
Nov 16 at 4:13
|
show 4 more comments
up vote
51
down vote
Just stand outside the door at some distance talking on your phone. Don't look at the door, don't look at the person coming to open it, don't look like you want to get in. Don't ask to be let in. Don't engage in conversation. Just let the person open the door and go through. Then in the last second before it closes and lock, you walk through still talking on your phone.
Wearing a costume or high-vis will make you... well, highly visible. In some places you might need the costume and the excuse to get in. But in a lot of places, just blending in like an unmemorable nobody is quite enough. Dress like you belong, don't ask, just walk.
As a disclaimer I should note that I have no professional experience with this. But I do use it all the time to get into my office when I forget my RFID tag.
answered Nov 16 at 9:54
Anders
47.8k21136157
19
I do use it all the time to get into my office when I forget my RFID tag- I sure hope your office doesn't handle any sensitive information.
– Strikegently
2 days ago
1
Ethics aside, this is a good practical solution. Being on the phone and looking like you belong is the key.
– Lightness Races in Orbit
1 hour ago
add a comment |
up vote
51
down vote
Just stand outside the door at some distance talking on your phone. Don't look at the door, don't look at the person coming to open it, don't look like you want to get in. Don't ask to be let in. Don't engage in conversation. Just let the person open the door and go through. Then in the last second before it closes and lock, you walk through still talking on your phone.
Wearing a costume or high-vis will make you... well, highly visible. In some places you might need the costume and the excuse to get in. But in a lot of places, just blending in like an unmemorable nobody is quite enough. Dress like you belong, don't ask, just walk.
As a disclaimer I should note that I have no professional experience with this. But I do use it all the time to get into my office when I forget my RFID tag.
answered Nov 16 at 9:54
Anders
47.8k21136157
19
I do use it all the time to get into my office when I forget my RFID tag- I sure hope your office doesn't handle any sensitive information.
– Strikegently
2 days ago
1
Ethics aside, this is a good practical solution. Being on the phone and looking like you belong is the key.
– Lightness Races in Orbit
1 hour ago
add a comment |
up vote
51
down vote
up vote
51
down vote
Just stand outside the door at some distance talking on your phone. Don't look at the door, don't look at the person coming to open it, don't look like you want to get in. Don't ask to be let in. Don't engage in conversation. Just let the person open the door and go through. Then in the last second before it closes and lock, you walk through still talking on your phone.
Wearing a costume or high-vis will make you... well, highly visible. In some places you might need the costume and the excuse to get in. But in a lot of places, just blending in like an unmemorable nobody is quite enough. Dress like you belong, don't ask, just walk.
As a disclaimer I should note that I have no professional experience with this. But I do use it all the time to get into my office when I forget my RFID tag.
answered Nov 16 at 9:54
Anders
47.8k21136157
Just stand outside the door at some distance talking on your phone. Don't look at the door, don't look at the person coming to open it, don't look like you want to get in. Don't ask to be let in. Don't engage in conversation. Just let the person open the door and go through. Then in the last second before it closes and lock, you walk through still talking on your phone.
Wearing a costume or high-vis will make you... well, highly visible. In some places you might need the costume and the excuse to get in. But in a lot of places, just blending in like an unmemorable nobody is quite enough. Dress like you belong, don't ask, just walk.
As a disclaimer I should note that I have no professional experience with this. But I do use it all the time to get into my office when I forget my RFID tag.
answered Nov 16 at 9:54
Anders
47.8k21136157
answered Nov 16 at 9:54
Anders
47.8k21136157
answered Nov 16 at 9:54
Anders
47.8k21136157
answered Nov 16 at 9:54
Anders
47.8k21136157
47.8k21136157
19
I do use it all the time to get into my office when I forget my RFID tag- I sure hope your office doesn't handle any sensitive information.
– Strikegently
2 days ago
1
Ethics aside, this is a good practical solution. Being on the phone and looking like you belong is the key.
