Are there unphotographable, but scannable ID cards?
up vote
49
down vote
favorite
We have a client who hosts an event, with a tight budget, that uses lanyarded Photo-ID cards with barcodes on them. The barcodes are used to gain access to various areas at the event.
We were thinking of proposing a hashed code (currently the IDs are sequential), but then it occurred that it's pretty easy to 'swipe' a card with high resolution photography, and then overlay one's existing barcode with a printout of the swipe.
Bearing in mind that we are using ean13 scanners, and there really is a tight budget (so NFC is out for the time being) - would an overlay, such as red cellophane, serve any purpose in mitigating this specific kind of attack?
identity barcode
asked Nov 28 at 7:20
Konchog
32
I think you are looking at the wrong layer for a solution. Why not use a 2nd factor? Or provide additional authentication token with the badge that is not observable? Like adding a sticker to the back of the card (scan the barcode, then check for the sticker)
– schroeder♦
Nov 28 at 9:31
23
Just putting the barcode on the back of the card might be good enough solution. Also consider, is there a particularly high incentive for people to fake the cards? Does it cause the event a lot of trouble if there are one or two cheaters?
– jpa
Nov 28 at 12:38
40
This question misses too much information, i.e. a better definition of your threat model. In addition to the other comment questions: Is event access also checked with the barcode, i.e. at your outside perimeter? Are people going to leave and re-enter that perimeter? How are the codes going to be distributed to the users - what are the chances of them falling into the wrong hands before the legitimate users present him/herself at the event?
– Jan Doggen
Nov 28 at 13:46
14
You should check out DEFCON 16: Toying with Barcodes. Barcodes give very little security. And authentication is not the only problem. Your scanners can be configured via barcodes so someone can fabricate some barcodes to "break" your scanners.
– Bakuriu
Nov 28 at 19:05
12
I agree with @JanDoggen. We need a threat model. If you have ultra-high risk associated with a single mishap, and no budget to actually implement the security procedures, then you need a very sharp focused threat model to focus your efforts. As an example: are the self-verification "what table am I at" as sensitive as the "enter this room" verifications? I assume not, and that helps you focus your dollars on the parts of the threat model which really matter to your client.
– Cort Ammon
Nov 28 at 20:37
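The "hashed code" the question proposes, sketched as an added example (not part of the original thread): a sequential serial plus a truncated HMAC tag packed into the 12 data digits of an EAN-13 code. The 6+6 digit split, the function names and the demo key are assumptions made here; the tag stops guessing of neighbouring IDs, while a photographed code still verifies.

```python
import hashlib
import hmac
from typing import Optional

SERIAL_DIGITS = 6  # assumed layout: 6-digit attendee serial ...
TAG_DIGITS = 6     # ... then a 6-digit keyed tag, then the EAN-13 check digit

DEMO_KEY = b"constructed-demo-key-do-not-reuse"  # constructed for this example


def ean13_check_digit(data12: str) -> str:
    """Standard EAN-13 check digit (weights 1,3,1,3,... from the left)."""
    if len(data12) != 12 or not (data12.isascii() and data12.isdigit()):
        raise ValueError("expected exactly 12 ASCII digits")
    total = sum(int(d) * (3 if i % 2 else 1) for i, d in enumerate(data12))
    return str((10 - total % 10) % 10)


def keyed_tag(key: bytes, serial: int) -> str:
    """Truncate HMAC-SHA256(key, serial) to TAG_DIGITS decimal digits."""
    msg = f"{serial:0{SERIAL_DIGITS}d}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    value = int.from_bytes(mac[:8], "big") % 10 ** TAG_DIGITS
    return f"{value:0{TAG_DIGITS}d}"


def issue_badge(key: bytes, serial: int) -> str:
    """Build the 13-digit code printed on the badge for one attendee."""
    if not 0 <= serial < 10 ** SERIAL_DIGITS:
        raise ValueError("serial out of range")
    data = f"{serial:0{SERIAL_DIGITS}d}" + keyed_tag(key, serial)
    return data + ean13_check_digit(data)


def verify_badge(key: bytes, scanned: str) -> Optional[int]:
    """Return the attendee serial if the scan is a code we issued, else None."""
    if len(scanned) != 13 or not (scanned.isascii() and scanned.isdigit()):
        return None
    data, check = scanned[:12], scanned[12]
    if check != ean13_check_digit(data):
        return None  # misread or malformed code
    serial = int(data[:SERIAL_DIGITS])
    # Constant-time comparison of the printed tag with the recomputed one.
    if not hmac.compare_digest(data[SERIAL_DIGITS:], keyed_tag(key, serial)):
        return None  # well-formed EAN-13, but not one we issued
    return serial


if __name__ == "__main__":
    badge = issue_badge(DEMO_KEY, 1042)
    print("issued :", badge, "->", verify_badge(DEMO_KEY, badge))

    # A neighbouring serial with a made-up tag: valid EAN-13, rejected by the tag.
    guess = "001043" + "000000"
    guess += ean13_check_digit(guess)
    print("guessed:", guess, "->", verify_badge(DEMO_KEY, guess))

    # An exact copy of a genuine code is indistinguishable to this check.
    print("copied :", badge, "->", verify_badge(DEMO_KEY, badge))
```

A 6-digit tag gives a one-in-a-million chance per guess, which is adequate only because every guess has to be presented to a person at a door.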
21 Answers
up vote
76
down vote
Simple answer: No
If you can see it, you can photograph it.
There have been countless attempts over the years to solve this part of DRM and all have failed.
Instead of focusing on the barcode, have you considered making it difficult to copy the id card itself? So that security for each area can quickly check it isn't an overlay? For example a hologram over the barcode that the scanner ignores but a human can check, or a high quality plastic card with the barcode in the coloured coating - a guard can spot a fake overlay.
6
I'd think something akin to a monitor privacy filter would help a bit. It would at least ensure that the barcode would have to be viewed from a very precise angle, which is easy for a scanner but not a photographer.
– forest
Nov 28 at 8:08
5
Yeah - I have one for my luggage tags (3M were at a conference I went to and were giving out interesting swag) but it's not useful enough: lanyards swing etc
– Rory Alsop♦
Nov 28 at 8:09
1
@RoryAlsop, Do you have a photo of what that (the monitor privacy thing) looks like? (never mind I googled it - 3M are easy to find, but again quite expensive). The client cannot afford holograms! How about if we stick it on the inside of a folded id - booklet style - with the photo on the outside? Hmm but it makes UX a bit fiddly. stumped
– Konchog
Nov 28 at 8:34
10
I like the idea. For one time events, it is easier to stick a cheap unique hologram sticker to defeat photocopy.
– mootmoot
Nov 28 at 9:38
5
@Konchog IMHO, the purpose is to defeat photocopy, any cheapo hologram will do.
– mootmoot
Nov 28 at 9:41
up vote
52
down vote
Simple answer is yes. Unfortunately I think you might be struggling to do so on a tight budget. Barcodes can be printed using inks that are only visible under UV/IR light, so they aren't visible to the naked eye and can't be replicated without specialist equipment and inks.
Unfortunately the scanners that can read these codes aren't cheap and neither is the ink so unless you're going to be having more than a couple of thousand attendees the NFC route is going to be cheaper. And as the question indicates this isn't something you think they will pay for so that probably puts the "unphotographable" barcode solutions out of your price range.
5
Yeah they aren't completely foolproof - most of the inks work by fluorescing in the visible spectrum when under the appropriate type of light so using that to uncover the barcode and then reproducing it would probably fool scanners, that actually gives me an idea - I wonder if printing the barcodes using UV ink and then having a cheap UV light set up next to a standard scanner to reveal it would work. It's a bit rough and ready (and would be vulnerable to the above flaw for certain) but might be on-budget?
– motosubatsu
Nov 28 at 12:16
7
I really want to test this now with a cheap barcode reader, a strong UV lamp and UV ink. Could cheap materials work?
– schroeder♦
Nov 28 at 13:38
1
@schroeder me too! I've got access to a reader at work but would need a way to produce UV barcodes
– motosubatsu
Nov 28 at 13:42
6
My kid has a "secret writing pen" with a built-in lamp. Hit a dollar store? Use a stencil to copy an existing barcode
– schroeder♦
Nov 28 at 13:43
5
Unfortunately, many phone cameras can "see" infrared.
– MGOwen
Nov 29 at 6:33
up vote
28
down vote
While a simple red cellophane does little to hide the barcode, you could apply multiple colors to hide the barcode from human eye. If the barcode scanner only uses a single wavelength (such as red), it will see the colors differently than a human or a color camera.
This would be more difficult to photograph and print successfully, because cameras and printers will blur the colors more easily than they would blur a black and white image. Further, you could experiment with making the foreground and background some kind of random pattern, so that it is not obvious that it is a barcode at all.
For example, you replace black with blue and green, and white with red and orange:
To a red-light barcode scanner, this should appear like a normal black and white barcode. But I expect it would be more difficult to copy successfully.
Theoretical background: The human eye is most sensitive to brightness variations, and less sensitive to color variations. Most of our equipment, such as cameras, printers and image formats reflect this, and methods such as Chroma subsampling and Bayer filter are in common use. But a scanner at a single wavelength is completely insensitive to brightness variations in other colors, and very sensitive to color variations that affect the amount of red in the color.
Thus the pattern should be designed so that it has a lot of brightness variation to make copying difficult, while keeping the brightness seen by scanner the same. One way to do this in image editors is to separate red/green/blue channels and only edit the green and blue channels.
4
Looks like some kind of tartan. But still, if you can scan it, you can also make a photograph of it, can't you?
– Trilarion
Nov 28 at 13:54
3
@Trilarion Yeah, but it's more work to do so successfully. At least color vs. bw printer, or some photoshopping. And I expect it could blur more easily in camera or JPEG compression, though of course with care you can still do it.
– jpa
Nov 28 at 13:56
4
Great practical solution! The threat model is currently someone getting a quick "blurry" photograph from the original card and printing this photograph with a consumer-grade printer onto simple paper. - The color differences from the original to this one coupled with some blurriness will probably lead to copies being ineffective at scanners and very easily identifiable by human security.
– Falco
Nov 29 at 13:45
4
I think this answer is theoretically correct, but in practical reality won't work: There's enough of a safety margin on labels that you get a good read (say) 9-out-of-10-times. To be so borderline-illegible that a good photo is made to reliably fail (that's what you're proposing) seems a recipe for frustration --- for chaos and long queues and social engineering opportunities to enter your venue. Coincidentally today I got offered a (non-sensitive) product I asked after, when my ID proved illegible; the vendor said "You were here on Saturday, right? I remember you" when I absolutely hadn't.
– user3445853
Nov 29 at 21:45
Unless you had a scanner setup to be sensitive to precise customized ink variants, photographing this and printing on a run of the mill consumer color printer will duplicate this just fine. Human eye response is not relevant.
– user10216038
Nov 30 at 22:59
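The channel-separation idea in the answer above, as an added example that is not the answerer's code: the bars are carried only by the red channel while green and blue are random, so a red-channel read recovers the EAN-13 modules and a brightness read does not. The colour ranges, pixel sizes, threshold, sample code and function names are assumptions; quiet zones and real ink behaviour under a scanner are not modelled.

```python
import random

# EAN-13 left-hand "L" patterns; R is the bitwise complement, G is R reversed.
L_CODES = ["0001101", "0011001", "0010011", "0111101", "0100011",
           "0110001", "0101111", "0111011", "0110111", "0001011"]
# L/G parity of the six left-hand digits, selected by the first digit.
PARITY = ["LLLLLL", "LLGLGG", "LLGGLG", "LLGGGL", "LGLLGG",
          "LGGLLG", "LGGGLL", "LGLGLG", "LGLGGL", "LGGLGL"]


def ean13_modules(code13: str) -> str:
    """Return the 95 bar modules of an EAN-13 symbol ('1' = dark bar)."""
    if len(code13) != 13 or not (code13.isascii() and code13.isdigit()):
        raise ValueError("expected 13 ASCII digits")
    digits = [int(c) for c in code13]
    parts = ["101"]                                    # start guard
    for d, parity in zip(digits[1:7], PARITY[digits[0]]):
        r_code = "".join("1" if b == "0" else "0" for b in L_CODES[d])
        parts.append(L_CODES[d] if parity == "L" else r_code[::-1])
    parts.append("01010")                              # centre guard
    for d in digits[7:]:
        parts.append("".join("1" if b == "0" else "0" for b in L_CODES[d]))
    parts.append("101")                                # end guard
    return "".join(parts)


def camouflage(modules: str, px: int = 4, height: int = 40, seed=None):
    """Rows of (r, g, b) pixels: red carries the bars, green/blue are noise."""
    rng = random.Random(seed)
    rows = []
    for _ in range(height):
        row = []
        for m in modules:
            for _ in range(px):
                if m == "1":   # "black" becomes blues and greens: almost no red
                    row.append((rng.randint(0, 40), rng.randint(0, 255), rng.randint(0, 255)))
                else:          # "white" becomes reds and oranges: red near maximum
                    row.append((rng.randint(215, 255), rng.randint(0, 165), rng.randint(0, 60)))
        rows.append(row)
    return rows


def red(pixel):
    """What a single-wavelength red scanner responds to (idealised)."""
    return pixel[0]


def luma(pixel):
    """Rec. 601 luminance, i.e. what a greyscale copy keeps."""
    return 0.299 * pixel[0] + 0.587 * pixel[1] + 0.114 * pixel[2]


def read_line(rows, channel, px: int = 4) -> str:
    """Threshold the middle scan line at 128, one decision per module."""
    line = rows[len(rows) // 2]
    out = []
    for i in range(0, len(line), px):
        vals = [channel(p) for p in line[i:i + px]]
        out.append("1" if sum(vals) / len(vals) < 128 else "0")
    return "".join(out)


def write_ppm(path: str, rows) -> None:
    """Save the pixels as a plain-text PPM image for viewing or printing."""
    with open(path, "w") as f:
        f.write(f"P3\n{len(rows[0])} {len(rows)}\n255\n")
        for row in rows:
            f.write(" ".join(f"{r} {g} {b}" for r, g, b in row) + "\n")


if __name__ == "__main__":
    modules = ean13_modules("2000000010427")   # constructed sample code
    rows = camouflage(modules, seed=1)
    write_ppm("camouflaged_barcode.ppm", rows)
    print("red channel matches bars:", read_line(rows, red) == modules)
    print("luminance matches bars  :", read_line(rows, luma) == modules)
```

A copy that preserves colour also preserves the red channel, so this only degrades greyscale or heavily blurred copies.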
up vote
23
down vote
The cheapest solution for your situation in this case is utilising the human security guard to do a photo check. Use the barcode tag to quickly look up the user's record from the participant database; the database should store the participant's photo, and the guard should check that the participant who presented themselves matches the photo in the database.
The barcode in this case should not really be considered part of the security; it's just a quick way to look up database records, so it doesn't matter if it gets copied. The real security comes from the photo matching. Obviously, you can't really enforce security on self-scan spots in this case, which is the main weakness.
4
Photo check is not required. Just verify that a badge is legitimate. The vulnerability becomes the ability to source and print a badge that will pass inspection, which raises the bar significantly.
– schroeder♦
Nov 28 at 11:55
2
"Oh, the event has already started? I reeeeally need to get in! Here's my legit barcode. You can skip the photo check, okay? Okay! Bye!!"
– Tom K.
Nov 28 at 13:23
@schroeder Depends on if "sharing" badges is considered a problem. (Or, if this is a heist novel, knocking someone out for 8+ hours and "borrowing" theirs.)
– user3067860
Nov 28 at 14:45
up vote
17
down vote
You can’t, because as long as both a human and a barcode scanner need to be able to see the whole thing, so can a camera and copier.
A barcode is no different than printing a string of text, except a machine can read it faster. Security-wise it adds no protection.
This issue might not be part of the threat model — have you checked that?
8
Indeed. The organisers will have to decide which is more of a threat to their tight budget: spending more on useful ID cards, or risking someone photographing a card, reprinting it, entering the event and then drinking all the champagne themselves (is this likely?)
– Lightness Races in Orbit
Nov 28 at 10:42
16
@forest I think you misunderstood me. It's a common way to perform an attack, yes. But will it be likely for someone to attack this event in this way for the purpose of ... doing what? What would be their goal? What resources are at risk? Is it a champagne reception? If so, can they even really possibly drink enough to harm you to the extent that it's economical to spend a ton of money on NFC hard passes? Of course you don't want uninviteds at your party but you have to apply balance when deciding what to spend on mitigation.
– Lightness Races in Orbit
Nov 28 at 10:45
3
.. OP says they can't afford secure passes so the [IMO low] risk in this case is probably worth it from that perspective. Any possible financial losses are not likely to cost as much as the technology that they can't afford.
– Lightness Races in Orbit
Nov 28 at 10:47
1
@Konchog Indeed!
– Lightness Races in Orbit
Nov 28 at 12:16
12
@Konchog People who want to protect high-value things without spending money on it always remind me of the old saying "If you've got a $5 head buy a $5 helmet" :D
– motosubatsu
Nov 28 at 12:36
up vote
15
down vote
Is NFC really too expensive? I found a 50-pack of MiFARE NFC stickers for $13.20, making them < $0.27 per attendee; if you plan on 500 attendees, that's $132 which really isn't that much in the scheme of a catered event of that scale. If you can manage to swing $0.89 per attendee, you can actually get inkjet-printable MiFARE cards, saving the step of printing and separately applying a sticker (though you'd have to have a flat-paper-path printer that the cards could be fed through).
Since NFC can't be photographed, it can't be easily duplicated, but tags are easily read by any smartphone and a variety of other devices, and are often less finicky. For example, if the badge is in a plastic holder, a barcode scanner might pick up too much reflected ambient light to be able to read the barcode, and the person would have to tilt it this way and that (pausing a bit each time to give the scanner time to focus), hoping to reduce the glare enough for the scanner to read the code; with NFC, just pressing the card against the reader and maybe wiggling it around a bit until you hit the sweet spot. By the 10th or 15th scan, the security person should have a pretty good clue where the sweet spot is and be able to scan almost instantaneously from there on out.
EDIT1: Even basic, cheap non-cryptographic NFC tags programmed with simple ID numbers are more difficult to duplicate -- you need to either have close proximity access to a tag (generally less than a foot). This makes them significantly more difficult to clone than a barcode that can be captured by a decent camera from several feet away or across the room or further with a good DSLR and zoom lens. Optimum read range on NFC chips is based on the loop antenna radius of the chip: the radius divided by ~1.414. On a 2"x3.5" NFC card the radius can't be more than 1 inch (2.54cm) since the loop's antenna can't be more than 2 inches in diameter, giving us an "optimum" read range of just under 2cm (less than an inch). Even with a powerful reader, I seriously doubt you're going to be able to read the tags at distances greater than a foot.
EDIT2: As @Falco pointed out in the comments below, if you print a barcode on the badge too, a potential ne'er-do-well might not even realize there's an NFC tag and attempt to just clone the barcode... but of course their counterfeit badge wouldn't scan with NFC, exposing it as a fake.
2
"it can't be easily duplicated, but tags are easily read" - That doesn't make sense. If you can read it, you can duplicate it.
– AndrolGenhald
Nov 28 at 22:08
11
@AndrolGenhald: not necessarily, higher security NFC Smartcards use cryptography to sign a challenge-response protocol. These types of tags are essentially impossible to duplicate without breaking the physical enclosure of the original tag, and the physical enclosure is often rigged to destroy the signing key if it's tampered with. These types of tags aren't as cheap as the static passive tags though.
– Lie Ryan
Nov 28 at 23:07
1
@LieRyan I suppose "tags are easily read" is a bit ambiguous, I wouldn't call authenticating with a smartcard "reading" it, as you're sending it data to sign and checking the response, but I guess you could still call it that. Smartcards are likely too expensive for OP though, which is probably why they specifically rule out NFC.
– AndrolGenhald
Nov 29 at 0:30
3
NFC stickers are not expensive - and NFC scanners are getting far more affordable. However, when this was last tried out it did not work so well - there were problems with the scanners at that time (which may well have been an upstream issue). Also, there were problems with getting NFC embedded cards printed on time, and then matching each NFC identity with the system identity without pre-printing identity details. The client may revisit NFC at some point - but we are told that they are staying with EAN13 scanners for the time being.
– Konchog
Nov 29 at 7:25
3
At a one shot event obscurity can be used as a valid strategy to increase security. Printing Barcodes on the NFC-Tagged cards will lead many potential threats to try and copy the barcodes before realizing NFC-Equipment might be necessary.
– Falco
Nov 29 at 13:49
up vote
11
down vote
Not sure how you are planning to carry the id cards, whether hung directly from the lanyard with a simple hole punched through the card or if in a carrier or plastic wallet hung from the lanyard.
If you use the clear wallet style of carrier you could have something printed, or a sticker applied, on the outside that covers the area of the barcode but leaves the photo and other identifying information visible to human readers. Make sure this is on both sides in case the card is placed in the carrier reversed. This would mean a 'drive by' photo of someone would not reveal the barcode at all. The card would have to be removed, or moved within the carrier, for scanning the barcode, however.
If using a more substantial plastic carrier print the barcode on the reverse of the card ensuring it is obscured from view while in the carrier.
up vote
5
down vote
One thing you could do that's been a staple of anti-counterfeiting for millennia is to introduce a deliberate flaw into your barcode that causes it to read, for example, the last two characters "incorrectly." Make it look like an accidental misprint of the card.
You then instruct your scanner/software to ignore the error and pass you the data anyway, leaving out the invalid bits.
Someone forging cards will likely assume that their photograph was imperfect or that they got a smudged card and manually correct the "error".
Your software can then notice that it's being sent the "this card is a forgery" code and alert security.
This is not the best security mechanism as it depends on an attacker both not knowing what you're doing and not just blindly copying the card without checking that it printed correctly.
Pair this with some kind of watermarking. Either a literal watermark if you're using a paper card, or say stamping all the cards with an additional code that only shows up under UV light.
If you stamp on a QR code, building a scanner that consists of a box with a slot in the front containing a camera and a UV lamp would be the work of an afternoon. Pipe it to the QR reader program of your choice. As long as you manage to keep the presence of the watermark a secret it should be nearly impossible for anyone to forge a card.
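One way to implement the deliberate-flaw check described in this answer, using the EAN-13 check digit as the flawed character (added example, not the answerer's code). The offset rule, the names and the sample scans are constructed, and it assumes a scanner that passes codes whose check digit fails, as the answer requires.

```python
from typing import Iterable, List, Set, Tuple

FLAW_OFFSET = 3  # assumed secret rule: printed digit = standard check digit + 3 (mod 10)

# Constructed sample data: 12-digit payloads of issued badges and a few gate scans.
ISSUED = {"200000001042", "200000001043"}
SCANS = [
    ("09:01", "gate-A", "2000000010420"),  # genuine badge, flawed digit as printed
    ("09:02", "gate-A", "2000000010434"),  # same payload as a badge, digit "corrected"
    ("09:05", "gate-B", "2000000010437"),  # genuine badge (or an exact copy of it)
]


def ean13_check_digit(data12: str) -> str:
    """Standard EAN-13 check digit (weights 1,3,1,3,... from the left)."""
    total = sum(int(d) * (3 if i % 2 else 1) for i, d in enumerate(data12))
    return str((10 - total % 10) % 10)


def printed_code(data12: str, offset: int = FLAW_OFFSET) -> str:
    """Code as printed on a genuine badge: payload plus the deliberately wrong digit."""
    if not 1 <= offset <= 9:
        raise ValueError("offset must change the check digit")
    return data12 + str((int(ean13_check_digit(data12)) + offset) % 10)


def classify(scanned: str, issued: Set[str], offset: int = FLAW_OFFSET) -> str:
    """Classify one raw scan as genuine, forgery-corrected, misread, unknown or malformed."""
    if len(scanned) != 13 or not (scanned.isascii() and scanned.isdigit()):
        return "malformed"
    data, check = scanned[:12], int(scanned[12])
    if data not in issued:
        return "unknown"
    standard = int(ean13_check_digit(data))
    if check == (standard + offset) % 10:
        return "genuine"            # carries the flaw exactly as printed
    if check == standard:
        return "forgery-corrected"  # someone "repaired" the misprint
    return "misread"


def alerts(scans: Iterable[Tuple[str, str, str]], issued: Set[str]) -> List[Tuple[str, str, str]]:
    """Return the (time, gate, code) events that should be escalated to security."""
    return [s for s in scans if classify(s[2], issued) == "forgery-corrected"]


if __name__ == "__main__":
    for when, gate, code in SCANS:
        print(when, gate, code, classify(code, ISSUED))
    print("alerts:", alerts(SCANS, ISSUED))
```

The third scan shows the limit the answer itself names: an unmodified copy of a genuine badge classifies as genuine.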
up vote
5
down vote
Yes, there is a way to do it*
Use fluorescent materials for the barcode itself, making it so that duplication cannot be done by photograph without ruining the duplicate's "invisibility", which distinguishes fakes. Modern ID cards use this.
*This only works for polycarbonate cards, not PVC. Unfortunately, this may not fit your client's budget.
2
Simple trick to make a document copy-evident: use fluorescent highlighter pens on it. Color photocopiers will copy the apparent colour but not the fluorescent property, usually causing the copy to look different.
– rackandboneman
Nov 30 at 20:49
up vote
4
down vote
How about if the first time they're scanned in at the door by a human, the security person (i.e. scanner) checks the photo to make sure it matches the person with the badge. If it matches, the security person puts on one of those inexpensive tyvek wristbands of a specific color. These are often used at amusement parks, ball games, etc. to indicate specific access levels, age qualifications, etc. This would at least prevent unauthorized people from getting into your venue in the first place.
These wristbands are one-time use, and are very difficult to take off and put on someone else without noticing that they've been removed. If you keep secret the "wristband color of the day", or get some specially made with a specific color or colors, then they should be fairly secure from copying. I also believe that these are typically rather inexpensive in bulk.
Though in general, if security is this critically important at this event, then security should have been allocated enough funds up front to support its importance and value.
up vote
4
down vote
I know I'm late to the game, but here are two suggestions from me:
1) Make the barcode really small, just big enough to be picked up by a barcode scanner. This makes it difficult (but not impossible) to take useable copies with a camera without making it obvious that you're trying to do it.
2) Split the barcode in two pairs (for instance, just every other bar) and print one half on the ID card, and one half on a transparent overlay -- you would then have to manually align the two halves to make a useful barcode. This makes it more tedious to actually use, but makes it unlikely that the parts will line up while dangling on the lanyard (especially if you make the transparent part with a different balance).
You can of course combine the two approaches.
It's great fun - but I think it's way too complicated for the wearers, and slows down entry/exit points even more so.
– Konchog
Nov 29 at 8:24
up vote
3
down vote
Easy solution: Print the barcode on the lanyard and not on the badge.
Everybody can print out a Photo-ID made out of paper with a barcode. It is rather complicated to print a barcode on a lanyard with your home printing equipment.
If your PhotoID looks something like this:
It is very hard for a guard to tell if this barcode is the real deal or just a printed and glued on version of the barcode. If your event is attended by 300+ people, it gets very tedious to check these things. The bigger the barcode the better. If you are planning to use PhotoID that are made out of paper then it becomes impossible to tell if a printout is real or fake.
If the barcode is on the lanyard it is extremely easy for the guards to tell if this is fake or real. But keep in mind this is by no means a failsafe method. It is really a "we have no more money left" control, and not something you should rely on.
While a cool suggestion, I'm not sure this fixes anything. I can take a snapshot of the barcode and use a slip of paper in the reader. The best control here is to have a human verify the validity of the barcode media. The human would reject a slip of paper in both instances.
– schroeder♦
Nov 28 at 13:29
1
OP stated here that access to a room is always granted by a person who scans the barcode. The person will recognize if the barcode is on the lanyard or on something else.
– Tom K.
Nov 28 at 13:33
1
Right, so I'm not sure how this control adds anything but unnecessary complexity. The paper barcode would be detected in either case.
– schroeder♦
Nov 28 at 13:35
1
I was a bouncer at several high class events. I was underpaid, tired and everyone looked at me like I was dirt. I (and all my colleagues) would have never tested several hundred cards with our fingernails. But we could've probably spotted a "cheater" from 50 meters away. Controls that rely on humans only work when enforced. And this is a control that will not work, because it will not be enforced.
– Tom K.
Nov 28 at 13:52
2
I can't stand lanyards and would use a safety pin or fasten the card to a button or similar. If the lanyard holds the real barcode then it's required. Whoops!
– Criggie
Nov 28 at 18:07
up vote
3
down vote
While not a complete solution to the problem, you can make life slightly more difficult by including the EURion Constellation on your cards. This may be used in conjunction with other approaches.
EURion constellation is a pattern of symbols incorporated into a number of banknote designs worldwide since about 1996. ... [It] consists of a pattern of five small yellow, green or orange circles, which is repeated across areas of the banknote at different orientations. The mere presence of five of these circles on a page is sufficient for some colour photocopiers to refuse processing.
Yeah I was thinking of something like this too last night - but it would still mean upgrading the scanners; also, and in fairness, the need (as I see it) isn't really trying to prevent counterfeits, as much as being able to protect identity.
– Konchog
Nov 29 at 7:17
2
@Konchog: No, your scanners don't need to detect the pattern. The hope is that the attacker cannot scan the pattern. You are only scanning barcodes.
– MSalters
Nov 29 at 8:05
@MSalters, ok - right.. But are cameras defeated by EURion? I just took a photo of a €20 note with no problems using an iPhone..
– Konchog
Nov 29 at 8:18
1
@Konchog: I did write "hope" intentionally there. Still, many printers also detect the pattern, so you might have a second line of defense.
– MSalters
Nov 29 at 8:26
up vote
3
down vote
While it might be simple to take a photo of one side, it's much harder to capture both sides in a casual attack. You can do various things to build on that idea, depending on the event.
- Unique barcodes on each side, attendee puts card between two readers
- Barcode on one side, human-verifiable information on the other. Manually compared against account.
Or you could add a second factor. Send the participant a registration SMS when they first scan in, that captures their beacon with the local wifi and then you can do approximation checks every time they scan in the future. If their phone isn't where it should be, block access and send another SMS-link. You could two-factor all the way, but you'd probably want an app to provide a quicker notification.
Or you could just obscure the barcode entirely. Your idea was red cellophane... Why not just a blackout cover? This could be as dirty as a postit or some high-tack tape, or as pretty as a sleeve that only obscures the barcode.
up vote
2
down vote
As stated in other comments, it is unclear what the threats you are facing are. If you are purely worried about people photographing the identification, just do something so that the natural physical state of the pass obscures the barcode. For example, you can distribute the passes folded in half (the lanyard can help keep it in half) and the bar code can be on the inside. When people go to scan them, you can have security 'unfold' the pass to reveal the barcode. Or you can have people wear ID's but carry a bar-coded card in their pockets for entry.
1
Yes, the idea is mentioned above. It may seem unlikely, but it should be clear that I cannot reveal too much about anything on a public forum, and I err on the side of caution here. However, the 'threat' is access to high-value people rather than free champagne.. Not exactly meeting the president - but - you get the picture...
– Konchog
Nov 29 at 7:20
up vote
2
down vote
Theoretically you can print in something polarised.
Then view it with polarised light or through a polarised filter.
Not necessarily cheap though.
Presumably you can choose linear or circularly polarised in order to avoid any filter that might typically be in a common camera.
up vote
2
down vote
Strictly speaking, there isn't. If the scanner can read it, it can be recorded and reproduced. But that doesn't tell the whole story.
Although cameras and screens/printers these days are pretty universal, they can't capture and reproduce every single color. There are actually colors that the human eye can see, but which are difficult to capture on camera, display on screen or print on paper:
Some simple examples include fluorescent colors, actual fluorescence triggered by a certain color light emitted by the scanner (for instance, green plants glow orange under UV light), non-visible colors like UV or infrared. You could also go the reverse way and include features that are visible normally but invisible to your scanner, for instance perhaps part of the barcode is sandwiched between sheets of paper and which becomes properly transparent only under your scanner. Many banknotes incorporate such security measures based on transparency, special dyes and paper, glowing/hologrammed elements and so on.
This doesn't mean your card is unphotographable, since obviously your scanner can detect it - an adversary could build a similar device and record your card. But it does mean that readily available consumer cameras won't be able to, so the adversary will have to obtain specialized equipment (which may not even be legal to purchase) or even build their own device. Similarly, reproducing will also be a challenge. If you use a color outside the CMYK space they can't print it, and if outside RGB their phone screen won't show it. Again, they can obtain or make specialized screens/papers that can do it (after all, whoever made your legitimate ID cards was able to) but it will be harder. Not to mention it will be easier for law enforcement to find them, because not many people would have such specialized equipment with no good reason.
Really the ideal solution here is to just use RFID chips with encryption. Few people have the technical skills to reproduce those, and even if they do, they won't be able to easily find out the encryption key in the chip. As a lower cost option, magnetic cards should be cheaper, those can be easily cloned but it requires equipment. The time tested physical access control solution is of course a plain key (also not so simple to copy). Or you could just forget it all and go with memorized passwords.
If you really have to use the scanners, I would either look into fluorescent ink, or printing on some material that doesn't look right except for a specific wavelength (which the scanner would presumably provide). But it's hard to be more precise without knowing what your scanner is.
up vote
1
down vote
If you can ensure all barcodes are printed at the exact same spot, you could modify the slot of the barcode reader to position the ID exactly with something covering the borders. So if someone tries to print a photo but it is slightly off-center, the barcode won't be read.
However I would suggest that the reception do not have such thing, and just the ones with sensitive data. This way a "cheater" gets in thinking it worked, then he is stuck inside when trying to pass thru restricted areas. Depending on the person, it would be risky to go out and try to get it fixed and reveal their intention. If he gets blocked before entering the "common area", they might have a chance to fix that and try again with another person.
5
Scanners are not that precise. Photoshop is not that imprecise.
– schroeder♦
Nov 28 at 13:31
1
"Stuck inside" sounds like a potential fire code violation
– infixed
Nov 30 at 17:19
up vote
0
down vote
I think you are too much focussed on copying the barcode. The correct way to do this is to issue a unique ID to each and every visiting person and keeping track of that ID, checking it in to (and possibly out of) the different venues. If an ID already is inside a venue then entry would be prohibited.
There still is the possibility that a visitor gains entry with a copied barcode before the rightful ID owner. But in such a case the rightful owner could prove that he is the rightful owner of the ID by means of some type of receipt. You could then invalidate that ID in the computer, thus locking out the copied ID from further attendances.
But is this worth the effort? What harm is done by a few unrightful visitors? The best security measure might be just to tell people there is a security measure to prevent fraud. "Please note that we will keep track of issued IDs and should we find that somebody has gained unrightful entry we will have our security guards take care of him until the police arrives" or similar might just do it... :-)
3
This creates a denial of service for the person who paid to enter the event if the illegitimate person enters first. While the receipt is a nice idea, it becomes a crucial part of their authorisation, which is what the ID is supposed to be
– schroeder♦
Nov 29 at 14:06
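The check-in tracking proposed in the answer above, as an added example that is not part of the original post or its comments: a register that admits a badge number once per venue, flags a second presentation, and moves entitlements to a fresh number when the old one is invalidated. The class and method names and all badge numbers are hypothetical and constructed for illustration, and it assumes every door scanner reports to one shared register.

```python
"""Per-venue check-in register for barcode badges (added example).

All names and badge numbers are constructed for illustration."""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ADMIT = "admit"
    DENY_UNKNOWN = "badge number was never issued"
    DENY_REVOKED = "badge has been invalidated"
    DENY_NOT_ENTITLED = "badge is not valid for this venue"
    DENY_ALREADY_INSIDE = "badge is already checked in to this venue"


@dataclass
class Badge:
    holder: str
    venues: frozenset
    revoked: bool = False


@dataclass
class AccessRegister:
    badges: dict = field(default_factory=dict)   # badge id -> Badge
    inside: dict = field(default_factory=dict)   # venue -> set of badge ids
    log: list = field(default_factory=list)      # (sequence, badge id, venue, event)

    def _record(self, badge_id, venue, event):
        self.log.append((len(self.log) + 1, badge_id, venue, event))

    def issue(self, badge_id, holder, venues):
        if badge_id in self.badges:
            raise ValueError(f"badge {badge_id} already issued")
        self.badges[badge_id] = Badge(holder, frozenset(venues))
        self._record(badge_id, None, "ISSUED")

    def scan_in(self, badge_id, venue):
        badge = self.badges.get(badge_id)
        if badge is None:
            decision = Decision.DENY_UNKNOWN
        elif badge.revoked:
            decision = Decision.DENY_REVOKED
        elif venue not in badge.venues:
            decision = Decision.DENY_NOT_ENTITLED
        elif badge_id in self.inside.get(venue, set()):
            # The same number is being presented twice. The register cannot
            # tell which presenter holds the copy, so a guard must resolve it.
            decision = Decision.DENY_ALREADY_INSIDE
        else:
            self.inside.setdefault(venue, set()).add(badge_id)
            decision = Decision.ADMIT
        self._record(badge_id, venue, decision.name)
        return decision

    def scan_out(self, badge_id, venue):
        present = badge_id in self.inside.get(venue, set())
        if present:
            self.inside[venue].remove(badge_id)
        self._record(badge_id, venue, "EXIT" if present else "EXIT_WITHOUT_ENTRY")
        return present

    def reissue(self, old_id, new_id):
        """Invalidate old_id once the holder has proved ownership at the desk
        and give the same entitlements to new_id. Returns the venues where the
        invalidated number is still checked in, so guards know where to look."""
        old = self.badges[old_id]                # KeyError if never issued
        self.issue(new_id, old.holder, old.venues)
        old.revoked = True
        self._record(old_id, None, "REVOKED")
        return sorted(v for v, ids in self.inside.items() if old_id in ids)

    def contested(self):
        """Badge numbers that were presented while already checked in."""
        return sorted({b for _, b, _, e in self.log if e == "DENY_ALREADY_INSIDE"})


def run_constructed_scenario():
    reg = AccessRegister()
    reg.issue("2048173009527", "attendee A", {"hall", "vip"})
    results = [
        reg.scan_in("2048173009527", "vip"),     # first presenter gets in
        reg.scan_in("2048173009527", "vip"),     # second presenter is stopped
    ]
    still_inside = reg.reissue("2048173009527", "2048173009534")
    results += [
        reg.scan_in("2048173009527", "hall"),    # invalidated number
        reg.scan_in("2048173009534", "vip"),     # replacement badge
        reg.scan_in("2999999999999", "vip"),     # number that was never issued
    ]
    return results, still_inside, reg.contested()
```

The second scan of a number is where the denial of service raised in the comment shows up: whoever arrives second is stopped, copy or not, until a person checks the receipt.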
up vote
0
down vote
If protecting the guard-supervised access points is enough, how about two-factor authentication on the cheap? Along with the ID card, hand out a plastic token, casino chip, rubber ducky or other trinket that cannot be obtained quickly by would-be gatecrashers.
It should have a hole or other way to attach to the lanyard, otherwise you'll have people losing or "losing" it right and left.
up vote
0
down vote
It actually is not THAT easy to photograph without at least the wearer noticing it if the barcode is sufficiently small (think about the height of 8pt or 6pt lettering...)
Let's assume we are talking handheld mobile phone cameras here, no high-end (dual lens) phones, clip-on teleconverters, professional/enthusiast grade cameras, optical zooms, RAW processing, or tripods involved. Someone affording all that bother can probably afford to pay your tickets.
Let's assume a 12MP phone camera, yielding an effective resolution of 2000 pixels on the longest side of the photo. Not 4000, there will be either aliasing or antialiasing in your way once you try to faithfully reproduce structures smaller than 2 pixels.
In many cases, you can again halve the effective resolution available for exact reproduction due to the image being automatically postprocessed by the phone firmware to correct for lens defects, especially in off-center parts of the image. Pixels get bumped off their raster to do that....
Let's assume a standard phone camera lens, which will be a 24mm or 28mm equivalent wide angle with no optical zoom, so increasing magnification will not give you extra resolution.
If your barcode would need 100 pixels resolution to work, that would mean someone would have to photograph it in a way that it fills 1/20th of the frame, and would have to do so without introducing perspective distortion, shake, other errors...
A 1cm long tiny barcode would merely fill 1/100th of the frame width snapped with a 28mm equivalent lens from a distance of 1 meter.... or 1/50th if somebody came up to someone at half a meter distance, probably getting told off for encroaching.
protected by schroeder♦ Nov 29 at 15:13
21 Answers
up vote
76
down vote
Simple answer: No
If you can see it, you can photograph it.
There have been countless attempts over the years to solve this part of DRM and all have failed.
Instead of focusing on the barcode, have you considered making it difficult to copy the id card itself? So that security for each area can quickly check it isn't an overlay? For example a hologram over the barcode that the scanner ignores but a human can check, or a high quality plastic card with the barcode in the coloured coating - a guard can spot a fake overlay.
edited Nov 28 at 12:07
answered Nov 28 at 8:02
Rory Alsop♦
6
I'd think something akin to a monitor privacy filter would help a bit. It would at least ensure that the barcode would have to be viewed from a very precise angle, which is easy for a scanner but not a photographer.
– forest
Nov 28 at 8:08
5
Yeah - I have one for my luggage tags (3M were at a conference I went to and were giving out interesting swag) but it's not useful enough: lanyards swing etc
– Rory Alsop♦
Nov 28 at 8:09
1
@RoryAlsop, Do you have a photo of what that (the monitor privacy thing) looks like? (never mind I googled it - 3M are easy to find, but again quite expensive). The client cannot afford holograms! How about if we stick it on the inside of a folded id - booklet style - with the photo on the outside? Hmm but it makes UX a bit fiddly. stumped
– Konchog
Nov 28 at 8:34
10
I like the idea. For one time events, it is easier to stick a cheap unique hologram sticker to defeat photocopy.
– mootmoot
Nov 28 at 9:38
5
@Konchog IMHO, the purpose is to defeat photocopy, any cheapo hologram will do.
– mootmoot
Nov 28 at 9:41
up vote
52
down vote
Simple answer is yes. Unfortunately I think you might be struggling to do so on a tight budget, barcodes can be printed using inks that are only visible under UV/IR light, so they aren't visible to the naked eye and can't be replicated without specialist equipment and inks.
Unfortunately the scanners that can read these codes aren't cheap and neither is the ink so unless you're going to be having more than a couple of thousand attendees the NFC route is going to be cheaper. And as the question indicates this isn't something you think they will pay for so that probably puts the "unphotographable" barcode solutions out of your price range.
answered Nov 28 at 11:18
motosubatsu
5
Yeah they aren't completely foolproof - most of the inks work by fluorescing in the visible spectrum when under the appropriate type of light so using that to uncover the barcode and then reproducing it would probably fool scanners, that actually gives me an idea - I wonder if printing the barcodes using UV ink and then having a cheap UV light set up next to a standard scanner to reveal it would work. It's a bit rough and ready (and would be vulnerable to the above flaw for certain) but might be on-budget?
– motosubatsu
Nov 28 at 12:16
7
I really want to test this now with a cheap barcode reader, a strong UV lamp and UV ink. Could cheap materials work?
– schroeder♦
Nov 28 at 13:38
1
@schroeder me too! I've got access to a reader at work but would need a way to produce UV barcodes
– motosubatsu
Nov 28 at 13:42
6
My kid has a "secret writing pen" with a built-in lamp. Hit a dollar store? Use a stencil to copy an existing barcode
– schroeder♦
Nov 28 at 13:43
5
Unfortunately, many phone cameras can "see" infrared.
– MGOwen
Nov 29 at 6:33
up vote
28
down vote
While a simple red cellophane does little to hide the barcode, you could apply multiple colors to hide the barcode from the human eye. If the barcode scanner only uses a single wavelength (such as red), it will see the colors differently than a human or a color camera.
This would be more difficult to photograph and print successfully, because cameras and printers will blur the colors more easily than they would blur a black and white image. Further, you could experiment with making the foreground and background some kind of random pattern, so that it is not obvious that it is a barcode at all.
For example, you replace black with blue and green, and white with red and orange:
To a red-light barcode scanner, this should appear like a normal black and white barcode. But I expect it would be more difficult to copy successfully.
Theoretical background: The human eye is most sensitive to brightness variations, and less sensitive to color variations. Most of our equipment, such as cameras, printers and image formats reflect this, and methods such as Chroma subsampling and Bayer filter are in common use. But a scanner at a single wavelength is completely insensitive to brightness variations in other colors, and very sensitive to color variations that affect the amount of red in the color.
Thus the pattern should be designed so that it has a lot of brightness variation to make copying difficult, while keeping the brightness seen by scanner the same. One way to do this in image editors is to separate red/green/blue channels and only edit the green and blue channels.
4
Looks like some kind of tartan. But still, if you can scan it, you can also make a photograph of it, can't you?
– Trilarion
Nov 28 at 13:54
3
@Trilarion Yeah, but it's more work to do so successfully. At least color vs. bw printer, or some photoshopping. And I expect it could blur more easily in camera or JPEG compression, though of course with care you can still do it.
– jpa
Nov 28 at 13:56
4
Great practical solution! The threat model is currently someone getting a quick "blurry" photograph from the original card and printing this photograph with a consumer-grade printer onto simple paper. - The color differences from the original to this one coupled with some blurriness will probably lead to copies being ineffective at scanners and very easily identifiable by human security.
– Falco
Nov 29 at 13:45
4
I think this answer is theoretically correct, but in practical reality won't work: There's enough of a safety margin on labels that you get a good read (say) 9-out-of-10-times. To be so borderline-illegible that a good photo is made to reliably fail (that's what you're proposing) seems a recipe for frustration --- for chaos and long queues and social engineering opportunities to enter your venue. Coincidentally today I got offered a (non-sensitive) product I asked after, when my ID proved illegible; the vendor said "You were here on Saturday, right? I remember you" when I absolutely hadn't.
– user3445853
Nov 29 at 21:45
Unless you had a scanner setup to be sensitive to precise customized ink variants, photographing this and printing on a run of the mill consumer color printer will duplicate this just fine. Human eye response is not relevant.
– user10216038
Nov 30 at 22:59
edited Nov 28 at 14:19
answered Nov 28 at 13:41
jpa
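The channel-separation idea from the answer above, as an added example that is not part of the original post: it encodes an EAN-13 pattern in the red channel only and solves for green so that bars and spaces share the same brightness distribution. The colour ranges, the 90 to 160 luma band, the constructed badge number and all function names are assumptions made for this sketch.

```python
import random

# Standard EAN-13 left-hand "L" patterns; R is the bitwise complement, G is R reversed.
L_CODE = ["0001101", "0011001", "0010011", "0111101", "0100011",
          "0110001", "0101111", "0111011", "0110111", "0001011"]
R_CODE = ["".join("1" if c == "0" else "0" for c in p) for p in L_CODE]
G_CODE = [p[::-1] for p in R_CODE]
# The first digit is not drawn; it selects the L/G mix of the next six digits.
PARITY = ["LLLLLL", "LLGLGG", "LLGGLG", "LLGGGL", "LGLLGG",
          "LGGLLG", "LGGGLL", "LGLGLG", "LGLGGL", "LGGLGL"]
LUMA = (0.299, 0.587, 0.114)  # BT.601 weights used for greyscale conversion


def ean13_modules(payload12):
    """Return the 95 modules (1 = bar, 0 = space) for a 12-digit payload."""
    digits = [int(c) for c in payload12]
    if len(digits) != 12:
        raise ValueError("expected 12 digits")
    weighted = sum(d * (3 if i % 2 else 1) for i, d in enumerate(digits))
    digits.append((10 - weighted % 10) % 10)          # check digit
    left = "".join((L_CODE if kind == "L" else G_CODE)[d]
                   for kind, d in zip(PARITY[digits[0]], digits[1:7]))
    right = "".join(R_CODE[d] for d in digits[7:])
    return [int(c) for c in "101" + left + "01010" + right + "101"]


def luma(px):
    """Brightness of an (r, g, b) pixel as a greyscale conversion would compute it."""
    return sum(w * c for w, c in zip(LUMA, px))


def colour_pixel(is_bar, rng):
    """Pick a colour whose red channel encodes bar/space and whose luma does not."""
    y = rng.uniform(90, 160)                  # same brightness band for both classes
    if is_bar:                                # "black" becomes blue/green: little red
        r, b = rng.randint(0, 40), rng.randint(150, 255)
    else:                                     # "white" becomes red/orange: lots of red
        r, b = rng.randint(215, 255), rng.randint(0, 100)
    g = round((y - LUMA[0] * r - LUMA[2] * b) / LUMA[1])  # solve luma equation for green
    return (r, min(255, max(0, g)), b)


def render(modules, height=20, seed=1):
    """Image as rows of (r, g, b) tuples, one pixel per module per row."""
    rng = random.Random(seed)
    return [[colour_pixel(m, rng) for m in modules] for _ in range(height)]


def red_scanner_read(image):
    """One scanline as a red-light scanner sees it: dark where little red reflects."""
    return [1 if px[0] < 128 else 0 for px in image[len(image) // 2]]


def greyscale_error_rate(image, modules):
    """Fraction of pixels a greyscale copy, thresholded at mid-band, gets wrong."""
    wrong = total = 0
    for row in image:
        for px, m in zip(row, modules):
            wrong += (1 if luma(px) < 125 else 0) != m
            total += 1
    return wrong / total


def mean_luma_gap(image, modules):
    """Difference in average luma between bar and space pixels."""
    sums, counts = [0.0, 0.0], [0, 0]
    for row in image:
        for px, m in zip(row, modules):
            sums[m] += luma(px)
            counts[m] += 1
    return abs(sums[1] / counts[1] - sums[0] / counts[0])


if __name__ == "__main__":
    modules = ean13_modules("200000001234")   # constructed badge number
    image = render(modules)
    print("red channel decodes:", red_scanner_read(image) == modules)
    print("greyscale per-pixel error:", round(greyscale_error_rate(image, modules), 2))
    print("mean luma gap:", round(mean_luma_gap(image, modules), 2))
```

A colour photograph still captures the red channel, so, as the comments under this answer point out, this raises the effort of copying rather than preventing it.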
up vote
23
down vote
The cheapest solution for your situation in this case is utilising the human security guard to do a photo check. Use the barcode tag to quickly look up the user's record from the participant database; the database should store the participant's photo, and the guard should check that the participant who presented themselves matches the photo in the database.
The barcode in this case should not really be considered part of the security; it's just a quick way to look up database records, so it doesn't matter if it gets copied. The real security comes from the photo matching. Obviously, you can't really enforce security on self-scan spots in this case, which is the main weakness.
4
Photo check is not required. Just verify that a badge is legitimate. The vulnerability becomes the ability to source and print a badge that will pass inspection, which raises the bar significantly.
– schroeder♦
Nov 28 at 11:55
2
"Oh, the event has already started? I reeeeally need to get in! Here's my legit barcode. You can skip the photo check, okay? Okay! Bye!!"
– Tom K.
Nov 28 at 13:23
@schroeder Depends on if "sharing" badges is considered a problem. (Or, if this is a heist novel, knocking someone out for 8+ hours and "borrowing" theirs.)
– user3067860
Nov 28 at 14:45
answered Nov 28 at 10:58
Lie Ryan
up vote
17
down vote
You can’t, because as long as both a human and a barcode scanner need to be able to see the whole thing, so can a camera and copier.
A barcode is no different than printing a string of text, except a machine can read it faster. Security-wise it adds no protection.
This issue might not be part of the threat model — have you checked that?
8
Indeed. The organisers will have to decide which is more of a threat to their tight budget: spending more on useful ID cards, or risking someone photographing a card, reprinting it, entering the event and then drinking all the champagne themselves (is this likely?)
– Lightness Races in Orbit
Nov 28 at 10:42
16
@forest I think you misunderstood me. It's a common way to perform an attack, yes. But will it be likely for someone to attack this event in this way for the purpose of ... doing what? What would be their goal? What resources are at risk? Is it a champagne reception? If so, can they even really possibly drink enough to harm you to the extent that it's economical to spend a ton of money on NFC hard passes? Of course you don't want uninviteds at your party but you have to apply balance when deciding what to spend on mitigation.
– Lightness Races in Orbit
Nov 28 at 10:45
3
.. OP says they can't afford secure passes so the [IMO low] risk in this case is probably worth it from that perspective. Any possible financial losses are not likely to cost as much as the technology that they can't afford.
– Lightness Races in Orbit
Nov 28 at 10:47
1
@Konchog Indeed!
– Lightness Races in Orbit
Nov 28 at 12:16
12
@Konchog People who want to protect high-value things without spending money on it always remind me of the old saying "If you've got a $5 head buy a $5 helmet" :D
– motosubatsu
Nov 28 at 12:36
answered Nov 28 at 9:42
John Keates
up vote
15
down vote
Is NFC really too expensive? I found a 50-pack of MiFARE NFC stickers for $13.20, making them < $0.27 per attendee; if you plan on 500 attendees, that's $132 which really isn't that much in the scheme of a catered event of that scale. If you can manage to swing $0.89 per attendee, you can actually get inkjet-printable MiFARE cards, saving the step of printing and separately applying a sticker (though you'd have to have a flat-paper-path printer that the cards could be fed through).
Since NFC can't be photographed, it can't be easily duplicated, but tags are easily read by any smartphone and a variety of other devices, and are often less finicky. For example, if the badge is in a plastic holder, a barcode scanner might pick up too much reflected ambient light to be able to read the barcode, and the person would have to tilt it this way and that (pausing a bit each time to give the scanner time to focus), hoping to reduce the glare enough for the scanner to read the code; with NFC, you just press the card against the reader and maybe wiggle it around a bit until you hit the sweet spot. By the 10th or 15th scan, the security person should have a pretty good clue where the sweet spot is and be able to scan almost instantaneously from there on out.
EDIT1: Even basic, cheap non-cryptographic NFC tags programmed with simple ID numbers are more difficult to duplicate -- you need to have close-proximity access to a tag (generally less than a foot). This makes them significantly more difficult to clone than a barcode that can be captured by a decent camera from several feet away or across the room or further with a good DSLR and zoom lens. Optimum read range on NFC chips is based on the loop antenna radius of the chip: the radius divided by ~1.414. On a 2"x3.5" NFC card the radius can't be more than 1 inch (2.54cm) since the loop's antenna can't be more than 2 inches in diameter, giving us an "optimum" read range of just under 2cm (less than an inch). Even with a powerful reader, I seriously doubt you're going to be able to read the tags at distances greater than a foot.
EDIT2: As @Falco pointed out in the comments below, if you print a barcode on the badge too, a potential ne'er-do-well might not even realize there's an NFC tag and attempt to just clone the barcode... but of course their counterfeit badge wouldn't scan with NFC, exposing it as a fake.
2
"it can't be easily duplicated, but tags are easily read" - That doesn't make sense. If you can read it, you can duplicate it.
– AndrolGenhald
Nov 28 at 22:08
11
@AndrolGenhald: not necessarily, higher security NFC Smartcards uses cryptography to sign a challenge-response protocol. These type of tags are essentially impossible to duplicate without breaking the physical enclosure of the original tag, and the physical enclosure are often rigged to destroy the signing key if it's tampered with. These types of tags aren't as cheap as the static passive tags though.
– Lie Ryan
Nov 28 at 23:07
1
@LieRyan I suppose "tags are easily read" is a bit ambiguous, I wouldn't call authenticating with a smartcard "reading" it, as you're sending it data to sign and checking the response, but I guess you could still call it that. Smartcards are likely too expensive for OP though, which is probably why they specifically rule out NFC.
– AndrolGenhald
Nov 29 at 0:30
3
NFC stickers are not expensive - and NFC scanners are getting far more affordable. However, when this was last tried out it did not work so well - there were problems with the scanners at that time (which may well have been an upsteam issue). Also, there were problems with getting NFC embedded cards printed on time, and then matching each NFC identity with the system identity without pre-printing identity details. The client may revisit NFC at some point - but we are told that they are staying with EAN13 scanners for the time being..
– Konchog
Nov 29 at 7:25
3
At a one shot event obscurity can be used as a valid strategy to increase security. Printing Barcodes on the NFC-Tagged cards will lead many potential threats to try and copy the barcodes before realizing NFC-Equipment might be necessary.
– Falco
Nov 29 at 13:49
|
show 3 more comments
up vote
15
down vote
Is NFC really too expensive? I found a 50-pack of MiFARE NFC stickers for $13.20, making them < $0.27 per attendee; if you plan on 500 attendees, that's $132 which really isn't that much in the scheme of a catered event of that scale. If you can manage to swing $0.89 per attendee, you can actually get inkjet-printable MiFARE cards, saving the step of printing and separately applying a sticker (though you'd have to have a flat-paper-path printer that the cards could be fed through).
Since NFC can't be photographed, it can't be easily duplicated, but tags are easily read by any smartphone and a variety of other devices, and are often less finicky. For example, if the badge is in a plastic holder, a barcode scanner might pick up too much reflected ambient light to be able to read the barcode, and the person would have to tilt it this way and that (pausing a bit each time to give the scanner time to focus), hoping to reduce the glare enough for the scanner to read the code; with NFC, just pressing the card against the reader and maybe wiggling it around a bit until you hit the sweet spot. By the 10th or 15th scan, the security person should have a pretty good clue where the sweet spot is and be able to scan almost instantaneously from there on out.
EDIT1: Even basic, cheap non-cryptographic NFC tags programmed with simple ID numbers are more difficult to duplicate -- you need to either have close proximity access to a tag (generally less than a foot). This makes them significantly more difficult to clone than a barcode that can be captured by a decent camera from several feet away or across the room or further with a good DSLR and zoom lens. Optimum read range on NFC chips is based on the loop antenna radius of the chip: the radius divided by ~1.414. On a 2"x3.5" NFC card the radius can't be more than 1 inch (2.54cm) since the loop's antenna can't be more than 2 inches in diameter, giving us an "optimum" read range of just under 2cm (less than an inch). Even with a powerful reader, I seriously doubt you're going to be able to read the tags at distances greater than a foot.
EDIT2: As @Falco pointed out in the comments below, if you print a barcode on the badge too, a potential ne'er-do-well might not even realize there's an NFC tag and attempt to just clone the barcode... but of course their counterfeit badge wouldn't scan with NFC, exposing it as a fake.
2
"it can't be easily duplicated, but tags are easily read" - That doesn't make sense. If you can read it, you can duplicate it.
– AndrolGenhald
Nov 28 at 22:08
11
@AndrolGenhald: not necessarily, higher security NFC Smartcards uses cryptography to sign a challenge-response protocol. These type of tags are essentially impossible to duplicate without breaking the physical enclosure of the original tag, and the physical enclosure are often rigged to destroy the signing key if it's tampered with. These types of tags aren't as cheap as the static passive tags though.
– Lie Ryan
Nov 28 at 23:07
1
@LieRyan I suppose "tags are easily read" is a bit ambiguous, I wouldn't call authenticating with a smartcard "reading" it, as you're sending it data to sign and checking the response, but I guess you could still call it that. Smartcards are likely too expensive for OP though, which is probably why they specifically rule out NFC.
– AndrolGenhald
Nov 29 at 0:30
3
NFC stickers are not expensive - and NFC scanners are getting far more affordable. However, when this was last tried out it did not work so well - there were problems with the scanners at that time (which may well have been an upsteam issue). Also, there were problems with getting NFC embedded cards printed on time, and then matching each NFC identity with the system identity without pre-printing identity details. The client may revisit NFC at some point - but we are told that they are staying with EAN13 scanners for the time being..
– Konchog
Nov 29 at 7:25
3
At a one shot event obscurity can be used as a valid strategy to increase security. Printing Barcodes on the NFC-Tagged cards will lead many potential threats to try and copy the barcodes before realizing NFC-Equipment might be necessary.
– Falco
Nov 29 at 13:49
|
show 3 more comments
up vote
15
down vote
up vote
15
down vote
Is NFC really too expensive? I found a 50-pack of MiFARE NFC stickers for $13.20, making them < $0.27 per attendee; if you plan on 500 attendees, that's $132 which really isn't that much in the scheme of a catered event of that scale. If you can manage to swing $0.89 per attendee, you can actually get inkjet-printable MiFARE cards, saving the step of printing and separately applying a sticker (though you'd have to have a flat-paper-path printer that the cards could be fed through).
Since NFC can't be photographed, it can't be easily duplicated, but tags are easily read by any smartphone and a variety of other devices, and are often less finicky. For example, if the badge is in a plastic holder, a barcode scanner might pick up too much reflected ambient light to be able to read the barcode, and the person would have to tilt it this way and that (pausing a bit each time to give the scanner time to focus), hoping to reduce the glare enough for the scanner to read the code; with NFC, just pressing the card against the reader and maybe wiggling it around a bit until you hit the sweet spot. By the 10th or 15th scan, the security person should have a pretty good clue where the sweet spot is and be able to scan almost instantaneously from there on out.
EDIT1: Even basic, cheap non-cryptographic NFC tags programmed with simple ID numbers are more difficult to duplicate -- you need to either have close proximity access to a tag (generally less than a foot). This makes them significantly more difficult to clone than a barcode that can be captured by a decent camera from several feet away or across the room or further with a good DSLR and zoom lens. Optimum read range on NFC chips is based on the loop antenna radius of the chip: the radius divided by ~1.414. On a 2"x3.5" NFC card the radius can't be more than 1 inch (2.54cm) since the loop's antenna can't be more than 2 inches in diameter, giving us an "optimum" read range of just under 2cm (less than an inch). Even with a powerful reader, I seriously doubt you're going to be able to read the tags at distances greater than a foot.
EDIT2: As @Falco pointed out in the comments below, if you print a barcode on the badge too, a potential ne'er-do-well might not even realize there's an NFC tag and attempt to just clone the barcode... but of course their counterfeit badge wouldn't scan with NFC, exposing it as a fake.
Is NFC really too expensive? I found a 50-pack of MiFARE NFC stickers for $13.20, making them < $0.27 per attendee; if you plan on 500 attendees, that's $132 which really isn't that much in the scheme of a catered event of that scale. If you can manage to swing $0.89 per attendee, you can actually get inkjet-printable MiFARE cards, saving the step of printing and separately applying a sticker (though you'd have to have a flat-paper-path printer that the cards could be fed through).
Since NFC can't be photographed, it can't be easily duplicated, but tags are easily read by any smartphone and a variety of other devices, and are often less finicky. For example, if the badge is in a plastic holder, a barcode scanner might pick up too much reflected ambient light to be able to read the barcode, and the person would have to tilt it this way and that (pausing a bit each time to give the scanner time to focus), hoping to reduce the glare enough for the scanner to read the code; with NFC, it's just pressing the card against the reader and maybe wiggling it around a bit until you hit the sweet spot. By the 10th or 15th scan, the security person should have a pretty good clue where the sweet spot is and be able to scan almost instantaneously from there on out.
EDIT1: Even basic, cheap non-cryptographic NFC tags programmed with simple ID numbers are more difficult to duplicate -- you need to have close-proximity access to a tag (generally less than a foot). This makes them significantly more difficult to clone than a barcode that can be captured by a decent camera from several feet away or across the room or further with a good DSLR and zoom lens. Optimum read range on NFC chips is based on the loop antenna radius of the chip: the radius divided by ~1.414. On a 2"x3.5" NFC card the radius can't be more than 1 inch (2.54cm) since the loop's antenna can't be more than 2 inches in diameter, giving us an "optimum" read range of just under 2cm (less than an inch). Even with a powerful reader, I seriously doubt you're going to be able to read the tags at distances greater than a foot.
EDIT2: As @Falco pointed out in the comments below, if you print a barcode on the badge too, a potential ne'er-do-well might not even realize there's an NFC tag and attempt to just clone the barcode... but of course their counterfeit badge wouldn't scan with NFC, exposing it as a fake.
edited Nov 29 at 17:41
answered Nov 28 at 21:31
Doktor J
2
"it can't be easily duplicated, but tags are easily read" - That doesn't make sense. If you can read it, you can duplicate it.
– AndrolGenhald
Nov 28 at 22:08
11
@AndrolGenhald: not necessarily, higher security NFC Smartcards use cryptography to sign a challenge-response protocol. These types of tags are essentially impossible to duplicate without breaking the physical enclosure of the original tag, and the physical enclosure is often rigged to destroy the signing key if it's tampered with. These types of tags aren't as cheap as the static passive tags though.
– Lie Ryan
Nov 28 at 23:07
1
@LieRyan I suppose "tags are easily read" is a bit ambiguous, I wouldn't call authenticating with a smartcard "reading" it, as you're sending it data to sign and checking the response, but I guess you could still call it that. Smartcards are likely too expensive for OP though, which is probably why they specifically rule out NFC.
– AndrolGenhald
Nov 29 at 0:30
3
NFC stickers are not expensive - and NFC scanners are getting far more affordable. However, when this was last tried out it did not work so well - there were problems with the scanners at that time (which may well have been an upstream issue). Also, there were problems with getting NFC embedded cards printed on time, and then matching each NFC identity with the system identity without pre-printing identity details. The client may revisit NFC at some point - but we are told that they are staying with EAN13 scanners for the time being.
– Konchog
Nov 29 at 7:25
3
At a one shot event obscurity can be used as a valid strategy to increase security. Printing Barcodes on the NFC-Tagged cards will lead many potential threats to try and copy the barcodes before realizing NFC-Equipment might be necessary.
– Falco
Nov 29 at 13:49
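The distinction argued in the comments above (a static tag that hands out a fixed ID versus a tag that answers a fresh challenge), as an added sketch that is not part of the original thread. It swaps in HMAC-SHA256 with a per-tag secret for the signature Lie Ryan mentions; the class names, tag IDs and keys are constructed assumptions.

```python
import hashlib
import hmac
import secrets


class StaticTag:
    """Cheap tag: every read returns the same identifier, like a barcode."""

    def __init__(self, tag_id: str):
        self.tag_id = tag_id

    def read(self) -> str:
        return self.tag_id


class ChallengeResponseTag:
    """Tag holding a secret it never reveals; it only answers challenges."""

    def __init__(self, tag_id: str, key: bytes):
        self.tag_id = tag_id
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class RecordedCopy:
    """All an observer of one exchange can build: the ID plus one old response."""

    def __init__(self, tag_id: str, recorded_response: bytes):
        self.tag_id = tag_id
        self._recorded = recorded_response

    def respond(self, challenge: bytes) -> bytes:
        # Without the key there is no way to compute the MAC for a new challenge.
        return self._recorded


class Verifier:
    """Door reader: knows each issued tag's key and never reuses a challenge."""

    def __init__(self, keys):
        self._keys = dict(keys)

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def check(self, tag_id: str, challenge: bytes, response: bytes) -> bool:
        key = self._keys.get(tag_id)
        if key is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def run_demo() -> dict:
    # Constructed sample data: one challenge-response badge, one static badge.
    key = secrets.token_bytes(32)
    genuine = ChallengeResponseTag("BADGE-0001", key)
    verifier = Verifier({"BADGE-0001": key})

    # Scan 1: the genuine tag is read while someone observes the whole exchange.
    c1 = verifier.new_challenge()
    r1 = genuine.respond(c1)
    genuine_ok = verifier.check(genuine.tag_id, c1, r1)

    # Scan 2: a copy built from the observed exchange meets a fresh challenge.
    copy = RecordedCopy("BADGE-0001", r1)
    c2 = verifier.new_challenge()
    copy_ok = verifier.check(copy.tag_id, c2, copy.respond(c2))

    # Static tag: whatever was read once is everything the reader ever checks.
    static = StaticTag("BADGE-0002")
    static_copy = StaticTag(static.read())
    return {
        "genuine_accepted": genuine_ok,
        "recorded_copy_accepted": copy_ok,
        "static_copy_indistinguishable": static_copy.read() == static.read(),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```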
up vote
11
down vote
Not sure how you are planning to carry the ID cards, whether hung directly from the lanyard with a simple hole punched through the card or in a carrier or plastic wallet hung from the lanyard.
If you use the clear wallet style of carrier, you could have something printed, or a sticker applied, on the outside that covers the area of the barcode but leaves the photo and other identifying information visible to human readers. Make sure this is on both sides in case the card is placed in the carrier reversed. This would mean a 'drive by' photo of someone would not reveal the barcode at all. The card would have to be removed, or moved within the carrier, for scanning the barcode, however.
If using a more substantial plastic carrier, print the barcode on the reverse of the card, ensuring it is obscured from view while in the carrier.
answered Nov 28 at 13:59
GeeTee
up vote
5
down vote
One thing you could do that's been a staple of anti-counterfeiting for millennia is to introduce a deliberate flaw into your barcode that causes it to read, for example, the last two characters "incorrectly." Make it look like an accidental misprint of the card.
You then instruct your scanner/software to ignore the error and pass you the data anyway, leaving out the invalid bits.
Someone forging cards will likely assume that their photograph was imperfect or that they got a smudged card and manually correct the "error".
Your software can then notice that it's being sent the "this card is a forgery" code and alert security.
This is not the best security mechanism as it depends on an attacker both not knowing what you're doing and not just blindly copying the card without checking that it printed correctly.
Pair this with some kind of watermarking. Either a literal watermark if you're using a paper card, or say stamping all the cards with an additional code that only shows up under UV light.
If you stamp on a QR code, building a scanner that consists of a box with a slot in the front containing a camera and a UV lamp would be the work of an afternoon. Pipe it to the QR reader program of your choice. As long as you manage to keep the presence of the watermark a secret it should be nearly impossible for anyone to forge a card.
answered Nov 28 at 19:05
Perkins
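One way to implement the deliberate-flaw check from this answer on the EAN-13 codes the question uses, as an added example rather than the answerer's or the asker's code. It narrows the answer's idea to the check digit; `OFFSET`, the function names and the sample payloads are assumptions, and the scanner is assumed to pass codes through without enforcing the check digit itself.

```python
OFFSET = 3  # hypothetical per-event shift (1..9) applied to the printed check digit


def ean13_check_digit(payload12: str) -> int:
    """Standard EAN-13 check digit for the first 12 digits."""
    if len(payload12) != 12 or not (payload12.isascii() and payload12.isdigit()):
        raise ValueError("payload must be exactly 12 ASCII digits")
    # Weights alternate 1, 3, 1, 3, ... starting from the leftmost digit.
    total = sum(int(ch) * (3 if i % 2 else 1) for i, ch in enumerate(payload12))
    return (10 - total % 10) % 10


def printed_code(payload12: str) -> str:
    """Code to print on a genuine badge: payload plus the shifted check digit."""
    if not 1 <= OFFSET <= 9:
        raise ValueError("OFFSET must differ from 0 mod 10")
    return payload12 + str((ean13_check_digit(payload12) + OFFSET) % 10)


def classify_scan(raw: str, issued: set) -> str:
    """Classify one scanner read against the set of issued 12-digit payloads."""
    code = raw.strip()
    if len(code) != 13 or not (code.isascii() and code.isdigit()):
        return "unreadable"
    payload, seen = code[:12], int(code[12])
    if payload not in issued:
        return "unknown"
    standard = ean13_check_digit(payload)
    if seen == (standard + OFFSET) % 10:
        return "accept"            # carries the deliberate flaw
    if seen == standard:
        return "forgery-suspect"   # someone "corrected" the apparent misprint
    return "misread"               # neither form: ask for a rescan


def triage(scans, issued):
    """Return (scan, verdict) pairs so alerts can be raised per read."""
    return [(s, classify_scan(s, issued)) for s in scans]


if __name__ == "__main__":
    # Constructed sample data: two issued badge payloads and five reads.
    issued = {"200000012345", "200000012346"}
    scans = [
        printed_code("200000012345"),  # genuine badge
        "2000000123455",               # same payload, standard check digit
        "2000000123451",               # damaged or misread check digit
        "2000000999993",               # payload never issued
        "20000001234",                 # short read
    ]
    for scan, verdict in triage(scans, issued):
        print(f"{scan:<14} {verdict}")
```

As the answer itself notes, a copy made without "fixing" the misprint carries the shifted digit and is accepted, so this flags only the corrected copies.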
up vote
5
down vote
Yes, there is a way to do it*
Use fluorescent materials for the barcode itself, making it so that duplication cannot be done by photograph without ruining the duplicate's "invisibility", which distinguishes fakes. Modern ID cards use this.
*This only works for polycarbonate cards, not PVC. Unfortunately, this may not fit your client's budget.
answered Nov 28 at 19:10
Expectator
2
Simple trick to make a document copy-evident: use fluorescent highlighter pens on it. Color photocopiers will copy the apparent colour but not the fluorescent property, usually causing the copy to look different.
– rackandboneman
Nov 30 at 20:49
up vote
4
down vote
How about if the first time they're scanned in at the door by a human, the security person (i.e. scanner) checks the photo to make sure it matches the person with the badge. If it matches, the security person puts on one of those inexpensive Tyvek wristbands of a specific color. These are often used at amusement parks, ball games, etc. to indicate specific access levels, age qualifications, etc. This would at least prevent unauthorized people from getting into your venue in the first place.
These wristbands are one-time use, and are very difficult to take off and put on someone else without noticing that they've been removed. If you keep secret the "wristband color of the day", or get some specially made with a specific color or colors, then they should be fairly secure from copying. I also believe that these are typically rather inexpensive in bulk.
Though in general, if security is this critically important at this event, then security should have been allocated enough funds up front to support its importance and value.
answered Nov 28 at 15:35
Milwrdfan
up vote
4
down vote
I know I'm late to the game, but here are two suggestions from me:
1) Make the barcode really small, just big enough to be picked up by a barcode scanner. This makes it difficult (but not impossible) to take useable copies with a camera without making it obvious that you're trying to do it.
2) Split the barcode in two pairs (for instance, just every other bar) and print one half on the ID card, and one half on a transparent overlay -- you would then have to manually align the two halves to make a useful barcode. This makes it more tedious to actually use, but makes it unlikely that the parts will line up while dangling on the lanyard (especially if you make the transparent part with a different balance).
You can of course combine the two approaches.
answered Nov 29 at 8:20
KlaymenDK
It's great fun - but I think it's way too complicated for the wearers, and slows down entry/exit points even more so.
– Konchog
Nov 29 at 8:24
up vote
3
down vote
Easy solution: Print the barcode on the lanyard and not on the badge.
Everybody can print out a Photo-ID made out of paper with a barcode. It is rather complicated to print a barcode on a lanyard with your home printing equipment.
If your PhotoID looks something like this:
It is very hard for a guard to tell if this barcode is the real deal or just a printed and glued on version of the barcode. If your event is attended by 300+ people, it gets very tedious to check these things. The bigger the barcode the better. If you are planning to use PhotoID that are made out of paper then it becomes impossible to tell if a printout is real or fake.
If the barcode is on the lanyard it is extremely easy for the guards to tell if this is fake or real. But keep in mind this is by no means a failsafe method. It is really a "we have no more money left" control, and not something you should rely on.
edited Nov 28 at 13:43
answered Nov 28 at 12:47
Tom K.
While a cool suggestion, I'm not sure this fixes anything. I can take a snapshot of the barcode and use a slip of paper in the reader. The best control here is to have a human verify the validity of the barcode media. The human would reject a slip of paper in both instances.
– schroeder♦
Nov 28 at 13:29
1
OP stated here that access to a room is always granted by a person who scans the barcode. The person will recognize if the barcode is on the lanyard or on something else.
– Tom K.
Nov 28 at 13:33
1
Right, so I'm not sure how this control adds anything but unnecessary complexity. The paper barcode would be detected in either case.
– schroeder♦
Nov 28 at 13:35
1
I was a bouncer at several high class events. I was underpaid, tired and everyone looked at me like I was dirt. I (and all my colleagues) would have never tested several hundred cards with our fingernails. But we could've probably spotted a "cheater" from 50 meters away. Controls that rely on humans only work when enforced. And this is a control that will not work, because it will not be enforced.
– Tom K.
Nov 28 at 13:52
2
I can't stand lanyards and would use a safety pin or fasten the card to a button or similar. If the lanyard holds the real barcode then it's required. Whoops!
– Criggie
Nov 28 at 18:07
up vote
3
down vote
While not a complete solution to the problem, you can make life slightly more difficult by including the EURion Constellation on your cards. This may be used in conjunction with other approaches.
EURion constellation is a pattern of symbols incorporated into a number of banknote designs worldwide since about 1996. ... [It] consists of a pattern of five small yellow, green or orange circles, which is repeated across areas of the banknote at different orientations. The mere presence of five of these circles on a page is sufficient for some colour photocopiers to refuse processing.
answered Nov 29 at 4:36
Tyzoid
Yeah I was thinking of something like this too last night - but it would still mean upgrading the scanners; also, and in fairness, the need (as I see it) isn't really trying to prevent counterfeits, as much as being able to protect identity.
– Konchog
Nov 29 at 7:17
2
@Konchog: No, your scanners don't need to detect the pattern. The hope is that the attacker cannot scan the pattern. You are only scanning barcodes.
– MSalters
Nov 29 at 8:05
@MSalters, ok - right.. But are cameras defeated by EURion? I just took a photo of a €20 note with no problems using an iPhone..
– Konchog
Nov 29 at 8:18
1
@Konchog: I did write "hope" intentionally there. Still, many printers also detect the pattern, so you might have a second line of defense.
– MSalters
Nov 29 at 8:26
up vote
3
down vote
While it might be simple to take a photo of one side, it's much harder to capture both sides in a casual attack. You can do various things to build on that idea, depending on the event.
- Unique barcodes on each side, attendee puts card between two readers
- Barcode on one side, human-verifiable information on the other. Manually compared against account.
Or you could add a second factor. Send the participant a registration SMS when they first scan in, that captures their beacon with the local wifi and then you can do approximation checks every time they scan in the future. If their phone isn't where it should be, block access and send another SMS-link. You could two-factor all the way, but you'd probably want an app to provide a quicker notification.
Or you could just obscure the barcode entirely. Your idea was red cellophane... Why not just a blackout cover? This could be as dirty as a Post-it or some high-tack tape, or as pretty as a sleeve that only obscures the barcode.
answered Nov 29 at 10:43
Oli
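One way the gate software could enforce the "unique barcodes on each side" idea from the answer above, so that a photo of a single side is not enough to get in. This is an added example, not part of the original answer; the key, badge numbers, function names and the HMAC-based derivation of non-sequential EAN-13 codes are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed demo key; a real deployment would keep this in a secret store.
EVENT_KEY = b"constructed-demo-key"


def ean13_check_digit(body12: str) -> int:
    """EAN-13 check digit: weights 1,3,1,3,... over the 12 leading digits."""
    total = sum(int(d) * (3 if i % 2 else 1) for i, d in enumerate(body12))
    return (10 - total % 10) % 10


def is_valid_ean13(code: str) -> bool:
    return (len(code) == 13 and code.isdigit()
            and ean13_check_digit(code[:12]) == int(code[12]))


def derive_code(badge_id: int, side: str, counter: int = 0) -> str:
    """Non-sequential 13-digit code for one side of one badge."""
    msg = f"{badge_id}|{side}|{counter}".encode()
    mac = hmac.new(EVENT_KEY, msg, hashlib.sha256).digest()
    n = int.from_bytes(mac[:8], "big") % 10**12
    body = f"{n:012d}"
    return body + str(ean13_check_digit(body))


def issue_badges(badge_ids):
    """Build the gate's lookup table: printed code -> (badge_id, side)."""
    table = {}
    for badge_id in badge_ids:
        for side in ("front", "back"):
            counter = 0
            code = derive_code(badge_id, side, counter)
            while code in table:  # 12 digits is a small space: re-derive on collision
                counter += 1
                code = derive_code(badge_id, side, counter)
            table[code] = (badge_id, side)
    return table


def check_entry(table, scan_a: str, scan_b: str, revoked=frozenset()):
    """Decide on one card held between two readers. Returns (allowed, reason)."""
    for scan in (scan_a, scan_b):
        if not is_valid_ean13(scan):
            return False, "misread or malformed code"
    a, b = table.get(scan_a), table.get(scan_b)
    if a is None or b is None:
        return False, "unknown code"
    if a[0] != b[0]:
        return False, "sides belong to different badges"
    if {a[1], b[1]} != {"front", "back"}:
        return False, "same side presented twice"
    if a[0] in revoked:
        return False, "badge revoked"
    return True, f"badge {a[0]}"


if __name__ == "__main__":
    table = issue_badges([1001, 1002])  # constructed badge numbers
    by_side = {v: k for k, v in table.items()}
    front, back = by_side[(1001, "front")], by_side[(1001, "back")]
    print(check_entry(table, front, back))   # both sides of one badge
    print(check_entry(table, front, front))  # one side copied onto both faces
```

The card may be inserted either way round, so the check accepts the two codes in either order; it does nothing against someone who manages to capture both sides.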
up vote
2
down vote
As stated in other comments, it is unclear what the threats you are facing are. If you are purely worried about people photographing the identification, just do something so that the natural physical state of the pass obscures the barcode. For example, you can distribute the passes folded in half (the lanyard can help keep it in half) and the bar code can be on the inside. When people go to scan them, you can have security 'unfold' the pass to reveal the barcode. Or you can have people wear IDs but carry a bar-coded card in their pockets for entry.
1
Yes, the idea is mentioned above. It may seem unlikely, but it should be clear that I cannot reveal too much about anything on a public forum, and I err on the side of caution here. However, the 'threat' is access to high-value people rather than free champagne.. Not exactly meeting the president - but - you get the picture...
– Konchog
Nov 29 at 7:20
add a comment |
up vote
2
down vote
As stated in other comments, it is unclear what the threats you are facing are. If you are purely worried about people photographing the identification, just do something so that the natural physical state of the pass obscures the barcode. For example, you can distribute the passes folded in half (the lanyard can help keep it in half) and the bar code can be on the inside. When people go to scan them, you can have security 'unfold' the pass to reveal the barcode. Or you can have people wear ID's but carry a bar-coded card in their pockets for entry.
1
Yes, the idea is mentioned above. It may seem unlikely, but it should be clear that I cannot reveal too much about anything on a public forum, and I err on the side of caution here. However, the 'threat' is access to high-value people rather than free champagne.. Not exactly meeting the president - but - you get the picture...
– Konchog
Nov 29 at 7:20
add a comment |
up vote
2
down vote
up vote
2
down vote
As stated in other comments, it is unclear what the threats you are facing are. If you are purely worried about people photographing the identification, just do something so that the natural physical state of the pass obscures the barcode. For example, you can distribute the passes folded in half (the lanyard can help keep it in half) and the bar code can be on the inside. When people go to scan them, you can have security 'unfold' the pass to reveal the barcode. Or you can have people wear IDs but carry a bar-coded card in their pockets for entry.
answered Nov 28 at 20:46
BobtheMagicMoose
1
Yes, the idea is mentioned above. It may seem unlikely, but it should be clear that I cannot reveal too much about anything on a public forum, and I err on the side of caution here. However, the 'threat' is access to high-value people rather than free champagne.. Not exactly meeting the president - but - you get the picture...
– Konchog
Nov 29 at 7:20
up vote
2
down vote
Theoretically you can print in something polarised.
Then view it with polarised light or through a polarised filter.
Not necessarily cheap though.
Presumably you can choose linear or circularly polarised in order to avoid any filter that might typically be in a common camera.
answered Nov 29 at 1:34
Smegger
up vote
2
down vote
Strictly speaking, there isn't. If the scanner can read it, it can be recorded and reproduced. But that doesn't tell the whole story.
Although cameras and screens/printers these days are pretty universal, they can't capture and reproduce every single color. There are actually colors that the human eye can see, but which are difficult to capture on camera, display on screen or print on paper:
Some simple examples include fluorescent colors, actual fluorescence triggered by a certain color light emitted by the scanner (for instance, green plants glow orange under UV light), non-visible colors like UV or infrared. You could also go the reverse way and include features that are visible normally but invisible to your scanner, for instance perhaps part of the barcode is sandwiched between sheets of paper and becomes properly transparent only under your scanner. Many banknotes incorporate such security measures based on transparency, special dyes and paper, glowing/hologrammed elements and so on.
This doesn't mean your card is unphotographable, since obviously your scanner can detect it - an adversary could build a similar device and record your card. But it does mean that readily available consumer cameras won't be able to, so the adversary will have to obtain specialized equipment (which may not even be legal to purchase) or even build their own device. Similarly, reproducing will also be a challenge. If you use a color outside the CMYK space they can't print it, and if outside RGB their phone screen won't show it. Again, they can obtain or make specialized screens/papers that can do it (after all, whoever made your legitimate ID cards was able to) but it will be harder. Not to mention it will be easier for law enforcement to find them, because not many people would have such specialized equipment with no good reason.
Really the ideal solution here is to just use RFID chips with encryption. Few people have the technical skills to reproduce those, and even if they do, they won't be able to easily find out the encryption key in the chip. As a lower cost option, magnetic cards should be cheaper; those can be easily cloned but it requires equipment. The time-tested physical access control solution is of course a plain key (also not so simple to copy). Or you could just forget it all and go with memorized passwords.
If you really have to use the scanners, I would either look into fluorescent ink, or printing on some material that doesn't look right except for a specific wavelength (which the scanner would presumably provide). But it's hard to be more precise without knowing what your scanner is.
edited Nov 29 at 23:19
answered Nov 29 at 23:05
Artimithe55
up vote
1
down vote
If you can ensure all barcodes are printed at the exact same spot, you could modify the slot of the barcode reader to position the ID exactly with something covering the borders. So if someone tries to print a photo but it is slightly off-center, the barcode won't be read.
However I would suggest that the reception does not have such a thing, and just the ones with sensitive data. This way a "cheater" gets in thinking it worked, then he is stuck inside when trying to pass through restricted areas. Depending on the person, it would be risky to go out and try to get it fixed and reveal their intention. If he gets blocked before entering the "common area", they might have a chance to fix that and try again with another person.
answered Nov 28 at 13:17
Moacir
5
Scanners are not that precise. Photoshop is not that imprecise.
– schroeder♦
Nov 28 at 13:31
1
"Stuck inside" sounds like a potential fire code violation
– infixed
Nov 30 at 17:19
up vote
0
down vote
I think you are too focussed on copying the barcode. The correct way to do this is to issue a unique ID to each and every visiting person and keep track of that ID, checking it in to (and possibly out of) the different venues. If an ID already is inside a venue then entry would be prohibited.
There still is the possibility that a visitor gains entry with a copied barcode before the rightful ID owner. But in such a case the rightful owner could prove that he is the rightful owner of the ID by means of some type of receipt. You could then invalidate that ID in the computer, thus locking out the copied ID from further attendances.
But is this worth the effort? What harm is done by a few unrightful visitors? The best security measure might be just to tell people there is a security measure to prevent fraud. "Please note that we will keep track of issued IDs and should we find that somebody has gained unrightful entry we will have our security guards take care of him until the police arrive" or similar might just do it... :-)
answered Nov 29 at 12:33
Roland Giersig
3
This creates a denial of service for the person who paid to enter the event if the illegitimate person enters first. While the receipt is a nice idea, it becomes a crucial part of their authorisation, which is what the ID is supposed to be
– schroeder♦
Nov 29 at 14:06
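The check-in tracking described in the answer above, as an added example that is not part of the original post or of any commenter's code: an in-memory log that refuses a second entry scan of an ID already inside a venue, records every denial for staff, and invalidates a copied ID. The class, method, venue and badge names are assumptions constructed for illustration, and issuing a replacement ID to the owner goes one step beyond the answer's "invalidate that ID".

```python
"""Check-in/check-out tracking for barcode badges (added illustration).

All names (AccessLog, Decision, venue and badge strings) are hypothetical.
"""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY_UNKNOWN = "badge was never issued"
    DENY_REVOKED = "badge has been invalidated"
    DENY_ALREADY_INSIDE = "badge is already checked in to this venue"


@dataclass
class AccessLog:
    issued: set = field(default_factory=set)
    revoked: set = field(default_factory=set)
    inside: dict = field(default_factory=dict)  # venue -> badge IDs checked in
    alerts: list = field(default_factory=list)  # (ts, venue, badge_id, Decision)

    def issue(self, badge_id):
        if badge_id in self.issued or badge_id in self.revoked:
            raise ValueError(f"badge {badge_id!r} was already issued")
        self.issued.add(badge_id)

    def _deny(self, decision, badge_id, venue, ts):
        self.alerts.append((ts, venue, badge_id, decision))
        return decision

    def scan_in(self, badge_id, venue, ts):
        """Decide one entry scan; every denial is logged for staff follow-up."""
        if badge_id in self.revoked:
            return self._deny(Decision.DENY_REVOKED, badge_id, venue, ts)
        if badge_id not in self.issued:
            return self._deny(Decision.DENY_UNKNOWN, badge_id, venue, ts)
        occupants = self.inside.setdefault(venue, set())
        if badge_id in occupants:
            # Two holders of one ID: the log cannot tell which one is the
            # copy, so the scan is refused and a person has to resolve it.
            return self._deny(Decision.DENY_ALREADY_INSIDE, badge_id, venue, ts)
        occupants.add(badge_id)
        return Decision.ALLOW

    def scan_out(self, badge_id, venue):
        """Check-out is optional; a scan with no matching check-in is ignored."""
        self.inside.get(venue, set()).discard(badge_id)

    def revoke_and_reissue(self, old_id, new_id):
        """Invalidate a copied ID once its owner has proven ownership.

        Returns the venues where the old ID was still recorded as inside,
        so staff know where the other holder may be. Handing out new_id
        is an assumption of this example, not something the answer states.
        """
        if old_id not in self.issued:
            raise KeyError(old_id)
        self.issue(new_id)
        self.issued.discard(old_id)
        self.revoked.add(old_id)
        venues = sorted(v for v, ids in self.inside.items() if old_id in ids)
        for venue in venues:
            self.inside[venue].discard(old_id)
        return venues


def demo():
    """Constructed scenario: one badge ID is presented twice at one venue."""
    log = AccessLog()
    for badge in ("A-1001", "A-1002"):  # constructed sample IDs
        log.issue(badge)
    results = [
        log.scan_in("A-1001", "vip-lounge", ts=100),  # first presenter gets in
        log.scan_in("A-1001", "vip-lounge", ts=160),  # second presenter refused
    ]
    search = log.revoke_and_reissue("A-1001", "A-2001")
    results += [
        log.scan_in("A-2001", "vip-lounge", ts=200),  # replacement badge works
        log.scan_in("A-1001", "vip-lounge", ts=300),  # old ID refused everywhere
        log.scan_in("Z-9999", "vip-lounge", ts=310),  # never issued
    ]
    log.scan_out("A-1002", "vip-lounge")  # harmless: it was never checked in
    results.append(log.scan_in("A-1002", "vip-lounge", ts=400))
    return results, search, log.alerts


if __name__ == "__main__":
    decisions, venues_to_check, alerts = demo()
    for d in decisions:
        print(d.name)
    print("check venues:", venues_to_check)
    print("alerts:", len(alerts))
```

The first presenter of an ID is admitted whether or not they hold the original, so the denial at `ts=160` only shows that a duplicate exists; the alert list is what lets staff follow up.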
up vote
0
down vote
If protecting the guard-supervised access points is enough, how about two-factor authentication on the cheap? Along with the ID card, hand out a plastic token, casino chip, rubber ducky or other trinket that cannot be obtained quickly by would-be gatecrashers.
It should have a hole or other way to attach to the lanyard, otherwise you'll have people losing or "losing" it right and left.
answered Nov 30 at 13:29
alexis
up vote
0
down vote
It actually is not THAT easy to photograph without at least the wearer noticing it if the barcode is sufficiently small (think about the height of 8pt or 6pt lettering...)
Let's assume we are talking handheld mobile phone cameras here, no high-end (dual lens) phones, clip-on teleconverters, professional/enthusiast grade cameras, optical zooms, RAW processing, or tripods involved. Someone affording all that bother can probably afford to pay your tickets.
Let's assume a 12MP phone camera, yielding an effective resolution of 2000 pixels on the longest side of the photo. Not 4000, there will be either aliasing or antialiasing in your way once you try to faithfully reproduce structures smaller than 2 pixels.
In many cases, you can again halve the effective resolution available for exact reproduction due to the image being automatically postprocessed by the phone firmware to correct for lens defects, especially in off-center parts of the image. Pixels get bumped off their raster to do that....
Let's assume a standard phone camera lens, which will be a 24mm or 28mm equivalent wide angle with no optical zoom, so increasing magnification will not give you extra resolution.
If your barcode would need 100 pixels resolution to work, that would mean someone would have to photograph it in a way that it fills 1/20th of the frame, and would have to do so without introducing perspective distortion, shake, other errors...
A 1cm long tiny barcode would merely fill 1/100th of the frame width snapped with a 28mm equivalent lens from a distance of 1 meter.... or 1/50th if somebody came up to someone at half a meter distance, probably getting told off for encroaching.
It actually is not THAT easy to photograph without at least the wearer noticing it if the barcode is sufficiently small (think about the height of 8pt or 6pt lettering...)
Let's assume we are talking handheld mobile phone cameras here, no high-end (dual lens) phones, clip-on teleconverters, professional/enthusiast grade cameras, optical zooms, RAW processing, or tripods involved. Someone affording all that bother can probably afford to pay your tickets.
Let's assume a 12MP phone camera, yielding an effective resolution of 2000 pixels on the longest side of the photo. Not 4000, there will be either aliasing or antialising in your way once you try to faithfully reproduce structures smaller than 2 pixels.
In many cases, you can again halve the effective resolution available for exact reproduction due to the image being automatically postprocessed by the phone firmware to correct for lens defects, especially in off-center parts of the image. Pixels get bumped off their raster to do that....
Let's assume a standard phone camera lens, which will be a 24mm or 28mm equivalent wide angle with no optical zoom, so increasing magnification will not give you extra resolution.
If your barcode would need 100 pixels resolution to work, that would mean someone would have to photograph it in a way that it fills 1/20th of the frame, and would have to do so without introducing perspective distortion, shake, other errors...
A 1cm long tiny barcode would merely fill 1/100th of the frame width snapped with an 28mm equivalent lens from a distance of 1 meter.... or 1/50th if somebody came up to someone at half a meter distance, probably getting told off for encroaching.
answered Nov 30 at 21:18
rackandboneman
protected by schroeder♦ Nov 29 at 15:13
32
I think you are looking at the wrong layer for a solution. Why not use a 2nd factor? Or provide additional authentication token with the badge that is not observable? Like adding a sticker to the back of the card (scan the barcode, then check for the sticker)
– schroeder♦
Nov 28 at 9:31
23
Just putting the barcode on the back of the card might be good enough solution. Also consider, is there a particularly high incentive for people to fake the cards? Does it cause the event a lot of trouble if there are one or two cheaters?
– jpa
Nov 28 at 12:38
40
This question misses too much information, i.e. a better definition of your threat model. In addition to the other comment questions: Is event access also checked with the barcode, i.e. at your outside perimeter? Are people going to leave and re-enter that perimeter? How are the codes going to be distributed to the users - what are the chances of them falling into the wrong hands before the legitimate users present themselves at the event?
– Jan Doggen
Nov 28 at 13:46
14
You should check out DEFCON 16: Toying with Barcodes. Barcodes give very little security. And authentication is not the only problem. Your scanners can be configured via barcodes so someone can fabricate some barcodes to "break" your scanners.
– Bakuriu
Nov 28 at 19:05
12
I agree with @JanDoggen. We need a threat model. If you have ultra-high risk associated with a single mishap, and no budget to actually implement the security procedures, then you need a very sharp focused threat model to focus your efforts. As an example: are the self-verification "what table am I at" as sensitive as the "enter this room" verifications? I assume not, and that helps you focus your dollars on the parts of the threat model which really matter to your client.
– Cort Ammon
Nov 28 at 20:37