RFID Cloning: How to Protect Your Business from Physical Infiltration

June 26, 2018 Posted by Daniel Bohan IT Security

If you can gain access to your office building, school, or hotel room by simply tapping a card, then there is a possibility that anyone with the right hardware could get in just as easily as you can. These “tap and go” cards may be vulnerable because they use a technology called radio-frequency identification, or RFID for short. RFID works by encoding digital data into RFID tags or smart labels, which store that data so it can be read from the card later. Most businesses in the U.S. have security systems in place that use RFID key cards to determine who has access to vulnerable areas within their building. Unfortunately, these cards can be cloned without much effort, sometimes from several feet away, without anyone ever noticing their security has been compromised.

For example, consider the venerable Proxmark3 RDV. This device is an example of a hardware instrument capable of cloning most RFID card types. The Proxmark3 tries to mimic the card reader and, if successful, can access any data stored on the card. Once that data is stolen from the RFID card, the Proxmark3 can write it to a blank RFID card, producing a duplicate. This duplicated card can then be used to bypass any lock or security system the original card had access to. The Proxmark3 is also user-friendly enough that any amateur could leverage it to gain access to your organization’s environment.

RFID Risk Management

There are security mechanisms that can help mitigate the risk associated with using RFID technology to control physical access. The simplest is to use a modern RFID system that supports encryption. The encryption scheme makes it so that the key cannot simply be copied into a cloned card. Encrypted RFID cards can still be vulnerable to attack if the encryption scheme is cracked, but they remain a much safer option than non-encrypted RFID cards. While encrypted RFID technology is becoming more prevalent, nearly 80% of organizations still rely on the vulnerable, unencrypted protocols.
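The difference between the two kinds of card can be seen in a small simulation. This is an added example, not part of the original article: it models the protected card as an HMAC-SHA256 challenge-response, which is an assumption (the article names no specific scheme), and all class names, function names and the card number are hypothetical.

```python
import hashlib
import hmac
import secrets

class StaticCard:
    """Legacy credential: answers every reader with the same stored number."""
    def __init__(self, card_id: bytes):
        self.card_id = card_id
    def respond(self, challenge: bytes) -> bytes:
        return self.card_id  # the challenge is ignored

class KeyedCard:
    """Credential whose secret key never leaves the chip."""
    def __init__(self, card_id: bytes, key: bytes):
        self.card_id = card_id
        self._key = key
    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, self.card_id + challenge, hashlib.sha256).digest()

class ReplayedCopy:
    """Stands in for a copy that holds only bytes seen over the air."""
    def __init__(self, captured: bytes):
        self.captured = captured
    def respond(self, challenge: bytes) -> bytes:
        return self.captured

def static_reader_accepts(card, enrolled_id: bytes) -> bool:
    # Legacy reader: compares whatever the card sends with the enrolled number.
    return hmac.compare_digest(card.respond(b""), enrolled_id)

def keyed_reader_accepts(card, card_id: bytes, key: bytes) -> bool:
    # Protected reader: a fresh random challenge on every tap.
    challenge = secrets.token_bytes(16)
    expected = hmac.new(key, card_id + challenge, hashlib.sha256).digest()
    return hmac.compare_digest(card.respond(challenge), expected)

def demo() -> dict:
    card_id = b"CONSTRUCTED-0001"  # constructed sample value
    key = secrets.token_bytes(32)
    legacy, keyed = StaticCard(card_id), KeyedCard(card_id, key)
    seen_static = legacy.respond(b"")                   # one observed tap
    seen_keyed = keyed.respond(secrets.token_bytes(16)) # one observed tap
    return {
        "legacy_genuine": static_reader_accepts(legacy, card_id),
        "legacy_copy": static_reader_accepts(ReplayedCopy(seen_static), card_id),
        "keyed_genuine": keyed_reader_accepts(keyed, card_id, key),
        "keyed_copy": keyed_reader_accepts(ReplayedCopy(seen_keyed), card_id, key),
    }

if __name__ == "__main__":
    print(demo())
```

The legacy reader accepts the copy because the card's entire secret is what it transmits; the keyed reader rejects it because a response recorded for one challenge is useless against the next.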

An even safer technology to invest in is the use of “physically unclonable functions”, also known as PUFs, to differentiate each card’s chip from another. In this situation, each card has a unique identifier as well as a cryptographic key. Because the unique identifier is based on the physical properties of the RFID chip itself, and not on data stored within the chip, cloning becomes nearly impossible.

It’s also important to remember the merits of multi-factor authentication. A truly robust physical access control system may rely on multiple forms of authentication in order to grant access to certain highly restricted areas. For example, while the main office space may be protected via standard RFID keycard access and monitoring, the organization’s data center and wiring closets may require a biometric (i.e. fingerprint) or an additional PIN code as a second layer of identity verification. In this way, multi-factor authentication helps to mitigate the risk of unauthorized access to highly sensitive areas due to a cloned RFID card.

Finally, if your organization already has questionable RFID security, and is not in a position to upgrade this infrastructure, there are still basic steps one can take to protect RFID cards from being cloned. For example, there are RFID blocking wallets that will protect your cards from being cloned by blocking any unsolicited RFID transmissions. And, as a best practice, never let any other users, known or unknown, handle your RFID card. It takes only seconds to successfully read (i.e. steal) the required data. This data can then be copied to a blank card at the attacker’s leisure. If you are unsure of your organization’s physical security controls, a physical security assessment is a great way to identify potential risks to your organization’s operating environment. Contact OCD Tech today with any questions on RFID technology and vulnerabilities, or to get ahead of the attacker and plan a physical security assessment.
