The How and Why

Companies switch from proximity to smartcard systems

Richard Zerbib has worked for 10 years for Shaw Systems & Integration, an electrical contracting service out of Southfield, MI. Now a systems sales engineer for the wired or wireless structured cabling, life safety, security and card access, audio/ visual solutions and communications systems integrator, Zerbib has been on the front lines of seeing how important systems security has become a main concern of his customers.


In this time, Zerbib has found more customers worrying about the security of their proximity-based card access systems. As he explains it, RFID devices are typically used as contactless proximity or smart card identification in tracking and access control systems. These systems operate on the assumption that the token is in close proximity to the reader. This proximity, or nearness, is due to the physical limitations of the communication channel.

However, current RFID devices, particularly those operating at 125 kHz, are not suitable for secure identification. Proximity credentials that operate at 125 kHz are vulnerable to cloning. Credential holders have easy access to devices that make copies of their cards at retail stores or by purchasing an inexpensive card cloner on-line. This would allow copies to be given to unauthorized individuals who could then gain entry using that employee’s identity.

As these facts have become better known, there has been a drive by security directors to overcome these shortcomings by moving to more secure, encrypted card technology like that offered by NXP Semiconductors MIFARE DESFire EV2 based RFID credentials.

A Shaw Systems & Integration customer, a leading financial planning company who has been running 500 Farpointe Data proximity readers on the front end of their access system from provider Galaxy Control Systems showcased the problem. Once the company learned about the improved security features of a contactless smartcard system, and its added encryption, while preserving the convenience of a contactless operation, they were ready to upgrade. Learning that the Farpointe smart-card solution could handle the same “ins and outs” plus support secure usage of the company’s copiers and printers just like their present proximity system, they were ready to move on. Then, once they discovered that there was an easy upgrade path, the decision was confirmed.


Zerbib suggested that their best alternative would be a total replacement of all proximity readers and credentials to the faster, more secure smart-card technology rather than intermittently installing the new system. “By doing it all at once,” Zerbib said, “we could remove the possibility that the vulnerable, 125 kHz proximity cards would continue to have to be ordered. Working with Farpointe Data, we engineered a solution that would remove not only all of the proximity credentials, it would also eliminate the possibility that proximity credentials could ever be used again.”

As a result, the group decided to deploy Farpointe’s smartcard technology which is based on the MIFARE DESFire EV2 platform to offer a globally accepted, secure and versatile access control solution. DESFire EV2 credentials employ 128-bit AES encryption, and at the time of the installation, represented the most sophisticated and secure contactless smart cards available.

Farpointe’s Delta readers read DESFire credentials and are easily installed in place of the original proximity readers. This would give the customer the freedom to target different applications with the same exact cards throughout.

Reviewing the program planning, the group soon realized that it would take Shaw weeks to replace 500 plus readers, leading to a revision of the proposal. They, instead, decided to first recredential all customer employees with dual frequency cards that combined both 125 kHz proximity and 13.56 MHz contactless DESFireEV2 smartcard technologies.

Five thousand cards were ordered and all employees were soon issued these new credentials. Once this was done, Shaw began replacing the proximity readers with the Delta contactless smartcard readers. Since the credentials were 125 kHz and 13.56 MHz, they would continue to function on the older proximity readers and the new smartcard readers as they were being installed.

This meant that once all of the readers were replaced, the customer could then order single technology smart cards, as the dual frequency would no longer be required. An added security bene fit is that, once all of the proximity readers were replaced, there was no possibility that proximity cards could ever be introduced into the system again. To track usage of the copiers and printers, Farpointe provided USB readers that allow the new DESFireEV2 credentials to serve the same function.


As the customer was very concerned about increasing the security of their access control system, let’s review what the migration from proximity to smartcard technology has achieved. Today,13.56 MHz contactless smart cards are used to provide increased security compared to 125 KHz proximity cards. One of the first terms you will discover in learning about smart cards is “MIFARE,” a technology from NXP Semiconductors. MIFARE enables 2-way communications between the card and the reader.

MIFARE Classic was the original version of the MIFARE standard used in contactless cards. It stores the card number on one of its sectors, then encrypts the communication between the card and reader to theoretically make it impossible or, at least, very difficult to clone a card.

The newest MIFARE standard, DESFire EV2, includes a cryptographic module on the chip in the card itself to add an additional layer of encryption to the card/reader transaction. This is among the higher standards of card security. MIFARE DESFire EV2 protection is ideal for sales to providers wanting to use secure multi-application smart cards in access management, public transportation schemes or closed-loop e-payment applications. They are fully compliable with the requirements for fast and highly secure data transmission, flexible memory organization and provide interoperability with existing infrastructures.

