Securing Your Proximity Card-Based Access Control System

June 1, 2015
Using existing readers, the biometric card provides an easy, cost-effective biometric upgrade to card reader-based access control systems.

By Scott Lindley, President, Farpointe Data

And Kim Humborstad, CEO, Zwipe

There are three main ways to assault a card-based electronic access control system ‑ skimming, eavesdropping and relay attacks. What's scary about all this is that the equipment to perpetrate the above attacks can be as inexpensive as $200 and is widely available.

Skimming occurs when the attacker uses an unauthorized reader to access information on the unsuspecting victim's RFID card or tag without consent. As a result, the attacker is able to read stored information or modify information by writing to the credential. From that point on, the attacker can control when and where unauthorized entries may occur.

An eavesdropping attack occurs when an attacker recovers the data sent during a transaction between the legitimate reader and card. As a result, the attacker can recover and store the data of interest. From then on, the attacker can use this stored data at will.

Lastly, RFID systems are potentially vulnerable to an attack in situations in which the attacker relays communication between the reader and a tag. A successful relay attack lets an attacker temporarily possess a ‘clone’ of a token, thereby allowing the attacker to gain the associated benefits. Some sophisticated RFID credentials perform mutual authentication and encrypt the subsequent communication. An attacker, however, never needs to know the plain-text data or the key material as long as he can continue relaying the respective messages. It is therefore irrelevant whether the reader authenticates the token cryptographically, or encrypts the data, since the relay attack cannot be prevented by application layer security.

Understanding the Technology

To fully understand how to stop such assaults, we first need to understand how RFID cards and readers work. Proximity readers typically generate an electromagnetic field tuned to 125 kHz, an internationally recognized radio frequency for low power contactless data communications. When a credential enters this field, the credential’s internal RFIC (radio frequency integrated circuit) is activated. The RFIC then transmits its unique data back to the reader as an encoded signal. Typically, the encoding of this signal is comprised of a data algorithm that uses a byte parity error detection scheme.

Here is a quick explanation. A byte is a unit of data that is eight binary digits, or bits, long. A parity bit, or check bit, is a bit added to the end of a string of  binary code (0's and 1's) that indicates whether the number of bits in the string with the value one is even or odd. That's easy enough, but watch out, here comes the next paragraph.

There are two variants of parity bits:  even parity bit and odd parity bit. In the case of even parity, the number of bits whose value is 1 in a given set are counted. If that total is odd, the parity bit value is set to 1, making the total count of 1's in the set an even number. If the count of ones in a given set of bits is already even, the parity bit's value remains 0. In the case of odd parity, the situation is reversed. Instead, if the sum of bits with a value of 1 is odd, the parity bit's value is set to zero. And, if the sum of bits with a value of 1 is even, the parity bit value is set to 1, making the total count of 1's in the set an odd number.

Bottom line - If an odd number of bits (including the parity bit) are transmitted incorrectly, the parity bit will be incorrect, thus indicating that a parity error occurred in the transmission. The data must be discarded entirely and re-transmitted from scratch. In doing so, byte parity error detection helps provides extremely fast, accurate and secure transmissions.

Two-Factor Authentication

Before creating a major alarm, let's remember that such attacks are not frequent. But, to those attacked, this is of no comfort. With that in mind, the security administrator has a range of tools to negate skimming, eavesdropping and relay attacks.

One of the easiest solutions is to create 2-factor validation of the person wanting to enter. Not only must that person have something (the authorized card or tag) but they must also know something (a personal identification number - PIN). For those higher security areas especially, you can select a card reader with an integrated keypad. To enter, the individual presents their card, gets a flash and beep, and then enters their PIN on the keypad. The electronic access control system then prompts a second beep on the reader, and the individual is authorized to enter.

Since the combination reader can be installed in tandem with proximity card-only readers throughout the facility, it becomes very easy to provide higher security via 2-factor validation at areas that need a security boost. Now, instead of using just a proximity card to enter the finished goods storage area, the power room or the corporate manager offices, the person seeking entrance must also punch in the correct PIN to open the door.

