A Reality Check on the Cloning of Proximity Cards

Why a controlled-setting hack doesn't necessarily weaken prox-based access control

A basic rule of risk assessment in the security world is that the solution should be commensurate with the level of risk. Thus the RSA demonstrator's statement that proximity cards should have "equivalent protections to smart cards" ignores this basic rule. Current users of proximity access control systems may determine that an access card is unlikely to be cloned and can feel secure in that belief.

For those proximity users who would feel more comfortable with an added layer of security, a simple two-factor authentication process may be the answer. Adopting two-factor authentication, for example by simply adding readers with keypads at perimeter entrances and requiring the user to supply a PIN to gain access, enhances security and makes the cloning demonstration even more irrelevant. Going a step further, three-factor authentication with biometrics completes the high-security access triangle: something you possess (card), something you know (PIN), and something you are (fingerprint, iris scan, etc.).

For those installations where an even higher level of security is required, smart cards may make more sense. Smart cards such as HID Global's iCLASS product line are virtually impossible to copy when used properly. Effective use of smart card technology should include the incorporation of mutual authentication and encryption techniques and the storage of credential data in the secure areas of the card that are protected by cryptographic keys.

A facility's overall security system is composed of a combination of components, each of which serves a specific purpose. Individually, no single component can provide everything required to fully secure a facility. Physical security devices and processes respond to three key requirements:

  • Creating obstacles to frustrate trivial attackers and delay serious ones
  • Auditing access control credentials and readers, alarm monitoring, CCTV, security lighting, and security guard patrols to make it likely that attacks will be noticed and to create an audit trail for potential prosecution
  • Developing an adequate security response to repel, catch or frustrate attackers when an attack is detected

Ignoring these requirements demonstrates a willful misunderstanding of how businesses manage risk in today's security-conscious environment. Yes, cloning a proximity card is possible. At issue is determining how real the threat is and then taking steps to mitigate that real threat and to provide reasonable security.

About the author: Kathleen M. Carroll is the director of government relations for HID Global, a leading manufacturer of proximity and smart card technologies in the access control industry. Carroll oversees HID Global's RFID privacy initiatives, including pending RFID legislation in the 50 states. She also serves as the Chairperson of the Security Industry Association’s (SIA) RFID Working Group, which is working to educate legislators, business leaders and consumers about radio frequency technology applications and benefits in the physical access control marketplace.