BLOG: The truth about card cloning

What is card cloning?

Card cloning is the act of duplicating the information stored on an access control RFID card for the purposes of copying it to another card. Billions of RFID (radio frequency identification) cards are used all around the world in every industry. Whether you’re entering an office, leisure centre, residential block, or construction site, the chances are you’ve used one at some point.

What are the risks of card cloning?

Swipe cards are a type of credential. Credentials are used to validate the identity and access rights of people trying to gain entry into a building or area. If a person’s credential has been copied and used by someone else, your security is compromised. In the least severe case, you will lose the reliability of your reporting as you won’t know who is using which credential. In the worst case scenario, an intruder could access your secure zones for all kinds of malicious purposes.

How are cards cloned?

There are a huge range of different cards and credentials available today. None can offer 100% guaranteed security, but there are more and less risky options. The credentials most susceptible to the risk of cloning are those utilising legacy technology without encryption.

In 1975, radio frequency identification was invented and 125kHz proximity cards were introduced. These remain a hugely popular choice globally, thanks to their convenience and low cost. In a 2020 report, HID Global found that 51% of surveyed companies use 125kHz proximity credentials in their organisation¹. However, proximity cards are the most vulnerable to attack.

Proximity cards carry a string of binary code on a small chip embedded inside the card. When presented to the reader, the card transmits the code via radio waves at the frequency of 125kHz. If the code is recognised by the reader, the door will be unlocked, allowing the user to enter.

However, as the data is transmitted without any encryption to hide the message, it is at risk of cloning. The transmission can be easily intercepted, and the code saved and copied onto a new card. RFID copiers can be purchased online for as little as £15.00! It is therefore important for facilities managers to weigh up the low cost of proximity credentials with the potential cost of a security breach due to card cloning.

Are higher frequency cards safer than proximity?

The most common next step up from 125kHz proximity credentials is 13.56MHz MIFARE® Classic. This is a type of smart card. Developed to combat the vulnerabilities of proximity cards, smart cards can carry a range of different information at once. They also transmit their data at a much higher frequency than proximity cards – more than ten times higher!

The crucial difference in smart cards was the advent of authentication. This means that not all of the information saved on the card is publicly available. When the card is presented to the reader, the sensitive data on it is not transmitted until the card is authenticated. The authentication process checks that the presented card is part of the system and not from an external attacker. Once authenticated, the ID code is transmitted as usual and the user is granted entry.

The addition of authentication makes MIFARE Classic credentials more difficult to clone, but not impossible. A potential hacker just needs to identify the correct passkey that is used for authentication. Many companies simply never change this key from the one provided by the manufacturer. There are even simple smartphone apps that use the phone’s built-in NFC technology to clone 13.56MHz cards.

As a result of the advances in technology that can crack MIFARE Classic systems, the manufacturer of these credentials recommends migrating to higher security products².

How to protect your organisation from card cloning

There are a number of measures you can take to reduce the risk of a security breach due to card cloning. These include opting for a card or credential type with a higher built-in level of security, and implementing a multi-factor authentication process.

MIFARE® DESFire® EV2 credentials

In response to security weaknesses discovered in its MIFARE Classic technology, a new generation of RFID chips was introduced. MIFARE DESFire EV2 chips utilise the same 13.56MHz transmission frequency, but combine it with secure encryption and decryption of the data as it is passed from the card to the reader.

The DES stands for Data Encryption Standard. The FIRE stands for Fast, Innovative, Reliable, Enhanced. The additional layer of encryption added to the communication between the card and the reader adheres to the AES128-bit standard. This encryption method was selected by the US government as a standard symmetric block cypher for protecting classified information.

MIFARE DESFire EV2 credentials cannot be cloned. Even using a supercomputer, it would take 1 billion billion years to crack an AES128-bit key using brute force methods³. Naturally, cards embedded with this level of security are more expensive than the low frequency alternatives. However, the extra investment in cards that cannot be cloned comes with the confidence and peace of mind that your buildings and assets are safe.

CDVI’s ATRIUM access control is equipped with end-to-end encryption. From the secure server to the controller, reader, and credentials, data transmitted is robustly protected.

Mobile-PASS smartphone credentials

MIFARE DESFire EV2 credentials offer an uncrackable level of built-in security that means they cannot be cloned. However, if someone’s genuine access card was lost or stolen, an intruder could still use it to falsely gain access to secure areas. This is a small but real risk for all types of physical credentials.

To combat this, CDVI developed Mobile-PASS smartphone credentials. This innovative solution utilises the built-in Bluetooth and NFC technologies in modern smartphones. Your credential is contained within a free-to-download app and issued only to you. When you approach the door, you can use your smartphone to validate your identity and gain entry. You are significantly less likely to lose or forget your smartphone compared to a swipe card. Moreover, even if an attacker stole your phone, they would be unable to gain entry without first unlocking the phone.

Mobile-PASS credentials use encrypted MIFARE DESFire EV2 technology. That means they benefit from AES128-bit encryption, and also cannot be cloned.

Multi-factor authentication

Access control systems that use multi-factor authentication require the user to provide more than one method of validating their identity before allowing access. You’ve probably come across this when signing into an online account – often you are asked to input your password and then input a code sent to your mobile phone. Multi-factor authentication (MFA) can also be implemented in physical access control systems to enhance security. This could include:

• A fingerprint reader and a swipe card
• A swipe card and a keypad code
• Facial recognition and fingerprint recognition, plus a keypad code

or any other combination of methods.

Adding extra steps to the authentication process massively increases the overall security of the system. The chances of one method being spoofed, cloned, or hacked are low. The chances when there is more than one method are just a fraction of that already low chance. In relation to logical access control (access to computer files, systems, and data) MFA reduces the risk of identity compromise by as much as 99.9% compared to passwords alone⁴.

CDVI’s iface™ facial recognition unit can be set up for MFA quickly and easily. Adding a requirement for a keypad code or a MIFARE DESFire EV2 card/tag takes seconds. iface™ already offers the inherent security of 3D facial recognition that cannot be fooled with a photograph. Adding a code or card as well creates a robust and reliable system that keeps the risk of breach through cloning or spoofing to a minuscule minimum.

Card cloning is still a small but real risk to the integrity of security systems in many businesses. Those operating using legacy RFID credentials are vulnerable to cloning if an attacker gets hold of a legitimate swipe card or tag. Technology has advanced to meet and overcome the risk of cloning by introducing better encryption and more secure validation methods. However, every time security technology has made a step forwards, criminal technology has not been far behind. In the future, manufacturers of RFID chips and access control systems must be vigilant and respond quickly to a rapidly changing criminal landscape.

1. https://www.hidglobal.com/doclib/files/resource_files/hid-pacs-2020-state-physical-access-wp-en.pdf 
2. https://www.mifare.net/en/products/chip-card-ics/mifare-classic/security-statement-on-crypto1-implementations/
3. https://www.eetimes.com/how-secure-is-aes-against-brute-force-attacks/#:~:text=As%20shown%20above%2C%20even%20with,universe%20(13.75%20billion%20years).
4. https://www.microsoft.com/security/blog/2020/03/05/it-executives-prioritize-multi-factor-authentication-2020/