Millions of proximity (Prox) access control cards are in use today in myriad applications. Most commonly, proximity cards are used for access to apartment complexes, gated communities, parking areas and door access. Proximity cards are popular because of their low cost, limited maintenance, simplicity of use and the security they offer.
But are they secure?
Over the years, card technology has evolved dramatically as has the ability for third parties and bad actors to fraudulently copy or clone cards. How many apartment managers or business owners are unaware that their tenants or employees may be able to easily duplicate their access card as many times as they want and hand them out to their friends, relatives or strangers? To prevent this from happening, you first need to understand a bit more about the types of proximity cards in use today.
There are two types of proximity cards in common use: 125 kHz cards and 13.56 MHz cards. To the common user of these cards, there is no difference. For the most part, they look alike, they are the same size and they work the same – present the card at the card reader and access is either granted or denied. However, apart from the frequency that is used to transmit the card data, the differences between 125 kHz and 13.56 MHz cards are significant, especially when it comes to security and the ability of a third party to clone or copy a card.
The first proximity cards were based on 125 kHz technology. The advantages of the 125 kHz proximity system is that the low power requirements and the small amount of data being transmitted provide for a good read range and a short read time. When a 125 kHz card comes within range of the reader, the card immediately begins to transmit its card number. Because of this, users can simply wave their card in the general direction of the reader to get a successful read. The disadvantage, however, is the low level of security.
The data transmitted by the card is not encrypted and is always the same and the data transfer is one way – from the card to the reader. There is no communication from the card reader back to the card. This allows 125 KHz cards to be easily copied and the technology to do this has been known for over 20 years. Proximity 125 kHz copy and emulation circuits have been available to the public for many years, and with instructional videos easy to find on YouTube and cloning devices readily available on popular shopping websites for less than $30, it’s possible for anyone to copy 125 kHz cards today. There are even shop fronts and kiosks that offer card cloning services operating in many cities around the world.
While 125 KHz cards are still commonly used, the widely publicized security issues must be given serious consideration when considering a card access control system.
The 13.56 MHz MIFARE standard addresses the security issue with 125 kHz technology. With a MIFARE system, when the card is presented to the card reader, the card and card reader begin a two-way communication session using shared encryption keys. If the encryption keys on the card match the encryption keys on the card reader, the card number is transmitted, and the communication session is closed off.
MIFARE Classic cards were the first version of the MIFARE standard. The communication between the card and the card reader is encrypted, theoretically making it impossible, or at least extremely difficult, to copy a card. However, in 2008, researchers at a university in the Netherlands discovered a security flaw that enabled them to reverse engineer the hardware chip and encryption algorithm used by these cards. They went on to release a scientific paper of their findings and thus exposed the flaw to the world. With the right knowledge and hardware, anyone can copy or create another card in the series.
ICT Secure MIFARE
The integrated control technology (ICT) scheme adds additional security measures to the MIFARE Classic standard by adding an authentication key encrypted with an AES 256 algorithm. This effectively plugged the known security flaw that allowed cards to be created in a series. ICT also provides the ability for an integrator or end user to purchase their own reserved set of encryption keys. This effectively gives the organization its own set of unique site codes and card numbers protected with its unique encryption key. This prevents other cards from ever working on the site.
MIFARE DESFire (Data Encryption Standard Fast Innovative Reliable Secure) is the newest - and most secure - of the MIFARE standards and is currently one of the highest standards for card security available. It includes a cryptographic module on the card that adds an additional layer of encryption to the card and card reader communication, reducing the risk of cloning or creating cards. Certain versions of these cards (EV2, EV3) also support proximity control, which means that the card is able to confirm to the reader that it is actually close to the reader and that it is not a remote data stream from a hacker.
What’s the Best System For Me?
If an extremely high level of security is the primary concern, a system using the MIFARE DESFire standard may be the best option. MIFARE Classic cards still offer a particularly proficient level of security and while 125 KHz systems are low on the security scale, they are still widely in use because of their ease of use and lower cost. Remember that the read range with MIFARE systems will be less than 125 kHz proximity systems and, while 125 KHz proximity cards can be simply waived at the reader, MIFARE cards need to be PRESENTED to the reader, meaning the read time may take a second or two. Users need to be educated in the use of these cards to prevent frustration and to limit calls of non-working cards or card readers.
Many manufacturers offer their own versions of secure cards and card readers based on the MIFARE standards. Many use a unique identifier, or encryption code, to prevent cards from being copied. Be sure to tell your vendor what your primary priority is (security, cost, expanding an existing system, card cloning, ease of use, etc.) so that they can help in your choice of a card system. (MIFARE is a trademark of NXP Semiconductors N.V.)
Richard has been an active member of DASMA (Door and Access Systems Manufacturing Association) since its founding in 1996. He is a past president (2006-2008) and is the Chair of the Gate Operator and Access Control Point Systems division. He also serves on the DASMA Board of Directors. He is a founding member of the IDEA’s Automated Vehicular Gate Systems Coalition Committee, which is responsible for all content for the Certified Automatic Gate Operator Installer, Certified Automatic Gate System Designer and Certified Gate Systems Technician Level 1 study guides. Richard is also a member of the U.L. 325 Standards Technical Panel (STP). Richard is a Certified Automatic Gate System Designer.