– Lightness Races in Orbit
1 hour ago
add a comment |
19
I do use it all the time to get into my office when I forget my RFID tag- I sure hope your office doesn't handle any sensitive information.
– Strikegently
2 days ago
1
Ethics aside, this is a good practical solution. Being on the phone and looking like you belong is the key.
– Lightness Races in Orbit
1 hour ago
19
19
I do use it all the time to get into my office when I forget my RFID tag - I sure hope your office doesn't handle any sensitive information.– Strikegently
2 days ago
I do use it all the time to get into my office when I forget my RFID tag - I sure hope your office doesn't handle any sensitive information.– Strikegently
2 days ago
1
1
Ethics aside, this is a good practical solution. Being on the phone and looking like you belong is the key.
– Lightness Races in Orbit
1 hour ago
Ethics aside, this is a good practical solution. Being on the phone and looking like you belong is the key.
– Lightness Races in Orbit
1 hour ago
add a comment |
up vote
26
down vote
The main element, as you've said, is to not look like you're waiting for your mark to arrive. What you need is a prop that gives a visual indication why you're standing outside the door.
Useful props (that would explain your presence) would include:
- Cigarette or e-Cig.
- Lunch-bag(s).
- Coffee(s) from a local distributor.
- Box of doughnuts.
Having a bulky item or two of something (one in each hand) is especially useful because it would explain why you can't reach for a pass.
Story-time. I was working for a company that had access passes. A local hoodlum bought himself a cheap suit and tried to tailgate into the side-entrance. He was stopped by a member of staff as per the company policy. The hoodlum brazened it out by asking him "was it because he was black?" and the member of staff immediately apologised. The hoodlum demanded his manager's name (so he could make a complaint) and received even more profuse apologies.
The 'mark' then helped him to take laptops out of the conference suite and load them into the back of an unmarked van.
Moral of the story? Social engineering simply requires confidence
answered 2 days ago
Richard
75059
add a comment |
up vote
26
down vote
The main element, as you've said, is to not look like you're waiting for your mark to arrive. What you need is a prop that gives a visual indication why you're standing outside the door.
Useful props (that would explain your presence) would include:
- Cigarette or e-Cig.
- Lunch-bag(s).
- Coffee(s) from a local distributor.
- Box of doughnuts.
Having a bulky item or two of something (one in each hand) is especially useful because it would explain why you can't reach for a pass.
Story-time. I was working for a company that had access passes. A local hoodlum bought himself a cheap suit and tried to tailgate into the side-entrance. He was stopped by a member of staff as per the company policy. The hoodlum brazened it out by asking him "was it because he was black?" and the member of staff immediately apologised. The hoodlum demanded his manager's name (so he could make a complaint) and received even more profuse apologies.
The 'mark' then helped him to take laptops out of the conference suite and load them into the back of an unmarked van.
Moral of the story? Social engineering simply requires confidence
answered 2 days ago
Richard
75059
add a comment |
up vote
26
down vote
up vote
26
down vote
The main element, as you've said, is to not look like you're waiting for your mark to arrive. What you need is a prop that gives a visual indication why you're standing outside the door.
Useful props (that would explain your presence) would include:
- Cigarette or e-Cig.
- Lunch-bag(s).
- Coffee(s) from a local distributor.
- Box of doughnuts.
Having a bulky item or two of something (one in each hand) is especially useful because it would explain why you can't reach for a pass.
Story-time. I was working for a company that had access passes. A local hoodlum bought himself a cheap suit and tried to tailgate into the side-entrance. He was stopped by a member of staff as per the company policy. The hoodlum brazened it out by asking him "was it because he was black?" and the member of staff immediately apologised. The hoodlum demanded his manager's name (so he could make a complaint) and received even more profuse apologies.
The 'mark' then helped him to take laptops out of the conference suite and load them into the back of an unmarked van.
