I got a call this morning from a friend who was very concerned over a piece that ran on the news last night. It’s about RFID tags and their ability to be cloned with a simple hand-held device. (Here’s a link to the story for those who want to read it: http://www.myfoxatlanta.com/story/20150365/ga-tech-buzz-cards) I admit when I saw this on the news last night I was less than amused. We’ve known about RFID cloning for years now, and we know there are ways to secure these chips, such as data encryption or hashing. We have these chips in everything, including your passports and credit cards, and their RFID chips can be very simply read with off-the-shelf equipment.
My friend was very worried; he used a similar system for access control in and around his business. Was his building safe? Was his inventory secure? Were his people in danger? Did he need to replace his access control system immediately?
Now, I didn’t install his access system, nor his alarm system, but he valued my opinion and knew I could explain the problem and knew I would have a good solution. His access control system uses small badges to provide user-level access not only to the main entries but also to various rooms and areas inside the building. All access is based on cardholder permissions or group membership. Similar to the system tested by the news reporter, his access control system only cares about the RFID code on the chip and has no other check or balance to prevent cloning or protect the security of the building. This means the same system of card cloning described in the news report would also work against my friend’s access control system.
So what’s the solution? If you think of the access card as a password, the building as a computer and the employee as a user, we can use a tip from our network security plans. It’s called two-factor security. This is where you need a username, a password and some other token to access a system. So we know it’s you, we can agree that the password is correct and we can verify that you hold a smartcard or RFID chip that has authorization. Mess up any of the three items and you are not allowed to have access. Simple? Yes. Convenient? Not so much. Secure? You betcha.
He called his security company and they will be adding a numeric keypad to each of the security access points on the building. He will then assign a PIN for each employee. Now when a user requests access to a secured area they will need to swipe their RFID card and enter their PIN, and only if it all matches will the door unlock.
~Geof “bump & run” Franklin
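The card-plus-PIN check described above, sketched as an added example (not code from the post or from any vendor's door controller). The card number, PIN, door names, lockout threshold and hashing parameters are all constructed assumptions.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 3          # assumed lockout threshold, not from the post
PBKDF2_ROUNDS = 100_000   # assumed work factor

def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted hash so the controller never stores the raw PIN."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)

class DoorController:
    def __init__(self, require_pin: bool):
        self.require_pin = require_pin
        self.cards = {}   # card_id -> salt, pin_hash, permitted doors, failure count

    def enroll(self, card_id: str, pin: str, doors: set) -> None:
        salt = os.urandom(16)
        self.cards[card_id] = {"salt": salt, "pin_hash": hash_pin(pin, salt),
                               "doors": set(doors), "failures": 0}

    def request(self, card_id: str, door: str, pin: str = "") -> str:
        rec = self.cards.get(card_id)
        if rec is None or door not in rec["doors"]:
            return "DENY: card not authorized"
        if not self.require_pin:
            return "GRANT"   # card number alone decides, so a copied badge passes
        if rec["failures"] >= MAX_FAILURES:
            return "DENY: card locked"   # short PINs need a retry limit
        if hmac.compare_digest(hash_pin(pin, rec["salt"]), rec["pin_hash"]):
            rec["failures"] = 0
            return "GRANT"
        rec["failures"] += 1
        return "DENY: wrong PIN"

def demo() -> dict:
    """Same badge number presented to a card-only door and a card+PIN door."""
    results = {}
    for require_pin in (False, True):
        ctl = DoorController(require_pin)
        ctl.enroll("0412345678", "4821", {"front", "stockroom"})  # constructed values
        # The holder of a copied badge has the card number but not the PIN.
        results[require_pin] = [ctl.request("0412345678", "stockroom", entry)
                                for entry in ("", "0000", "1234", "4821")]
    return results

if __name__ == "__main__":
    for mode, outcome in demo().items():
        print("card+PIN" if mode else "card only", outcome)
```

The last entry in the card+PIN run is the correct PIN, yet it is refused because the badge was already locked after three wrong entries; that lockout is what makes a four-digit PIN a meaningful second factor.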