Physical Attacks: Tailgating, Shoulder Surfing, Card Cloning | AP Cybersecurity

Unit 2 • Topic 2.2 • Physical Vulnerabilities and Attacks

Physical Security Attacks: Tailgating, Shoulder Surfing & More

Many attacks skip digital defenses entirely by exploiting physical access. Topic 2.2 covers tailgating, shoulder surfing, dumpster diving, and card cloning, plus why physical access to a device is so dangerous.

4 named physical attacks (EK 2.2.A)
Bypass: skips digital controls
Access: physical access = high risk
Tailgating, shoulder surfing, card cloning: three of the named physical attacks; dumpster diving completes the set.

The physical attacks

Tailgating is following an authorized person through a secure door without your own credentials. Shoulder surfing is watching someone enter a password or PIN. Dumpster diving is searching discarded materials for useful information. Card cloning copies an access card to impersonate a legitimate holder.

Adversaries often combine these with social engineering, for example carrying a box so that an employee holds the door open (tailgating plus a believable pretext).

Scenario

A person carrying coffee in both hands smiles and an employee badges them through the door. What attack is this?

Answer

Tailgating, aided by social engineering. The attacker used a believable reason (full hands) so an authorized employee opened the secure door for them.

Exam tip

Map the method to the attack: following through a door = tailgating, watching entry = shoulder surfing, searching trash = dumpster diving, copying a badge = card cloning.

Why physical access is dangerous

Physical access to a device can let an attacker bypass software controls entirely: they can disrupt power, plug in malicious hardware, or remove a drive. The framework rates many physical vulnerabilities as high risk for this reason.

This is why later topics add physical controls and detection: digital defenses alone do not stop someone standing at the machine.

Scenario

Why is an unlocked, unattended server room a high physical risk?

Answer

Physical access lets an attacker tamper with hardware, copy drives, or cut power, bypassing digital controls entirely. The asset and the access together make it high risk.

Real-world example

Red teams walk right in

Professional penetration testers routinely gain building access simply by carrying boxes and following staff through secure doors. A friendly pretext often beats a badge reader, which is why tailgating is taken seriously.

Physical access can bypass digital defenses entirely.

Key Terms

Tailgating Following an authorized person through a secure door.
Shoulder surfing Watching someone enter a password or PIN.
Dumpster diving Searching discarded materials for information.
Card cloning Copying an access card to impersonate a holder.


Common Mistakes


Confusing tailgating and shoulder surfing

Tailgating is following through a door; shoulder surfing is watching someone enter credentials.


Underrating dumpster diving

Discarded documents and devices can leak credentials and sensitive data.


Thinking digital defenses cover physical access

Physical access can bypass software controls entirely.


Ignoring social engineering in physical attacks

Tailgating usually relies on a believable pretext, not force.

Check for Understanding

Question 1
Following an authorized employee through a secure door without your own badge is:
B. Slipping through a secure door behind an authorized person is tailgating.
Question 2
Watching someone type their PIN at an ATM is:
A. Observing someone enter credentials is shoulder surfing.
Question 3
Which are physical attacks named in the framework? I. Dumpster diving. II. Card cloning. III. SQL injection.
A. Dumpster diving and card cloning are physical attacks. SQL injection is an application attack, so III does not belong.
Question 4
Copying an employee's access badge to enter a building is:
B. Duplicating an access card to impersonate a legitimate holder is card cloning.
Question 5
Why is physical access to a device considered high risk?
D. With physical access an attacker can tamper with hardware or storage, bypassing digital defenses.
Question 6
Searching a company's discarded trash for useful information is:
C. Going through discarded materials for information is dumpster diving.

Frequently Asked Questions

Tailgating (following through a door), shoulder surfing (watching credential entry), dumpster diving (searching trash), and card cloning (copying an access card).
Tailgating is entering a secure area by following an authorized person through the door without your own credentials, usually aided by a believable pretext.
Physical access can bypass software controls entirely, letting an attacker tamper with hardware, copy drives, or cut power, which is why many physical risks are rated high.
