Contactless Cards and Readers Primer

Dec. 15, 2016
Use this guide to help your customers investigate their technology options

More and more, companies that formally used only keys are now asking about keyless or electronic access control (EAC). Whether called badges, tokens or cards, they limit access to a facility to only those who possess one of these credentials. Countless companies take this a step further. In many cases, office workers can access their work areas but not areas such as food service – while the exact opposite holds true for food service staff. Often, too, the security system is programmed to limit access only during specific time intervals, such as a few hours before and after a scheduled event. This is especially important for those venues that provide access credentials to vendors and/or delivery personnel.

When your customers start researching this world of keyless access, a whole series of terms pop up, including passive cards, active cards, proximity, smart cards, long range readers, Wiegand and so on. It is your job as an integrator to demystify them – here’s a quick cheat sheet to help guide them through the technology choices:

Passive vs. Active Cards

Passive cards, the most popular, are powered by radio frequency (RF) signals from the reader. They do not have a battery of their own and they have a limited range of typically about four inches and must be held closely to the reader – hence the term “proximity.” They can have a read range up to 20 inches, with the larger the reader, the longer the range. Readers mounted on walls are typically rectangular or square, while other readers will fit on a mullion. The passive card and reader communicate by an RF process called resonant energy coupling.

Active cards are powered by an internal lithium battery. As a result, they can produce a much longer read range measured in feet and yards, from 4 inches to 15 feet. The longer read ranges can create a problem where several readers and cards could end up conversing with each other, creating a sort of communication mayhem.

No matter which type you choose for a project, be sure to pick the card that works best for the application, and make sure to use the right type of reader for the card.

125 KHz Proximity Cards and Readers

The 125 KHz proximity card and Wiegand standards currently constitute the majority of the card-based keyless access. There are three main reasons why proximity cards and readers are still today’s most widely used access control technology.

1. There is no contact between cards and the reader, eliminating the wear-and-tear factor.

2. Proximity readers can be made very durable or even hidden into the wall to make them relatively vandal-resistant. Some are even bullet resistant.

3. For nearly 20 years, they have provided the most cost-efficient front end for an access control system; thus creating a massive installed base.

Proximity card readers communicate to the rest of the access control systems in various protocols, such as the Wiegand protocol, a de facto wiring standard which arose from the popularity of Wiegand effect card readers in the 1980s. Another popular protocol is the ABA Track II interface, a holdover from magnetic stripe card technology. Again, be sure to use the interface that the rest of the system uses.

When selecting a proximity card and reader for your customers, there are several things to check. First of all, make sure they comply with one or both of the two main interface protocols so that the cards and readers will interface with a wide range of electronic access control systems. Also, order readers that support several proximity card and tag technologies/brands.

Check to see if the reader electronics are secured with tamper- and weather-resistant epoxy potting. This is important, as the readers are often outdoors or in wet or dusty environments unsuitable for electronics. Look for a lifetime warranty.

Some customers will ask for multi-factor verification – a system that adds more than just a card to activate the door lock. The most popular is the card/keypad reader.

13.56 MHz Smart Cards and Readers

As proximity became the predominant credential technology over the last decades, contactless smart cards will augment proximity over the next three to five years. At often a comparable cost to proximity card systems, smart card systems may be more secure and can be used for applications beyond access control, such as tool checkouts, the company cafeteria and so on.

All the leading smart card providers conform to ISO standards. ISO 14443 cards operate from zero to four inches, while ISO 15693 cards may provide longer ranges. There are also proprietary, non-standards-based smart card technologies that could bind a customer to a single supplier.

The next term to look for is “MIFARE DESFire EV1” – which has become the contactless digital RFID technology benchmark for smart cards. MIFARE is the gateway to a series of security levels. Ask your manufacturer for a quick run-through so you pick the right level of security for your customer. As with proximity cards, you will also want to ensure that the readers comply with the Wiegand communication standard.

The OSDP Standard

The Open Supervised Device Protocol (OSDP) is a communication standard adopted by the Security Industry Association (SIA) that enables security equipment from one company – such as card and biometric readers – to interface easily with control panels and equipment from another manufacturer; thus fostering interoperability.

OSDP also adds sophistication and security benefits through features such as bi-directional communication and read/write capabilities. A two-way channel paves the way for forward-looking security applications such as the handling of advanced smart card technology, PKI and mobile device access. Not only does it provide a concise set of commonly used commands and responses, it eliminates guesswork, since encryption and authentication is predefined.

Interoperability can be achieved regardless of system architecture. For example, the specification can handle smart cards by constantly monitoring wiring to protect against attack threats and serves as a solution for high-end encryption such as required in federal applications. The specification for handling LEDs, text, buzzers and other feedback mechanisms provides a rich, user-centric access control environment.

