The How and Why

Companies switch from proximity to smartcard systems

Richard Zerbib has worked for 10 years for Shaw Systems & Integration, an electrical contracting service out of Southfield, MI. Now a systems sales engineer for the wired or wireless structured cabling, life safety, security and card access, audio/ visual solutions and communications systems integrator, Zerbib has been on the front lines of seeing how important systems security has become a main concern of his customers.


In this time, Zerbib has found more customers worrying about the security of their proximity-based card access systems. As he explains it, RFID devices are typically used as contactless proximity or smart card identification in tracking and access control systems. These systems operate on the assumption that the token is in close proximity to the reader. This proximity, or nearness, is due to the physical limitations of the communication channel.

However, current RFID devices, particularly those operating at 125 kHz, are not suitable for secure identification. Proximity credentials that operate at 125 kHz are vulnerable to cloning. Credential holders have easy access to devices that make copies of their cards at retail stores or by purchasing an inexpensive card cloner on-line. This would allow copies to be given to unauthorized individuals who could then gain entry using that employee’s identity.

As these facts have become better known, there has been a drive by security directors to overcome these shortcomings by moving to more secure, encrypted card technology like that offered by NXP Semiconductors MIFARE DESFire EV2 based RFID credentials.

A Shaw Systems & Integration customer, a leading financial planning company who has been running 500 Farpointe Data proximity readers on the front end of their access system from provider Galaxy Control Systems showcased the problem. Once the company learned about the improved security features of a contactless smartcard system, and its added encryption, while preserving the convenience of a contactless operation, they were ready to upgrade. Learning that the Farpointe smart-card solution could handle the same “ins and outs” plus support secure usage of the company’s copiers and printers just like their present proximity system, they were ready to move on. Then, once they discovered that there was an easy upgrade path, the decision was confirmed.


Zerbib suggested that their best alternative would be a total replacement of all proximity readers and credentials to the faster, more secure smart-card technology rather than intermittently installing the new system. “By doing it all at once,” Zerbib said, “we could remove the possibility that the vulnerable, 125 kHz proximity cards would continue to have to be ordered. Working with Farpointe Data, we engineered a solution that would remove not only all of the proximity credentials, it would also eliminate the possibility that proximity credentials could ever be used again.”

As a result, the group decided to deploy Farpointe’s smartcard technology which is based on the MIFARE DESFire EV2 platform to offer a globally accepted, secure and versatile access control solution. DESFire EV2 credentials employ 128-bit AES encryption, and at the time of the installation, represented the most sophisticated and secure contactless smart cards available.

Farpointe’s Delta readers read DESFire credentials and are easily installed in place of the original proximity readers. This would give the customer the freedom to target different applications with the same exact cards throughout.

Reviewing the program planning, the group soon realized that it would take Shaw weeks to replace 500 plus readers, leading to a revision of the proposal. They, instead, decided to first recredential all customer employees with dual frequency cards that combined both 125 kHz proximity and 13.56 MHz contactless DESFireEV2 smartcard technologies.

Five thousand cards were ordered and all employees were soon issued these new credentials. Once this was done, Shaw began replacing the proximity readers with the Delta contactless smartcard readers. Since the credentials were 125 kHz and 13.56 MHz, they would continue to function on the older proximity readers and the new smartcard readers as they were being installed.

This meant that once all of the readers were replaced, the customer could then order single technology smart cards, as the dual frequency would no longer be required. An added security bene fit is that, once all of the proximity readers were replaced, there was no possibility that proximity cards could ever be introduced into the system again. To track usage of the copiers and printers, Farpointe provided USB readers that allow the new DESFireEV2 credentials to serve the same function.


As the customer was very concerned about increasing the security of their access control system, let’s review what the migration from proximity to smartcard technology has achieved. Today,13.56 MHz contactless smart cards are used to provide increased security compared to 125 KHz proximity cards. One of the first terms you will discover in learning about smart cards is “MIFARE,” a technology from NXP Semiconductors. MIFARE enables 2-way communications between the card and the reader.

MIFARE Classic was the original version of the MIFARE standard used in contactless cards. It stores the card number on one of its sectors, then encrypts the communication between the card and reader to theoretically make it impossible or, at least, very difficult to clone a card.

The newest MIFARE standard, DESFire EV2, includes a cryptographic module on the chip in the card itself to add an additional layer of encryption to the card/reader transaction. This is among the higher standards of card security. MIFARE DESFire EV2 protection is ideal for sales to providers wanting to use secure multi-application smart cards in access management, public transportation schemes or closed-loop e-payment applications. They are fully compliable with the requirements for fast and highly secure data transmission, flexible memory organization and provide interoperability with existing infrastructures.

