Contactless card-based access control systems were developed to better and more easily protect facilities from unauthorized visitors. Of course, then, the bad guys figured out how to capture and use card-based information to fool the system and let the unauthorized in by using skimming, eavesdropping or relay attacks. Skimming occurs when the attacker uses his reader to access information on the victim’s RFID token without consent. An eavesdropping attack occurs when an attacker can recover the data sent during a transaction between a legitimate reader and a token. A successful relay attack lets an attacker temporarily possess a “clone” of a token, thereby allowing him to gain the associated benefits. Using any of these relatively inexpensive methods will let an unauthorized person in.
Adding to the problem is that Wiegand, the industry standard over-the-air protocol commonly used to communicate credential data from a card to an electronic access reader, is no longer inherently secure due to its original obscure and non-standard nature. Today, no one would accept usernames and passwords being sent in the clear nor should they accept such vulnerable credential data. ID harvesting has become one of the most lucrative hacking activities. In these attacks, a credential's identifier is cloned, or captured, and is then retransmitted via a small electronic device