125 KHz card reader systems have been a cornerstone of access control for decades. Unfortunately, 125 KHz cards can be easily copied and duplicated with readily available off-the-shelf products, potentially making facilities vulnerable to illegitimate access by bad actors.
Richard Sedivy, DoorKing’s Director of Marketing & Regulatory Affairs, recently sat down with Security Technology Executive to discuss how upgrading your card access system can prevent duplication of access cards to your facility.
STE: Why are 125 KHz access cards so easy to duplicate?
Sedivy: All proximity card readers work in the same way. The card reader constantly emits an RF signal. When the access card is presented to the reader (or a card duplicator), the RF signal powers up a chip in the card which then transmits the card code to the card reader. There are two vulnerabilities here: 1) the data that is transmitted from the card to the reader is not encrypted and, 2) the data transfer is one-way only, from the card to the card reader. This allows card duplicator devices to easily capture the card code. Once a bad actor has that code, they can then replicate as many cards as they want. Card duplicators have become readily available on the internet, which makes the vulnerability of these types of cards much more significant today than in years past.
STE: If 125 KHz cards are so easy to duplicate, why are they still so popular?
Sedivy: I think there are several reasons why we still see significant amounts of these cards being sold today. First, consumers, property managers, business owners, etc. may not be aware of how easy it is to duplicate this type of card. It’s no different than someone duplicating the key to your front door, and they don’t need an expensive key-cutting machine to do it. It only takes seconds for someone to copy a card code with a card duplicator and then create their own usable access credential (or credentials) using the copied card code. Secondly, these cards do have some advantages, low cost, good read range and a rapid read time. The read range and read time allow the cardholder to simply wave their card near a reader (usually within four inches) for a successful read, a convenience factor really. Thirdly, commonality and low cost. If you’re a property owner or manager, changing your card access system to use more secure devices can be costly depending on how many readers need to be changed and how many new credentials (cards) need to be purchased. In addition to that, there’s the time and labor of updating the access control system software with the new card codes.
STE: How can property managers and business owners prevent their card access systems from being compromised?
Sedivy: Unfortunately, if they are working with older 125 KHz readers and cards, there’s not much that can be done to secure these devices or credentials. The best solution would be to change out the system to 13.56 MHz readers and credentials, also known as MIFARE*. The MIFARE standard was introduced in 1994 and addressed the security vulnerabilities of 125 KHz systems. It did this by introducing two-way communication between the card and the card reader. This made card encryption possible. In the most basic terms, when the card is presented to the card reader, a handshake between the card and card reader is started. If the encryption keys on the card and card reader match, the card number is sent and the session ends. If the encryption keys don’t match, no data is transmitted.
The first version of the MIFARE standard was MIFARE Classic and made duplication of a card impossible – at least in theory. In August 2008, a paper, authored by researchers at a university in the Netherlands, was published. The paper described some of the encryption algorithms used in the Classic chip exposing the algorithms to the world. With the right hardware and this information, Classic cards could now be copied and cloned. But remember, the Classic was the first version of MIFARE and the security vulnerabilities of these types of systems have since been closed. The newest cards now use 128-bit encryption and have additional security modules on the card itself to prevent cloning.
STE: How does the DoorKing ProxPlus card system increase security?
Sedivy: DoorKing’s ProxPlus Secure card reader system is based on the 13.56 MHz MIFARE standard. DoorKing adds a unique encryption key to the cards so that the card can only be read by a ProxPlus Secure reader. This prevents unauthorized duplication of the access card because the person trying to clone the card has no access to the encryption algorithms or encryption key. Additionally, other forms of MIFARE cards are not compatible with the ProxPlus Secure reader, making this system one of the most secure offerings.
STE: What is the target application for this product?
Sedivy: DoorKing ProxPlus Secure Card Readers are ideal for applications where a higher level of security is desired, or in applications where older 125 KHz card systems have been compromised. For new installations, ProxPlus Secure cards and card readers are the ideal choices to help safeguard the property. For retrofitting older less secure card access systems, the ProxPlus Secure card reader output uses standard Wiegand protocol, making them adaptable to most access system controllers.
STE: Is there a learning curve to using ProxPlus Secure card systems?
Sedivy: There is a short learning curve on using secure credentials when switching from a 125 KHz system to a 13.56 MHz system. Because of the two-way communication and the amount of data that needs to be read, secure cards take longer to read, and they need to be physically closer to the card reader. Users will learn that their credential needs to be presented, or placed on the reader, rather than simply swiping. The enhancements in security simply overcome this minor inconvenience and property owners, property management companies and their tenants will appreciate the ProxPlus Secure card access system knowing that their cards cannot be cloned, helping to prevent unauthorized access to their property by unknown persons.
*MIFARE is a registered trademark of NXP Semiconductors