If you have been watching the news you have probably seen that card/fob based access control systems are increasingly being hacked.  We all know that social engineering, for instance borrowing someone’s card, has always been the easiest way around a system but there are many other ways to compromise a card/fob based access control system. Many systems can be compromised by using duplicate PIN numbers.  Bad guys figure out what PIN numbers are already enrolled in the system, sometimes just by looking at the number printed on the card, then use a simple, off-the-shelf programmer to make duplicates.  “Skimming” is also getting easier.  Any access control reader mounted on the unsecure side of a door is easy to “skim” by attaching a simple, cheap skimming device to the reader’s output.  To help avoid these hacks, you should always use the following guidelines to prevent your system from being compromised:

NEVER mount a reader on the unsecured side of the door.  A reader on the outside of a door can be easily skimmed.  Always mount the reader on the secure side and when possible, out-of-site. VIZpin Bluetooth reader /controllers can be mounted anywhere within 30’ (10M) of the door/device you are controlling.

NEVER transmit unencrypted data over the air.  Access control cards and FOBs sometimes send unencrypted data which can be easily intercepted and replicated using off-the-shelf hardware.  Any data transmitted over-the-air should use AES128 encryption or higher. VIZpin Electronic Keys use AES128 Bit encryption as well as a proprietary VIZpin encryption algorithm.

NEVER transmit the same code twice.  An sophisticated hacker with enough time and resources can eventually decode any encrypted signal.  Only use a system that automatically and continually changes over-the-air data so they don’t enough time to hack it.  VIZpin Electronic Keys are automatically changed several times a day.

NEVER store PIN numbers or other sensitive information in the credential.  Most people wouldn’t notice if their card was missing for a few hours….or days….during which a criminal could take the information and reproduce it without them knowing. The VIZpin SMART app contains no sensitive information.  It relays encrypted information from a secure server to the VIZpin Bluetooth reader /controllers.

NEVER make it easy to share a credential.   Implement practices that encourage people to take responsibility and ownership of their credential.  Make them aware that if they share it with someone, they will be held responsible and that the consequences are real. With VIZpin, “your phone is your key™” and people are much less likely to loan their phone to someone.