Access Control Cards – Are they really secure?
The news broke today that over in London, England, hackers succeeded in cloning or duplicating the cards that most Londoners use to ride on mass transit. These so-called Oyster Cards are a version of smart card that is used in a great many other places for access control to secured areas. The Dutch government has issued a countrywide security alert because they use the same or at least very similar technology at most of their government buildings!
Both Wired Magazine (http://blog.wired.com/cars/2008/06/hackers-crack-l.html) and the Evening Standard in London have articles on this story (http://www.thisislondon.co.uk/standard/article-23454596-details/Oyster+card+cloning+fears/article.do).
This is just the latest problem with this technology to come to the surface. The main problems with these systems are that they are often specified incorrectly and sometimes just installed poorly. They are also only as good as the people who have administrative access. I took over the management of a fairly simple system at a large corporate site and was amazed that the functionality of the software wasn’t even fully enabled and the previous administrator had made no real effort to audit the system. I spent a very hectic 3 weeks auditing the system, inventorying the access rights of several hundred employees and getting the reporting module actually working!
There is a very good white paper on some best practices for these systems here: (http://www.smart-id.com/documents/Access_Control_Industry_Best_Practices_wp_en.pdf).
The news is full of successful attempts to bypass these systems. Another story from Wired magazine: (http://blog.wired.com/27bstroke6/2007/08/open-sesame-acc.html)
Now I am not saying that I am dead set against using these devices, just that you need to realize that they are far from perfect or foolproof. Just like any other similar system, such as a burglar alarm, they need to be designed carefully, used with their limitations firmly in mind and monitored constantly.