Why are RFID Keycards Used and Why are They a Risk?
Before we get into their vulnerabilities, we should probably discuss why we use RFID keycards in the first place. RFID keycards have been in used for decades to secure businesses and facilities around the world. They were widely adopted as a much more practical solution than traditional hardware lock and key solutions.
The RFID keycard has allowed businesses the ability to administer access to many access points without having to replace door hardware for a relatively low cost. With that being said, keycards are a relatively old solution that possess a multitude of vulnerabilities that should be addressed.
What are the Vulnerabilities of RFID Keycards?
Keycards that use RFID are prone to potential security threats that lower their credibility when relied upon for Access Control systems. These security vulnerabilities represent an existential threat to businesses across the world and leave facilities, assets, data and most importantly, people, at risk.
The most important part of this discussion will be to address the different types of commonly used keycards and their potential security risks. The most widely adopted RFID Keycards are:
Low Frequency Proximity Cards: These cards operate at 125 kHz. Also known as Proxcards, this form of credential is the most widely used across legacy access control platforms. Despite being so commonly used across the security industry, Proximity Cards can be easily replicated and are highly vulnerable to fraudulent replication. In recent years many businesses have moved away from this technology but somehow they use of Proxcards are still widespread.
High Frequency Smart Cards: These cards operate at 13.56 MHz. Smart cards are less susceptible to cloning/copying as they have the capability for data encryption. These cards are typically more expensive and can have a clunkier design (making it harder to fit in your wallet).
How to Copy a Keycard & What Do You need to Do It?
Low frequency proximity cards are quite easy to copy and can be done so with inexpensive devices that can be purchased through Amazon for under $20. Low frequency reader/writers such as the one below allow users to copy new cards in a matter of seconds. Given the accessibility of these devices, low frequency cards should be avoided by all.
How to Copy a Keycard - Step by Step:
- Turn on the device
- Hold your card/fob (compatible EM4100) to the device and press the “Read” button.
- If successful the device will make a "beep" sound.
- Next take an empty tag and press “Write” while holding it up to the device,
- The information stored on the original tag or fob will then be copied onto the new device.
Now that you know how easy it is for low frequency Proxcards to be copied, we'll discuss ways in which you can protect your business from externalities such as this.
Alternatives and How to Protect Your Business
There are several alternatives that you can choose from to protect your business. The first and common alternative form of keycard is the High Frequency Smart Card. As mentioned above, these cards are much more secure as they are capable of data encryption and cannot be easily replicated. Aside from security concerns, keycards are still an unnecessary cause of plastic waste that should be a consideration when making selecting access credentials for your security. And while these are a more secure option than Proxcards, they can still be lost or stolen quite easily. So what else?
Mobile access allows you to communicate with a door reader through your mobile with preset credentials that meet the security threshold. The mobile access control system uses phone features such as Bluetooth Low Energy (commonly referred to as 'BLE'), QR-code scanning, or near-field communication ('NFC'). Given most smartphones typically use some form of credential to gain access to the device, the access credential is inherently secured - either by a PIN or facial biometrics (ie - Face ID). Other than the many security benefits of using mobile credentials - Mobile Access also represents a major convenience for users in that most of the world already carries them around with them (and people are generally more prone to losing keycards than their mobile device). Additionally there is no unnecessary plastic waste being produced on plastic keycards that inevitable get thrown away after being lost, damaged or becoming obsolete.
Statistics have shown that the use of mobile credentials has increased by 35% per year. And for good reason. The smartphone is becoming increasingly important to our daily lives - as is the need for frictionless and secure physical security. The number of people who access corporate networks through mobile devices, such as smartphones and tablets, is steadily increasing and with it the need for mobile access capable Access Control systems.
Final Considerations for Access Control and Physical Security
While there are many benefits of mobile access and the adoption of its use in cloud based Access Control systems continues to climb, it is not without its limitations or vulnerabilities. Smartphones and other devices can still be stolen or shared. Furthermore, the PINs that users choose to protect their devices can be compromised or shared. To ensure credentials are not being shared by authorized users with unauthorized users, implementing biometrics into the Access Control solution would prohibit users from being able to share their access credentials. Common options include fingerprint, retina scans and facial biometrics. While adoption and capabilities of fingerprint and retina scans has caught on, a clear front runner for biometrics would be facial biometrics. Implementing facial recognition (1:N) or facial verification (1:1) would ensure that you know exactly who is entering your facilities.