301.519.9237 exdirector@nesaus.org

4.22.20 – SIW –

Why organizations should be looking to migrate to more secure access technologies in light of cloning vulnerabilities

The warnings have been posted for years; proximity cards, for decades an access control standard, may have outlived their value to organization with security concerns. Yet, proximity cards (or prox cards for short) are still in use at many locations. Some organizations figure now is the time to make a change.

Prox cards, available from many manufacturers, can be cloned in a matter of minutes by using an inexpensive device easily available on the internet. There are even YouTube videos showing how simple it is to clone a prox card. What may be even more concerning is that more recent basic smart card technologies, despite their added data encryption, can also be cloned. It’s a more difficult process, but still well within the skillset of an adept hacker.

This leaves the security of thousands of organizations using prox at risk. Fortunately, there’s an alternative – DESFire EV2 cards – readily available from multiple sources that offer a higher level of encryption that continues to leave hackers frustrated.

Let’s take a look at the vulnerabilities of some proximity cards.

A hacker’s nearby cloning device can activate a prox card much like a reader. This could take place while a card-carrying employee is having lunch or shopping after work. Once activated, the card transmits its easily captured unencrypted payload. This enables a hacker to create a clone, providing access to every entry approved for that employee without any outward indications that this has occurred. There will be two identical cards, but a system won’t recognize the difference. Imagine having your data rooms, human resources office, laboratories and more, all readily accessible to unauthorized persons.

Lately, card duplication has become a mass-market experience. Recently introduced kiosks, found in many supermarkets, pharmacies and other retail stores, were initially intended for duplicating traditional mechanical lock keys. However, they also now scan data from low-frequency 125 kKHZ prox cards to create duplicates that are mailed to a customer’s home.  This activity can allow lost cards to remain in the wild without security teams being made aware by the offending employee, or virtually unlimited numbers of people could be given cards to gain unauthorized facility access.

Prox cards no longer have a security advantage over the magstripe technology they replaced. Magstripe cards also transmit data in the clear, but a hacker needs brief possession of a card to run it through a reader to gain the card’s payload.

investment. Available cards offer up to 8K capacity, enough to partition data ranging from biometrics, point-of-sale transactions and transportation. These applications can be encoded all at once or over time without sharing secret keys with other applications.

The price and simplicity of older card technologies keep them in widespread use, but evolving security challenges warrant migration to DESFire EV2 cards. It’s always better to make a decision like this voluntarily prior to a costly security breach.

Visit SIW Site for more information


About the Author:

Greg Berry is vice president, mobile credentials for LenelS2, a part of Carrier, a  global provider of HVAC, refrigeration, fire, security and building automation technologies.