According to Zerbib, the MIFARE DESFire EV2 contactless integrated circuit (IC) brings many more benefits. Cardholders can experience convenient contactless ticketing while also being able to use the same device for applications such as student ID, closed-loop payment at vending machines, access management and loyalty programs. System providers can offer or sell application space to third parties without having to share the master key. A MIFARE DESFire EV2 product-based card can hold as many different applications as the memory will support and new applications can be loaded after the product is in the field. It’s like having an app store on a smart card.

One aspect of securing a card’s information is to make the internal numbers unusable; they must be encrypted. To read them, the system needs access to a secret key or password that provides decryption. Modern encryption algorithms play a vital role in assuring data security. • Authentication: the origin of a message. • Integrity: contents of a message have not been changed. • Non-repudiation: the message sender cannot deny sending the message.

Here is how it works. The number is encrypted using an encryption algorithm and an encryption key. This generates cipher text that can only be viewed in its original form if decrypted with the correct key. Today’s encryption algorithms are divided into two categories: symmetric and asymmetric.

Symmetric-key ciphers use the same key, or secret, for encrypting and decrypting a message or ffile. The most widely used symmetric-key cipher is AES (Advanced Encryption Standard), which is used by the government to protect classified information. Another common symmetric cipher, noted for its high speed of transaction, is the TEA (tiny encryption algorithm).

Asymmetric cryptography uses two different, but mathematically linked, keys, one public and one private. The public key can be shared with everyone, whereas the private key must be kept secret. RSA (named after Misters Rivest, Shamir and Adleman) is the most widely used asymmetric algorithm.

Additional encryption on the card, transaction counters and other methods known in cryptography are then employed to make cloned cards useless or enable the back office to detect a fraudulent card and put it on a blacklist. Systems that work with online readers only (i.e., readers with a permanent link to the back office) are easier to protect than systems that have offline readers, since real-time checks are not possible and blacklists cannot be updated as frequently with offline systems.

In addition to the functionality for multiple applications, smart credentials also increase the security of information kept on the card and stored in the facility. Zerbib adds that Farpointe’s Valid ID provides another anti-tamper feature available with contactless smartcard readers, cards and tags. At manufacture, readers, cards and tags are programmed with the Valid ID algorithm, cryptographically ensuring the integrity of the sensitive access control data stored on the card or tag.

With Valid ID, readers scan through the credential’s access control data searching for data discrepancies, which may occur during the counterfeiting, tampering or hacking of a contactless smartcard. Valid ID is an additional layer of protection to what is already available in smart card authentication, operating independently, in addition to, and above this standard level of security. In use, Valid ID allows a smartcard reader to effectively verify that the sensitive access control data programmed to a card or tag is not counterfeit.


With all the immense changes to the inside of the access control system, the one thing that surprised Zerbib is that no employee ever reacted to the changes in the system. “There was no downtime and nobody got locked out. They never noticed.”

This article originally appeared in the January / February 2021 issue of Security Today.


  • Live From ISC West: Day 2 Recap

    If it’s even possible, Day 2 of ISC West in Las Vegas, Nevada, was even busier than the first. Remember to keep tabs on our Live From ISC West page for news and updates from the show floor at the Venetian, because there’s more news coming out than anyone could be expected to keep track of. Our Live From sponsors—NAPCO Security, Alibi Security, Vistacom, RGB Spectrum, and DoorKing—kept the momentum from Day 1 going with packed booths, happy hours, giveaways, product demonstrations, and more. Read Now

    • Industry Events
    • ISC West
  • Visiting Sin City

    I’m a recovering alcoholic, ten years sober this June. I almost wrote “recovered alcoholic,” because it’s a problem I’ve long since put to bed in every practical sense. But anyone who’s dealt with addiction knows that that part of your brain never goes away. You just learn to tell the difference between that insidious voice in your head and your actual internal monologue, and you get better at telling the other guy to shut up. Read Now

  • On My Way Out the Door

    To answer that one question I always get, at every booth visit, I have seen amazing product technology, solutions and above all else, the people that make it all work. Read Now

    • Industry Events
    • ISC West
  • Return to Form

    My first security trade show was in 2021. At the time, I was awed by the sheer magnitude of the event and the spectacle of products on display. But this was the first major trade show coming out of the pandemic, and the only commentary I heard was how low the attendance was. Two representatives from one booth even spent the last morning playing catch in the aisle with their giveaway stress balls. Read Now

    • Industry Events
    • ISC West

Featured Cybersecurity

New Products

  • BIO-key MobileAuth

    BIO-key MobileAuth

    BIO-key International has introduced its new mobile app, BIO-key MobileAuth™ with PalmPositive™ the latest among over sixteen strong authentication factors available for BIO-key's PortalGuard® Identity-as-a-Service (IDaaS) platform. 3

  • Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation.

    Connect ONE®

    Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation. 3

  • HID Signo Readers

    HID Signo Readers

    HID Global has announced its HID® Signo™ Biometric Reader 25B that is designed to capture and read fingerprints in real-world applications and conditions. 3