Moral of the story? Social engineering simply requires confidence
answered 2 days ago
Richard
75059
The main element, as you've said, is to not look like you're waiting for your mark to arrive. What you need is a prop that gives a visual indication why you're standing outside the door.
Useful props (that would explain your presence) would include:
- Cigarette or e-Cig.
- Lunch-bag(s).
- Coffee(s) from a local distributor.
- Box of doughnuts.
Having a bulky item or two of something (one in each hand) is especially useful because it would explain why you can't reach for a pass.
Story-time. I was working for a company that had access passes. A local hoodlum bought himself a cheap suit and tried to tailgate into the side-entrance. He was stopped by a member of staff as per the company policy. The hoodlum brazened it out by asking him "was it because he was black?" and the member of staff immediately apologised. The hoodlum demanded his manager's name (so he could make a complaint) and received even more profuse apologies.
The 'mark' then helped him to take laptops out of the conference suite and load them into the back of an unmarked van.
Moral of the story? Social engineering simply requires confidence
answered 2 days ago
Richard
75059
edited 2 days ago
answered 2 days ago
Richard
75059
answered 2 days ago
Richard
75059
answered 2 days ago
Richard
75059
75059
add a comment |
add a comment |
up vote
9
down vote
Buy one of these:
Look rushed, and knock on the window/door until someone lets you in. Once inside ask for a random name, and have a screenshot of the doordash app on your phone. (Preferably with the name showing)
If you're feeling ambitious:
Become a legitimate employee of doordash (it's not difficult), and then order food to that building from yourself with instructions to go and find someone specific at the company you are targeting.
Have the "customer" leave specific instructions as to where in the building they are. "I'm in the far east corner, in the meeting room. Just show this to the receptionist and tell her that [the CEO] said to let you in". If you encounter further locked doors show the note to the receptionist and ask if they can help you out: "Could you help me find that room?" "My phone is out of data, do you have wifi I could log into?" etc. etc.
answered yesterday
0112
1914
New contributor
0112 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
2
I can see this working, but if you "become a legitimate employee of doordash" wouldn't that make you more traceable after whatever nefarious activity you've gained access for has been discovered?
– James Bradbury
5 hours ago
@JamesBradbury You don't become an employee, you just get enough stuff to look convincing enough, like a uniform or bag. You can't be traced if you aren't with the company. It's all about keeping up appearances.
– shadowmanwkp
3 hours ago
@JamesBradbury that is certainly a risk if you do not wish to be traced. For a hired pentest however, this approach may make more sense.
– 0112
45 mins ago
add a comment |
up vote
9
down vote
Buy one of these:
Look rushed, and knock on the window/door until someone lets you in. Once inside ask for a random name, and have a screenshot of the doordash app on your phone. (Preferably with the name showing)
If you're feeling ambitious:
Become a legitimate employee of doordash (it's not difficult), and then order food to that building from yourself with instructions to go and find someone specific at the company you are targeting.
Have the "customer" leave specific instructions as to where in the building they are. "I'm in the far east corner, in the meeting room. Just show this to the receptionist and tell her that [the CEO] said to let you in". If you encounter further locked doors show the note to the receptionist and ask if they can help you out: "Could you help me find that room?" "My phone is out of data, do you have wifi I could log into?" etc. etc.
answered yesterday
0112
1914
New contributor
0112 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
2
I can see this working, but if you "become a legitimate employee of doordash" wouldn't that make you more traceable after whatever nefarious activity you've gained access for has been discovered?
– James Bradbury
5 hours ago
@JamesBradbury You don't become an employee, you just get enough stuff to look convincing enough, like a uniform or bag. You can't be traced if you aren't with the company. It's all about keeping up appearances.
– shadowmanwkp
3 hours ago
@JamesBradbury that is certainly a risk if you do not wish to be traced. For a hired pentest however, this approach may make more sense.
