Card-swipe door locks

ColoradoGuy · Nov 17, 2006

I've got a question for the security experts here that I need answered for a plot device. For a decade or more all the institutions where I work have given each employee magnetic cards to use on the card-swipe door locks to allow after-hours entry. I have always assumed that the data on what card opened what door when is stored in some security computer somewhere and could be retrieved. Is that true? If so, any idea when that capability appeared and how long the information is stored?

Thanks.

Maryn · Nov 17, 2006

I don't know about the institutions where you work, but twice in the last 18 months I've stayed at swanky hotels which had malfunctions with the entire cardswipe system and had to send a bellman or other employee up with a physical key every time a guest wanted room entry.

In Boston, the system was down when we arrived and did not come back up during our three-night stay. (We had to wait nearly an hour when we returned from the Stones concert, since many of the hotel's guests had attended and we all returned more or less at the same time.) In Paris, it lasted two days.

There must be more to it than simply recalling the stored information from some secure computer, or replacing it with new information which could be transferred to new keycards handed to guests. If it were that simple, the problem could have been fixed in hours, don't you think?

I'll be watching to see if anyone has more information.

Maryn, who found it hugely inconvenient and can't imagine how the hotels' employees kept their good humor

Kate Thornton · Nov 17, 2006

Yes - in most proximity card or swipe card systems (the Hirsch system is an industry standard in defense contractor facilities) the data is stored on a stand-alone console and can be retrieved in a myriad of ways - by time, date, card-assignee, zone, specific door, level of access, etc.

Each card - and the cards are expensive! - is encoded at the time of issuing. In hotels, the cards are encoded with room door numbers. Housekeeping and management/security staff have cars encoded for all doors. In DoD secure areas, cards are encoded with employee, level of access and the particular areas which can be accessed. In the DoD world, the cards also serve as employee badges and bear a photograph and lots of other information (Clearance, accesses, dates, etc.)

If the system goes down, the doors can only be opened with regular keylocks (if they have been installed) Hotels don't usually do this. The system going down can mean anything from a software glitch or system overload to a major data line failure. Repair can take anywhere from a few minutes to a few days.

rtilryarms · Nov 17, 2006

I’m not sure when Card Access systems first became available but I know that I have been installing them since the late ‘70’s. Back then we did not use PC’s to program the information in; we used the system-based keypad and filled in analogue prompts.

The first PC-based system I installed was for Storer Cable circa 1983. It had an old dual floppy (5-1/4) and a 10 meg hard drive and a green Gorilla monitor. It sat next to the Central Control Panel.

Last year I installed the Latest-and-greatest CCURE 8000 by Softwarehouse in the building I currently manage. This is the industry standard today and very powerful.

In all cases, the information of the hardware – doors, cameras, sensors, detectors etc. are stored in the central database and backed up on other drives. In the old days, it was backed up with floppies. Today I store to the drive and back up to and EMC2 data storage and in addition, we send out a 3rd set of backup info offsite to an archive storage vendor (Iron Mountain).

The information of all the people and their access clearances, plus the setups for hardware do not expire. They remain in place until someone changes or deletes them; even then, we keep a “restore backup”.

We have crashed and, more often, we would freeze while working out compatibilities with Microsoft software and security upgrades, which required our loading of our backups.

I wrote this more to discuss security systems in general than to answer a specific question. I’ll make myself available to answer anything you want. If I don’t know, I sure know the people to ask.

rtilryarms · Nov 17, 2006

By the way, we no longer use the magnetic strips in access controls. We have cards containing chips. The cards are "activated" now instead of programmed. The access levels are controlled at the server.

We took the extra security measure of customizing our cards with a higher rte of bit-transfer than the industry standard. Otherwise it's pretty easy to hack into a system if you have the proper tools. The magnetic strips were even easier.

ColoradoGuy · Nov 17, 2006

Thanks guys. That's just what I needed to know. I figured all that data--what card opened what door how many times and when-- was stored somewhere. As with you guys, most hospitals I work in make the door access cards part of the picture ID system. More and more of them use the proximity type sensor, which sure makes it easier to get into the parking lot.

rtilryarms · Nov 17, 2006

Kate,

I pay $15 per card. What does the military spend?

Also, are you still involved with the Army?

Mac H. · Nov 17, 2006

ColoradoGuy said:
I've got a question for the security experts here that I need answered for a plot device.

Remember that any of these systems (even if they also require a PIN number) can be bypassed using a simple attack.

All the 'black hat' has to do is to install their own fake card reader and PIN pad at a plausible door. The target will naturally swipe their card and type in the PIN number to gain access ... and you then have a copy of their card AND their PIN code.

The more security you have, the easier this attack is .. because people become so used to swiping their card (and entering PIN codes) that they do it without considering if their REALLY should be a security access point there.

The techology to copy a Magstripe card is trivial. The same attack (with one slight variation) described above will work with any system - even smart cards. It's a fundamental limitation.

Mac

ronin · Nov 19, 2006

Mac, that method has never worked.

Bravo · Nov 19, 2006

ronin said:
Mac, that method has never worked.

bad experience robbing a military installation?

ColoradoGuy · Nov 19, 2006

I just need for someone to make a duplicate key-card--is that a difficult thing to do if they had it for several hours or so?

rtilryarms · Nov 19, 2006

Colorado,

In what what year is your MS written for?

Mac H. · Nov 20, 2006

ColoradoGuy said:
I just need for someone to make a duplicate key-card--is that a difficult thing to do if they had it for several hours or so?

It is trivial if they have it for a few seconds - they just have to swipe it through a card-reader connected to a small box, or a laptop.

And yes, the 'fake card reader & pin pad' does work. Usually, it is a stolen card reader with the electronics swapped, which is why the relevant standards insist on Tamper evident cases, etc. The first person was convicted of this in the USA back in 1994, although it is undoubted that many others were getting away with it before that - at least by 1991. They didn't need to fully swap the electronics, because back then there were unencrypted links exposed inside the case.

Mac

spike · Nov 20, 2006

ronin said:
Mac, that method has never worked.

Snopes says that this method was used on ATM machines.

http://www.snopes.com/crime/warnings/atmcamera.asp

ColoradoGuy · Nov 20, 2006

rtilryarms said:
Colorado,

In what what year is your MS written for?

Within the last decade.

Card-swipe door locks

ColoradoGuy

I've seen worse.

Maryn

Baaa!

Kate Thornton

Still Happy to be Here. Or Anywhere

rtilryarms

Crossbows and Handgonnes

rtilryarms

Crossbows and Handgonnes

ColoradoGuy

I've seen worse.

rtilryarms

Crossbows and Handgonnes

Mac H.

Board Visitor

ronin

Bravo

Socialitest

ColoradoGuy

I've seen worse.

rtilryarms

Crossbows and Handgonnes

Mac H.

Board Visitor

spike

Mostly Ignored

ColoradoGuy

I've seen worse.