[Editor's note: At the RSA Conference in San Francisco earlier this month, InfoWorld magazine released a video from tech firm IOActive, where the companies tech staff claimed to have been able to build a prox card cloning device. The video of that claim from the conference is available at this link. What's more, the threat of cloning proximity cards (not smart cards) is something that's been picked up by the consumer broadcast media, including KOMO-TV in Seattle. SecurityInfoWatch.com responded by asking leading card supplier HID Global to respond to the allegations that RFID-based proximity cards could be easily cloned and to discuss the related security measures that should be involved in any electronic access control system. Their op-ed response appears below.]
Yes, some proximity access cards can be cloned as demonstrated at the RSA Conference held recently in San Francisco. The question is: Does the ability to clone a proximity card in a controlled setting translate into a real-world possibility? Whether the answer is yes or no may be open to debate but that does not mean we should ignore the possibility.
What we need to recognize is that perfect security does not exist, but in the real world, we accept reasonable security for our homes, for our workplaces, for our loved ones, and for our data. Using accepted standards of reasonableness, we can examine the proximity card cloning demonstration and question the likelihood of such an event occurring in actuality.
This risk-benefit play is faced by magnetic stripe credit card users on a daily basis, where cardholders assume that the implicit level of security outweighs fear of fraud - credit cards are notoriously easy targets for cloners, and yet the economic fabric of commerce relies on their secure use. And, as with any security solution, we should ask what level of physical security is reasonably needed for a particular facility taking into account such factors as ease of use and cost.
Only then can we determine if a proximity-based security system delivers reasonable security. So let's begin with an analysis of the cloning demonstration at RSA where the demonstrator uses his "homemade" cloning device to read the access card - a process that requires the proximity card be placed close to the reader (hence the term proximity) in order for a valid data read to occur.
In the real world, a perpetrator would have to know exactly where an individual holds the access card. For example, if the card is kept in a breast jacket pocket, the perpetrator would have to bring the cloning device within inches of the pocket - hardly a scenario for surreptitious reading. Or, in many cases, employees wear their cards around their necks. How would a perpetrator surreptitiously read one of those badges without attracting attention? A more likely scenario is an intentional perpetrator using inside knowledge to gain access to secure information.
Any organization that understands risk management understands that an access control system alone does not a security solution make. To prevent an access card from being read for nefarious purposes, HID Global recommends that employers implement policies and procedures that:
- Require immediate reporting of lost or stolen cards
- Prohibit sharing or lending of cards
- Encourage employees to shield their cards from public view when not at work (this makes sense from a privacy perspective as well if a name and picture are printed on the card)
- Encourage reporting of suspicious activity at the facility
- Discourage "tailgating" where one employee uses a card to gain access and others follow without using their own cards.
As mentioned earlier, most enterprises undertake an analysis of their security needs before committing the monies to be spent. Reasonable security suggests that you don't need a $400 security system to protect your 10-year-old automobile but the investment might be worth it if you own a brand new Porsche 911. The same holds true for physical access control solutions.
A basic rule of risk assessment in the security world is that the solution should be commensurate with the level of risk. Thus the RSA demonstrator's statement that proximity cards should have "equivalent protections to smart cards" ignores this basic rule. Current users of proximity access control systems may determine that the chance of an access card being cloned is unlikely and can feel secure in that belief.
For those proximity users that would feel more comfortable with an added layer of security, a simple two-factor authentication process may be the answer. Adopting two-factor authentication enhances security and makes the cloning demonstration even more irrelevant, for example, by simply adding readers with keypads at perimeter entrances and requiring the user to supply a PIN to gain access. Going a step further, three factor authentication with biometrics completes the high security access triangle; something you possess (card), something you know (PIN), and something you are (fingerprint, iris scan, etc.).
For those installations where an even higher level of security is required, smart cards may make more sense. Smart cards such as HID Global's iCLASS product line are virtually impossible to copy when used properly. Effective use of smart card technology should include the incorporation of mutual authentication and encryption techniques and the storage of credential data in the secure areas of the card that are protected by cryptographic keys.
A facility's overall security system is composed of a combination of components each of which serves a specific purpose. Individually, no single component can provide everything required to fully secure a facility. Physical security devices and processes respond to three key requirements:
- Creating obstacles to frustrate trivial attackers and delay serious ones
- Auditing access control credentials and readers, alarm monitoring, CCTV, security lighting, and security guard patrols to make it likely that attacks will be noticed and to create an audit trail for potential prosecution
- Developing an adequate security response to repel, catch or frustrate attackers when an attack is detected
Ignoring these requirements demonstrates a willful misunderstanding of how businesses manage risk in today's security conscious environment. Yes, cloning a proximity card is possible. At issue is determining how real the threat is and then taking steps to mitigate that real threat and to provide reasonable security.
About the author: Kathleen M. Carroll is the director of government relations for HID Global, a leading manufacturer of proximity and smart card technologies in the access control industry. Carroll oversees HID Global's RFID privacy initiatives, including pending RFID legislation in the 50 states. She also serves as the Chairperson of the Security Industry Association’s (SIA) RFID Working Group which is working to educate legislators, business leaders and consumers about radio frequency technology applications and benefits in the physical access control marketplace.