Tuesday, 2 August 2016

Are keycards safe?

Recently I saw a news story from Sydney, Australia titled, "Swipe Card Scam", which I think perfectly summarises the complexities and ironies in the access control/smart home/security/digital keys/smart lock space.

Putting aside the sensationalist journalism news source here, called 'A Current Affair', and everything that is wrong with these types of shows, "Swipe Card Scam", raised the following issues;
  •  Are families at risk here for swipe card copying?
  • Who is responsible for key management in rental properties?
  • What is the problem here? Is it really a problem? Can it be solved?
  • Is this immoral/is it legal/is it really a scam?
  • What is the solution, and who pays for a better solution if there is one?
  • Has keycard technology broken down/is it secure?
  • Will anything change?
  • Who cares?
In this blog we'll attempt to answer the above questions, perhaps even to do a bit of a "myth busting exercise" to learn more about the security industry. But first, the story summarized so elegantly by a Current Affair on their website is below:

After being tipped off to a money-making racket putting families at risk, A Current Affair reporter Steve Marshall was hot on the trail.
What followed was an insane bolt to expose the man who has been copying card keys in a shopping centre food court.

You get the idea, camera chasing man all over streets, reporter chasing and hassling man to try and make him sound dodgy, throw in lots of negative editing and puns, blah, blah, blah. So firstly the question is about security - are families at risk here?

In the story there was 'undercover' footage of the young man (the 'swipe card scam man') copying keycards and keyfobs with a laptop and a scanner device and taking $70 cash from people for the product/service. The reporter went through with the so called 'scam' himself and showed how he can easily enter an apartment building with the copied key fob.

The people paying the $70 cash to the 'swipe card scam man' in the video were mostly young people, and mostly Asian students. In Sydney its common for students/backpackers/tourists/internationals/travelers/call them what you want, to live in overcrowded accommodation. Its common in the Sydney city centre to find between 5-15 people living together in tiny 2 or 3 bedroom apartments. Living costs, property prices and rent costs in Sydney are some of the highest in the world, and the 'traveler' simply cannot afford to get a place all to themselves, let alone legally sign leases.

We don't want to get too bogged down with background story here, but I've lived in Sydney myself in this type of accommodation so I know first hand about the situation, and I think its important to understand the reality of what's going on here in an attempt to answer the first question about 'security/risk'.

Often landlords aren't aware that they have up to 12 or more people in a two bedroom apartment, or they are aware, and they simply turn a blind eye to it, so they can get more money. The blind eye is turned as its usually illegal to have so many people crammed into the small apartments (e.g fire risks etc).

Sometimes bunk beds are brought in by the tenants who originally signed the lease (lets say 2 people's names are on the lease) and they sub-let to others (illegally). If those 2 people on the lease can squeeze in lets say 3 lots of bunk beds in each of the 2 bedrooms and they sleep in the living room (and its common that artificial walls are built) or move out, and charge say $150 per bed per week x 3 bunk beds in each room =6 people per room x 2 bedrooms = $1800 a week cash in hand to the 2 people on the original lease, then its a nice little money spinner.

Now this leads us back to the so-called 'keycard copying scam'. When the 2 original people signed the lease, they probably received 2 keycard/keyfobs for the common entrance door/street door to the apartment building, and probably a metal key for the apartment door. Copying the metal key to the apartment building is cheap and easy ($2), and the 2 original people on the lease probably give a copy of the metal key to the new 'flatmates' when they say pay a deposit and 2 weeks rent in advance. But then there is the problem of the common door keycard. How do the '12 flatmates' and the 2 original people on the lease (if they still live there) coordinate the common door entry into the apartment building with only 2 keycards? 

The common 'industry' accepted solution is this; place the keycard in the letterbox out the front of the apartment building everytime you come and go, and place the keycard in say a bowl on a table by the front door when you enter the apartment. Usually another small metal key is provided to all 'flatmates' to unlock the letterbox. Now can you imagine 12 young people in a big bright new city like Sydney coming and going at all times, night and day, trying to coordinate entry with 2 keycards and a letterbox? What a nightmare right? Lockouts, phone calls, text messages, waiting around, arguments, planning, coordinating coming and going etc would be a nightmare with all the 'flatmates'.

So as we all know, desperate people do desperate things - so the young 'flatmates' simple cough up $70 to some young tech guy in the shopping centre food court nearby, (our Current Affair swipe card scam man) with a scanner device to copy the keycard and all the flatmates problems are solved. They then have the 24 hour unlimited, uncomplicated access all to themselves. $70 is a small price to pay right for this uncomplicated access right?

Now most of the time, these 'flatmates' aren't interested in getting involved in the seedy underworld, and giving or selling copies of their new keycards to criminals, thieves, rapists, or homeless people so they can come and go as they please and attack and steal from people in the building, or sleep in the hallways of the apartment building.  I don't think the 'swipe card scam man' would be that interested either in bothering to deal with criminals. He looked to have a pretty good business going here!

So getting back to the allegation by a Current Affair - "putting families at risk". Are families at risk here?

Following the argument and reality explained above, you would have to say that the level of risk to families, is not that much 'greatly enhanced' than what it was before 'swipe card scam man' came along.

Further most of these apartment buildings don't have families living in them anyway - its too expensive remember, and its overrun with loud Asian students too remember!

Finally if the apartment buildings have metal keys for the apartment doors, and the common doors have keycards, (and if most of the apartments are rental properties), then there are most likely copies of their metal keys floating out there anyway. So therefore significant "risk" already exists. Criminals and homeless people can simply watch a two minute YouTube video of how to bump, crap, snap, jemmy, or break open a metal key lock in seconds if they wanted too if they didn't have a copy of a metal key. And if these criminals desperately want to get into the common door swipecard entrance of the building, they could wait by the entrance and follow someone in, or go see our "swipe card scam man" and ask him for copies of the keycards to his customers and then follow the 'flatmate' back to their apartment, building, or even extract the address from data on the keycard.

So it's taken to the end of this blog post to bust the myth posed by A Current Affair, and that is, 'families are no more at risk now then what they were before by the "swipe card scam man"'.

Finally the question has to be asked, "why doesn't the lease signed tenants who are taking all the cash from the flatmates for rent provide a copy of the keycard to their 'flatmates' when they pay the cash to stay there and when they get their copy of the metal key?

Are the lease signer tenants either; ignorant, lazy, too tight to pay the $70, don't care, or are they concerned about an audit of the keycard locks, and having their own scam uncovered? We will attempt to answer these questions and the others on the list above in next weeks blog post.

A New Year means New Technologies to Unlock Time Access control for Everyone

Welcome to 2017! What a year 2017 is shaping up to be for the security, smartlock and access control industry with the emergence of new low ...