
You Know That Badge That Opens The Door – Security or Convenience, Pick Just One

Using a badge to get you in the office (and for some companies out of the office as well) may not be as secure as you thought it was.

French security services firm Quarkslab has made an eye-popping discovery: a significant backdoor in millions of contactless cards made by Shanghai Fudan Microelectronics Group, a leading chip manufacturer in China.

The attack only requires a few minutes to execute, and the attacker only needs to be near the card, like, say, at a restaurant at lunchtime.

The attack only requires access to a card and not the card reader to clone the card. *IF* the card is the only thing that is required to open the door, then the hacker is in and he or she lays the blame on your employee.

So what can you do?

First, if you haven’t already done this, tell your employees to take their badges off when they leave the building. Although this would be hard to enforce, you could also provide them with copper sleeves like the government does with certain RFID cards. That neuters any attack that needs to be able to talk to the card.

A more reasonable alternative is MULTI-FACTOR AUTHENTICATION. Just like the MFA you use to access your bank account or email, it will protect you in this case. There is some cost to the business, but it is mostly a one-time cost.

To do this, you need badge readers which have a keypad on them. If your badge readers don’t have one, you will need to upgrade your system to add that.

Then, for all of your users, you need to add a PIN (the second factor) so that JUST having the badge will not get you in.

If you are willing to compromise security a bit, you can allow a badge alone to get you in during working hours, when there are many other people in the building who would notice and challenge a stranger (would your employees do this?), and require MFA outside normal working hours.
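The badge-plus-PIN rule and the working-hours relaxation described above can be written as one access decision. This is an added sketch, not code from any access-control product; the schedule (Monday to Friday, 08:00 to 18:00), the badge ID, the PIN and all function names are assumptions made for the example.

```python
import hashlib
import hmac
import os
from datetime import datetime, time

# Assumed schedule: badge-only entry is allowed Monday-Friday, 08:00-18:00.
WORK_START, WORK_END = time(8, 0), time(18, 0)
PBKDF2_ROUNDS = 200_000


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted, slow hash so the controller never stores PINs in clear."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


def enroll(badge_id: str, pin: str, directory: dict) -> None:
    salt = os.urandom(16)
    directory[badge_id] = (salt, hash_pin(pin, salt))


def in_working_hours(now: datetime) -> bool:
    return now.weekday() < 5 and WORK_START <= now.time() < WORK_END


def decide(badge_id, pin, now, directory, relaxed=False):
    """Return (granted, reason). relaxed=True allows badge-only in working hours."""
    record = directory.get(badge_id)
    if record is None:
        return False, "unknown badge"
    # A cloned card presents the same badge_id, so this branch is the
    # residual risk accepted by the relaxed policy.
    if relaxed and in_working_hours(now):
        return True, "badge only (working hours)"
    if pin is None:
        return False, "PIN required"
    salt, stored = record
    # Constant-time comparison of the derived hashes.
    if hmac.compare_digest(hash_pin(pin, salt), stored):
        return True, "badge + PIN"
    return False, "wrong PIN"


# Constructed sample data: one enrolled badge with a made-up PIN.
DIRECTORY = {}
enroll("badge-0001", "4921", DIRECTORY)
```

With `relaxed=False` a cloned badge is refused at every hour unless the PIN is also known; with `relaxed=True` the same clone is accepted during the assumed working hours, which is the trade-off the paragraph above describes.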

In any case, it is important to understand that single-factor authentication is so last decade. You can also say that convenience is more important than security. If that is so, you should change your login password to "password". And send me the link to access your network.

If you have questions, please contact us. Credit: Security Week
