That is true for strip card (credit card style) and simple prox cards. But what I have been seeing more often is that companies are using the smart card and wireless smart card variety for high security areas. So instead of having a card that will always return the same value (making it easy to duplicate) the smart cards will use good old fashion PKI to mutually authenticate the card to the reader and the reader to the card. This way, the card won't give out its security information until the card reader is verified to be a legit member of the security system. In addition to this, I am seeing a push to go with 2 factor authentication, so you need the card plus some sort of biometrics. This way, if you lose the card, it is useless unless the criminal also managed to chop off your thumb. But if you are AT&T and have spend millions of dollars on equipping all your COs with swipe readers because you got sick of having rekey the locks every time someone lost a key; so when stuck with the choice of replacing all of your COs' security equipment with something more secure, or creating blanket polices, creating a policy is cheaper. My $.02 Adam Stasiniewicz -----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Warren Kumari Sent: Monday, October 23, 2006 1:34 PM To: Roland Perry Cc: nanog@merit.edu Subject: Re: Collocation Access On Oct 23, 2006, at 10:57 AM, Roland Perry wrote:
In article <20061023103731.W56322@iama.hypergeek.net>, John A. Kilpatrick <john@hypergeek.net> writes
The fellow I chatted with at AT&T said they are not allowed to hand over their badge because it would compromise their security.
My tech said the same thing. That keycard could grant central office
access
On its own? No keycode or anything. What if he lost it?
so he couldn't surrender it.
But presumably it would need to be stolen. Wouldn't the tech notice that happening... Or is there some way the colo security guy can clone
it undetected?
These are trivial to clone -- all you need is a reader hooked up to a PC and you can read the number off the card. You can then buy a batch of cards that cover the serial numbers that you are interested in (no, I don't really understand WHY you can buy numbered ranges, but you can...) The other alternative is something like: http://cq.cx/proxmark3.pl This device will read and clone a large number of proximity cards -- you don't even need real access to the card, all you need to do is brush up against the cardholder with the antenna cincealed in your pocket....
-- Roland Perry
-- If the bad guys have copies of your MD5 passwords, then you have way bigger problems than the bad guys having copies of your MD5 passwords. -- Richard A Steenbergen