Upgrading Your Campus Security with Smart Card Readers? Think Again
Understanding multi-factor authentication and how it can work for your campus
- By Larry Reed
- April 01, 2019
Today, schools’ doors are primarily
secured by traditional metal lock
‘n keys and low frequency (aka
125 kHz) card-based access control
systems. With the recent
media hype about low frequency card readers
being easily hacked, schools are now
being encouraged to upgrade their low-frequency
card readers to higher frequency
13.56 MHz (also known as smart card technology)
which are far more difficult to hack.
But will smart card technology really
improve a school’s security? Are there
“smarter” alternatives?
This article discusses the security flaws of
smart card technology and how layering
security achieves a far safer school environment
and better ROI.
Evolution of Access Control Technology
Where did it all begin and where are we today?
Traditional metal lock ‘n key systems.
Still today, most doors in schools are secured
with a metal lock ‘n key door handle. The primary
reason is because metal keys are very
cheap and light weight which makes them
easy to carry. However, metal keys are also
very easy to copy and share with unauthorized
parties. It’s also near impossible to know
who exactly is in possession of the keys.
If discovered there was an impropriety in
the school, lock ‘n key systems don’t provide
a door-entry audit trail. So, its near impossible
to determine who is guilty of the impropriety
(unless you have a surveillance camera
pointed at every door in the school and don’t
mind searching through hours of recorded
video). So how do you address the problem
of unauthorized parties copying keys and not
having a door-entry audit trail?
Barcode and Magnetic stripe badge
readers. These type credentials are cheap
while being more difficult to copy than metal
keys. Since barcode and magnetic stripe
readers work with electronic access control
systems, an audit trail is produced which
allows security personnel to identify who
accessed a door and when. However, just like
metal keys, barcode and mag stripe badges
can still be shared with unauthorized parties.
Another drawback is that barcode and
mag stripe technology is a “friction” technology.
The barcode and mag stripe are physically
in contact with a reader head each time
the badges are read. This leads to the barcodes
and stripe becoming worn and unable
to be read. The badges become a terrific consumable
for the badge supplier but a major
headache and recurring expense for the
school. So, what comes next?
Low-frequency radio frequency identification
(RFID) badges. These type credentials
are friction-less and therefore far more
durable than the barcode and mag stripe
badges. RFID badges have an embedded
antenna which emits a radio frequency containing
the badge’s unique number. The
school’s access control system maintains a
database which associates each badge with a
user. If the user has door access permission,
the door will unlock when the user’s badge is
recognized. Due to its low cost and audit trail
capability, low-frequency RFID is the most
prevalent access control technology used by
schools today. However, recently low frequency
RFID duplicators have popped up on
e-commerce websites. For just $10, anyone
can purchase an RFID badge duplicator and
make copies of low frequency 125 kHz badges.
So, what comes next?
High frequency radio frequency identification
(RFID) badges. High-frequency
RFID (aka smart card) technology transmits
at 13.56 MHz and is extremely difficult to
copy/hack. An undeniable advantage of the
new smart card technology is the cards
(badges) contain a computer chip with storage.
Instead of only having a badge number,
additional user information can be stored on
the badge (i.e. employee name, photo,
department, etc.). But is the availability of a
low frequency card duplicator truly a security threat to schools?
The makers of high frequency 13.56 MHz
RFID technology would certainly have you
believing low frequency RFID is a major
security threat which needs to be addressed
immediately. However, metal keys are far
easier to copy yet they’ve been used for
decades. Metal keys are used to secure doors
in most every home in the world. So, are
homeowners all over the world panicking
that their metal keys will be copied by
intruders planning on breaking into their
homes? This is highly doubtful.
The makers of smart card technology are
in the business of selling card access readers.
In order to sell more card readers, they must
create sufficient fear, uncertainty and doubt
(FUD) so that customers will upgrade their
low frequency RFID readers to smart card
technology. If a school has sufficient budget
to upgrade their low frequency RFID readers,
then why not utilize the highest security technology
available today? Consider biometrics.
Biometric Access Control
High-frequency RFID is certainly more difficult
to hack than low-frequency RFID, but
high-frequency RFID badges can still be lost,
stolen, forgotten or misused by unauthorized
parties. Conversely, a biometric credential
can only be used by the actual person. A finger,
face, vein or retina-pattern is unique for
every person on earth. Biometrics assures
the person attempting door access is who
they claim to be. Therefore, a biometric reader
is far superior to any badge reader, regardless
what frequency it transmits or how
much encryption it utilizes. So, can security
systems utilizing biometric be further
improved upon?
Two-factor authentication. Any one
single credential (i.e. password, PIN, badge,
fingerprint, face, vein-pattern, iris pattern,
etc.) can be compromised. So, what’s the
best solution? Two-factor authentication.
