Protecting contactless card-based access control systems

A combination keypad/card reader provides two-factor validation—something the person knows in addition to something the person has.

Product options
Contractors should consider:

  • providing credentials in a format other than the open, industry standard 26-bit Wiegand (the format is published for open use, and with only an 8-bit facility code and a 16-bit card number it has roughly 16.7 million possible values, so the same codes have been issued many times over);
  • offering a customized format with controls that govern duplication;
  • avoiding multi-technology readers, since every additional credential technology a reader accepts is another one that can be duplicated;
  • promoting a technology that limits the credentials a reader accepts to a very specific population (a high-security handshake or code between the card or tag and the reader helps prevent credential duplication and ensures the customer’s readers only accept data from these specially coded credentials);
  • offering a smartcard solution that employs strong cryptographic security techniques;
  • providing credentials that include anti-tamper technology, such as Valid ID, which indicates when tampering is detected; and
  • offering two-factor readers that combine contactless and PIN technologies (or a third factor, normally a biometric).
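To make the first bullet concrete, the following is an added example (not code from the article or from Farpointe) that encodes and decodes the open 26-bit Wiegand layout: one even-parity bit over the first 12 data bits, an 8-bit facility code, a 16-bit card number, and one odd-parity bit over the last 12 data bits. The sample facility code and card number are constructed. Because the layout is public and the ID space is only 2^24, anyone who reads the bits off an exposed Wiegand line, or from a card, can reproduce the credential, and two sites that were issued the same facility code hand out identical frames.

```python
"""Encode/decode the open 26-bit Wiegand frame to show how small and public the ID space is."""

FACILITY_BITS = 8
CARD_BITS = 16


def encode_wiegand26(facility: int, card: int) -> int:
    """Return the 26-bit frame as an int; the most significant bit is the first bit on the wire."""
    if not 0 <= facility < (1 << FACILITY_BITS):
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card < (1 << CARD_BITS):
        raise ValueError("card number must fit in 16 bits")
    payload = (facility << CARD_BITS) | card   # 24 data bits: FFFFFFFF CCCCCCCCCCCCCCCC
    left = payload >> 12                       # first 12 data bits, covered by the even-parity bit
    right = payload & 0xFFF                    # last 12 data bits, covered by the odd-parity bit
    even = bin(left).count("1") & 1            # makes popcount(left) + even an even number
    odd = 1 - (bin(right).count("1") & 1)      # makes popcount(right) + odd an odd number
    return (even << 25) | (payload << 1) | odd


def is_valid_frame(frame: int) -> bool:
    """Check frame length and both parity bits, as a reader would before trusting the data."""
    if frame >> 26:
        return False
    even = (frame >> 25) & 1
    odd = frame & 1
    payload = (frame >> 1) & 0xFFFFFF
    left, right = payload >> 12, payload & 0xFFF
    even_ok = (bin(left).count("1") + even) % 2 == 0
    odd_ok = (bin(right).count("1") + odd) % 2 == 1
    return even_ok and odd_ok


def decode_wiegand26(frame: int) -> tuple:
    """Validate parity and return (facility, card); raise on a bad frame."""
    if not is_valid_frame(frame):
        raise ValueError("bad frame length or parity")
    payload = (frame >> 1) & 0xFFFFFF
    return payload >> CARD_BITS, payload & ((1 << CARD_BITS) - 1)


def frame_to_bits(frame: int) -> str:
    """Render the frame as it would be captured from the reader's D0/D1 lines."""
    return format(frame, "026b")


def unique_credentials() -> int:
    """Size of the whole 26-bit credential space: 256 facility codes x 65,536 card numbers."""
    return 1 << (FACILITY_BITS + CARD_BITS)


if __name__ == "__main__":
    # Constructed sample credential, not a real site's code.
    frame = encode_wiegand26(123, 45678)
    print(frame_to_bits(frame), decode_wiegand26(frame))
    print(f"{unique_credentials():,} distinct facility/card combinations in the entire format")
    # Two customers issued the same facility code and card number get identical frames.
    print(encode_wiegand26(1, 1) == encode_wiegand26(1, 1))
```

Parity here only catches single-bit transmission errors; it provides no authentication, which is why a format change or a cryptographic credential, not a parity tweak, is the mitigation.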

Another strategy involves making available credentials with an anti-playback (anti-replay) routine, such as transmitters instead of cards. This can be accomplished by installing long range receivers in the locked security closet, out of harm’s way, alongside the electronic access control panels. With the receiver in the security closet, no access readers are installed at the door, so no Wiegand data lines are ever exposed outside the building. To enter the facility, the system user presses the appropriate button on the long range transmitter to gain access to any exterior entrance at a distance set by the user. The receiver, safely installed in the closet, accepts the signal and forwards it to the access panel in the same closet to unlock the door. Meanwhile, traditional RFID access control readers can still be used inside the facility.
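The handshake bullet above and the anti-playback paragraph describe the same underlying idea: the credential must prove possession of a secret against a fresh challenge, so that neither a copied ID nor a recorded transmission is accepted. The following is an added illustration of such a handshake, not Farpointe's protocol or any vendor's; it assumes HMAC-SHA256 over a 16-byte random challenge and a per-card key diversified from a reader master key (both assumptions), and the UIDs and master key are constructed. It also shows the failure mode: a reader that reuses a challenge is replayable even though the cryptography is sound.

```python
"""Challenge-response credential handshake (added example) showing why a copied UID or a
recorded exchange is rejected, and why the challenge must be fresh each time."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple


class Card:
    """Genuine credential: holds a UID and a per-card secret key that never leaves the card."""

    def __init__(self, uid: bytes, key: bytes) -> None:
        self.uid = uid
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        # Proves key possession by MACing the reader's challenge; the key itself is not sent.
        return hmac.new(self._key, self.uid + challenge, hashlib.sha256).digest()


class ClonedCard:
    """What sniffing one handshake at the door yields: the UID plus one observed
    (challenge, response) pair. The clone never learned the key, so it can only replay."""

    def __init__(self, uid: bytes, observed: Tuple[bytes, bytes]) -> None:
        self.uid = uid
        self._observed = observed

    def respond(self, challenge: bytes) -> bytes:
        return self._observed[1]


class Reader:
    """Reader side. Keys are diversified (assumed scheme): each card key is derived from the
    master key and the card UID, so the reader stores one secret rather than one per card."""

    def __init__(self, master_key: bytes) -> None:
        self._master_key = master_key
        self.enrolled = set()

    def card_key(self, uid: bytes) -> bytes:
        return hmac.new(self._master_key, b"card-key:" + uid, hashlib.sha256).digest()

    def issue_card(self, uid: bytes) -> Card:
        """Enroll a UID and personalize a card with its diversified key."""
        self.enrolled.add(uid)
        return Card(uid, self.card_key(uid))

    def authenticate(self, card, challenge: Optional[bytes] = None) -> bool:
        """True only if the card holds the key for an enrolled UID.
        `challenge` is injectable only to demonstrate the fixed-challenge failure mode;
        a real reader must always draw a fresh random challenge."""
        if card.uid not in self.enrolled:
            return False
        if challenge is None:
            challenge = secrets.token_bytes(16)
        expected = hmac.new(self.card_key(card.uid), card.uid + challenge,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, card.respond(challenge))


def observe_exchange(reader: Reader, card: Card) -> Tuple[bytes, bytes]:
    """Model an eavesdropper capturing one complete handshake."""
    challenge = secrets.token_bytes(16)
    return challenge, card.respond(challenge)


if __name__ == "__main__":
    reader = Reader(master_key=secrets.token_bytes(32))        # constructed master key
    genuine = reader.issue_card(uid=b"\x01\x02\x03\x04")       # constructed UID
    captured = observe_exchange(reader, genuine)
    clone = ClonedCard(genuine.uid, captured)
    print("genuine card accepted:", reader.authenticate(genuine))
    print("clone with fresh challenge accepted:", reader.authenticate(clone))
    print("clone against a reused challenge accepted:",
          reader.authenticate(clone, challenge=captured[0]))
```

The last line is the caveat a practitioner should carry away: anti-playback protection comes from the challenge (or a rolling counter) never repeating, not from the MAC alone, and a receiver or reader that reuses its challenge reduces the whole scheme to a static code.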

Additional security system components
Other security systems can also play a significant role in reducing the likelihood, and mitigating the impact, of an attack on the access control system. Additional components that should be considered include:

  • intrusion deterrents—if the access control system is hacked and grants entry to an unauthorized individual, a burglar alarm system should be in place to detect and announce the intrusion;
  • video surveillance—if the access control system is hacked and entry has been granted to an unauthorized individual, a video system should be in place to detect, record, and announce the intrusion; and
  • guards—if the system is hacked and intruders are let in, guards in the control room (as well as those performing a regular tour) should receive an alert notifying them that someone has physically tampered with the access control system.

Companies must always stay one step ahead of the bad guys. Too many organizations believe they have made their facilities totally safe because they have added a proximity or smartcard-based access control system. Almost any electronic device can be hacked, including card-based systems. However, by being aware of the prospect of being hacked, both end users and their contractors can find many ways to lower the threat. With the proper tools, each of these assaults can be defended against.

Scott Lindley is a 25-year veteran of the contactless card access control provider industry. Since 2003, he has been president of Farpointe Data, a DORMA Group company, which is involved with radio frequency identification (RFID) systems, including proximity, smart, and long-range solutions, for access control professionals around the world. Previously, he was director of RFID products at Keri Systems and sales manager, North America, for Motorola Indala.
