Most people will be familiar with security system swipe cards for doorway access control. Almost every commercial premises in New Zealand utilises some form of card or PIN access control, whether it be a simple swipe card system, or something a little more sophisticated such as card and PIN, or biometric access control, where a person’s physical characteristics, such as an iris or fingerprint, are used to check and authorise access. Access control can be a combination of all these things.
While most people refer to security door cards as ‘swipe cards’, they are more properly termed ‘proximity cards’ and can take the physical form of a card, about the size of a standard credit card, or can be in the form of key fobs, or proximity tags. ICT have a range of proximity wristbands, for use with their ICT Protege access control and intrusion detection system. Wrist watches too, are now becoming a popular and convenient means of carrying authentication information.
The term ‘badging the card’ refers to the act of presenting the swipe card to the swipe card reader. There are many different ways in which to badge the card, depending on how the reader has been set up, and the technology of the card used. For instance, some cards can be read close to the reader, others from further away. Some cards must be badged (presented to the swipe card reader) for a certain amount of time, say two seconds, whereas for others a momentary presentation of less than a second will be sufficient. Older card technology will require the actual swipe of the card through a magnetic reader, in the same way you swipe your EFTPOS card in the shop.
Swipe card technology has developed significantly over the last two decades. There are six basic card types, listed below, ranked from strongest to weakest in terms of security protection:
- DESFire
- ICT Secured Mifare
- Mifare Classic
- 125kHz
- Mifare CSN
- Magnetic Stripe
Even though each of these cards physically looks similar to the others, there are key differences between them in terms of technology, security protection, and range.
The magnetic stripe swipe cards were the first security cards on the scene. While they provided a basic level of protection and access control, they also had a number of disadvantages, including wear and tear, inconvenience factor (in terms of having to swipe the card, as opposed to present it), and very low security protection. If your business is still using a magnetic stripe card for access control, you need to seriously consider upgrading to a modern system, to ensure the best possible access control protection. Contact Tiger Security for a free, no obligation discussion about the options.
The swipe card technology has been superseded by ‘proximity’ technology, whereby the card is not swiped, but presented in front of the door reader. Readers work by constantly emitting a short range radio frequency (RF) field. When a proximity card comes into range of this field, a chip inside the card is powered up and sends a number (the credential) back to the reader. The reader then checks to see if that number is authorised, in order to decide whether or not to grant access.
The following information on the different cards, and their features, is taken from the ICT Protege Certification literature, Module 3, (Protege Hardware Overview).
125kHz card technology
When a 125kHz card is powered up, it immediately begins to transmit its card number. In effect, this is very similar to the way the old mag-stripe readers worked. The problem is that being a proximity system, it is possible to create a device that will ‘power up’ a card from a distance, then read the data that is being transmitted. Once you have this, you can easily reproduce the card, making as many copies as you like. In many cases, you can even create cards in the same series with different numbers.
As a consequence, the 125kHz technology has serious security flaws. This is because the data that is transmitted by the card is not encrypted and is always the same. Data transfer is one way only. The reader is not able to communicate with the card.
The one advantage of 125kHz is that due to the lower power requirements and small amount of data being transmitted, it offers a good read range (of around 10cm or 3.9”) and a short read time, allowing users to present, swipe, or wave their card in the general direction of the reader to get a successful read.
Mifare / 13.56MHz card technology
The Mifare standard was originally created as a ticketing solution for transport systems, and at the same time addressed the security issues in 125kHz technology by enabling two way communication between the card and reader. This saw the introduction of card encryption and the ability to store data on the card.
Most Mifare technologies store the card number in one of the storage areas on the card, known as sectors. Along with the added security, the additional storage space on the card can be used for a range of applications, such as offline locking systems or the storage of credit for pay as you go systems.
Unlike 125kHz technology, Mifare initiates more of a conversation between the reader and the card. When the card approaches the RF field of the reader, the card and reader begin a secure communication session using shared encryption keys. Once this is established, the card number is transmitted and the communication session is closed off.
This process happens very quickly, however it does take slightly longer than a 125kHz based system and means that generally, a Mifare card cannot be simply swiped or waved at a card reader, but must be presented. The Mifare chip also requires more energy than the 125kHz system, so the card must get further inside the RF energy field to power up, resulting in a slightly reduced read range (of around 7-10cm or 2.7-3.9”). Mifare comes in many forms, each with their own advantages and disadvantages.
Mifare CSN
All Mifare cards come with a built-in CSN or card serial number. This electronic number is presented in much the same way as 125kHz in that it is not encrypted and can be read by a larger range of devices easily purchased on the open market. For instance, many smart phones are able to read this information, making it an even less secure method than most 125kHz systems.
CSN is generally used where there is a requirement to read Mifare cards from a number of different access control systems, or from third party cards such as pay as you go cards. While it offers great flexibility, it is very insecure.
Mifare Classic
Mifare Classic was the first version of the Mifare standard. It stores the card number on one of its sectors, then encrypts the communication between the card and reader, theoretically making it impossible, or at least very difficult to copy a card. Unfortunately, a security flaw was discovered in the Mifare Classic standard which meant that with the right knowledge and hardware, a card could still be copied or another card in the series created.
ICT Secured Mifare
ICT Secured Mifare is ICT’s implementation of the Mifare Standard. Card data is protected with a diversified authentication key and encrypted with an AES256 algorithm, effectively plugging the known security flaw in the Mifare standard. These cards are not as secure as DESFire but still provide high security against cloning.
This is the ideal solution for most new installations, as it provides a high level of security without a great loss of read range or response time.
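The difference between a one-way static card number (125kHz, CSN) and a two-way session using a diversified per-card key can be seen in a small simulation. This is an added example, not ICT's or Mifare's actual protocol: HMAC-SHA256 stands in for the card cryptography, and all class names, the key and the serial number are constructed for illustration.

```python
import hmac, hashlib, secrets

SITE_MASTER_KEY = secrets.token_bytes(32)  # constructed; stands in for the site's secret key

def diversify(master: bytes, uid: bytes) -> bytes:
    """Derive a per-card key from the site key and the card serial number."""
    return hmac.new(master, b"card-key" + uid, hashlib.sha256).digest()

class StaticCard:
    """125kHz / CSN style: one-way, same unencrypted number on every read."""
    def __init__(self, number: bytes):
        self.number = number
    def power_up(self) -> bytes:
        return self.number

class ChallengeCard:
    """Two-way style: answers a reader-chosen nonce using its own key."""
    def __init__(self, uid: bytes, key: bytes):
        self.uid, self._key = uid, key
    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self._key, nonce, hashlib.sha256).digest()

class Reader:
    def __init__(self, master: bytes, authorised: set):
        self.master, self.authorised = master, authorised
    def check_static(self, transmitted: bytes) -> bool:
        # Nothing here distinguishes the issued card from a recording of it.
        return transmitted in self.authorised
    def new_challenge(self) -> bytes:
        return secrets.token_bytes(16)  # fresh for every presentation
    def check_response(self, uid: bytes, nonce: bytes, response: bytes) -> bool:
        key = diversify(self.master, uid)
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return uid in self.authorised and hmac.compare_digest(expected, response)

def demo() -> dict:
    uid = bytes.fromhex("04a1b2c3")  # constructed sample serial
    reader = Reader(SITE_MASTER_KEY, {uid})
    recorded_static = StaticCard(uid).power_up()
    card = ChallengeCard(uid, diversify(SITE_MASTER_KEY, uid))
    first = reader.new_challenge()
    recorded_response = card.respond(first)      # captured during an earlier read
    second = reader.new_challenge()
    wrong_key = diversify(SITE_MASTER_KEY, bytes.fromhex("04000001"))
    return {
        "static_recording_accepted": reader.check_static(recorded_static),
        "live_card_accepted": reader.check_response(uid, second, card.respond(second)),
        "old_response_accepted": reader.check_response(uid, second, recorded_response),
        "other_cards_key_accepted": reader.check_response(
            uid, second, ChallengeCard(uid, wrong_key).respond(second)),
    }

if __name__ == "__main__":
    print(demo())
```

Because each card's key is derived from its own serial number, a key recovered from one card does not authenticate as any other card on the site.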
DESFire
Ideal for high security sites, Mifare DESFire includes a cryptographic module on the card itself to add an additional layer of Triple DES encryption to the card / reader transaction. This is the highest standard of card security currently available, however it does come with some disadvantages. The additional cryptographic module requires additional energy to operate, meaning it must remain even further inside the RF field resulting in a further reduced read range of 1-2cm or 0.4-0.8”.
A DESFire card must be firmly presented to the reader and held in place until access is granted. Waving or swiping a DESFire card will not result in a successful read.
Conclusion
Many card systems considered robust and state-of-the-art five years ago can now be compromised with a little nous, and should be upgraded to the ICT Mifare or DESFire format to afford the best protection against unauthorised access and intrusion. Upgrades can be achieved incrementally (and thus the cost spread over time), via multi-format compatible readers, which can be installed on an area-by-area basis. Cards can then be replaced as and when needed. Tiger Security encourages businesses to contact us (or telephone 09 972 1890) for a free appraisal of your swipe card door control systems. Visit our access control section for more information on our access control brands.