12 Aug 15

Keep Safe From Token Cloning in Access Control Systems

By Dave Hughes – Global Product Manager at STANLEY Security Products

Token cloning is a serious issue faced by many organisations in various fields, from housing associations to hospitals, hotels, commercial premises and high security environments. Credentials such as badges, RFID tags or entry tokens can all be used for granting entry to a facility or restricted areas. With token cloning technology easily available to anyone and third party tokens being cheap, duplicating a token can be done within a few seconds with the right equipment. But, this is not the full story. This article will discuss the various levels of security in access control and how to prevent unauthorised entry.

Access control systems provide the essential services of authorisation, identification authentication, access approval and accountability. Electronic credentials are stored in the memory of a card or token and, theoretically, it is possible to create a process to clone any of them. Technologies used for storing data in tokens are usually based in open standard hardware which is easy to duplicate. This is not always the case however, as the key word here is ‘theoretically’. It is however important to remember that when it comes to access control there are various levels of security available; finding the right solution for specific needs is the way of staying safe.

There are several reasons why people clone tokens and cards. Sometimes it is with criminal intent but most times it is done to simply obtain duplicates in case of loss and to avoid paying official fees for replacement devices. This puts landlords, institutions and individuals at risk as tokens end up in the wrong hands, making it difficult to control usage patterns.

Differences Between Mechanical and Electronic Access Control

One question that crops up in response to this is whether it might be better to use mechanical locks and keys in place of electronic access control readers and RFID tags to avoid the whole issue of token cloning altogether.

Whilst key based locks remain by far the most popular door security by some considerable way and have an important role to play in the nation’s security, key’s can also be copied and locks are vulnerable to picking. Cloning a token is generally a more complex process requiring a device to read and reproduce the RFID signal in a blank token.

But the question really isn’t the right one to be asking in the first place. The starting point should be what level of security you require and what do you need from the system. Where a higher degree of security is needed, electronic solutions are a better fit. What’s more, they provide the user with a wide range of added benefits that are particularly useful to larger sites and / or with larger volumes of ‘key holders’.

With electronic access, your single entry token or access code grants you access to every door you need to access, so there's no chance of forgetting the key for a particular door. If you get to a site where you need access and you are not recognised by the system, a network operator can add you or your supervisor to the list instantly.

An additional benefit of electronic access control is complete history logging. This can be an invaluable tool when investigating vandalism or theft, or for tracking response times or technical activities internally. Furthermore, when an outside contractor or visitor needs access, the door can be opened remotely without any effort.

So, for example, employing an electronic access control system provides you with the ability to instantly revoke access. If a physical key is lost there is no way to block it or be sure that it has not fallen into the wrong hands. The only way of blocking access to the lost key would be replacing the original lock. This is not the case with electronic credentials as revoking access privileges is as easy as telling the system to stop trusting the revoked key. No further work is necessary.

Selecting an Appropriate Level of Security

An access control point can be a door, turnstile, parking gate, elevator, or other physical barrier, where granting access can be electronically controlled and can contain several elements.

Access control systems can vary from basic solutions that simply read a card number or PIN, and forward it to a control panel to the more secure intelligent readers that comply with strict security legislations and an externally tested and recognised certification such as the AES-128.

Depending on the level of security needed manufacturers offer different types of access control solutions and each application has its own use. It is always advisable to consult with your manufacturer or installer and do a risk assessment of the site to find out the best solution for your application.

If high security is a must, a system that features an AES-128bit certification might be the best solution.

AES is available in many different encryption packages, and is the first publicly accessible and open cipher approved by the US National Security Agency (NSA) for top secret information when used in an NSA approved cryptographic module.

The AES-128 encryption is one of the most secure and the only known attack to successfully break it requires about 38 trillion terabytes of data, which is more than all the data stored on all the computers on the planet. As such this is only a theoretical attack that has no practical implication on AES security.

AES-128 bit encryption is available from manufacturers such as STANLEY Security Products with affordable readers that can be easily installed on top of a legacy system to upgrade it to a smart system. Smart readers such as the Oneprox GS3 HF range used in conjunction with smart credentials offer a highly secure access control solution suitable for any commercial or residential environment.

Many times manufacturers struggle to keep up with cloning techniques however they can incorporate processes and systems to ensure that electronic credentials remain safe and secure to those who would want to duplicate them. As technology evolves many manufacturers introduce new readers for higher security that prevent unauthorised entry and token cloning. While one may think that upgrading a system is a costly and time consuming procedure more often than not there is no need for a complete system upgrade. The new smart readers can be incorporated into the existing system without too much effort or costly procedures and offer a secure solution. If security or unauthorised entry is of concern speak to an installer or manufacturer to learn more about smart readers.

Author’s Biography

Dave Hughes is Global Product Manager at STANLEY Security Products and has 18 years of experience across many roles in the security industry. In the past 12 years Dave has held sales positions for both PAC and STANLEY Security Solutions. With an ONC in Electronic Engineering, he has extensive knowledge of Bio-metrics, Proximity Access Control and Smart Reader Technology and has helped develop PAC’s new range of High Frequency Readers, the new EL Smart Door Handle and PAC 212 Controller. Throughout his long career Dave has managed many major STANLEY Security Products’ customers such as – Scottish Prison Service, Northumbria Water, National Grid.


Editor’s Note – Corporate Information:
A part of Stanley Black & Decker, STANLEY Security Products is a sales channel of STANLEY Security.  STANLEY Security Products designs and manufactures access control, door entry and door hardware products for over 200 dealers and distributors worldwide.  With world class security product brands of PAC Access Control and GDX Door Entry we pride ourselves on the quality of our products, our customer service and technical support that we give to our partners and all our products are supported by the resources of the global STANLEY organisation.

STANLEY Security Ltd. Registered in England and Wales No. 181585
Registered Office: Stanley House Bramble Road Swindon Wiltshire SN2 8ER