SY0-701 | Chapter 100 of 212 | Objective 2.2

Tailgating and Piggybacking

This chapter covers tailgating and piggybacking, two social engineering attacks that exploit physical access controls. These attacks are part of the 'Threats, Vulnerabilities, and Mitigations' domain (Objective 2.2) of the SY0-701 exam. Understanding how these attacks work and the defenses against them is critical for security professionals, as they represent a common path for unauthorized entry into secure facilities. This chapter will define each attack, explain their mechanisms, compare them, and detail prevention strategies including security awareness, access control systems, and policies.

25 min read
Beginner
Updated May 31, 2026

The Concert Crowd and Backstage Pass

Imagine a concert venue with a single employee-only entrance. A security guard checks each person's backstage pass before allowing entry. An attacker (the tailgater) waits until a legitimate employee swipes their pass and enters, then quickly slips in behind them before the door closes. The guard, focused on the legitimate employee, does not notice the intruder. This is tailgating: gaining unauthorized entry by closely following an authorized person without using credentials. In contrast, piggybacking involves the authorized person knowingly allowing the attacker to enter, perhaps because the attacker claims to have forgotten their pass or asks for a favor. The guard may see both people but only verifies one pass. In practice, both are physical security breaches in which an attacker exploits trust or inattention to bypass access controls. The key difference is consent: tailgating is covert, while piggybacking involves deception that obtains the authorized person's unwitting or coerced cooperation.

How It Actually Works

What Are Tailgating and Piggybacking?

Tailgating and piggybacking are social engineering attacks that target physical security controls, specifically at entry points like doors, turnstiles, or gates. Both involve an attacker gaining unauthorized access to a restricted area by following an authorized person. The key distinction lies in the authorized person's awareness and consent.

Tailgating (also called 'piggybacking' in some sources, but SY0-701 differentiates them): The attacker follows closely behind an authorized individual without their knowledge or consent. The authorized person may not even notice the attacker. The attacker exploits the natural courtesy of holding a door open, or the momentum of the door closing slowly, to slip in.

Piggybacking: The attacker gains access with the knowledge and consent of the authorized person, often through deception. For example, the attacker may claim to have forgotten their badge, ask the authorized person to hold the door, or pretend to be a delivery person. The authorized person knowingly allows entry, often due to social pressure or a desire to be helpful.

Both attacks bypass authentication mechanisms (badge readers, PIN pads, biometrics) because the authorized person has already authenticated. The attacker rides on the coattails of that authentication.

How They Work Mechanically

Tailgating Process:

1. Reconnaissance: The attacker observes the target facility, identifying entry points, traffic patterns, and employee behavior. They note times when doors are propped open or when employees are distracted.
2. Approach: The attacker positions themselves near the entry point, often holding an object (phone, coffee, bag) to appear occupied. They wait for an authorized employee to approach and authenticate.
3. Entry: As the employee swipes their badge or enters a PIN and opens the door, the attacker moves quickly to enter immediately behind them. The door may close slowly, allowing the attacker to catch it before it locks.
4. Avoidance of Detection: The attacker blends in by wearing a lanyard (often without a badge), carrying a clipboard, or acting like they belong. They may engage the employee in conversation to distract them.

Piggybacking Process:

1. Setup: The attacker approaches the entry point at the same time as an authorized employee. They may invent a reason to need entry: "I forgot my badge," "I'm a new contractor and my account isn't active yet," or "I'm just here for a meeting."
2. Social Engineering: The attacker uses politeness, urgency, or authority (e.g., wearing a fake uniform) to pressure the employee into granting access. The employee, not wanting to be rude or not suspecting a security threat, holds the door.
3. Entry: The employee authenticates and allows the attacker to enter alongside them. The attacker may thank them and proceed into the facility.
4. Exploitation: Once inside, the attacker can carry out malicious activities: theft, espionage, planting malware via USB drops, or accessing sensitive areas.

Key Components and Variants

- Access Control Systems: Tailgating and piggybacking target the weakest link: human behavior. Even the most sophisticated biometric or card-based system is ineffective if employees do not enforce security.
- Variants:
  - Shoulder Surfing: Observing someone entering a PIN or password, often used in combination with tailgating.
  - Door Propping: An attacker may prop a door open to allow later entry, which is a form of piggybacking if an employee does it unknowingly.
  - Reverse Tailgating: An attacker exits a secure area and allows an unauthorized person to enter through the same door before it closes.
- Standards: Physical security standards like ISO/IEC 27001 and NIST SP 800-53 address tailgating through access control policies, visitor management, and security awareness training.

How Attackers Exploit and Defenders Deploy

Attackers' Perspective:

- Attackers choose tailgating/piggybacking because it is low-tech and exploits human nature. They often target busy periods (lunch, shift changes) when doors are frequently opened.
- They may use props: a fake badge, a clipboard, a uniform (e.g., janitorial, delivery).
- They may collaborate with insiders (piggybacking with consent) or exploit employees who are overly helpful.

Defenders' Perspective:

- Security Awareness Training: Employees must be trained to challenge anyone they do not recognize, to not hold doors for strangers, and to report tailgating attempts. This is the most critical defense.
- Physical Controls:
  - Mantraps: A small room with two interlocking doors. Only one door can open at a time. The person must authenticate in the room before the second door opens. This prevents tailgating because only one person can enter per authentication.
  - Turnstiles and Speed Gates: Mechanical barriers that allow only one person per authentication. They physically prevent multiple people from passing through simultaneously.
  - Security Cameras and Alarms: Cameras at entry points can record tailgating attempts. Alarms can be triggered if a door is held open too long or if two people pass through on a single authentication.
  - Badge Readers with Anti-Passback: Prevent a badge from being used twice in quick succession (e.g., to allow two people through). This is common in high-security areas.
  - Visitor Management Systems: Require visitors to sign in, wear visible badges, and be escorted. This reduces the risk of piggybacking by strangers.
- Policies: Clear policies on tailgating, including consequences for violations, and procedures for reporting suspicious behavior.

Real Command/Tool Examples

While tailgating is physical, security tools can detect and respond to it:

- Video Management Systems (VMS): Software like Milestone or Hikvision can be configured to analyze video for people counting. If the count of people entering exceeds the number of badge swipes, an alert is generated.
- Access Control Systems (ACS): Systems like Lenel or Software House can enforce anti-passback rules. For example, if a badge is used to enter a door but not to exit, the system can deny re-entry.
- SIEM Integration: Logs from the ACS can be sent to a SIEM (e.g., Splunk, ArcSight) to correlate physical access anomalies with other security events.

Example ACS Log Entry (tailgating event):

2025-03-15 08:45:23 | Door 2B | Access Granted | User: John.Doe | Badge: 12345
2025-03-15 08:45:25 | Door 2B | Forced Open Alarm | No badge swipe detected

This log shows that a door was forced open immediately after a legitimate access, indicating a possible tailgating attempt.
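The two detections described in this section (a forced-open alarm right after a grant, and a video people count that exceeds the badge swipes) can be expressed as a small correlation script. The following is an added example written for this page, not output from any vendor's VMS, ACS or SIEM. It parses the pipe-separated ACS log format shown above; the extra log lines, the door names, the badge numbers and the PEOPLE_COUNTS feed are constructed sample data, and the time windows are assumptions you would tune to your door-closer timing.

```python
"""Correlate ACS log lines with a video people-count feed to flag possible tailgating.

Added example for this chapter; the log layout follows the sample entry above,
the people-count feed is a constructed stand-in for a VMS analytics export.
"""
from datetime import datetime, timedelta

# Constructed sample ACS log in the "timestamp | door | event | detail" layout.
# The first two lines mirror the page's example; the remaining lines are made up.
ACS_LOG = """\
2025-03-15 08:45:23 | Door 2B | Access Granted | User: John.Doe | Badge: 12345
2025-03-15 08:45:25 | Door 2B | Forced Open Alarm | No badge swipe detected
2025-03-15 08:50:01 | Door 2B | Access Granted | User: Jane.Roe | Badge: 23456
2025-03-15 09:10:40 | Door 1A | Access Granted | User: Sam.Poe | Badge: 34567
2025-03-15 09:15:02 | Door 1A | Forced Open Alarm | No badge swipe detected
"""

# Constructed video-analytics feed: (timestamp, door, people seen entering).
PEOPLE_COUNTS = [
    ("2025-03-15 08:45:24", "Door 2B", 2),
    ("2025-03-15 08:50:02", "Door 2B", 1),
    ("2025-03-15 09:10:41", "Door 1A", 1),
]

FMT = "%Y-%m-%d %H:%M:%S"


def parse_acs(text):
    """Return (time, door, event, detail) tuples from raw ACS log lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split("|")]
        ts, door, event = fields[0], fields[1], fields[2]
        detail = " | ".join(fields[3:])
        events.append((datetime.strptime(ts, FMT), door, event, detail))
    return events


def forced_open_after_grant(events, window_seconds=10):
    """Flag a 'Forced Open Alarm' that follows an 'Access Granted' at the same door
    within window_seconds: the pattern the page describes as a likely tailgate.
    Returns (door, grant time, grant detail) for each hit."""
    findings = []
    grants = [e for e in events if e[2] == "Access Granted"]
    for ts, door, event, _ in events:
        if event != "Forced Open Alarm":
            continue
        for g_ts, g_door, _, g_detail in grants:
            if g_door == door and timedelta(0) <= ts - g_ts <= timedelta(seconds=window_seconds):
                findings.append((door, g_ts.strftime(FMT), g_detail))
    return findings


def people_count_mismatch(events, counts, window_seconds=5):
    """Flag a video people count larger than the number of badge grants at that door
    within +/- window_seconds: more bodies through the door than swipes.
    Returns (door, count time, people, swipes) for each hit."""
    findings = []
    for ts_str, door, n_people in counts:
        ts = datetime.strptime(ts_str, FMT)
        swipes = sum(
            1 for e_ts, e_door, event, _ in events
            if e_door == door and event == "Access Granted"
            and abs((e_ts - ts).total_seconds()) <= window_seconds
        )
        if n_people > swipes:
            findings.append((door, ts_str, n_people, swipes))
    return findings


if __name__ == "__main__":
    evts = parse_acs(ACS_LOG)
    for hit in forced_open_after_grant(evts):
        print("forced-open after grant:", hit)
    for hit in people_count_mismatch(evts, PEOPLE_COUNTS):
        print("people count exceeds swipes:", hit)
```

Only Door 2B is flagged by both rules; the Door 1A forced-open alarm is several minutes after the last grant, so it stays out of the tailgating window and should be triaged as a different event (a propped or malfunctioning door). In a real deployment the same two functions would sit behind a SIEM correlation rule, with the ACS and VMS feeds joined on door name and clock, which is why time synchronisation between the two systems matters.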

Security Awareness Training Example:

- Role-playing scenarios where employees practice challenging a tailgater.
- Posters and emails reinforcing the policy: "Don't hold the door for strangers."
- Regular phishing-style tests where an actor attempts to tailgate and employees are evaluated on their response.

Walk-Through

1. Reconnaissance and Target Selection

The attacker identifies a target facility with physical access controls such as badge readers or turnstiles. They observe entry points, employee traffic patterns, and peak hours. They note which doors are often propped open or have slow-closing mechanisms. They also look for employees who seem distracted or overly helpful. This step may involve physical surveillance or even social media research to identify employees' routines.

2. Approach and Positioning

The attacker positions themselves near the entry point, often holding an item (phone, coffee, bag) to appear occupied and non-threatening. They wait for an authorized employee to approach the door. The attacker times their movement so that they arrive at the door just as the employee is authenticating. They may also engage the employee in conversation to create a distraction or build rapport.

3. Gaining Entry via Tailgating or Piggybacking

For tailgating, the attacker slips through the door immediately behind the employee without the employee's knowledge. They may use a hand or foot to prevent the door from closing. For piggybacking, the attacker asks the employee to hold the door, often with a fabricated excuse like forgetting their badge. The employee, not wanting to be rude, complies. The attacker enters the restricted area without authenticating.

4. Blending In and Moving Within the Facility

Once inside, the attacker acts as if they belong. They may wear a lanyard (possibly fake), carry a clipboard, or walk with purpose. They avoid eye contact with security personnel. They may follow employees to find target areas such as server rooms, executive offices, or data centers. The attacker may also prop open secondary doors to facilitate escape or further entry.

5. Executing the Malicious Objective and Exfiltration

The attacker carries out their primary goal: stealing equipment, planting a listening device, installing malware via a USB drop, or copying sensitive documents. After completing the objective, they exit through a less secure route, such as an emergency exit (which may trigger an alarm) or by blending in with a departing crowd. They may also use a different tailgating victim to exit.

What This Looks Like on the Job

Scenario 1: Data Center Breach via Tailgating

A penetration tester is hired to assess the physical security of a corporate data center. The facility uses a badge reader at the main entrance. The tester observes that during lunch hours, employees often hold the door for each other. The tester approaches the door at 12:30 PM, carrying a pizza box. An employee swipes their badge and opens the door; the tester says, "Thanks, I'm with the delivery," and walks in behind the employee. The employee does not challenge them. Once inside, the tester accesses an unlocked server room and plants a USB device that simulates malware. The tester later reports the vulnerability.

What the SOC/Engineer Would See: The access control logs show a single badge swipe at 12:31 PM but video footage reveals two people entering. The SIEM might generate an alert if configured for people counting. The correct response is to review video, identify the unauthorized person, and retrain employees on tailgating prevention. A common mistake is to ignore the alert, assuming it's a false positive from the video analytics.

Scenario 2: Office Building Piggybacking via Social Engineering

An attacker poses as a new employee who has 'forgotten' their badge. They approach an employee at the entrance and say, "I'm new and my badge isn't working. Could you let me in?" The employee, wanting to be helpful, swipes their badge and holds the door. The attacker thanks them and proceeds to the IT department, where they attempt to access a manager's computer left unlocked. The attacker copies sensitive HR files to a USB drive.

What the SOC/Engineer Would See: No alarms or logs indicate unauthorized entry because the attacker piggybacked on a legitimate authentication. The breach is only discovered later when the HR files are leaked. The correct response is to implement a visitor management policy requiring all visitors to sign in and be escorted. A common mistake is to rely solely on access control logs without video verification.

Scenario 3: Tailgating Through a Mantrap Failure

A company installs a mantrap to prevent tailgating. However, employees frequently prop open the outer door while waiting for the inner door to unlock, negating the security. An attacker exploits this by waiting until an employee props the outer door, then enters the mantrap with them. The inner door opens for the employee, and the attacker follows them into the secure area.

What the SOC/Engineer Would See: The mantrap logs show two people entering the mantrap but only one badge swipe. An alarm should have triggered if the system detects two people, but due to misconfiguration, it does not. The correct response is to reconfigure the mantrap to require both doors to be closed and locked before the inner door opens, and to train employees not to prop doors. A common mistake is to assume the mantrap is infallible without testing its logic.
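Scenario 3 comes down to interlock logic: the inner door should only be considered when the outer door is closed and locked and the vestibule holds exactly one person for the one authentication. The following is an added example written for this chapter (not the logic of any real mantrap controller) that models the two-door interlock as a small state machine. The occupancy sensor, door names and the `strict` switch are assumptions; `strict=False` reproduces the misconfiguration in the scenario, and `strict=True` is the corrected rule the text recommends.

```python
"""Two-door interlock (mantrap / access control vestibule) modelled as a state machine.

Added example for this chapter. The occupancy sensor is a constructed stand-in
for a weight mat or overhead camera; `strict` selects the interlock rule.
"""


class Mantrap:
    def __init__(self, strict=True):
        self.strict = strict          # False: Scenario 3's misconfiguration
        self.outer_closed = True
        self.inner_closed = True
        self.occupants = 0            # from the constructed occupancy sensor
        self.authenticated = False
        self.alarms = []              # messages a SOC would see from the controller

    def open_outer(self, people_entering):
        """Outer door may only open while the inner door is closed (basic interlock)."""
        if not self.inner_closed:
            self.alarms.append("inner door open: outer door held locked")
            return False
        self.outer_closed = False
        self.occupants += people_entering
        return True

    def close_outer(self):
        self.outer_closed = True

    def authenticate(self, badge_ok):
        """Badge or PIN check performed inside the vestibule."""
        self.authenticated = badge_ok

    def request_inner(self):
        """Decide whether the inner door may unlock. Strict mode adds the two checks
        the page says the misconfigured mantrap lacked: outer door closed, one occupant."""
        if self.strict and not self.outer_closed:
            self.alarms.append("outer door propped: inner door held locked")
            return False
        if self.strict and self.occupants != 1:
            self.alarms.append(f"occupancy {self.occupants} != 1 for a single authentication")
            return False
        if not self.authenticated:
            return False
        self.inner_closed = False
        return True


def scenario3(strict):
    """Employee props the outer door, attacker steps in alongside, employee badges.
    Returns (inner door opened?, alarms raised)."""
    trap = Mantrap(strict=strict)
    trap.open_outer(people_entering=2)
    trap.authenticate(True)
    opened = trap.request_inner()
    return opened, trap.alarms


def normal_flow():
    """One person, outer door closed before badging: the inner door should open."""
    trap = Mantrap(strict=True)
    trap.open_outer(people_entering=1)
    trap.close_outer()
    trap.authenticate(True)
    return trap.request_inner()


if __name__ == "__main__":
    print("misconfigured:", scenario3(strict=False))   # inner opens for both people
    print("corrected:    ", scenario3(strict=True))    # denied, alarm raised
    print("single person:", normal_flow())
```

The lesson for testing a mantrap is to exercise exactly these paths: a propped outer door, two occupants on one swipe, and the happy path, and to confirm that the first two produce a denial and an alarm in the ACS log rather than trusting the vendor's defaults.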

How SY0-701 Actually Tests This

Exactly What SY0-701 Tests on This Objective

Objective 2.2 focuses on 'Social Engineering' techniques, including tailgating and piggybacking. The exam expects you to:

- Define and differentiate tailgating vs. piggybacking. The key distinction is consent: tailgating is without the authorized person's knowledge; piggybacking is with their consent (often obtained through deception).
- Identify prevention methods: mantraps, turnstiles, security awareness training, access control policies (anti-passback), and visitor management.
- Recognize scenarios: You will be given a description of an attack and asked to identify it as tailgating or piggybacking, or to choose the best mitigation.

Common Wrong Answers and Why

1. Choosing 'shoulder surfing' instead of tailgating: Shoulder surfing is observing someone entering a PIN or password, not following them through a door. Candidates confuse the two because both involve proximity to an authorized person. Trap: If the scenario mentions 'watching someone type a code,' it's shoulder surfing; if it mentions 'following closely behind,' it's tailgating.

2. Choosing 'phishing' instead of piggybacking: Phishing is a digital social engineering attack via email. Candidates may pick it because both involve deception. Trap: The scenario will clearly describe a physical entry, not an email.

3. Selecting 'biometric authentication' as a mitigation for tailgating: Biometrics verify identity, but they do not prevent multiple people from entering after a single authentication. Trap: The question asks for the *best* mitigation, which is a mantrap or security awareness training.

4. Confusing tailgating with 'dumpster diving': Both are physical attacks, but dumpster diving involves searching trash for information, not following someone through a door.

Specific Terms and Values

Mantrap: A small room with two interlocking doors; only one door can open at a time. This is the most effective physical control against tailgating.

Turnstile: A gate that allows one person to pass per authentication.

Anti-passback: A feature that prevents a badge from being used to enter twice without an intermediate exit.

Social engineering: The psychological manipulation of people into divulging confidential information or performing actions.

Common Trick Questions

Trick: A question describes a scenario where an attacker asks an employee to hold the door because they 'forgot their badge.' The answer choices include 'tailgating' and 'piggybacking.' The correct answer is piggybacking because the employee knowingly allowed entry. Many candidates incorrectly choose tailgating because they focus on the attacker's deception rather than the employee's consent.

Trick: A question asks for the 'best defense' against tailgating. Options include 'security guards,' 'CCTV,' 'mantrap,' and 'badge readers.' The best answer is mantrap because it physically prevents multiple entries. CCTV only records, it does not prevent.

Decision Rule for Eliminating Wrong Answers

On scenario questions, first determine if the attack is physical or digital. If physical, ask: Did the authorized person know they were letting the attacker in? If yes → piggybacking; if no → tailgating. Then, for mitigations, look for physical controls like mantrap or turnstile, not just procedural ones like training (though training is also correct in some questions). Eliminate answers that are digital attacks (phishing, vishing) or unrelated physical attacks (dumpster diving, shoulder surfing).

Key Takeaways

Tailgating: unauthorized entry without the authorized person's knowledge; piggybacking: with their consent through deception.

Mantrap is the most effective physical control against tailgating; it uses two interlocking doors.

Turnstiles and speed gates enforce one-person-per-authentication.

Anti-passback prevents a badge from being used twice consecutively without an exit.

Security awareness training is essential but must be combined with physical controls.

SY0-701 expects you to differentiate tailgating vs. piggybacking in scenario questions.

Common wrong answer: confusing tailgating with shoulder surfing (watching someone type a PIN).

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Tailgating:

- Authorized person is unaware of the attacker's entry
- Attacker follows closely behind without consent
- Often occurs when the door closes slowly or is held open by inertia
- Relies on speed and stealth
- Mitigated by mantraps, turnstiles, and anti-passback

Piggybacking:

- Authorized person knowingly allows entry
- Attacker uses deception to gain consent (e.g., 'I forgot my badge')
- Often involves social engineering (politeness, urgency, authority)
- Relies on manipulation of human psychology
- Mitigated by security awareness training, visitor management, and policies

Watch Out for These

Mistake

Tailgating and piggybacking are the same thing.

Correct

They differ in the authorized person's awareness and consent. Tailgating occurs without the authorized person's knowledge; piggybacking involves the authorized person knowingly allowing entry, often due to social engineering.

Mistake

A strong password or biometric system prevents tailgating.

Correct

Authentication systems verify identity but do not prevent multiple people from entering after a single authentication. Tailgating bypasses authentication by riding on a legitimate user's credentials.

Mistake

Security awareness training alone is sufficient to stop tailgating.

Correct

While training is critical, it is not 100% effective due to human error. Physical controls like mantraps and turnstiles provide a layered defense that works even if an employee forgets to challenge a tailgater.

Mistake

Tailgating only happens at main entrances.

Correct

Tailgating can occur at any secured door, including side entrances, loading docks, and emergency exits. Attackers often target less-trafficked doors where employees may be less vigilant.

Mistake

CCTV cameras prevent tailgating.

Correct

CCTV is a detective control, not a preventive one. It records incidents for later review but does not stop an attacker from entering. Prevention requires physical barriers or active intervention.

Frequently Asked Questions

What is the difference between tailgating and piggybacking on the SY0-701 exam?

Tailgating is when an unauthorized person follows an authorized person into a restricted area without the authorized person's knowledge or consent. Piggybacking occurs when the authorized person knowingly allows the unauthorized person to enter, often because the attacker uses social engineering (e.g., claiming to have forgotten their badge). The exam tests this distinction. For example, if an attacker says 'Can you hold the door? I forgot my badge' and the employee lets them in, that's piggybacking. If the attacker simply slips in behind the employee unnoticed, that's tailgating.

What is the best physical control to prevent tailgating?

A mantrap is the most effective physical control. It consists of a small room with two interlocking doors. Only one door can be opened at a time. The person must authenticate inside the room before the second door unlocks. This ensures that only one person can enter per authentication, making tailgating virtually impossible. Other controls include turnstiles, speed gates, and anti-passback features on badge readers.

Can tailgating be detected by access control logs?

Partially. Access control logs record badge swipes and door events. A tailgating event may appear as a 'forced open' alarm if the door is held open too long or if two people pass through a single swipe. However, if the door closes normally, the logs may not show an anomaly. Video surveillance is often needed to confirm tailgating. Advanced systems with people counting can generate alerts when the number of people entering exceeds the number of swipes.

Why is security awareness training important for preventing piggybacking?

Piggybacking exploits human psychology—employees' desire to be helpful or avoid confrontation. Training teaches employees to politely refuse to hold doors for strangers, to verify identity, and to report suspicious behavior. It also covers policies like requiring visitors to sign in and be escorted. Without training, even the best physical controls can be bypassed by a persuasive attacker.

What is anti-passback and how does it prevent tailgating?

Anti-passback is an access control feature that prevents a badge from being used to re-enter a secured area without first exiting. For example, if an employee uses their badge to enter a building, they cannot use the same badge to allow someone else in by swiping twice. The system requires an exit swipe before another entry is allowed. This prevents an attacker from using a stolen badge or from piggybacking by having the employee swipe twice.
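The anti-passback rule described here, and in the Specific Terms section above, is a per-badge location state: a badge the system believes is already inside cannot be granted entry again until it has been seen at an exit reader. The following is an added example written for this chapter, not code from any ACS vendor. It models both the "hard" mode (the second swipe is refused) and the "soft" mode many systems also offer (the swipe is granted but a violation is logged); the badge number and the two-mode design are assumptions, and the double-swipe sequence is the one the answer above describes.

```python
"""Hard and soft anti-passback for a single secured boundary.

Added example for this chapter; badge IDs are constructed and the two-mode
behaviour is an assumption about how a typical ACS presents the feature.
"""
from enum import Enum


class Side(Enum):
    OUTSIDE = "outside"
    INSIDE = "inside"


class AntiPassback:
    def __init__(self, hard=True):
        self.hard = hard          # True: deny the violating swipe; False: grant and log
        self.location = {}        # badge -> Side the system last saw it on
        self.audit = []           # (badge, action, decision) lines for the ACS log / SIEM

    def _decide(self, badge, action, violation):
        if violation and self.hard:
            self.audit.append((badge, action, "denied: anti-passback violation"))
            return False
        if violation:
            self.audit.append((badge, action, "granted, anti-passback violation logged"))
        else:
            self.audit.append((badge, action, "granted"))
        return True

    def entry(self, badge):
        """Entry reader: a badge already recorded as inside has no exit on record."""
        violation = self.location.get(badge, Side.OUTSIDE) is Side.INSIDE
        allowed = self._decide(badge, "entry", violation)
        if allowed:
            self.location[badge] = Side.INSIDE
        return allowed

    def exit(self, badge):
        """Exit reader: a badge recorded as outside has no entry on record."""
        violation = self.location.get(badge, Side.OUTSIDE) is Side.OUTSIDE
        allowed = self._decide(badge, "exit", violation)
        if allowed:
            self.location[badge] = Side.OUTSIDE
        return allowed


def double_swipe_sequence(hard=True):
    """Employee swipes once for themselves, then again to let a second person in,
    then exits, then re-enters. Returns (decisions, number of violations logged)."""
    acs = AntiPassback(hard=hard)
    decisions = [
        acs.entry("12345"),   # legitimate entry
        acs.entry("12345"),   # second swipe with no exit in between
        acs.exit("12345"),    # leaves through an exit reader
        acs.entry("12345"),   # re-entry is fine again
    ]
    violations = sum(1 for _, _, decision in acs.audit if "violation" in decision)
    return decisions, violations


if __name__ == "__main__":
    print("hard:", double_swipe_sequence(hard=True))    # ([True, False, True, True], 1)
    print("soft:", double_swipe_sequence(hard=False))   # ([True, True, True, True], 1)
```

Note what anti-passback does and does not do: it blocks the double-swipe trick and flags a badge that appears inside twice, but it cannot see a second person who walks through on the first, perfectly valid swipe. That gap is why the page pairs it with a mantrap or turnstile, and why the soft-mode audit line is worth forwarding to the SIEM even when access is granted.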

Is tailgating considered a social engineering attack?

Yes, tailgating is a form of social engineering because it exploits human behavior and trust. The attacker relies on the authorized person's inattention, courtesy, or desire to avoid conflict. While piggybacking is more explicitly social engineering (using deception to gain consent), tailgating also involves manipulating the social norm of holding doors open. Both are covered under social engineering in the SY0-701 objectives.

What should I do if I suspect someone is tailgating me?

Do not enter the secure area. Politely ask the person to show their badge or verify their identity with security. If they cannot, report them to security immediately. If you have already entered, do not confront them; instead, report the incident to security as soon as possible. In a corporate environment, follow your organization's tailgating policy, which typically includes challenging unknown individuals and reporting incidents.
