Card Security 101
Smart and secure, card technologies explained
Whether you’re using a key, a proximity card, a smart proximity card, or your mobile phone – they are all technologies that work towards the same purpose: getting through the door.
What does differ, is how they facilitate this and the level of security and assurance each technology provides. Recent surveys showed that over a third of companies reported they still use an insecure card technology like 125kHz, this is a worldwide problem.
In this article, we’ll take you through the different types of technology, show you why some are much more effective than others, and arm you with the facts to help you make informed decisions when beginning your card security journey.
For hundreds of years, keys were considered the most practical way to secure a location. But the downsides include the expense - which can easily run into the thousands of dollars - to rekey all locks if a key is lost or stolen, as you can’t just cancel a lost key. There’s also a lack of transparency and no reporting or audit data about who uses them and when they are used. And physical keys - even those marked ‘do not copy’ - can be copied, shared, or sold, leaving a seemingly secure site vulnerable to intrusion at any time.
Advancements in the 70s and 80s led to proximity card (or prox card) technology. The widespread adoption of the 125kHz proximity card took security into the modern age, and for a time, provided convenient and robust electronic access control. So much so, that even today, almost 40% of credentials sold worldwide are still 125kHz.
As flaws in 125kHz became apparent, other technologies were developed - from PINs and biometrics, through to 13.56MHz proximity smart cards and mobile credentials - but until recently, none have looked to overtake the ubiquity of the humble 125khz prox card.
Introduction to Card Technologies
So far, we have talked about 125kHz credentials, but if you take a step back, you can divide credentials into 3 distinct groups:
What You Have
An access card or fob.
What You Know
This could be a PIN or password.
Who You Are
A biometric credential like a fingerprint or facial scan.
What You Have makes up most credentials present in the marketplace today. This includes key cards, mag stripe, wristbands, key fobs, mobile credentials, and license plate recognition.
This is mainly split between 2 types of physical cards – 125kHz prox cards and 13.56MHz smart cards – and more increasingly, mobile credentials.
Watch our explainer on What You Have credentials to find out the main differences between 13.56MHz smart cards and 125kHz prox cards.
Security Risks with 125kHz Proximity Cards
As the video demonstrates, there are a number of very good reasons why high-frequency proximity smart cards are more secure than legacy 125kHz prox cards.
In addition, with 125kHz cards, it’s possible for 2 locations to have the same site and card number. In fact, due to the limited number of available site codes, this is almost a certainty. If these supposedly ‘unique’ identifiers were the same, then it’s possible your card for the gym could give you accidental (but still legitimate) access to a completely different building such as a corporate office, or financial institution.
There are also multiple examples online showing how easy it is to hack a 125kHz card by scanning remotely and cloning. You can learn more about the associated security risks in our article Card Security 101: Cloning 125kHz Prox Cards is So Easy it’s Scary.
Despite this, IPVM found that 14% of integrators said that low-frequency 125kHz prox cards were their favorite type of credential. This was still the second highest percentage, only coming behind high-frequency smart cards.
One potential explanation for this is a lack of education of users. Many are unaware of the security risks surrounding 125kHz cards - this article aims to make it easy to understand the concepts.
Another factor, is that 125kHz cards have traditionally been the most cost-effective option. This is no longer the case. Advances in encryption and technology mean it’s now more cost effective to get a 13.56MHz MIFARE DESFire credential than a 125kHz prox card in many instances. So now there’s no real excuse to stick with an insecure, outdated legacy technology.
Smart Encryption with DESFire
As the flaws in 125kHz prox card technology were exposed and the risks of intrusion became a reality for several high-profile sites, engineers worked tirelessly to stay ahead of the hackers. This led to the development of the first high-frequency smart cards, which operate on the 13.56MHz frequency as opposed to the lower 125kHz frequency.
The first 13.56MHz proximity smart card - the MIFARE Classic - was actually developed for public transport ticketing solution, but was soon adopted by the security industry as a more secure alternative to 125kHz prox cards. Then came MIFARE DESFire, which in itself has several iterations.
We recommend MIFARE DESFire for all sites. It has the highest standard of card security currently available, so users can feel assured that their credentials are protected by industry best practices.
As the most secure card technology available today, DESFire is suitable for all types of properties – providing the same high level of security to a small family run business, that you would expect in federal or government buildings which use the same technology. DESFire can also be beneficial for locations such as gyms or apartments that have large amounts of users, and have traditionally been affected by card cloning in the past.
A DESFire card also offers a multi-sector solution, so you can also include additional applications on the same card. This could give you the flexibility of wireless or offline locking systems, or wireless staff lockers too.
If you’d like a more in depth or technical look at smart credentials, then check out our Card Security 101: DESFIRE Credentials Overview article and the Benefits of a DESFire Solution.
The DESFire Experience
If you currently use 125kHz prox cards, it’s worth noting that using DESFire credentials is a slightly different experience. Due to the advanced encryption technology requiring more power, it has a shorter read range than low-frequency cards. You can’t just wave or swipe a card in the general direction of the reader to gain access like you might be used to. Instead, think of it like contactless payment – just hold the card firmly near the reader until authorized. To avoid frustration, we recommend training your staff on this too.
DESFire has proven to be the most secure card technology available today, but there are also circumstances when you might consider other technology such as mobile credentials or biometrics for additional flexibility or convenience.
If you’re currently using 125kHz credentials and looking to change, you don’t necessarily have to do it in one hit. ICT’s multi-technology tSec readers work with both low-frequency 125kHz cards and 13.56MHz DESFire smart cards. This means you can manage the transition to a more secure system at your own pace, helping spread the cost of new cards, or perhaps giving staff a period to become comfortable with the new technology, while keeping the comfort of the old. Once the transition is complete, you can disable the 125kHz frequency on the tSec readers, so none of the old cards - or any copied cards that are floating around – can be used to gain access any more.
Whatever solution you end up choosing, you may want to consider adding a keypad and PIN to deliver the additional level of security that two-factor authentication (2FA) offers.
Now we’ve covered the basics about card security, you should understand the differences between the more secure high-frequency smart cards and legacy 125kHz prox technology. You’ll also be familiar with the security risks posed by the continued use of 125kHz credentials, and why there are now no financial barriers to choosing the more secure solution for your property. You’re now a Card Security 101 graduate, congratulations!