Mainstream information security news outlets [http://bit.ly/pDaXpN] were reporting another physical security attack against one of the most popular access card services, Mifare, which is still remembered by some for the 2008 attack on the Mifare Classic. The Mifare DESFire card technologies are used across the world by businesses, governments, and residential consumers to protect everything from garage door openers to critical infrastructure.
The attack requires a malicious person to have physical possession of the card for around 7 hours to obtain the card’s secret key. Once the key is obtained, an attacker can assume the digital identity of any individual who uses the card to authenticate/authorize their access. The attack highlights the reality that any physical device can be cracked given enough time and cleverness.
When granting access to sensitive assets, it is best to rely on multi-factor controls (something you have: the card; plus something you know: a PIN or passphrase).