If you have a badge that you can wirelessly scan to gain access to a building or facility, then you probably have an RFID badge. These badges allow you to tap or hold up against a device that reads the credentials on the badge and checks to see if they are on the access list. If there is a match, you will get a beep and whatever area you are trying to access unlocks. If there is no match, or if you do not have an RFID card, well you are not going to be gaining access to the area easily. I have a separate article that talks about tailgating and all the security implications of not appropriately handling tailgaters. While RFID tags are great for a different variety of business needs, they have a critical flaw that can easily be taken advantage of by bad actors.
RFID badges work by wirelessly transmitting bits of data which can then be used to enable something. Since the RFID card itself is passive, you need a device that is powered and can read the data on the card. This simple technology can be easily used against you and your company or whatever you are trying to protect. How is this possible? A couple of things to demystify. RFID cards are made by a handful of manufacturers. Those manufacturers sell to anyone willing to pay money for their good. Both companies and bad actors have the ability to buy the exact same RFID card. Next, the tricky part is getting your credentials. This part is actually not that difficult. If you carry your badge around your waist, around your neck, or in your pocket, all someone has to do is get close enough to you to take your credentials. They have to have a special device that can either be bought or built which basically can take your credentials. This can be done while you are walking to lunch, at the park, on the subway. The attacker just needs to be close enough to your unprotected RFID card and then they have your credentials.
The credentials themselves don’t actually do anything. The attacker just has some bits and a copy of a blank RFID card. The attacker then has to buy or have access to an RFID card creator which then puts the stolen credentials on their personal copy. Next, they have to do a bit of social engineering to put it to use. They have to make the card look believable and ideally a replica of your original card. Then, all a person has to do is walk up to your place of business and scan away. The card reader on your door wont know if it’s real or fake. On a separate but related note, some credit/debit cards also have RFID, so those are vulnerable to being stolen as well.
By now, you are probably a little worried about having your RFID card out in the wild exposed. Worry not, there is a simple and effective way to protect yourself. Invest in an RFID shield. This is a thin sleeve that you slip your badge into and protects it from any attackers. They also make wallets that can keep your credit/debit cards safe. With all of this said, just don’t ever lose your RFID card, because there’s really no easy way to protect yourself against that.