Proactive Paths to Thwart Prox Card Threats

Security integrators need to work with clients to stay ahead of proximity card threats.

With cybersecurity increasingly taking center stage, it becomes critical that security integrators stay current with OEM information bulletins regarding reader and credentialing products that have been defeated or cloned without authorization.

Does the ability to clone a proximity card in a controlled setting translate into a real-world possibility of duplicated cards gaining access into other facilities? While the answer may be up for debate, that does not mean the possibility should be ignored. End users frequently expand their enterprise platforms through acquisition, creating an ecosystem of older and newer systems with varying degrees of embedded security . . . and points of vulnerability for would-be hackers.

Many security deployments still support basic magnetic stripe card technologies, despite the obvious risks. Common credit cards are notoriously easy targets for cloners, and yet the economic fabric of commerce relies heavily on their secure use. Integrators should consult with the end user as to what level of physical security is reasonably expected, taking into account ease of use, cost effectiveness and other functions.

Customers Can Help Combat Card Cloning

Cloning of proximity cards began as a simple challenge in the early 2000s, when hackers constructed simple, homemade cloning devices to read the access card – a process requiring that the prox card be placed close to the reader (hence the term “proximity”) in order for a valid data read to occur. In the real world, a perpetrator would have to know exactly where an individual regularly keeps the access card when on their person. For instance, if the card is kept in a jacket pocket, the perpetrator would have to bring the cloning device within inches of the pocket – hardly an ideal scenario for surreptitious reading. Oftentimes employees wear their cards around their necks or clipped to shirts; how would a perpetrator discreetly read one of those badges?

Any organization that understands risk management knows an access control system is only part of the total security solution. To prevent an access card from being read for criminal purposes, businesses should:

  • Monitor invalidated cards for attempted use by terminated staff
  • Encourage employees to shield their cards from public view when not at work
  • Encourage system administrators to enforce facility code usage in all platforms
  • Encourage end users to keep track of card numbers and avoid duplication
  • Discourage “tailgating” practices, where one employee uses a card to gain access and others follow without using their own cards.
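
The first, third and fourth checks above can be automated against a cardholder export and a reader event log. The sketch below is an added example, not code from the article or from any access control product; the record layout, the site facility code and all sample data are constructed assumptions.

```python
from collections import defaultdict

SITE_FACILITY_CODE = 117  # assumed facility code for this site (constructed)

# Constructed cardholder export: (facility_code, card_number, holder, status)
CARDHOLDERS = [
    (117, 40321, "a.ruiz", "active"),
    (117, 40322, "b.chen", "revoked"),    # terminated staff member
    (117, 40321, "c.okafor", "active"),   # same number issued twice
    (117, 40400, "d.patel", "active"),
]

# Constructed reader events: timestamp,door,facility_code,card_number
EVENTS = """\
2024-03-04T08:01:12,lobby,117,40321
2024-03-04T08:03:40,lobby,117,40322
2024-03-04T08:05:02,dock,52,40400
2024-03-04T08:09:55,lobby,117,40400
2024-03-04T22:14:31,dock,117,40322
"""

def duplicate_card_numbers(cardholders):
    """Return {(facility_code, card_number): [holders]} for numbers issued more than once."""
    holders = defaultdict(list)
    for fc, num, holder, _status in cardholders:
        holders[(fc, num)].append(holder)
    return {key: names for key, names in holders.items() if len(names) > 1}

def audit_events(events, cardholders, site_fc):
    """Flag reads with the wrong facility code, from revoked cards, or from unknown cards."""
    revoked = {(fc, num) for fc, num, _, status in cardholders if status == "revoked"}
    known = {(fc, num) for fc, num, _, _ in cardholders}
    findings = []
    for line in events.strip().splitlines():
        ts, door, fc, num = line.split(",")
        key = (int(fc), int(num))
        if key[0] != site_fc:
            findings.append((ts, door, key, "facility code mismatch"))
        elif key in revoked:
            findings.append((ts, door, key, "revoked card presented"))
        elif key not in known:
            findings.append((ts, door, key, "unknown card"))
    return findings

if __name__ == "__main__":
    print(duplicate_card_numbers(CARDHOLDERS))
    for finding in audit_events(EVENTS, CARDHOLDERS, SITE_FACILITY_CODE):
        print(finding)
```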

Extra Authentication Layers Enhance Security Efforts

Manufacturers have been waging a constant battle with hackers by revising and upgrading the security features embedded within the basic proximity card itself. Meanwhile, new and more costly compliance regulations, such as FIPS (Federal Information Processing Standards), have entered the market. Beginning in the government marketplace and quickly spreading to high-risk infrastructure users, this standard will continue to evolve the basic model by continuously challenging and validating cards through a third-party certificate authority. In this new, secure credential model, customers will have cards checked and verified by a third party, and in doing so end users could potentially see the cost of the basic card increase dramatically.

A fundamental rule of risk assessment in the security world is that the solution should be commensurate with the level of risk. Current users of legacy proximity access control systems may determine that an access card being cloned is unlikely and can feel secure in that belief.

For those proximity users who would feel more comfortable with an added layer of security, migrating to a simple, two-factor authentication process may be the answer to make cloning even more difficult. An example would be to simply add readers with keypads at perimeter entrances and require the user to supply a PIN to gain access. Going a step further, three-factor authentication with biometrics completes the high-security access triangle – (1) something an individual possesses (card), (2) something they know (PIN), and (3) something unique to the individual (fingerprint, iris scan, etc.).

When an even higher level of security is required, smart cards may be another alternative. Smart cards are virtually impossible to copy when used properly. Effective use of smart card technology should incorporate mutual authentication and encryption techniques, as well as the storage of credential data in the areas of the card that are protected by cryptographic keys.
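
Why mutual authentication resists copying can be seen in a simplified challenge-response exchange. This is an added example, not code from the article and not the protocol of any particular smart card product: it uses HMAC-SHA256 with a per-card key derived from a site master key, and the class names, key derivation label and sample UID are assumptions.

```python
import hashlib
import hmac
import secrets

def diversify(master_key, card_uid):
    """Derive a per-card key so one extracted card key does not expose the others."""
    return hmac.new(master_key, b"card-key" + card_uid, hashlib.sha256).digest()

def tag(key, role, card_nonce, reader_nonce):
    """Proof of key possession bound to the role and to both 16-byte nonces."""
    return hmac.new(key, role + card_nonce + reader_nonce, hashlib.sha256).digest()

class Card:
    def __init__(self, uid, key):
        self.uid, self._key = uid, key   # key sits in protected card memory

    def hello(self):
        self._nonce = secrets.token_bytes(16)
        return self.uid, self._nonce

    def respond(self, reader_nonce, reader_tag):
        # The card checks the reader first; a rogue reader gets no response.
        expected = tag(self._key, b"reader", self._nonce, reader_nonce)
        if not hmac.compare_digest(expected, reader_tag):
            return None
        return tag(self._key, b"card", self._nonce, reader_nonce)

class Reader:
    def __init__(self, master_key):
        self._master = master_key

    def challenge(self, uid, card_nonce):
        self._key = diversify(self._master, uid)
        self._card_nonce = card_nonce
        self._nonce = secrets.token_bytes(16)   # fresh for every session
        return self._nonce, tag(self._key, b"reader", card_nonce, self._nonce)

    def verify(self, card_tag):
        if card_tag is None:
            return False
        expected = tag(self._key, b"card", self._card_nonce, self._nonce)
        return hmac.compare_digest(expected, card_tag)

def run_session(card, reader):
    """Run one exchange; return (access_granted, card_tag_seen_on_the_air)."""
    uid, card_nonce = card.hello()
    reader_nonce, reader_tag = reader.challenge(uid, card_nonce)
    card_tag = card.respond(reader_nonce, reader_tag)
    return reader.verify(card_tag), card_tag
```

Unlike a proximity card's fixed number, the value sent over the air changes every session, so a recorded response is rejected at the next read, and a reader without the site key receives no response from the card at all.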

Physical security devices and processes working in tandem create a layered approach that is significantly more difficult to hack or breach without authorization. Integrators and their customers should be fully aware of the risks associated with their industry and facility, and should be prepared with high-level authentication technologies and strategies to readily mitigate those threats.


About the Author


Bob Stockwell pens Security Sales & Integration’s “IT Intelligence” column, which covers network security. He is Chief Technology Officer for Stanley Security.
