
    Cloned Access Card: A Hidden Threat in Office Buildings and Security Solutions

    Recently, there has been a rise in incidents where certain individuals exploit their connections with building service units to carry out violations. These actions are often enabled by familiarity, complacency, or inconsistent management processes, which lead to oversight. As a result, these individuals are able to illegally access restricted areas and steal tenant property in a sophisticated manner, making detection extremely difficult.

    HOW THE ATTACK WORKS

    1. Exploiting internal relationships: Former employees leverage their connections with service personnel, who usually have wide-ranging access, to obtain access cards temporarily.

    2. Using cloning technology: Access card data can be cloned within seconds with a smartphone app and low-cost devices.

    3. Returning the original card: The card is returned after copying to avoid raising suspicion.

    4. Gaps in deactivation: In some buildings, management doesn't promptly deactivate returned cards, or the system lacks real-time validation. The cloned version may still work even if the original card is deactivated.


    WHY THIS THREAT IS SERIOUS

    • Hard to detect: Since cloned cards mimic legitimate ones, access logs show them as authorized entries.

    • Abuse of trusted roles: Service units enjoy broad access with minimal oversight.

    • Ongoing vulnerability: Cloned cards can be kept and used anytime, long after creation.


    SECURITY SOLUTIONS FOR BUSINESSES AND BUILDING MANAGEMENT

    1. Real-time credential validation
      Ensure your access control system checks each scan against an up-to-date database in real time. Any deactivated card or its clone should be denied access immediately.

    2. Use encrypted smart cards or dynamic mobile credentials
      Replace magnetic stripe cards with encrypted smart cards or use mobile credentials that refresh dynamically (OTP, rotating QR codes).

    3. Monitor and analyze access logs
      Deploy software to detect anomalies like off-hours access, use of deactivated credentials, or duplicate entries from multiple devices.

    4. Restrict service provider access
      Limit access areas and times for third-party vendors. Issue single-use or short-duration credentials that auto-expire.

    5. Train building management staff
      Train staff to:

      • Immediately deactivate returned cards.

      • Recognize suspicious return behaviors.

      • Report anomalies to security or tenant companies.

    6. Conduct regular security audits
      Perform biannual security checks to identify weaknesses, including penetration testing to simulate real-world attacks.

    7. Use write-once access cards
      Adopt RFID or smart cards that only allow data to be written once, preventing unauthorized overwriting or duplication.

    8. Quarterly card recall and master card rotation
      Collect and replace all access cards every quarter, and issue a new master key system while revoking all prior permissions to eliminate hidden risks.

    9. Implement multi-factor authentication
      In sensitive zones, combine card access with biometrics or photo ID verification for an additional layer of security.
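
    The log checks named in solution 3 (off-hours access, use of deactivated credentials, and the same card appearing at multiple readers) can be sketched as follows. This is an added example, not part of the original article or any vendor's product; the log format, card and reader IDs, business hours, and 60-second threshold are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data: timestamp, card ID, reader ID, controller decision.
SAMPLE_LOG = """\
2024-03-04T08:58:10,CARD-1001,LOBBY-01,granted
2024-03-04T09:02:41,CARD-2002,LOBBY-01,granted
2024-03-04T09:03:05,CARD-2002,FLOOR7-02,granted
2024-03-05T02:14:33,CARD-1001,FLOOR7-02,granted
2024-03-06T10:20:00,CARD-3003,LOBBY-01,granted
"""
# Constructed revocation list: card ID -> time the card was deactivated.
DEACTIVATED = {"CARD-3003": datetime(2024, 3, 5, 17, 0)}

BUSINESS_HOURS = range(6, 20)        # assumed policy: 06:00 to 19:59
MIN_TRAVEL = timedelta(seconds=60)   # assumed minimum time between two readers


def find_anomalies(log_text, deactivated):
    """Return findings as (timestamp, card_id, reason), in chronological order."""
    events = []
    for line in log_text.strip().splitlines():
        ts, card, reader, result = line.split(",")
        events.append((datetime.fromisoformat(ts), card, reader, result))
    events.sort()

    findings, last_seen = [], {}
    for ts, card, reader, result in events:
        # A scan after the revocation time means the card or a copy is in use.
        revoked_at = deactivated.get(card)
        if revoked_at and ts >= revoked_at:
            findings.append((ts, card, f"deactivated credential {result}"))
        if ts.hour not in BUSINESS_HOURS:
            findings.append((ts, card, "off-hours access"))
        # One card at two readers faster than a person can walk between them
        # suggests that the original and a clone are both being presented.
        prev = last_seen.get(card)
        if prev and prev[1] != reader and ts - prev[0] < MIN_TRAVEL:
            findings.append((ts, card, f"same card at {prev[1]} and {reader} "
                                       f"within {MIN_TRAVEL.seconds}s"))
        last_seen[card] = (ts, reader)
    return findings


if __name__ == "__main__":
    for ts, card, reason in find_anomalies(SAMPLE_LOG, DEACTIVATED):
        print(ts.isoformat(), card, reason)
```

    A "deactivated credential granted" finding also shows that the controller accepted a revoked card, which is the real-time validation gap described in solution 1.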

    Cloning access cards presents a real and evolving threat, but it is preventable. By adopting multi-layered security protocols and staying proactive, both businesses and building managers can significantly reduce risk. In an era where every card is potentially cloneable, robust preparation is the key to avoiding undetectable breaches.
