Prox Card Vulnerability

HID is the world’s largest provider of access control readers and credentials, so it’s not surprising to hear that they’ve been targeted by a hacker of sorts. The HID Proximity Card, which for many years has been the industry’s access control standard, can be cloned. The same is true for similar cards made by multiple manufacturers.

If you are using 125kHz prox readers and cards or fobs, it’s possible for someone to clone the credential of any valid card holder, thus granting them access to EVERYTHING that card holder has access to! How? Where there’s a will, there’s a way. A simple $20 on-line purchase and just a second near the card and you can create a clone.

When the counterfeit card is presented to card readers on your access control system, the system would attribute a valid card read to the authorized card holder. Essentially, there would be two identical cards out there and your system wouldn’t know the difference. Short of providing an alibi, there would be no way for the legitimate card holder to prove that they did not access the building, room, or area.

How do you quantify the vulnerability for your organization? How likely is that someone would want access to your facility? Or that an employee or vendor might want access to an area, or room within your facility, that they aren’t currently approved for?

Here’s the problem: how would you know if it’s even happened? Most companies rarely look at their system’s “access granted” activity, but these activity reports can shed light on potential security breaches.

Instead of making the assumption that only people who can get in, will get in; review the activity with a critical eye. When an access granted event occurred, is it out of character for this person to enter at that time of day? Is it unusual for the card holder to enter the area at all? Is the card holder on vacation? Did they leave early for the day? How could their card be used when you know they weren’t around?

We’re advising all clients to start planning for a transition to a more secure credential. HID has a number of higher security options available, and there are dual-technology readers and dual-technology credentials to aid in the transition. A word of caution – don’t implement both! Neither on their own are a long-term solution. More on this topic soon!

Watch this YouTube video to see how easy it is for someone to clone a card:

 

Gloria Lubben
Executive Vice President/Director of Sales and Marketing

Gloria joined with Pat Van Haren in 1993 to found SecurAlarm and help forge its vision. Gloria is passionate about working where what we do to enhance security on behalf of our client’s matters. As a graduate of Calvin College, she takes her alma mater’s slogan of service personally: “My heart I offer to you Lord, promptly and sincerely.” Gloria has been active in the industry since 1983; as a consultant and trusted advisor to clients, as a respected competitor of industry related peers, as a teacher and mentor of teammates, and as a Certified Protection Professional since 1993. Today, Gloria leads the company’s Sales Team where she is able to mentor associates and share her years of experience and depth of knowledge in sales and the security industry. Gloria and her family enjoy the great outdoors; fishing, hunting, camping, and exploring different parts of the country!

Leave a Reply