Anti-Copying Access Control Solution

NGÀY ĐĂNG 05/02/2026

Võ Hồng Tiên

As smart buildings, industrial zones, and high-security infrastructures increasingly rely on Access Control Systems (ACS), the risk of RF card cloning has become a serious security threat.

Once an unauthorized individual gains access, the consequences may include:

• Bypassing physical security layers
• Accessing sensitive or restricted areas
• Threatening assets, data, and operational safety

In reality, many security incidents do not originate from sophisticated cyberattacks, but rather from outdated card technologies and unprotected communication protocols.

Common Card Technologies & Their Security Vulnerabilities

Proximity 125 kHz Technology

125 kHz proximity cards were once widely adopted due to:

• Low cost
• High durability
• Ease of deployment

However, from a security perspective, this technology provides no encryption. The card only transmits a fixed UID (Unique Identifier) in plaintext and lacks:

• Mutual authentication
• Data encryption
• Protection against eavesdropping or replay attacks

With inexpensive cloning devices, attackers can:

• Read the UID remotely
• Write it onto blank cards
• Create indistinguishable clones for the system

MIFARE Classic 13.56 MHz

MIFARE Classic was once considered a smart card due to:

• Sector-based memory architecture
• Sector-level access keys
• Authentication mechanisms

However, today MIFARE Classic is no longer regarded as a true smart card, because:

• Crypto-1 was fully cracked in 2008
• Full card data can be dumped and cloned 1:1
• Many systems still use default keys (FFFFFFFFFFFF)

Next-Generation Anti-Cloning Smart Card Technologies

MIFARE DESFire EV1 / EV2 / EV3

The MIFARE DESFire family features:

• AES-128 / AES-256 encryption
• Dedicated hardware security modules
• Mutual authentication

In particular, DESFire EV3 introduces advanced anti-cloning mechanisms:

• SUN (Secure Unique NFC): dynamic transaction codes to prevent replay attacks
• Proximity Check: protection against relay attacks
• Multi-Application & Key Separation: multiple applications with independent key sets

HID Seos

HID Seos is based on the Secure Identity Object (SIO) architecture:

• Encrypted and encapsulated identity data
• Mutual authentication
• EAL5+ certified security

Key advantages:

• Practically unclonable
• Supports Mobile Access (NFC / BLE)
• Centralized management, ideal for large enterprises and multinational organizations

Communication Protocols – Why OSDP Is as Critical as the Card

In an Access Control System, even if the card itself is secure, the system can still be compromised if communication between the reader and the controller is not protected. This is the fundamental weakness of Wiegand and the reason OSDP (Open Supervised Device Protocol) has become the new standard.

Wiegand

• Plaintext data transmission
• Vulnerable to sniffing and replay attacks
• One-way communication with no reader supervision

Attackers can record card data and simulate door-open signals without a physical card.

OSDP Secure Channel

• AES-128 encryption for all communications
• Bidirectional reader ↔ controller communication
• Detection of reader tampering or replacement
• Remote reader management and configuration

OSDP is a mandatory protection layer for modern anti-cloning Access Control Systems.

Key Diversification & Secure Modules

Key Diversification - One Unique Key per Card

Each card is assigned a unique derived key based on:

• Master Key
• Card UID
• AES algorithms

Even if one card is compromised, the rest of the system remains secure.

SAM (Secure Access Module)

SAM is a dedicated hardware security component that:

• Stores Master Keys securely
• Performs cryptographic operations internally
• Prevents keys from being exposed

This effectively mitigates the risk of extracting keys by stealing or tampering with readers.

Mobile Access - The Future of Access Control

Mobile Access leverages NFC or BLE on smartphones, combined with:

• Secure Enclave / Trusted Execution Environment (TEE)
• Biometric authentication (Face ID, fingerprint)
• Dynamic tokens

Key benefits:

• Impossible to clone
• Instant credential revocation
• Reduced long-term operational costs

KPS – Integrated Security Solutions Ecosystem

KPS delivers comprehensive Security & Access Control solutions for projects with high security requirements, including smart buildings, industrial zones, data centers, airports, and critical infrastructure.

Core solution portfolio:

• Access Control Systems (ACS): Bosch, Genetec, HID, CNB
• Security Gates & High-Security Doors: MAG, Kumahira
• Access Control Locking Devices: electromagnetic locks, bolt locks, electric strikes… (CNB, Tycon)
• Intrusion Detection Systems: Bosch, Optex

In addition, KPS collaborates with multiple other security technology partners to build an integrated security ecosystem, ensuring:

• Multi-system interoperability
• Flexible scalability
• Compliance with project standards and long-term operation

Contact KPS for consultation and design of an integrated Access Control solution tailored to your project.