According to Zerbib, the MIFARE DESFire EV2 contactless integrated circuit (IC) brings many more benefits. Cardholders can experience convenient contactless ticketing while also being able to use the same device for applications such as student ID, closed-loop payment at vending machines, access management and loyalty programs. System providers can offer or sell application space to third parties without having to share the master key. A MIFARE DESFire EV2 product-based card can hold as many different applications as the memory will support and new applications can be loaded after the product is in the field. It’s like having an app store on a smart card.

One aspect of securing a card’s information is to make the internal numbers unusable; they must be encrypted. To read them, the system needs access to a secret key or password that provides decryption. Modern encryption algorithms play a vital role in assuring data security. • Authentication: the origin of a message. • Integrity: contents of a message have not been changed. • Non-repudiation: the message sender cannot deny sending the message.

Here is how it works. The number is encrypted using an encryption algorithm and an encryption key. This generates cipher text that can only be viewed in its original form if decrypted with the correct key. Today’s encryption algorithms are divided into two categories: symmetric and asymmetric.

Symmetric-key ciphers use the same key, or secret, for encrypting and decrypting a message or ffile. The most widely used symmetric-key cipher is AES (Advanced Encryption Standard), which is used by the government to protect classified information. Another common symmetric cipher, noted for its high speed of transaction, is the TEA (tiny encryption algorithm).

Asymmetric cryptography uses two different, but mathematically linked, keys, one public and one private. The public key can be shared with everyone, whereas the private key must be kept secret. RSA (named after Misters Rivest, Shamir and Adleman) is the most widely used asymmetric algorithm.

Additional encryption on the card, transaction counters and other methods known in cryptography are then employed to make cloned cards useless or enable the back office to detect a fraudulent card and put it on a blacklist. Systems that work with online readers only (i.e., readers with a permanent link to the back office) are easier to protect than systems that have offline readers, since real-time checks are not possible and blacklists cannot be updated as frequently with offline systems.

In addition to the functionality for multiple applications, smart credentials also increase the security of information kept on the card and stored in the facility. Zerbib adds that Farpointe’s Valid ID provides another anti-tamper feature available with contactless smartcard readers, cards and tags. At manufacture, readers, cards and tags are programmed with the Valid ID algorithm, cryptographically ensuring the integrity of the sensitive access control data stored on the card or tag.

With Valid ID, readers scan through the credential’s access control data searching for data discrepancies, which may occur during the counterfeiting, tampering or hacking of a contactless smartcard. Valid ID is an additional layer of protection to what is already available in smart card authentication, operating independently, in addition to, and above this standard level of security. In use, Valid ID allows a smartcard reader to effectively verify that the sensitive access control data programmed to a card or tag is not counterfeit.


With all the immense changes to the inside of the access control system, the one thing that surprised Zerbib is that no employee ever reacted to the changes in the system. “There was no downtime and nobody got locked out. They never noticed.”

This article originally appeared in the January / February 2021 issue of Security Today.


  • Maximizing Your Security Budget This Year

    The Importance of Proactive Security Measures: 4 Stories of Regret

    We all want to believe that crime won’t happen to us. So, some business owners hope for the best and put proactive security measures on the back burner, because other things like growth, attracting new customers, and meeting deadlines all seem more pressing. Read Now

  • Today's Enterprise

    Protecting servers and data has evolved rapidly over the past 15-plus years. Early on, concerns centered around the environmental conditions of where servers were housed within a building and the effects of humidity, temperature and air quality on their performance. This led to a better understanding of the need for a controlled environment to maximize equipment lifespan and capacity. It was also a driving force behind consolidating servers in a common space, i.e., the data center. Read Now

  • Study Proves It: Security Awareness Training Reduces Phishing Attacks

    Attackers are increasingly targeting human-based vulnerabilities to infiltrate organizations. Humans have direct access to insider systems and data – any threat actor can easily phish users, steal their credentials and secure keys to the kingdom without having to fight advanced cybersecurity defenses. Studies show social engineering attacks and human errors are behind 68% of all breaches.  Read Now

  • Security Questions Persist After Attempted Assassination Attempt of Donald Trump

Featured Cybersecurity


New Products

  • FEP GameChanger

    FEP GameChanger

    Paige Datacom Solutions Introduces Important and Innovative Cabling Products GameChanger Cable, a proven and patented solution that significantly exceeds the reach of traditional category cable will now have a FEP/FEP construction. 3

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening. 3

  • HD2055 Modular Barricade

    Delta Scientific’s electric HD2055 modular shallow foundation barricade is tested to ASTM M50/P1 with negative penetration from the vehicle upon impact. With a shallow foundation of only 24 inches, the HD2055 can be installed without worrying about buried power lines and other below grade obstructions. The modular make-up of the barrier also allows you to cover wider roadways by adding additional modules to the system. The HD2055 boasts an Emergency Fast Operation of 1.5 seconds giving the guard ample time to deploy under a high threat situation. 3