Security, Economics, and Lost Conference Badges
Conference badges are an interesting security token. They can be very valuable—a full conference registration at the RSA Conference this week in San Jose, for example, costs $1,985—but their value decays rapidly with time. By tomorrow afternoon, they’ll be worthless.
Counterfeiting badges is one security concern, but an even bigger concern is people losing their badge or having their badge stolen. It’s way cheaper to find or steal someone else’s badge than it is to buy your own. People could do this sort of thing on purpose, pretending to lose their badge and giving it to someone else.
A few years ago, the RSA Conference charged people $100 for a replacement badge, which is far cheaper than a second membership. So the fraud remained. (At least, I assume it did. I don’t know anything about how prevalent this kind of fraud was at RSA.)
Last year, the RSA Conference tried to further limit these types of fraud by putting people’s photographs on their badges. Clever idea, but difficult to implement.
For this to work, though, guards need to match photographs with faces. This means that either 1) you need a lot more guards at entrance points, or 2) the lines will move a lot slower. Actually, far more likely is 3) no one will check the photographs.
And it was an expensive solution for the RSA Conference. They needed the equipment to put the photos on the badges. Registration was much slower. And pro-privacy people objected to the conference keeping their photographs on file.
This year, the RSA Conference solved the problem through economics:
If you lose your badge and/or badge holder, you will be required to purchase a new one for a fee of $1,895.00.
Look how clever this is. Instead of trying to solve this particular badge fraud problem through security, they simply moved the problem from the conference to the attendee. A badge still has that $1,895 value, but now if it's stolen and used by someone else, it's the attendee who's out the money. As far as the RSA Conference is concerned, the security risk is an externality.
Note that from an outside perspective, this isn’t the most efficient way to deal with the security problem. It’s likely that the cost to the RSA Conference for centralized security is less than the aggregate cost of all the individual security measures. But the RSA Conference gets to make the trade-off, so they chose a solution that was cheaper for them.
Of course, it would have been nice if the conference provided a slightly more secure attachment point for the badge holder than a thin strip of plastic. But why should they? It’s not their problem anymore.
Clive Robinson • February 16, 2006 7:43 AM
This is the kind of thing the UK banks used to do.
They gave you an unreliable token (a credit card, etc.) and you had to swallow any false transactions.
Eventually governments passed legislation to stop it, so the banks tried a new tack (Chip-n-Pin) which avoided the legislation (i.e. no signature involved).
I can't see legislation being passed for conference badges or just about any other token system. But even if they did, the companies would just move the goal posts.
I guess all organisations will try to minimise their costs and liabilities for “Share Holder Value”…