There has been a fair amount of publicity recently about the possibility of credit and debit cards being cloned. This has been intensified by the rise of ‘Contactless’ cards which let the user spend up to £30 a time without even needing to enter security credentials!
Whilst this is an understandable concern, did you know that some secure access control cards can be cloned as well? This is akin to having your house/office/car keys copied!
In the first part of this blog we examine the issues and potential dangers, whilst in part two we will concentrate on what you can do to combat these.
The History of Cloning
Whilst the public awareness of access control card cloning is growing, there have been concerns over it in the security community for a number of years. Initially, one of the earlier versions of the popular MIFARE smart card was hacked by some students in the Netherlands.
Unfortunately, the old adage: ‘Idle hands do the devil’s work’ proved to be true when these bright but bored students managed to gain access to a supercomputer and hack the encryption algorithms of the MIFARE Classic card!
In response to this security breach, MIFARE Plus and DESFire (with 128-bit encryption technology) were introduced to plug these security gaps. Unfortunately, if a security system exists, somebody will want to crack it, and attention has now turned towards proximity cards as well.
If you look at access control and identity authentication systems around the world, the predominant technology in use is the 125 kHz EM proximity card. Worryingly, there is a lot of hacking information, along with offers of cloning or card-spoofing devices, available on the Internet.
The principle is that the criminal buys a blank card, steals a legitimate card from an authorised user and then uses this technology to read the card details. They then write the authentication details to the fake card for criminal use.
Naturally, this means that the criminal team or individual needs to get hold of an authorised card. Therefore, whilst organisations need to be aware of cloning, they also need to be very aware of how their own teams use their security cards.
Access cards are valuable! They are very much like your keys and they shouldn’t just be left lying around for anyone to use or take. It’s very easy for someone to steal a card and use it for nefarious activities.
In fact, the user may never know. If you are in a meeting and leave the card on your desk, someone could easily copy the details and return it, so you would be none the wiser! It’s essential that organisations remind their staff of their obligation to protect access cards from misuse.
In part two of this blog, we look at how the upcoming GDPR legislation makes it more critical for integrators and users to address access control vulnerabilities to tackle these potential threats.