Unlike “skimmers,” cloning devices can copy secure information without even touching access cards, even through protective wallets and badge holders
A recent test conducted by Hoosier Security showed that any 125Khz electronic access card could be susceptible to cloning, even if it uses proprietary data encoding or carbon fiber blocking sleeves, without touching a cloning device.
Consumers have long been made aware of thieves skimming credit card information from ATM machines and other credit card readers. Yet not as much attention has been paid to the security of tens of thousands of businesses that use low-frequency credential cards to grant access to buildings and data centers across the United States.
After reading industry reports about the vulnerability of these low-frequency access cards, Armando Perez, president and general manager for Hoosier Security, decided to test it himself.
“I went online and bought a 125Khz card reader to confirm that our security cards were not able to be cloned. I was wrong,” said Perez.
Perez explained previous card readers often had difficulty getting a “good read” on a card unless it came in direct contact with the reader. Now cloning units can access information from one inch to five feet away. Even badge holders and protective wallets specifically designed to block low-frequency radio waves couldn’t block the unit Perez bought for just $30 online.
“You no longer have to be duped into physically handing someone your card. They can simply be standing next to you and copy it through your wallet or from your hanging keychain,” he said.
While higher frequency access cards have started gaining traction, more than half of electronic access control systems use cards at the lower frequency. Perez estimates there are millions of access cards created legally that are being used to gain admission everywhere from gyms and hotel rooms to businesses and sensitive data control centers.
In its recent survey, Brivo, a security company in Maryland, found that 62% of respondents with electronic access control systems were still using these standard key fobs and access cards.
To make matters worse, the cloning devices make exact replicas of the cards. That means business owners can’t tell which card is the real one and which is the duplicate. When the imposter card is used, it registers to the assigned user in the access system.
Three Better Options to Protect Your Business
What should businesses do to protect themselves, their buildings, and their data? Perez offers three solutions:
- Change your security system to a higher-frequency format. Many options have encryption built into the card, making it harder to clone. This solution can be expensive because you’ll have to pay for new readers and new cards. It also isn’t foolproof: If the encryption scheme is cracked, these tags can also be cloned.
- Another option is to adopt a mobile credential system that allows users to gain access through an app—or even a “tap” or “twist and go” gesture—with their mobile phones. Be sure to know how the back-end servers and data stores are configured for security if you go this route.
- A better option is to use two-factor authentication, also known as a card and pin system. This requires the card bearer to have his or her card and remember a pin number to gain access. This is one of the most secure options available and is more cost-efficient. This option also meets most government requirements.
“I learned first-hand that vendors have no issues selling and shipping inexpensive card readers and blank access cards to anyone, no questions asked,” Perez said. “I want others to know the risks.”
About Hoosier Security
Hoosier Security is a nationally certified MBE that provides custom electronic security solutions for residential, industrial, and commercial properties in Indiana across the nation, including alarm systems, security camera systems, asset tracking, access systems, digital surveillance, and fully integrated systems. Hoosier Technical Services, the wholesale installation arm of Hoosier Security, specializes in system design and installation of previously design systems on a contract basis. To find out more, visit hoosiersecurity.com.