Most everyone today withdraws money
from ATMs by using their bank debit card.
So, what prevents a thief who steals someone’s
bank card (one credential) from
accessing the person’s money? The thief
doesn’t know the person’s PIN (second credential).
Banks secure their customers’
money by implementing a two-factor
authentication money withdrawal system.
This added security gives banking customers
the confidence to deposit their money in the
banks checking accounts.
Likewise, in schools, biometric readers
which also have a keypad and/or RFID
badge reader is advisable. The least expensive
option would be a fingerprint and keypad-
only reader. However, if the school is
concerned PIN codes will be shared
amongst unauthorized users, the school can
use fingerprint readers with an integrated
RFID badge reader. If the schools have no
need for the available storage on high-frequency
smart cards, the schools can save
money by using a fingerprint reader with a
low-frequency 125 kHz badge reader. So,
what’s the next level of security which can
be achieved?
Multi-factor authentication. It’s highly
unlikely any unauthorized party can compromise
a fingerprint AND a PIN, or a fingerprint
AND a badge. However, for those
who are extremely concerned with security,
today on the market you can purchase door
access readers containing multiple biometric
sensors. For instance, ZKTeco designs a single
device containing both a fingerprint and
a face reader, while also having a keypad and
integrated RFID reader (i.e. up to four-factor
authentication). For customers preferring
convenience, the reader’s face recognition
camera provides true hands-free door access
control. So, does layering security end at the
door? It doesn’t have to.
Layered Security Begins at
the Furthest Entry Point
Parking facility. In today’s world, intruders
most often arrive by driving a vehicle. If your
school has a parking facility, it makes sense
first limiting access to your parking facility.
License plate recognition (aka LPR) technology
can associate a license plate with an
authorized user. If the plate is recognized,
the parking gate opens and the user’s access
is recorded (i.e. audit trail). An alternative to
LPR is UHF (ultra-high frequency) tags
adhered to the car’s license plate or windshield.
ZKTeco has UHF readers which can
detect tags from up to 200 feet away.
Reception area. Before you enter an airport
terminal, your baggage must first pass
through the x-ray scanner. Surprisingly,
smaller affordable baggage x-ray scanners on
now available on the commercial market for
schools to consider installing. While scanning
baggage, visitors should also be
scanned. Surprisingly, affordable walkthrough
metal detectors are also now available
to the public, as well. Especially considering
all the public shootings taking place in
schools and places of worship, the presence
of walkthrough metal detectors can act as an
excellent deterrent for anyone considering
committing acts of violence by using dangerous
concealed metal objects.
After visitors successfully pass through
x-ray and metal scans, an excellent additional
layer of security is a turnstile. Schools can
program turnstiles not to release unless a
visitor successfully passes through both
x-ray and metal scans. So, any other security
layers which should be addressed?
Visitors. We’ve addressed how to restrict
and record access for authorized users and
deny access to unauthorized users. But what
about authorized visitors? In the past, most
companies receiving visitors would use a pen
and paper sign-in sheet. But since pen and
paper produces no irrefutable audit trail,
many companies are now switching to electronic
visitor management systems (aka
VMS). When visitors present their credentials,
they are electronically entered into the
receiving company’s VMS in which an audit
trail is produced. However, relying on the
visitor to produce their credentials is a risky
proposition.
Imposters with phony ID credentials can
gain unauthorized access to an office and
perpetrate a crime. To prevent imposters
from entering the premises, modern VMS
systems now incorporate user authentication.
For instance, ZKTeco’s VAMS (Visitor
Authentication & Management System)
enables the meeting host to create a secret
QR code which is forwarded to their visitor
via a text message or e-mail. Upon arriving at
the host’s office, the visitor simply displays
the secret QR code on their phone to the
host’s security personnel. Once the QR code
is scanned and verified, the visitor is permitted
access. Without a valid QR code, visitor
access is denied.
Support Multi-Authentication
There is no silver bullet when it comes to
security. Where there is a will there is a way.
A determined bad guy can defeat any one
layer of security. Therefore, its essential to
layer your security. True, smart card technology
is harder to hack than low-frequency
RFID. But regardless the frequency or
encryption, cards can be lost, stolen or forgotten.
Instead, invest in devices which support
multi-authentication (i.e. fingerprint
and/or face and/or card and/or PIN readers).
Lastly, don’t stop at the door. Secure your
parking facility and then look inwards
towards your building’s main entry points.
Consider affordable baggage X-ray scanners,
walkthrough metal detectors, turnstiles
and visitor management systems (with
user authentication). Choose security solutions
which are scalable, integrated and can
be managed under a single platform. Get
educated on modern security technology
and don’t fall for the fear, uncertainty and
doubt (FUD).
This article originally appeared in the March/April 2019 issue of Campus Security Today.