printer friendly version

Why businesses must consider anti-hacking card readers

Contactless card-based access control systems were developed to better and more easily protect facilities from unauthorised visitors. Of course, then the bad guys figured out how to capture and use card-based information to fool the system and let the unauthorised in by using skimming, eavesdropping or relay attacks.

Skimming occurs when the attacker uses his reader to access information on the victim’s RFID token without consent. An eavesdropping attack occurs when an attacker can recover the data sent during a transaction between a legitimate reader and a token. A successful relay attack lets an attacker temporarily possess a clone of a token, thereby allowing him to gain the associated benefits. Using any of these relatively inexpensive methods will let an unauthorised person in.

Adding to the problem is that Wiegand, the industry standard over-the-air protocol commonly used to communicate credential data from a card to an electronic access reader, is no longer inherently secure due to its original obscure and non-standard nature. Today, no one would accept usernames and passwords being sent in the clear nor should they accept such vulnerable credential data. ID harvesting has become one of the most lucrative hacking activities. In these attacks, a credential's identifier is cloned, or captured, and is then retransmitted via a small electronic device

However, now there is an even bigger problem. To get into information technology (IT) and critical infrastructure operational technology (OT) systems, hackers are looking for the easiest path in, leveraging many different physical assets, including those within the enterprise security system itself. They typically start with hardware, which will give them access to specific computers. Then, those computers will give them access to the target's internal Internet.

Unfortunately, many security manufacturers and installers don’t seem to secure their own security equipment. For instance, IP wireless cameras and card readers in the access control system are favourite targets of hackers. Unsecured, they can become irresistible backdoors.

Protecting IT and OT

Why do we mention both IT and OT systems? It's because almost everyone understands what IT is; but very few relate to OT. IT security lives in the context of networks, servers, storage, apps and data. IT involves a system where hosts are talking to many other hosts and where there are frequent patch cycles – in weeks or sometimes days – in response to expected and known cyber threats. IT security protects data (information).

An attack on the IT system can create very big problems from stealing personal information such as identity numbers or accessing protected information files and other privacy/ID data to transferring funds. If this isn't bad enough, however, the new trend of attacking the OT system can be even worse.

Out back, beyond the white collar offices and data centres and, often miles away are the industrial control systems (ICS) that run organisations' operations. In industries as diverse as oil and gas, power generation and distribution, healthcare (i.e. MRIs), transportation systems, manufacturing and many others, ICSs create automated solutions that increase productivity by connecting sensors, machines and instruments. They control local operations such as opening and closing valves and breakers, collecting data from sensor systems to turn up the heat of furnaces and monitoring the local environment for alarm conditions. When hacked, havoc ensues.

How to protect the card system from hacking

As the major OEM provider of proximity and smart cards and readers to the security industry, Farpointe's customers, electronic access control providers, have been very concerned about hacking threats and have asked Farpointe to provide reliable solutions that are easy to implement.

The first is MAXSecure, which provides a higher-security handshake, or code, between the proximity or smart card, tag and reader to help ensure that readers will only accept information from specially coded credentials. The integrator will never provide another organisation with the same key. As a result, with MAXSecure, no other organisation will have this reader/card combination. Only that single customer's readers will be able to read their cards or tags and their readers will read no other cards or tags.

The second major solution is Valid ID, an anti-tamper feature available with contactless smartcard readers, cards and tags. In use, it can add an additional layer of authentication assurance to NXP’s MIFARE DESFire EV1 smartcard platform, operating independently, in addition to, and above the significant standard level of security that DESFire EV1 delivers. In use, Valid ID will allow a smartcard reader to effectively help verify that the sensitive access control data programmed to a card or tag is not counterfeit.

At manufacture, readers, cards and tags can be programmed with this fraudulent data detection solution. The Valid ID algorithm cryptographically assists in ensuring the integrity of the sensitive access control data stored on the card or tag. With Valid ID, readers scan through the credential's access control data searching for data discrepancies, which may occur during the counterfeiting, tampering or hacking of a contactless smartcard. If tampering is detected, the reader reports it promptly to the access controller, identifying the credential in question.

Don't let them hack via the access system you sell or buy

Hacking has become a threat far bigger than most think. Indeed, the biggest threat to national security these days comes from not from aircraft carriers or infantry divisions, but a computer with a simple Internet connection. According to The Mirror, the UK suffers 100 000 computer hacks a year. In Germany, hackers struck an unnamed steel mill. They did so by manipulating and disrupting control systems to such a degree that a blast furnace could not be properly shut down, resulting in “massive”—though unspecified—damage. Overall, the U.S. federal government suffered a staggering 61 000 cybersecurity breaches, that it knows of, last year alone. Protecting your customers from professional hackers is imperative.

Odds are that your customer is not as large as the U.S. government or as big a target as a major corporation. It's probably an organisation that is not of interest to a professional hacker. That should not give you or your customers rest. The majority of hackers are not somebody that might target you; it's a teenage boy in his basement just trying to get into any system that he can. It's referred to as "opportunistic hacking." And, when he gets in, he likes to change code that will create mayhem. Providing anti-hack card-based access control systems eliminates one of the more popular opportunities that junior likes to leverage.

Share this article:

Further reading: