UPDATED July 11: Demo highlights prox limitations but wrongfully lumps in contactless
Northern Arizona University submits comments; migration to contactless smart cards was underway before stunt
Any campus card administrator will tell you that understanding where your card system’s vulnerabilities lie is imperative. Knowing your card technology and its limits, be it mag stripe, bar code, prox or contactless, is a crucial part of that understanding.
There are, however, some folks out there asking the difficult questions and prompting universities to think about their card systems and how they could potentially be compromised. Walt Augustinowicz, founder of Identity Stronghold, has made it his mission to visit campuses across the country to show universities and students alike that their cards might be subject to what he calls a “bump and clone” attack.
The bump and clone attack occurs when a fraudster surreptitiously reads and replicates a student’s proximity card. From there, the fraudster can often apply the cloned credential to a second, blank card and use it as if it were the original.
In a recent demonstration, Augustinowicz traveled to the Northern Arizona University campus, and was accompanied by the television show Inside Edition. The card system at Northern Arizona uses 125 kHz prox technology, a card that is susceptible to the bump and clone attack.
“There have been hardware and software tools out there for years that can clone 125 kHz prox cards,” he says. A prox reader and blank cards can be purchased for around $200 and then used in conjunction with a smart phone and antenna array.
According to Augustinowicz, anyone with the intent could replicate his process. “We were able to look ahead of time at the university’s web site to see what NAU cards looked like and was able to print a blank white card with my picture on it,” says Augustinowicz.
With the permission of a willing student, Augustinowicz cloned an ID card and used the cloned prox credential to access buildings and dormitories.
Prox cards have been around since the early ’90s, so it’s not a surprise that the technology isn’t as secure as a contactless smart card.
“Proximity cards became a de facto industry standard during the late 1990s, but as the industry and technology have evolved we have learned that 125kHz prox cards are not as secure as 13.56 MHz contactless smart cards introduced by HID in the early 2000s,” explains Jeremy Hyatt, director of global public relations and corporate communications for HID Global.
Convenience vs. Security
At their core, 125 kHz prox cards are built for convenience. They’re great for providing a student quick access to an academic building, residence hall or rec center, but they’re not designed for security like a 13.56 MHz contactless card.
Augustinowicz’s ability to bump and clone a prox card, then, should come as little surprise to those familiar with the technology. Prox was not designed to support encryption and advanced security features that make the contactless smart card secure.
As Augustinowicz has seen firsthand, however, there are still campus card administrators and campus security officials who lack this vital piece of information. “It’s amazing the silence that comes after one of our demos,” he says.
At least some of the access control readers at NAU are capable of reading both prox and contactless smart cards. This fact further heightened Augustinowicz’s concern. “Campus security personnel shouldn’t be paying good money for multi-class readers and then issuing 125 kHz cards. Why would you not at least take advantage of the basic encryption on a 13.56 MHz card?”
It should be said, however, that if not properly implemented, 13.56 MHz credentials carry a similar vulnerability to their prox counterparts. Every contactless card features a free-read card serial number. This number is not encrypted, can be read by any reader and was never intended for use as a secure identifier. Rather, it is used to initiate security functions such as mutual authentication.
The possibility exists, then, that poorly implemented contactless systems could be susceptible if the card serial number is used as the secure identifier. To not leverage the encryption capabilities of a contactless card would be a waste of security features and money, as this is what sets contactless technology apart from prox.
Simply put, implementing a properly secure card system should be a joint effort between vendors and campus card administrators, with knowledge of card technology being the key factor.
Augustinowicz’s prescription is to issue a protective shield with every proximity card. A shielded protective sleeve – like that manufactured by Identity Stronghold – essentially turns the card off, keeping hackers from sniffing credential data.
One of Identity Stronghold’s offerings, the BloxProx card holder, has both a shielding mechanism and a jamming mechanism that interferes with the bump and clone process. Instead of simply blocking the attack, the card holder also spits out a false number when someone tries to sniff the card. It’s a solution that Augustinowicz says works for both 125 kHz prox and 13.56 MHz contactless cards alike.
Turning a contactless card off when not in use can be beneficial if you are protecting personal information like that stored on a bankcard. But many would argue that shielded card holders only safeguard a physical location when every student has one, uses it, and keeps their credential on their person at all times.
“The technology that the vendor has chosen to exploit in the demo is 30 years old and is simply not comparable to the highly secure credentials available today,” says Jeff Staples, vice president of marketing development at Blackboard Transact. “The answer to this challenge is not to deploy a sleeve that costs $7.98 each, but rather involves refreshing the card technology and taking advantage of credentials with strong encryption.”
“If a fraudster wants to compromise a card in this scenario they can simply remove it from the shield, meaning this product only guards against a passerby,” says Staples. “The institution can only guard against a determined bad actor by utilizing cards with advanced encryption.”
Staples suggests that secure contactless smart card credentials are particularly well-suited for this application and are priced between 50% and 75% less per card than a sleeve. “Leveraging the media, while fraudulently creating and using a student ID card is a curious way of selling your product,” he says.
“Our clients have been going through this refresh process for several years now and Blackboard has shipped more than two million secure credentials since 2010,” explains Staples. “These schools are securing their program from the inside-out, rather than bowing to the questionable tactics of a vendor whose product costs more than twice as much and only secures those cards where it would be used 100% of the time.”
Nothing but the best
Every institution should keep best practices in mind when implementing a secure card system. Staples says an institution should adopt a high security credential and follow widely accepted rules of issuance and acceptance including:
- Issuing ISO-standard secure credentials that support a minimum of 112-bit encryption, either triple-DES or AES
- Utilizing the secure areas on the card to store credentials used for any sensitive transactions
- Using best practices for contactless security, including mutual authentication, diversified keys and encrypted data payload.
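The contrast between a reader that trusts the free-read card serial number and one that applies mutual authentication with diversified keys can be modeled as follows. This is an added example, not code from any vendor quoted in this article; HMAC-SHA256 stands in for the triple-DES or AES card ciphers, and the master key, serial number and all function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

MASTER_KEY = bytes(range(32))     # constructed demo key; real readers keep it in a SAM/HSM
UID = bytes.fromhex("04a1b2c3")   # constructed free-read card serial number
ALLOWED = {UID}

def mac(key, label, a, b):
    return hmac.new(key, label + a + b, hashlib.sha256).digest()

def diversify(master_key, uid):
    """Diversified key: each card gets its own key derived from its serial number."""
    return hmac.new(master_key, b"diversify" + uid, hashlib.sha256).digest()

class Card:
    def __init__(self, uid, key=None):
        self.uid = uid                               # readable by any reader
        self._key = key or secrets.token_bytes(32)   # a serial-number-only copy lacks the real key
    def respond(self, reader_nonce):
        self._rn, self._cn = reader_nonce, secrets.token_bytes(16)
        return self._cn, mac(self._key, b"card", self._rn, self._cn)
    def accept_reader(self, reader_tag):             # the card checks the reader too (mutual)
        return hmac.compare_digest(reader_tag, mac(self._key, b"reader", self._cn, self._rn))

def uid_only_reader(card, allowed):
    """Weak design: the serial number alone is treated as the credential."""
    return card.uid in allowed

def mutual_auth_reader(card, allowed, master_key=MASTER_KEY):
    """The serial number only selects the key; access requires proof of that key."""
    if card.uid not in allowed:
        return False
    key = diversify(master_key, card.uid)
    reader_nonce = secrets.token_bytes(16)
    card_nonce, card_tag = card.respond(reader_nonce)
    if not hmac.compare_digest(card_tag, mac(key, b"card", reader_nonce, card_nonce)):
        return False
    return card.accept_reader(mac(key, b"reader", card_nonce, reader_nonce))

def demo():
    genuine = Card(UID, diversify(MASTER_KEY, UID))
    uid_copy = Card(UID)          # same serial number, but no card key
    readers = {"uid_only": uid_only_reader, "mutual": mutual_auth_reader}
    cards = {"genuine": genuine, "copy": uid_copy}
    return {(r, c): f(card, ALLOWED) for r, f in readers.items() for c, card in cards.items()}

if __name__ == "__main__":
    print(demo())
```

Because each card key is derived from its own serial number, recovering the key of one card does not expose the keys of the others.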
HID’s Hyatt concurs, stating that “regardless of which card technology is used, it is important to keep in mind that access control cards and readers are only one aspect of a facility security system, and that the most effective security is achieved by a layered approach.”
The day may never come when a single, magic-bullet solution is deployed. However, this layered approach, when implemented properly, can provide the security needed to safeguard not only physical locations on campus, but the students that use them as well.
Migrating card technology may seem an insurmountable task, but it’s a crossroads at which many – if not all – universities arrive in time. Moreover, if your campus relies on older, susceptible technology, card migration may be the only way to completely eliminate the cloning risk.
The lesson that can be learned from the bump and clone demonstrations is an important one nonetheless. It is essential to understand your card technology so that neither your card office nor university administration is blindsided should its limitations be exploited.
Comments from NAU
According to Tom Bauer, director of the office of public affairs at Northern Arizona University, the demo was unplanned, with campus administrators only catching wind of the incident after Augustinowicz and the Inside Edition crew had left.
As for the university’s credentials, Bauer explains that a migration is already in full swing. “We are migrating to encrypted cards this fall,” Bauer explains. “Proximity cards are no longer being issued as our primary card technology.”
As for the readers on NAU’s campus, there are only a few prox holdouts, but there are plans to phase those out as well. “NAU uses multi-class readers throughout campus and manages the accepted credential technologies as appropriate,” says Bauer. “NAU uses prox readers on legacy exterior doors, but will be migrating away from that in the near future so that all doors on campus utilize encrypted card-to-reader communications.”
Despite the impending adoption of encrypted credentials on campus, Bauer does acknowledge the reality of the bump-and-clone attack.
“It’s viable, perhaps, but I don’t think it’s a widespread threat. The situation will change when we introduce encrypted cards,” explains Bauer. “I was disappointed in that Inside Edition used Mr. Augustinowicz as a consultant when he owns a business selling sleeves that prevent card cloning. It appears, on the surface, to be a conflict.”
“Nevertheless, NAU learned an important lesson and has taken steps to prevent this type of threat in the future,” insists Bauer.