Security Card Access – Keep your doors closed
Forensic Focus - September 2010
Would you let a stranger into your company? Would you let them walk around the office unattended? Would you let them help them self to anything they want? The obvious answers are ‘No’. However, you may have let this happen without realising it.
You use your access card to call an elevator. The door opens, there are many people in the elevator and you get in. The elevator is quite full so people are close to one another. You notice a man with a laptop bag strung over his shoulder standing next to you. You reach your floor and go to work.
A week later the building manager and security contact you. There has been an investigation launched and they enquire why you were at work late on Saturday night. They also mention that company property has gone missing around that time. You explain that you were at home with your family. They claim that your access card was used to access the building after hours on Saturday when the property was taken. You tell them you have had your access card all the time and they accuse you of giving it to someone who has accessed the building.
What has happened here?
It’s most likely that your access card has been compromised. Remember the person in the elevator with the laptop bag? He may have had a radio frequency identification card (RFID) reader in his laptop bag. If your access card is clipped to your belt and hangs down in plain view, the culprit could move his laptop bag close to your card and as quick as you can say “fourth floor please”, your access card has been read. The perpetrator now has that information stored on his reading device. There would be no suspicion raised as people are often close together in elevators, particularly when the elevator is full.
When someone has their RFID card scanned, the victim may not know their card has been compromised and it may be weeks, months or years before they know. It usually won’t be identified until a security incident occurs. In some cases the victim may never know.
What is RFID?
RFID technology is increasingly being used to identify people and property. The technology is often embedded in smart cards that are used to access public transportation systems, to open doors in corporate and government buildings and in some countries it’s being implemented into passports.
A live demonstration here in New Zealand showed how an access card can be read and the captured data then written to a blank card all within seconds. These readers can possess an effective scanning range of up to 30 centimetres. They contain onboard memory to store card information for later use, and are small enough to be concealed in laptop bags.
How is RFID card ‘skimming’ being dealt with overseas?
In 2008, California’s Governor Arnold Schwarzenegger signed legislation into law that makes it illegal to surreptitiously read someone else's radio frequency identification card. There are currently no specific laws in New Zealand making secretly reading RFID cards illegal.
Although instances of RFID card skimming are becoming increasingly common overseas, it has also occurred here in New Zealand where an access card was scanned, duplicated and used to gain access to a secure area.
How do I protect my RFID card from being scanned?
The best method is to place your card into a RFID shield. A RFID shield is a protective sleeve that prevents anyone from reading private information stored on your RFID cards.
Other measures are to keep it out of site. If the culprit can’t see your card he won’t know where it is and won’t be able to scan it. Some people have their cards on a lanyard around their neck. It would look suspicious if the culprit lifted his laptop bag and tried to get it close to your chest to read your card.
In times where RFID key access to the work place and secure areas is becoming the norm, people need to be aware of how easy it is to have their ‘electronic key’ copied. We are seeing that the ease of use far outweighs the security of these technologies. Security is ultimately in the ‘card holders’ hands, so remember to be vigilant and keep your access card out of view from the cunning “skimmer”.
For more information on protecting your RFID security cards please contact Jon Pearse.