3.18.25 – SP&T- By Roger Miller
Access credential cloning has been in existence for a number of years in Canada.
Access credential cloning has been in existence for a number of years in Canada.
The early days of access control meant everyone was carrying a physical key to their workplace. Many keys were generic and could be copied at the local hardware store, while the more robust key control systems would have keys that were stamped “DO NOT DUPLICATE.”
For those who held keys that were stamped Do Not Duplicate, there were usually opportunities to have an unscrupulous friend or hardware store employee that would overlook the secure designation to make you a copy of the key. So this issue isn’t exactly new. The bottom line is that credentials of any type require management.
Currently, there is at least one franchise type of cloning service operating within established storefront businesses such as small independent grocery or convenience stores.
The process is simple: you enter the business with your credential and they will provide you an exact clone of a similar credential for a fee ranging from $40 to $70 depending on the specifics of the transaction.
The cloned credential is an exact replica of the credential you provide, with the same access privileges. When the clone is used, it will show as the original issued credential in your access control software. For this discussion, credential can mean a card, FOB, or other RFID device including garage door openers and car key FOBs.
The quantifiable risk of cloning for each organization will vary. It is important to keep in mind that the cloned copy is an exact replica of a credential that has been legitimately issued to an authorized individual, therefore, they are authorized to have access to the designated doors or access points. The new credential will not grant any additional access, and any access gained by a cloned credential will still be tracked in your system to the person who was issued the original credential.
If the original holder of the credential (employee/contractor/resident) has lost or loaned their credential and it has been cloned then returned by a third party, there will be no way to determine if the original or a cloned copy is used through your card activity history. Any data will always show as the original. It is entirely possible that clones exist on your system without your knowledge.
There are a number of options available to reduce the risk of cloned cards being used on your system. These options may require hardware or software upgrades, depending on your current system. There are new readers and FOBs/cards available that cannot, at this time, be easily cloned. End users should discuss this with their service provider to determine what options exist for their system. If you are the service provider, there is an opportunity for you to be proactive and bring this issue to your customer, with solutions.
As always, the proper administration of your access control system will be your best option to reduce the risk of a cloned credential being used. There must be a defined process for issuing credentials, suspending access or reporting and replacing lost or missing credentials. For example, if the original of a cloned credential is cancelled then the cloned copy will be also be cancelled. With most access systems you can initiate an alert if someone attempts to use a cancelled or suspended credential. Any credentials that have been issued but not used for a predetermined time (30-60-90 days) should be auto suspended, a feature available within most access control software.
If you store photographs of individuals who have been issued credentials, your system can show you who is using the credential. If the photo doesn’t match with the user that could be a warning to security or management that there is a clone or other unauthorized use. This should initiate an investigation.
A more robust solution to prevent cloning is two-factor authentication. This will require the usual credential as well as a second authentication method that could be a keypad, biometric or other method of individual verification. This level of authentication will mitigate the risk of a cloned credential being used by an unauthorized person in most cases.
Like everything we do as security providers, we need to be aware of the risks and do our best to help our customers mitigate them.
Roger Miller is the president of Northeastern Protection Service Inc. (www.protectionpartner.ca)