433 MHz Transmitters and Receivers

The terms “transmitters and receivers” are used in place of “cards and readers.” The receivers support either 2-button or 4-button transmitters from ranges up to 200 feet. Each button outputs transmitter data – the user’s ID number or other data – over separate Wiegand outputs; yet, the receiver installs just like a standard proximity reader for easy integration with popular access control systems.

They are a terrific solution for long-range access control applications such as gates and vehicle barriers, moving aircraft in and out of secure hangars, arming and disarming alarm systems as well as situations calling for emergency duress. Instead of using a card, which could activate more than one device or door at a time, the transmitter holder selects exactly the mechanism to be immediately triggered.

Available in either a two- or four-button configuration and equipped standard with a potted proximity or contactless smart card module, the transmitter can also be used as a traditional, presentation-style access credential.

Contactless Cards and Fobs

The different technologies use somewhat different cards; however, they all tend to work in the same manner. Most proximity manufacturers provide one of three types of cards: standard light, image technology and multi-tech card. The standard light proximity card is a clamshell design; an image technology card is a slightly thicker card appropriate for dye sublimation printing; and the multi-tech card is a proximity card the same size as a credit card that can or not have a magnetic stripe on it.

There are two main types of smart cards. The clamshell contactless smart card is an ISO14443-compliant card with a 1K-byte memory. The ISO contactless smart card is an ISO14443-compliant card with a 1K-byte memory (more memory may be added to both types). Manufactured from glossy PVC, it is appropriate for dye sublimation imaging.

Keyfobs are also available in both proximity and smart card technologies. They are often used in place of cards, being designed to be carried on a key ring.

Preventing Hacking and Duping

Hackers and other have figured out how to capture and use card-based information to fool the system by using skimming, eavesdropping or relay attacks. Skimming occurs when the attacker uses a reader to access information on the victim’s RFID token without consent. An eavesdropping attack occurs when an attacker can recover the data sent during a transaction between a legitimate reader and a token. A successful relay attack lets an attacker temporarily possess a ‘clone’ of a token, thereby enabling the associated benefits.

Adding to the problem is that Wiegand – the industry standard over-the-air protocol commonly used to communicate credential data from a card to an electronic access reader – is no longer inherently secure due to its original obscure and non-standard nature. ID harvesting – where a credential’s identifier is cloned or captured and then retransmitted via a small electronic device – has become one of the most lucrative hacking activities.

Manufacturers have responded with security options. The first is to provide a higher-security handshake, or code, between the card or tag and reader to help ensure that readers will only accept information from specially coded credentials. The integrator will never provide a second organization with the same code. As a result, only that single company’s readers will be able to read their cards or tags.

The second major solution is Valid ID – an anti-tamper feature available with contactless smart card readers, cards and tags that adds an additional layer of authentication assurance to the MIFARE DESFire EV1 smart card platform. Valid ID lets a smartcard reader help verify that the sensitive access control data programmed to the card or tag is not counterfeit. At manufacture, readers, cards and tags are programmed with this fraudulent data detection solution.

The Valid ID algorithm cryptographically assists in ensuring the integrity of the sensitive access control data stored on the card or tag. If tampering is detected, the reader reports it promptly to the access controller, identifying the credential in question.

Vandal-Proofing the Reader & Going Green

Vandal-resistant and bullet-resistant contactless card readers are becoming big hits at schools, universities, correctional institutions, housing authorities, factories, hospitals and other locales where RFID proximity and smart card readers can take a beating. Protection is greatly enhanced because the electronics are sealed in weather-and tamper-resistant epoxy potting for both indoor and outdoor operations, providing an IP67 rating which ensures the electronics are protected from water, steam, detergents, dust, sand, tools and other elements which could be used to impede data collection. In addition, vandal-resistant readers are manufactured from thick polycarbonate material and feature tamperproof screws. An anti-tamper mode is also available, providing supervision of both the reader and its cabling.

Bullet-resistant proximity card readers can provide the highest level of vandal resistance by featuring a virtually indestructible exterior. These readers are milled from a solid block of stainless steel and reinforced with a bullet-resistant insert that is compliant with UL752 performance level standards of ballistic protection.

Additionally, some vendors provide eco-friendly readers with a technology that cuts energy costs and is an easy addition to any company’s green initiative. In emergency power situations, proximity readers using the low-energy option can reduce average current draw by as much as 50 percent, providing significantly longer up-times with their back-up batteries; while also providing long-term energy savings.

Scott Lindley is President of Farpointe Data Inc., a DORMA Group Company. To request more info about Farpointe, visit www.securityinfowatch.com/10215927.