If you bought a reader that looks like the picture below, I would say it's not secure. I have a contactless (RFID) card that works with a card reader of the model shown below in a certain organization A. One day I saw the exact same model in a different and totally unrelated organization B. Out of curiosity I tried the card I had and was shocked to find that it actually worked. So if your organization uses this type of reader, or any off-the-shelf reader/system, read on to understand how this security issue arises.
The readers have onboard memory to store information about the cards they grant access to. Each record holds an "Account No" and the name associated with that account number. The pack of RFID cards supplied with the reader (or bought at a later date) can be programmed with a specific Account Number. A central control software for the reader is used to upload new account numbers to each reader.
After some investigation it turned out that the data field being checked to grant or deny access was the "Account No" field. When I put my card on the reader in organization A it displays this Account Number and the name associated with it, but when I tried it on organization B's reader it just showed the Account Number without my name. Data is loaded into the readers via the control software, which writes the account numbers and their associated names into the reader's memory: this explains the lack of my name on organization B's reader. Technically this Account Number can be changed, but it can only be numeric with a maximum of 5 digits, so there is always a possibility of collisions.
There is no quick fix or sure-fire solution to this security issue with the current implementation if the reader only uses the Account Number for authentication (I do not have access to the hardware to see whether different and more secure authentication methods are available). The reader firmware could be upgraded to recognize the serial number of each card (as each card manufactured should have a unique serial number); this would prevent collisions and unauthorized access, assuming all cards really do have unique serial numbers. If storing serial numbers consumes too much of the reader's memory, another piece of information, e.g. a passphrase, could be used instead to give two-factor authentication. The reader can store one copy of this passphrase and combine it with the existing "Account No", so that authentication relies on two different pieces of information. This would make collisions and unauthorized access much harder. It is certainly not fool-proof, but it makes gaining unauthorized access much more difficult.
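To make the difference between the observed check and the two proposed fixes concrete, here is an added model of the reader's decision logic in Python. It is not code from the post or from the reader's firmware; the card serials, account number and site passphrase are constructed sample values, and the site passphrase is assumed to be a single reader-wide secret typed at the door, as the post suggests.

```python
import hmac


class Card:
    """A card as the post describes it: a programmed 5-digit Account No,
    plus the factory serial number the post proposes checking as well."""
    def __init__(self, account_no, serial):
        self.account_no = account_no
        self.serial = serial


class Reader:
    def __init__(self, site_passphrase=None):
        self.records = {}                        # account_no -> {"name", "serial"}
        self.site_passphrase = site_passphrase   # assumed: one secret per reader

    def enrol(self, card, name=None):
        # The post says the field is numeric with at most 5 digits.
        if not (isinstance(card.account_no, int) and 0 <= card.account_no <= 99999):
            raise ValueError("Account No must be a number of at most 5 digits")
        self.records[card.account_no] = {"name": name, "serial": card.serial}

    def display_name(self, card):
        rec = self.records.get(card.account_no)
        return (rec["name"] or "") if rec else ""

    def grant_weak(self, card):
        """Observed behaviour: a stored Account No alone opens the door."""
        return card.account_no in self.records

    def grant_serial_bound(self, card):
        """Fix 1: the Account No must also match the serial it was enrolled with."""
        rec = self.records.get(card.account_no)
        return rec is not None and hmac.compare_digest(rec["serial"], card.serial)

    def grant_with_passphrase(self, card, entered):
        """Fix 2: Account No plus the reader-wide passphrase entered at the door."""
        if self.site_passphrase is None or card.account_no not in self.records:
            return False
        return hmac.compare_digest(self.site_passphrase, entered)


def cross_site_scenario():
    """Constructed scenario: a card issued at site A is presented to site B's
    reader, which holds the same 5-digit number but never had a name uploaded."""
    card_from_a = Card(account_no=12345, serial="SERIAL-A-0001")  # constructed
    card_from_b = Card(account_no=12345, serial="SERIAL-B-0077")  # constructed
    reader_b = Reader(site_passphrase="b-site-secret")             # constructed
    reader_b.enrol(card_from_b)
    return {
        "name_shown": reader_b.display_name(card_from_a),
        "weak": reader_b.grant_weak(card_from_a),
        "serial_bound_foreign": reader_b.grant_serial_bound(card_from_a),
        "serial_bound_own": reader_b.grant_serial_bound(card_from_b),
        "passphrase_wrong": reader_b.grant_with_passphrase(card_from_a, "guess"),
        "passphrase_right": reader_b.grant_with_passphrase(card_from_b, "b-site-secret"),
    }
```

Running `cross_site_scenario()` reproduces the post's observation (number accepted, no name shown) under the weak check, while both hardened checks reject the foreign card.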
So next time, be wary of (cheap) off-the-shelf security solutions: they may not provide the full security you think you're getting.
Note: The model that was affected was the ZKSoftware A11; however, I would expect anything that uses ZKSoftware or has a similar display user interface to be affected as well.