Don't Let Them Hack The Contactless Cards You Sell

Jan. 3, 2017
One of the easiest solutions is to create two-factor validation, such as an authorized proximity card and a PIN. For higher security, consider smart cards.

Hacking has become a threat far bigger than most think. Indeed, the biggest threat to national security these days comes not from aircraft carriers or infantry divisions, but from a simple wireless connection that ultimately leads into the contactless card access control system that you just provided.

According to an HID White Paper, "Hackers continue to target the credentials of insiders because they give the attacker access to the facilities and network, enabling them to 'look like they belong,' so they can move around the organization undetected. Recent studies indicate that almost 50 percent of data breaches exploit stolen or weak credentials. Given this stat, it's easy to see how increasing the strength of the way your users authenticate themselves can help you increase the overall security of your enterprise."

Overall, the U.S. federal government suffered a staggering 61,000 cyber-security breaches, that it knows of, last year alone. In Germany, hackers struck an unnamed steel mill. They did so by manipulating and disrupting control systems to such a degree that a blast furnace could not be properly shut down, resulting in massive damage.

Odds are that your customer is not as large as the U.S. government or as big a target as a major corporation. It's probably an organization that is not of interest to a professional hacker. That should not give you or your customer rest. The majority of hackers are not people who might target you; they are teenage boys in their basements just trying to get into any system they can. It's referred to as "opportunistic hacking." And, when one gets in, he likes to change code to create mayhem. Providing anti-hack card-based access control systems eliminates one of the more popular opportunities that Junior likes to leverage.

Protecting the Card You Sell

When a proximity or smart contactless card gets powered up by getting in "proximity" of a reader, it immediately begins to transmit its fixed binary code number. As a result, it's also possible to use a device that will stealthily power up the card from a distance to read and record its internal data. The attacker can use the card's information to let unauthorized people in.

"Adding to the problem is that Wiegand, the industry standard over-the-air protocol commonly used to communicate credential data from a card to an electronic access reader, is no longer inherently secure due to its original obscure and non-standard nature," reminds Scott Lindley, President of Farpointe Data. "ID harvesting has become a most lucrative hacking activity."

One of the easiest solutions is to create two-factor validation of the person wanting to enter. Not only must that person have something (the authorized card or tag) but they must also know something (a personal identification number - PIN). For those higher security areas especially, you can select a card reader with an integrated keypad. To enter, the individual presents his or her card, gets a flash and beep, and then enters a PIN on the keypad. The electronic access control system then prompts a second beep on the reader, and the individual is authorized to enter.

With some popular cards, you can also provide a high-security handshake, or code, between the card, tag and reader to help prevent credential duplication and ensure that your readers will only collect data from these specially coded credentials. Such cards are only available through you and you never provide another company with the same card. No other company will have that specific reader/card combination. Only their reader will be able to read their card or tag and their reader will read no other card or tag.

"In a sense, it's the electronic security equivalent of a mechanical key management system, in which your organization is the only one that can provide the key your customer uses," adds Lindley.

Smart Cards Provide Increased Security

Often at a cost comparable to proximity card systems, smart card systems may be more secure and can be used for applications beyond access control, such as library checkouts, the hospital cafeteria and so on. Today, 13.56 MHz smart cards are used to provide increased security compared to 125 kHz proximity cards. One of the first terms you will discover in learning about smart cards is "MIFARE," a technology from NXP Semiconductors. MIFARE enables 2-way communications between the card and the reader.

As the HID White Paper reports, "a secure contactless smart card and reader transaction generally contains a much higher level of security. When a card is presented to the reader, there is a question-and-answer session between the card and reader in order for each to authenticate the other. In very simple terms, the reader asks the card for its secret password, the card then asks the reader its mother’s maiden name and so on.

"After this occurs (in less than ¼ second) the card and reader have 'mutually authenticated' each other as belonging to one another. Access is either granted or denied by the access panel. During the transaction just described, the information actually transmitted between card and reader is encrypted or sent as a coded message. This is important in the event that someone or some device was illicitly attempting to capture the transmission of data."

"Contactless smart credentials put you in control by delivering smarter solutions," emphasizes Minu Youngkin, integrator marketing manager for Allegion. "Through the use of either MIFARE or MIFARE DESFire EV1 technology, these credentials protect your most sensitive data by utilizing extra layers of security protection. And, of course, smart credentials can be used for many applications beyond access control including transit, cashless vending, and cafeteria point of sale."

According to Youngkin, MIFARE DESFire EV1 offers a high level of smart credential technology. This credential technology utilizes extra layers of security protection – mutual authentication, AES 128-bit diversified key encryption, and message authentication coding (MAC), giving the highest security in the industry to each transaction between the contactless smart credential and reader.
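The mutual authentication, diversified keys and message authentication described above can be sketched as follows. This is an added illustration, not code from HID, NXP or Allegion, and not the DESFire EV1 protocol itself: HMAC-SHA256 from the Python standard library stands in for AES-128, payload encryption is omitted, and every name, key and UID is constructed for the example.

```python
import hashlib
import hmac
import secrets

def mac(key: bytes, role: bytes, *fields: bytes) -> bytes:
    """HMAC-SHA256 over a role label and length-prefixed fields."""
    msg = role + b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).digest()

def diversify(master_key: bytes, uid: bytes) -> bytes:
    """Per-card key: one extracted card key does not expose the site master key."""
    return mac(master_key, b"diversify", uid)[:16]

class Card:
    def __init__(self, uid: bytes, key: bytes, payload: bytes):
        self.uid, self.key, self.payload = uid, key, payload
        self.nonces = None

    def respond(self, reader_nonce: bytes):
        """Prove knowledge of the key, and challenge the reader in return."""
        card_nonce = secrets.token_bytes(8)
        self.nonces = (reader_nonce, card_nonce)
        return card_nonce, mac(self.key, b"card", *self.nonces)

    def release(self, reader_proof: bytes):
        """Release data only to a reader that proved it holds the same key."""
        if self.nonces is None:
            return None
        if not hmac.compare_digest(reader_proof, mac(self.key, b"reader", *self.nonces)):
            return None
        return self.payload, mac(self.key, b"data", *self.nonces, self.payload)

def reader_transaction(master_key: bytes, card: Card):
    """Return the credential payload, or None if any check fails."""
    key = diversify(master_key, card.uid)
    reader_nonce = secrets.token_bytes(8)
    card_nonce, card_proof = card.respond(reader_nonce)
    nonces = (reader_nonce, card_nonce)
    if not hmac.compare_digest(card_proof, mac(key, b"card", *nonces)):
        return None  # the UID was copied but the key was not
    released = card.release(mac(key, b"reader", *nonces))
    if released is None:
        return None
    payload, payload_mac = released
    if not hmac.compare_digest(payload_mac, mac(key, b"data", *nonces, payload)):
        return None  # payload altered between card and reader
    return payload

SITE_KEY = b"constructed-site-master-key"  # constructed sample value
UID = bytes.fromhex("04a1b2c3d4e5f6")       # constructed sample UID
genuine = Card(UID, diversify(SITE_KEY, UID), b"facility=12;card=3456")
uid_only_copy = Card(UID, secrets.token_bytes(16), genuine.payload)
```

Because both nonces are fresh on every presentation, a recording of one transaction does not verify on the next, which is the property a card that transmits a fixed number lacks.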

The second major solution is Valid ID, an anti-tamper feature available with contactless smartcard readers, cards and tags. It can add an additional layer of authentication assurance to the MIFARE DESFire EV1 smartcard platform, operating independently of, in addition to, and above the significant standard level of security that DESFire EV1 delivers. In use, Valid ID allows a smartcard reader to help verify that the sensitive access control data programmed to a card or tag is not counterfeit.

At manufacture, readers, cards and tags can be programmed with this fraudulent data detection solution. The Valid ID algorithm cryptographically assists in ensuring the integrity of the sensitive access control data stored on the card or tag. With Valid ID, readers scan through the credential's access control data searching for data discrepancies, which may occur during the counterfeiting, tampering or hacking of a contactless smartcard. If tampering is detected, the reader reports it promptly to the access controller, identifying the credential in question.

Change Default Codes When Installing

If you don't change the default code on the reader during installation, it really won't matter what you do with the card. We described this in the September, 2016, issue of Locksmith Ledger in the article "Selling, Designing and Installing Security Solutions." It stated, "So, by not changing the default code, the user might as well be giving a user code to everyone. Less than 30 seconds is all it takes to view master, and all other user codes, or even create a new one. Yes, you reply, but what if I don’t have the default installer code? No problem. Too often, these codes can be found online by anyone who knows how to use a simple Google search."

Reader Installation Tips

Farpointe Data's Lindley advises that there are several other things to consider when installing the reader.

  • Install only readers that are fully potted and that do not allow access to the reader’s internal electronics from the unsecured side of the building
  • Make certain the reader's mounting screws are always hidden from normal view and make use of security screws whenever possible.
  • Embed contactless readers inside the wall, not simply on the outside, effectively hiding them from view. If that is not possible and physical tampering remains an issue, consider upgrading the site to readers that provide both ballistic and vandal resistance. 
  • Make use of reader cable with a continuous overall foil shield tied to a solid earth ground in a single location. This helps block signals from being induced onto the individual conductors making up the cable as well as those signals that may be gained from the reader cable.
  • Deploy readers with a pig tail, not a connector. Use extended length pig tails to assure that connections are not made immediately behind the reader.
  • Run reader cabling through a conduit, securing it from the outside world.
  • Add a tamper feature, commonly available on many of today’s access control readers.
  • Use the "card present" line commonly available on many of today’s access control readers. This signal line lets the access control panel know when the reader is transmitting data.
  • Use access control readers with an output alternative to the industry-standard Wiegand output, provided they are supported by the electronic access control system. Alternatives can include ABA Track II, OSDP, RS485 and TCP/IP.
  • Offer the customer cards that can be printed and used as photo badges, which are much less likely to be shared.

You are the front-line defense for protecting your customer's security system. Locksmiths need to understand what the customer's needs are, what the customer can do, what the customer has to work with, what hackers can do, where the hacker is most likely to attack and what can be done to thwart the hacker. In other words, you need to figure out how to apply the cliché "a good offense is the best defense."