– 0112
45 mins ago
add a comment |
up vote
9
down vote
up vote
9
down vote
Buy one of these:
Look rushed, and knock on the window/door until someone lets you in. Once inside ask for a random name, and have a screenshot of the doordash app on your phone. (Preferably with the name showing)
If you're feeling ambitious:
Become a legitimate employee of doordash (it's not difficult), and then order food to that building from yourself with instructions to go and find someone specific at the company you are targeting.
Have the "customer" leave specific instructions as to where in the building they are. "I'm in the far east corner, in the meeting room. Just show this to the receptionist and tell her that [the CEO] said to let you in". If you encounter further locked doors show the note to the receptionist and ask if they can help you out: "Could you help me find that room?" "My phone is out of data, do you have wifi I could log into?" etc. etc.
answered yesterday
0112
1914
New contributor
0112 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Buy one of these:
Look rushed, and knock on the window/door until someone lets you in. Once inside ask for a random name, and have a screenshot of the doordash app on your phone. (Preferably with the name showing)
If you're feeling ambitious:
Become a legitimate employee of doordash (it's not difficult), and then order food to that building from yourself with instructions to go and find someone specific at the company you are targeting.
Have the "customer" leave specific instructions as to where in the building they are. "I'm in the far east corner, in the meeting room. Just show this to the receptionist and tell her that [the CEO] said to let you in". If you encounter further locked doors show the note to the receptionist and ask if they can help you out: "Could you help me find that room?" "My phone is out of data, do you have wifi I could log into?" etc. etc.
answered yesterday
0112
1914
New contributor
0112 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
edited 10 hours ago
answered yesterday
0112
1914
New contributor
0112 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered yesterday
0112
1914
answered yesterday
0112
1914
1914
New contributor
0112 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
0112 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
0112 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
2
I can see this working, but if you "become a legitimate employee of doordash" wouldn't that make you more traceable after whatever nefarious activity you've gained access for has been discovered?
– James Bradbury
5 hours ago
@JamesBradbury You don't become an employee, you just get enough stuff to look convincing enough, like a uniform or bag. You can't be traced if you aren't with the company. It's all about keeping up appearances.
– shadowmanwkp
3 hours ago
@JamesBradbury that is certainly a risk if you do not wish to be traced. For a hired pentest however, this approach may make more sense.
– 0112
45 mins ago
add a comment |
2
I can see this working, but if you "become a legitimate employee of doordash" wouldn't that make you more traceable after whatever nefarious activity you've gained access for has been discovered?
– James Bradbury
5 hours ago
@JamesBradbury You don't become an employee, you just get enough stuff to look convincing enough, like a uniform or bag. You can't be traced if you aren't with the company. It's all about keeping up appearances.
– shadowmanwkp
3 hours ago
@JamesBradbury that is certainly a risk if you do not wish to be traced. For a hired pentest however, this approach may make more sense.
– 0112
45 mins ago
2
2
I can see this working, but if you "become a legitimate employee of doordash" wouldn't that make you more traceable after whatever nefarious activity you've gained access for has been discovered?
– James Bradbury
5 hours ago
I can see this working, but if you "become a legitimate employee of doordash" wouldn't that make you more traceable after whatever nefarious activity you've gained access for has been discovered?
– James Bradbury
5 hours ago
@JamesBradbury You don't become an employee, you just get enough stuff to look convincing enough, like a uniform or bag. You can't be traced if you aren't with the company. It's all about keeping up appearances.
– shadowmanwkp
3 hours ago
@JamesBradbury You don't become an employee, you just get enough stuff to look convincing enough, like a uniform or bag. You can't be traced if you aren't with the company. It's all about keeping up appearances.
– shadowmanwkp
3 hours ago
@JamesBradbury that is certainly a risk if you do not wish to be traced. For a hired pentest however, this approach may make more sense.
– 0112
45 mins ago
@JamesBradbury that is certainly a risk if you do not wish to be traced. For a hired pentest however, this approach may make more sense.
