Watching the news each night is enough to explain why security professionals at educational and healthcare facilities worry about the security of their access control systems. If the card system is hacked, there can be major problems. At a university, years of research can be tampered with or lost. At a hospital, HIPAA rules are very stringent and the penalties for breaching them can be severe.

There are three main ways to attack a card-based electronic access control system: skimming, eavesdropping and relay attacks.

Skimming occurs when the attacker uses an unauthorized reader to access information on the unsuspecting victim's RFID card or tag without consent. As a result, the attacker is able to read stored information or modify information by writing to the credential. From that point on, the attacker can control when and where unauthorized entries may occur.
Image caption: A combination keypad/card reader provides 2-factor validation: something the person knows plus something the person has.

An eavesdropping attack occurs when an attacker recovers the data sent during a transaction between the legitimate reader and card. As a result, the attacker can recover and store the data of interest. From then on, the attacker can use this stored data at will.

Lastly, RFID systems are potentially vulnerable to an attack in which the attacker relays communication between the reader and a tag. A successful relay attack lets an attacker temporarily possess a 'clone' of a token, thereby allowing the attacker to gain the associated benefits. Some sophisticated RFID credentials perform mutual authentication and encrypt the subsequent communication. An attacker, however, never needs to know the plain-text data or the key material as long as he can continue relaying the respective messages. It is therefore irrelevant whether the reader authenticates the token cryptographically, or encrypts the data, since the relay attack cannot be prevented by application layer security.

What is scary about all this is that the equipment to perpetrate the above attacks can be quite inexpensive and is widely available. However, to fully understand how to stop such assaults, we first need to understand how RFID cards and readers work.

The Technology Behind Readers & Cards

There are two basic contactless card-based technologies: proximity and smart card. Proximity takes advantage of industry-acknowledged norms, while smart card readers typically make use of the international standard for such cards, which is designated ISO/IEC 14443.

In operation, proximity readers typically generate an electromagnetic field tuned to 125 kHz, an internationally recognized radio frequency for low-power data communications. When a credential enters this field, the credential's internal RFIC (radio frequency integrated circuit) is activated.
The RFIC then transmits its unique data back to the reader as an encoded signal. (Here is a quick explanation. A byte is a unit of data that is eight binary digits, or bits, long. A parity bit, or check bit, is a bit added to the end of a string of binary code (0's and 1's) that indicates whether the number of bits in the string with the value one is even or odd.) Simply put, if an odd number of bits (including the parity bit) are transmitted incorrectly, the parity bit will be incorrect, thus indicating that a parity error occurred in the transmission. The data must be discarded entirely and re-transmitted from scratch. In doing so, byte parity error detection helps provide extremely fast, accurate and secure transmissions.

Now, let us review smart card technology. In operation, smart card readers typically generate an electromagnetic field tuned to 13.56 MHz. When a credential enters this field, the credential's internal RFIC (radio frequency integrated circuit) is activated. The RFIC then transmits its unique data back to the reader as an encoded modulated signal. Smart card readers are typically able to read the sector (access control) data and/or unique card serial number (CSN) from ISO/IEC 14443 compliant smart card credentials.

Meeting the ISO standard, the cards are quite often programmed at the manufacturer with the brand's compatible secure key. During the validation process, the credential's secure key is challenged by the reader. If the secure keys match, the reader will read the card's sector data; if the secure keys do not match, the reader may only read the credential's CSN.

How Can We Improve Security?

First of all, before creating a major alarm, let us remember that such attacks are not frequent. But, to those attacked, that is of no comfort. With that in mind, the security administrator has a range of tools to negate skimming, eavesdropping and relay attacks. Let us look at increasing the security of proximity cards first.
One of the easiest solutions is to create 2-factor validation of the person wanting to enter. Not only must that person have something (the authorized card or tag) but they must also know something (a personal identification number, or PIN). For higher security areas especially, you can select a card reader with an integrated keypad. To enter, the individual presents their card, gets a flash and beep, and then enters their PIN on the keypad. The electronic access control system then prompts a second beep on the reader, and the individual is authorized to enter.

Your integrator can also provide a high-security handshake, or code, between the card, tag and reader to help prevent credential duplication and ensure that your readers will only collect data from these specially coded credentials. In a sense, it is the electronic security equivalent of a mechanical key management system, in which your organization is the only one that has the key you use. Such keys are only available through your integrator and your integrator never provides another company with the same key. In the electronic access control scenario, no other company will have the reader/card combination that only you get from your integrator. Only your reader will be able to read your card or tag and your reader will read no other card or tag.

How about smart card systems? First of all, often at a cost comparable to proximity card systems, smart card systems may be more secure and can be used for applications beyond access control, such as library checkouts, the hospital cafeteria, and so on.

Regarding smart cards, the next term you should look for is "MIFARE," which is based upon NXP Semiconductor's technology. (Others will look for France's Inside Technologies. The idea is very much the same, so we will discuss MIFARE.) We could go into a deep technological explanation but suffice it to say MIFARE is the gateway to a series of security levels (a whole article in itself).
If you are really interested, ask your manufacturer for a quick run-through so you can pick the right level of MIFARE security for your customer.

Typically, to minimize costs, systems integrators will choose a relatively inexpensive smart card such as a MIFARE Classic card and concentrate security efforts in the back office. Additional encryption on the card, transaction counters and other methods known in cryptography are then employed to make cloned cards useless or enable the back office to detect a fraudulent card and put it on a blacklist. Systems that work with online readers only (i.e., readers with a permanent link to the back office) are easier to protect than systems that have offline readers, since real-time checks are not possible and blacklists cannot be updated as frequently with offline systems.

Another thing that can be done is the same as was explained earlier regarding proximity cards: you can be provided a security handshake between the smart card and reader. This adaptation works exactly the same with smart card solutions as it does with proximity systems.

You can also ask for a card validation option. In this enhancement, the cards and readers are programmed with a fraudulent data detection system. The reader will scan through the credential's data in search of discrepancies in the encrypted data, which normally occur during credential cloning. Such a card validation feature is yet an additional layer of protection.

Work with Your Integrator

Your electronic security integrator is as concerned with the security of your contactless card access control systems as you are. When planning a new system, it is imperative that you consider all aspects of your organization's security and safety with your integrator. Ask your integrator what you can do to avoid breaches of security.
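
The back-office transaction-counter check and blacklist described above, including the gap left by offline readers, as an added example (not code from this article or from any vendor). It assumes each credential carries a counter that rises on every use and that readers report card ID, counter, reader name and time; all names and values are hypothetical.

```python
# Added example: hypothetical back office; names and event format are assumptions.
from collections import defaultdict


class BackOffice:
    def __init__(self):
        self.history = defaultdict(dict)  # card_id -> {counter: (reader, ts)}
        self.blacklist = set()

    def ingest(self, card_id, counter, reader, ts):
        """Record one transaction; return 'ok', 'clone' or 'blacklisted'."""
        if card_id in self.blacklist:
            return "blacklisted"
        seen = self.history[card_id]
        if counter in seen and seen[counter] != (reader, ts):
            # Same counter value in two different transactions: two physical
            # cards are sharing one identity.
            return self._flag(card_id)
        for other, (_, other_ts) in seen.items():
            # Counter order must agree with time order, even for late uploads.
            if other != counter and (other < counter) != (other_ts < ts):
                return self._flag(card_id)
        seen[counter] = (reader, ts)
        return "ok"

    def _flag(self, card_id):
        self.blacklist.add(card_id)
        return "clone"

    def ingest_batch(self, events):
        """Offline readers upload stored events later; checks only run then."""
        return [self.ingest(*event) for event in events]


def demo():
    office = BackOffice()
    # Constructed sample events: (card_id, counter, reader, unix_time).
    live = [office.ingest(*e) for e in [
        ("CARD-A", 41, "lobby", 1000),
        ("CARD-A", 42, "lab-1", 1600),
        ("CARD-A", 43, "lobby", 9000),
    ]]
    # A copy taken at counter 41 opened an offline door at t=5000 and reused
    # counter 42; nothing could refuse it until the reader uploaded its log.
    late = office.ingest_batch([("CARD-A", 42, "store-room", 5000)])
    after = office.ingest("CARD-A", 44, "lobby", 12000)
    return live, late, after
```

A legitimate event that merely arrives late from an offline reader is accepted, because its counter still falls in the right place in time order.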