Misstep 18: Wearing your Password

Employee wears name tag with barcode visible

This photograph looks like a typical retail checkout counter, albeit blurry and pixelated. I stopped in here recently and realized that the employees were all wearing name tags that also had a bar code visible (it appeared to be PDF417-formatted).

Uses for Bar Codes in Retail

Aside from the occasional terrible gas station that relies on scanning IDs, most retail establishments rely on the good ol' Gilbarco key system (managers have different keys than cashiers, so they can override purchases and voids), or they may have mag-stripe or bar code-based systems that allow employees to scan a badge to quickly authorize a price override or similar.

The Misstep

Wearing any sort of authentication that has visual features (such as a bar code) is the same as wearing a name tag with your PIN or password below it. A simple photograph makes duplication trivial. Furthermore, wearing a bar code introduces parity (built-in error checking), making a clone much more likely to function since the data is verifiable.

This is also similar to wearing your keys on a neck lanyard, since doing so makes copying the bitting easy.

The Solution?

Place these authentication values somewhere else. Don't put them on the back of the name tag, because that can move around and become visible. Multifactor authentication can work here too. If an employee scans or swipes an authentication piece, require them to also enter a PIN/password. This ensures lost or forged badges cannot be used to trick your PoS system.
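The badge-plus-PIN check described above, as an added example that is not part of the original post: a hypothetical PoS override routine in which the scanned badge value only identifies the employee and a salted, hashed PIN authenticates them. The class name, badge ID format, lockout threshold and PBKDF2 work factor are assumptions; the lockout is included because a short PIN is guessable once a badge has been copied.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 5          # assumed lockout threshold (not from the post)
PBKDF2_ROUNDS = 100_000   # assumed work factor

def hash_pin(pin: str, salt: bytes) -> bytes:
    """Derive a salted hash so PINs are never stored in the clear."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)

class OverrideAuthorizer:
    """Hypothetical PoS check: the badge identifies, the PIN authenticates."""

    def __init__(self):
        self._staff = {}  # badge_id -> {"salt", "pin_hash", "failures"}

    def enroll(self, badge_id: str, pin: str) -> None:
        salt = os.urandom(16)
        self._staff[badge_id] = {
            "salt": salt, "pin_hash": hash_pin(pin, salt), "failures": 0}

    def authorize(self, badge_id: str, pin: str) -> str:
        rec = self._staff.get(badge_id)
        if rec is None:
            return "denied"          # unknown badge value
        if rec["failures"] >= MAX_FAILURES:
            return "locked"          # needs a manager reset; badge may be cloned
        # Constant-time comparison of the derived hashes.
        if hmac.compare_digest(hash_pin(pin, rec["salt"]), rec["pin_hash"]):
            rec["failures"] = 0
            return "approved"
        rec["failures"] += 1
        return "locked" if rec["failures"] >= MAX_FAILURES else "denied"

def demo():
    pos = OverrideAuthorizer()
    pos.enroll("MGR-0001", "4821")   # constructed sample badge value and PIN
    results = [pos.authorize("MGR-0001", "4821")]        # real badge, real PIN
    # A copied badge presented with wrong PINs: denied, then locked out.
    results += [pos.authorize("MGR-0001", "0000") for _ in range(5)]
    results.append(pos.authorize("MGR-0001", "4821"))    # stays locked until reset
    return results

if __name__ == "__main__":
    print(demo())
```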

About Author

Robert Lerner