– 0112
45 mins ago
add a comment |
up vote
0
down vote
People are helpful by nature. Approaching a door with your hands full, for example with a huge gift wrapped box, will encourage people to open the door for you, no questions asked.
answered yesterday
Teun Vink
5,26722029
add a comment |
up vote
0
down vote
People are helpful by nature. Approaching a door with your hands full, for example with a huge gift wrapped box, will encourage people to open the door for you, no questions asked.
answered yesterday
Teun Vink
5,26722029
add a comment |
up vote
0
down vote
up vote
0
down vote
People are helpful by nature. Approaching a door with your hands full, for example with a huge gift wrapped box, will encourage people to open the door for you, no questions asked.
answered yesterday
Teun Vink
5,26722029
People are helpful by nature. Approaching a door with your hands full, for example with a huge gift wrapped box, will encourage people to open the door for you, no questions asked.
answered yesterday
Teun Vink
5,26722029
answered yesterday
Teun Vink
5,26722029
answered yesterday
Teun Vink
5,26722029
answered yesterday
Teun Vink
5,26722029
5,26722029
add a comment |
add a comment |
up vote
0
down vote
Residential building? "pretend" to be a tradesman - you don't even need a costume or fake ID in many cases.
I know of a number of residential buildings in my area where on a weekday before 12:00, pressing the TRADE button on the access panel just opens the door.
Instant access and no subterfuge. Of course it depends on the building, but if it has an access option like this...
answered 3 hours ago
Baldrickk
1013
New contributor
Baldrickk is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
up vote
0
down vote
Residential building? "pretend" to be a tradesman - you don't even need a costume or fake ID in many cases.
I know of a number of residential buildings in my area where on a weekday before 12:00, pressing the TRADE button on the access panel just opens the door.
Instant access and no subterfuge. Of course it depends on the building, but if it has an access option like this...
answered 3 hours ago
Baldrickk
1013
New contributor
Baldrickk is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
up vote
0
down vote
up vote
0
down vote
Residential building? "pretend" to be a tradesman - you don't even need a costume or fake ID in many cases.
I know of a number of residential buildings in my area where on a weekday before 12:00, pressing the TRADE button on the access panel just opens the door.
Instant access and no subterfuge. Of course it depends on the building, but if it has an access option like this...
answered 3 hours ago
Baldrickk
1013
New contributor
Baldrickk is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Residential building? "pretend" to be a tradesman - you don't even need a costume or fake ID in many cases.
I know of a number of residential buildings in my area where on a weekday before 12:00, pressing the TRADE button on the access panel just opens the door.
Instant access and no subterfuge. Of course it depends on the building, but if it has an access option like this...
answered 3 hours ago
Baldrickk
1013
New contributor
Baldrickk is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered 3 hours ago
Baldrickk
1013
New contributor
Baldrickk is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered 3 hours ago
Baldrickk
1013
answered 3 hours ago
Baldrickk
1013
1013
New contributor
Baldrickk is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
Baldrickk is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Baldrickk is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
add a comment |
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f197732%2froles-to-play-when-tailgaiting-into-a-residential-building%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
29
Wait for people to come out for a smoke, smoke with them while talking to them. When they go back in, you join them.
– Jeroen - IT Nerdbox
Nov 15 at 13:15
12
"but how could have they known" - Not sure where you're located but if you can buy an air rifle and carry it around without much bother then that likely means you're in a place where the locals know what air rifles look like and you happened to run into one.
– Freiheit
Nov 15 at 20:27
41
If someone carrying a rifle tried to follow you into a building, would you challenge them?
– Jeffrey Bosboom
Nov 15 at 21:29
5
What has become of pushing every button on the doorbell panel? Someone always opens...
– Damon
yesterday
1
Buy one of these: images-na.ssl-images-amazon.com/images/I/… . Look rushed, and knock on the window/door until someone lets you in.
– 0112
yesterday