You can also economically achieve even higher 2-factor authentication with a biometric card. In the perfect world of large budgets, facilities would have a biometric reader at every door that would need higher security. Of course, that would mean ripping out the present card readers and budgeting money for new biometric readers plus make the investment of integrating that the biometric hardware into the present access control system.

What if the biometric was put directly on the card? The proximity or smart card credential with on-card fingerprint reading would provide all the assets of the proximity or smart card and eliminate its most glaring deficiencies ‑ not knowing who is holding it as well as eliminate the problems of sniffing.

The precept is simple. An on-card fingerprint scanner with 3D capacitive technology resides on the contactless card which has universal compatibility with all ISO 14443 readers (the standard contactless card reader) from the leading brands, including Farpointe, HID and Allegion. The biometric card is DESFIRE EV1 and MIFARE Classic compatible, as well as 125-kHz proximity, meaning it works with proximity card readers as well as smart card readers. Without having to change out an organization’s existing readers, the biometric card provides an easy, cost effective way for security managers to provide a biometric upgrade to access control systems using card readers.

A biometric card reads the user’s fingerprint in less than a second. Eliminating the problems of solely deploying proximity or smart cards, the wirelessly powered biometric card lets users authenticate themselves directly on the card through something they are, a fingerprint or thumbprint. Only then will the electronic access control system activate the lock.

Importantly, the biometric card is more secure than other ID and authentication solutions on the market today. The fingerprint data is captured by the on-card fingerprint scanner and is stored only inside the card. No exchange of data is conducted with external systems. This provides secure template management since the fingerprint never leaves the card. It also eliminates user concerns with privacy issues. The card is unique to the user and only the authorized card holder can activate card communication with the reader. When a positive match occurs, the biometric card activates communication with the reader in the same way as other 13.56-MHz ISO 14443-compliant contactless smart cards.

Biometric cards can be issued to key staff and personnel providing the enhanced security benefits of 2-factor biometric authentication without any changes to their existing access control system, including the control panels, software or readers. Administrators simply add the biometric card into their system in the same way they incorporate their present proximity cards, all the while extending the life and return on investment of their installed proximity card systems.

With biometric cards provided only to those who enter the data room, the tarmac and other high security venues, a simple pass of a proximity card will not work. Authorized persons can only gain entrance with their finger on the biometric sensor of a biometric card, and still using the same proximity card reader that has always been at that door for when it allowed people with standard proximity doors to get in.

Specially Coded Proximity Cards

You can also provide a high-security handshake, or code, between the card, tag and reader to help prevent credential duplication and ensure that your customer's readers will only collect data from these specially coded credentials. This is different from a custom Wiegand format.  In a sense, it's the electronic security equivalent of a mechanical key management system, in which this single organization is the only one that has the key they can use. Such keys are only available through you, the locksmith, and you never provide another company with the same key. That last sentence is important so let's rephrase it. Your customer can only buy those proximity cards and readers from you. Nobody else is allowed to sell those specially coded cards or readers.

To stress the uniqueness of this solution in the electronic access control scenario, no other company will have the reader/card combination that only you supplied your customer. Only their reader that they buy from you alone will be able to read their card or tag that they can buy from you alone and their reader will read no other card or tag.  This gives you the power to deliver a solution that is truly unique and the ability to eliminate the risk of duplicate credentials.

If your customer has a concern about the security of their proximity card system, this is the perfect opportunity for you to increase the revenue of individual sales. All of these options put extra money in your pocket. However, they also increase the return-on-investment for your customer.

These upgrades protect their expenditure in their system. By increasing the security, they can continue to use their installed card-based system longer. They won't need to tear it out for biometrics or some other option.


Photographs and Captions

P-640 - A combination keypad/card reader provides 2-factor validation - something the person knows plus something the person has.

Biometric Card at Card Reader - A biometric card uses the installed card reader to unlock the door.

Biometric Access Card - A biometric card features the biometric sensor directly on the card. No other biometric equipment is needed.