Protecting contactless card-based access control systems

Smart cards
Smart credentials go far beyond traditional identification cards. In addition to individual profile information, they can provide users with secure access to everything from offices, parking lots, and computer networks to safe methods of payment in the company cafeteria and checking out machine tools.

The variety of applications that shrewd security administrators can consider for their smart credential implementation include:

• physical credential administration;
• visitor management administration;
• provisioning or access privileges assigned;
• de-provisioning or access privileges revoked;
• segregation of duties;
• parking permit administration;
• property pass administration;
• compliance/governance reporting and auditing;
• system troubleshooting and maintenance;
• alarm correlation and response;
• emergency communication and notification;
• video analytics applications (people counting, behaviour tracking, etc.);
• identification;
• time and attendance;
• logical access;
• supplies check-out verification;
• charge privileges at various locations, including, for example, the cafeteria;
• document printing; and
• biometric template storage.

Access control can also play a part in the building management system. If the access control systems notes someone in a specific part of the building, the air conditioning and lighting can be activated. Once that person leaves, the access control or video system could automatically inform the building management to turn those systems off. This can save money and resources and is a potential green solution that would be helpful in meeting smart building requirements.

In addition to the multiple functions and applications, smart credentials also increase the security of information kept on the card and stored in the facility. Valid ID is a new anti-tamper feature available with contactless smartcard readers, cards, and tags. While being manufactured, readers, cards, and tags are programmed with the Valid ID algorithm, cryptographically ensuring the integrity of sensitive access control data stored on the card or tag. With Valid ID, readers scan through the credential’s access control data searching for data discrepancies, which may occur during the counterfeiting, tampering, or hacking of a contactless smartcard. Valid ID is an additional layer of protection to what is already available in smartcard authentication—operating independently, in addition to, and above the standard level of security. In use, Valid ID allows a smartcard reader to effectively verify the sensitive access control data programmed to a card or tag is not counterfeit.

With smartcards, the organization can also be provided with an added layer of protection in the form of a card validation option. In this enhancement, the cards and readers are programmed with a fraudulent data detection system. The reader will scan through the credential’s data in search of discrepancies in the encrypted data, which normally occurs during credential cloning.

If applications require multiple forms of verification, the smartcard securely stores other credential types such as biometric templates, PIN codes, and photos—utilizing the enhanced storage and encryption of smart technology. Smartcards also provide an extra level of security at the access point, protecting the information behind closed doors or on the secure network.

Equally important, smart credentials afford security administrators more avenues to ensure safe and secure environments. The cards work in concert with access control systems, video surveillance, and mass notification capabilities. With today’s convergence of technology, organizations can integrate existing systems with advanced credential reader technologies to enhance the security of their environments.

Contractors reducing hacking
Contractors can be the frontline defense for protecting a security system. They need to understand the customer’s needs, abilities, and tools, along with the hackers abilities, strike zone, and the preventative methods. There are many things that can reduce the hacking of a card-based access control using the Wiegand system.

1. Install only fully potted (electronics that are completely encased) readers that do not allow access to the reader’s internal electronics from the unsecured side of the building. An immediate upgrading is recommended for readers that fail to meet this standard.
2. Ensure the reader’s mounting screws are always hidden from normal view, making use of security screws whenever possible.
3. Embed contactless readers inside the wall, not simply on the outside, effectively hiding them from view. Or, if this is not possible, and physical tampering remains an issue, consider upgrading the site to readers providing both ballistic and vandal resistance.
4. Make use of reader cable with a continuous overall foil shield tied to a solid earth ground in a single location. This helps block signals induced on the individual conductors making up the cable as well as those signals that may be gained from the reader cable.
5. Deploy readers with a ‘pig tail,’ rather than a connector. Use extended length pig tails to assure connections are not made immediately behind the reader.
6. Run reader cabling through a conduit, securing it from the outside world.
7. Add a tamper feature, commonly available on many of today’s access control readers.
8. Use the ‘card present’ line commonly available on many of today’s access control readers. This signal line lets the access control panel know when the reader is transmitting data.
9. Use access control readers with an output alternative to the industry-standard Wiegand output, provided they are supported by the electronic access control system. Alternatives can include ABA Track II, OSDP, RS485, and TCP/IP.
10. Offer the customer cards that can be printed and used as photo badges, which are less likely to be shared.