What’s in an Employee Number

I was reviewing a stalled investigation into an apparent corporate fraud when I noticed something interesting. A surveillance photograph was in the paper file — you don’t see many real surveillance photographs any more, just muddy images taken from video.

This particular photo was so clear and detailed that I had to talk to the investigator who took it. It was taken with a long lens mounted on a camera with a 22 mp full-frame CMOS sensor. The investigator directed me to the server and directory that contained over one hundred images along with video taken using the same camera. All of this data was summarised in two paragraphs in the investigation report. This proved unfortunate, as this fine work happened early in the investigation. The investigator wrote a detailed report that someone summarised without including a proper citation. The person who did this failed to recognise that the problem had been solved. Over one year later I was hired to solve this difficult and persistent problem.

The surveillance picture clearly showed an employee pass card. The pass card clearly showed the name of the security system vendor, employee name, employee picture, and worst of all, the employee number. The employee number was the de facto authentication required for gaining information the crooks needed. During social engineering the crooks were challenged and asked for their employee number. When they provided the number the information floodgates opened.

Further investigation revealed that a fake employee pass card was made and used to gain access to the facility. The card didn’t have any electronic component, but the crook was wearing an authentic-looking employee card just like everybody else, and that was enough for him to repeatedly gain the access he needed. He just walked through the front door at the right time of day and followed the real employees to the department where he committed his crime, over and over again.

Once captured, this crook freely admitted that he got everything he needed from the passcards that employees wore prominently around their necks. He copied it from pictures he took, just like the first investigator did.
