
Insider Threat Matrix™

  • ID: PR027.004
  • Created: 07th May 2025
  • Updated: 07th May 2025
  • Contributor: The ITM Team

Cloning or Forging ID Cards for Physical Access

The subject obtains, clones, fabricates, or otherwise manipulates physical access credentials—such as RFID cards, NFC badges, magnetic stripes, or printed ID cards—to gain unauthorized access to secure areas. This behavior typically occurs during early-stage preparation for insider activity and enables covert physical entry without triggering standard identity-based access controls.

Badge cloning can be performed using low-cost, widely available tools that can read and emulate access credentials. Forged ID cards are often visually convincing and used to bypass casual visual verification by staff or security personnel.

Example Scenarios:

  • A subject uses a Flipper Zero device to clone the 125kHz RFID signal of a coworker's legacy access badge and uses it after hours to enter the data center undetected.
  • A forged ID badge created with a common card printer and online templates is worn by a co-conspirator to impersonate an IT contractor and access a locked communications room.
  • The subject photographs a single-use QR visitor code from a printed pass and shares it with an external party, who uses it to enter the premises before expiration.
  • A magnetic stripe card is skimmed using a USB swipe reader and rewritten onto a blank hotel-style access card.
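The scenarios above leave traces in door-controller logs that can be reviewed alongside CCTV. The following is an added example, not part of the Insider Threat Matrix entry: it flags after-hours entries, a credential entering a door it is already recorded as inside, and reuse of a single-use visitor code. The log format, field names, credential IDs and working hours are assumptions, and the sample events are constructed.

```python
from datetime import datetime, time

# Constructed sample events: timestamp, credential id, credential type, reader, direction
SAMPLE_LOG = """\
2025-05-06T08:55:10,BADGE-1001,employee,lobby,in
2025-05-06T17:32:41,BADGE-1001,employee,lobby,out
2025-05-06T23:14:02,BADGE-1001,employee,datacenter,in
2025-05-07T09:01:15,BADGE-2002,employee,lobby,in
2025-05-07T09:40:53,BADGE-2002,employee,lobby,in
2025-05-07T10:05:00,VISIT-77,visitor,lobby,in
2025-05-07T10:20:30,VISIT-77,visitor,lobby,in
"""

WORK_START, WORK_END = time(7, 0), time(19, 0)  # assumed site working hours

def parse(log_text):
    """Yield (timestamp, credential, kind, reader, direction) per log line."""
    for line in log_text.strip().splitlines():
        ts, cred, kind, reader, direction = line.split(",")
        yield datetime.fromisoformat(ts), cred, kind, reader, direction

def find_anomalies(log_text):
    """Return (rule, credential, timestamp) tuples for events worth review."""
    findings = []
    inside = set()        # (credential, reader) pairs currently badged in
    used_visitor = set()  # single-use visitor codes already redeemed
    for ts, cred, kind, reader, direction in sorted(parse(log_text)):
        if direction == "out":
            inside.discard((cred, reader))
            continue
        if kind == "visitor":
            # A single-use code presented a second time suggests it was copied.
            if cred in used_visitor:
                findings.append(("visitor-code-reuse", cred, ts))
            used_visitor.add(cred)
            continue
        if not (WORK_START <= ts.time() <= WORK_END):
            findings.append(("after-hours-entry", cred, ts))
        # Two entries with no exit in between: two copies of one credential.
        if (cred, reader) in inside:
            findings.append(("entry-while-inside", cred, ts))
        inside.add((cred, reader))
    return findings

if __name__ == "__main__":
    for rule, cred, ts in find_anomalies(SAMPLE_LOG):
        print(f"{ts.isoformat()}  {rule:20}  {cred}")
```

Each finding is a lead for review against CCTV footage and the badge holder's known schedule, not proof of cloning; tailgating on exit also produces entry-while-inside hits.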

Prevention

ID Name Description
PV023 Access Reviews

Routine reviews of user accounts and their associated privileges and permissions should be conducted to identify overly-permissive accounts, or accounts that are no longer required to be active.

PV039 Employee Mental Health & Support Program

Offering mental health support and conflict resolution programs to help employees identify and report manipulative behavior in the workplace.

PV042 Employee Vulnerability Support Program

A structured program, including a helpline or other reporting mechanism, designed to assist employees who feel vulnerable, whether due to personal issues, coercion, or extortion. This process allows employees to confidentially raise concerns with trusted teams, such as Human Resources or other qualified professionals. In some cases, it may be appropriate to discreetly share this information with trusted individuals within the Insider Risk Management Program to help prevent and detect insider threats while also providing necessary support to the employee.

PV012 End-User Security Awareness Training

Mandatory security awareness training for employees can help them to recognize a range of cyber attacks that they can play a part in preventing or detecting. This can include topics such as phishing, social engineering, and data classification, amongst others.

PV053 Government-Issued ID Verification

An individual may be required to present and verify valid government-issued identification prior to their association with the organization. This process serves as a foundational identity assurance mechanism, ensuring that the subject is who they claim to be and enabling further vetting procedures to be accurately applied.

Verification of official identification—such as passports, national ID cards, or driver’s licenses—supports compliance with legal, regulatory, and internal requirements related to employment eligibility, right-to-work verification, security clearance eligibility, and access provisioning. It also helps establish a verifiable link between the individual and other background screening measures, including criminal record checks, reference verification, and credential validation.

In the context of insider threat prevention, government-issued ID verification helps prevent identity fraud and the onboarding of individuals using false or stolen identities to gain unauthorized access to sensitive roles, environments, or data. This is particularly critical in sectors handling classified information, critical infrastructure, or financial assets, where subjects may otherwise attempt to obscure prior conduct or affiliations.

Organizations may perform this verification in-house using secure document validation systems or biometric identity matching, or they may rely on trusted third-party identity verification providers offering digital identity assurance services. As part of a multi-layered personnel screening framework, this control helps reduce the risk of malicious insiders gaining a foothold under false pretenses.

PV038 Insider Threat Awareness Training

Training should equip employees to recognize manipulation tactics, such as social engineering and extortion, that are used to coerce actions and behaviors harmful to the individual and/or the organization. The training should also encourage and guide participants on how to safely report any instances of coercion.

PV009 Prohibition of Devices On-site

Certain infringements can be prevented by prohibiting certain devices from being brought on-site.

Detection

ID Name Description
DT033 Closed-Circuit Television

CCTV can be used to observe activity within or around a site. This control can help to detect preparation or infringement activities and record them to a video file.

DT103 Photographic Identification Comparison

During the recruitment or onboarding process, the individual’s appearance in in-person or online interviews should be compared with their government-issued photographic identification, which must match the details provided by the applicant before the interview. This helps detect potential fraudulent discrepancies and reduces the risk of one person attending the interview while another carries out the work for the organization.