There are many RFID technologies used in access control systems on the market. The most popular are the old technologies PROX and EM and the newer ones Mifare, DESFire, iCLASS and Seos. Access control system users do not always have specialized knowledge about electronic security and rely on the experience of the installer. Unfortunately, in many cases installation companies focus on the lowest price and not the best solution for a client. Most of the time, a system user expects a solution at a reasonable price that guarantees the security of the installation in the long term.
Such solutions certainly do not include systems that work with PROX or EM cards. This is early 90's 125kHz technology that makes it easy to copy any card. The most popular 13.56 MHz technologies are Mifare, DESFire, iCLASS SE or Seos.
Unfortunately, the concept of "Mifare or DESFire access control system" can be very confusing when considered in terms of security classification. Many of the access control systems that use Mifare or DESFire cards use the serial number (identification) of the chip. The security level of such solutions is very close to the outdated 125 kHz technologies used in the 1990s. Why?
To understand why using a proximity smart card's serial number gives you a false sense of security, you need to understand the basic definitions and how the card works.
The CSN card serial number is the proximity smart card number. According to ISO 14443 and 15693 standards, each smart proximity card must have a CSN number. It is also known as UID (Unique ID), NUID (not a unique identifier) or CUID (Card Unique ID). Note that according to ISO requirements, the CSN number can always be read without having to pass any security or use authentication. In addition, tools for smart card designers, such as protocol analyzers, which enable emulation of an ISO 14443 or 15693 compliant CSN number, are widely available on the market. The CSN number can be compared to the building number. Everyone should be able to easily read it to get to the address they are looking for. Another application of this number is the anti-collision mechanism, which is part of the communication protocol that smart proximity cards use to reliably identify a specific card when many credentials are brought to the reader at the same time. These mechanisms allow the simultaneous communication of the reader with several proximity cards.
According to ISO standards, each smart proximity card must have its own unique CSN number. The ISO standards also describe several different methods for implementing the anti-collision mechanism. It should be noted that the ISO standards never provided for the use of the CSN number for any other purpose than carrying out anti-collision processes.
Also, it should be noted that in some technologies (for example, Mifare Classic 4B UID) it is not possible to guarantee the uniqueness of the CSN/UID number due to the number of cards already produced.
A high level of security can only be guaranteed in the long term by properly implemented systems with encryption keys, or those that include encryption as standard.
For more information on the risks of using CSN, see HID info: Risks of using only CSN
What should a user do who is considering upgrading or installing a new access control system and doesn't want to spend too much time researching security? The best solution will be to use the FoxSec access control system with Seos smart cards and Signo smart card readers: