Piggybacking (security)
Gaining entry by following another person
From Wikipedia, the free encyclopedia
In security, piggybacking, similar to tailgating, refers to when a person tags along with another person who is authorized to gain entry into a restricted area, or pass a certain checkpoint.[1] It can be either electronic or physical.[2] The act may be legal or illegal, authorized or unauthorized, depending on the circumstances. However, the term more often has the connotation of being an illegal or unauthorized act.[1]

To describe the act of an unauthorized person who follows someone to a restricted area without the consent of the authorized person, the term tailgating is also used. "Tailgating" implies no consent (similar to a car tailgating another vehicle on a road), while "piggybacking" usually implies consent of the authorized person, similar to a person giving another person a piggyback on their shoulders.[3]
Piggybacking came to the public's attention particularly in 1999, when a series of weaknesses were exposed in airport security. A study showed that the majority of undercover agents attempting to pass through checkpoints, bring banned items on planes, or board planes without tickets were successful. Piggybacking was revealed as one of the methods that were used in order to enter off-limits areas.[4]
Methods
Electronic piggybacking is a common practice typically facilitated through account sharing, where authorized users share login details with others, allowing individuals to access services or subscriptions without the cost of purchasing them themselves.[5] Another common form is credit card piggybacking, in which card holders authorize others (particularly their children), allowing them to use the account's seasoned tradeline to jumpstart or increase their own credit score.[6] Many companies branding themselves as "credit repair" or "credit rental" firms have appeared since 2007, in which contracted card holders authorize clients in exchange for service fees, typically without sharing account details or the physical card itself.[7] In cybersecurity, phishing attacks are a form of tailgating, where attackers, masquerading as legitimate services or system administrators, mislead victims into sharing credentials in order to gain unauthorized access to accounts or systems.[8]
In physical contexts, piggybacking is commonly enabled through the exploitation of social norms, such as an employee politely holding the door open for an attacker who is holding a large package and is dressed in a reflective work vest.[9]
Prevention
Many security devices were introduced in an attempt to stop forms of piggybacking, including automatic turnstiles and speed gates. Such devices rely on magstripes, infrared, or lidar detection systems to discourage unauthorized access.[10]
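One way to act on the sensor data such devices produce, as an added example that is not part of the original article: correlate accepted credential reads with infrared passage counts at a door and flag any passage that has no read of its own. The event format, badge identifiers, five-second window and one-passage-per-read policy are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events for one door (format is an assumption):
# (ISO timestamp, event type, detail). "badge" = credential read accepted,
# "pass" = infrared beam reports one person crossing the threshold.
SAMPLE_EVENTS = [
    ("2024-03-04T08:59:58", "badge", "emp-1041"),
    ("2024-03-04T09:00:01", "pass", ""),
    ("2024-03-04T09:00:03", "pass", ""),      # second body on one badge read
    ("2024-03-04T09:05:10", "badge", "emp-2210"),
    ("2024-03-04T09:05:12", "pass", ""),
    ("2024-03-04T09:07:30", "pass", ""),      # passage with no badge read at all
    ("2024-03-04T09:10:00", "badge", "emp-3302"),  # badge read, nobody entered
    ("2024-03-04T09:12:00", "badge", "emp-1041"),
    ("2024-03-04T09:12:02", "pass", ""),
]

def find_unmatched_passages(events, window_seconds=5):
    """Return alerts for passages not covered by their own credential read.

    Assumed policy: each accepted badge read grants exactly one passage,
    valid for window_seconds. A passage that finds no unused grant is
    flagged, along with the badge holder who opened the door just before
    it (None if nobody badged within the window).
    """
    window = timedelta(seconds=window_seconds)
    grant = None          # (timestamp, badge_id) not yet consumed
    last_badge = None     # most recent (timestamp, badge_id), consumed or not
    alerts = []
    for ts_text, kind, detail in sorted(events):
        ts = datetime.fromisoformat(ts_text)
        if kind == "badge":
            grant = last_badge = (ts, detail)
        elif kind == "pass":
            if grant and ts - grant[0] <= window:
                grant = None  # authorized passage consumes the grant
                continue
            # No valid grant: name the previous badge holder only if that
            # person opened the door within the window.
            followed = None
            if last_badge and ts - last_badge[0] <= window:
                followed = last_badge[1]
            alerts.append({"time": ts_text, "followed_badge": followed})
    return alerts

if __name__ == "__main__":
    for alert in find_unmatched_passages(SAMPLE_EVENTS):
        print(alert)
```

An alert that names a badge points to someone following an authorized person through the door; an alert with no badge points to a passage with no credential read nearby, such as a door held or propped open.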
In 2022, Netflix prohibited account piggybacking in its terms of service after allegedly losing US$1.8 billion in possible revenue annually.[11] Subsequently, companies such as Facebook,[12] Hulu,[13] and Disney+[14] followed suit and banned piggybacking throughout 2023.