Subscriber Discussion

Would You Use Credit Card As An Access Control Card?

Undisclosed #1
Nov 10, 2018

It works and my customer likes the idea

Yes-No?

Undisclosed #2
Nov 10, 2018
IPVMU Certified

Yes, I do it all the time:

 

Undisclosed #1
Nov 10, 2018

Let's say it's funny

but do you have a real answer?

Undisclosed #2
Nov 10, 2018
IPVMU Certified

...do you have a real answer?

Not yet, but I have a real question: 

Are you using the end-user’s own credit card or issuing your own card?

Let's say it's funny

You can do that with just one click.

Undisclosed #1
Nov 10, 2018

A customer using his own CC

Undisclosed #2
Nov 10, 2018
IPVMU Certified

Makes a lot of sense for a fee-based parking structure.

Undisclosed #1
Nov 10, 2018

The reader only reads the CC's 5-digit smart card ID number

Undisclosed #2
Nov 11, 2018
IPVMU Certified

...5 digit smart card ID number...

Only 5 digits? It’s not a UUID?

Is it the PIN or issuer ID?

 

Undisclosed Manufacturer #3
Nov 10, 2018

Too risky... Think of all the potential skimming opportunities. No need to give someone your credit card details when they don't need it. Also think about the number of times your access card is dropped or lost. Now you lose your cc which has your name and your credit attached to it.

Undisclosed #4
Nov 10, 2018

Agree.

Why does the customer 'like' the idea UD1?  i.e. what is the benefit to them of doing it?

Is the customer's wallet too thin to hold 2 cards?

I would advise the client that just because it can be done does not mean it should be done, nor is it a wise thing to be done.  For the reasons stated by UD3.

Undisclosed Integrator #5
Nov 11, 2018

I would never allow my card to be used for card access if I were an end user.  That is insane.

Brian Rhodes
Nov 11, 2018
IPVMU Certified

If the finance company/bank reissues the card, will it change the access credential?

Undisclosed #1
Nov 11, 2018

Yes, of course

but one swipe and a few clicks and you're done

Brian Rhodes
Nov 11, 2018
IPVMU Certified

Does everyone that needs access in this system use the same bank/carry the same type of card?  Or is this a single user or small number of users?

 

Undisclosed #2
Nov 11, 2018
IPVMU Certified

Note, OP may be actually talking about “smart cards”, see above.

 

Undisclosed #1
Dec 25, 2018

The majority of people in Canada can use their CC or debit cards to access ATMs located inside banks after regular hours

The same concept 

Undisclosed #2
Dec 25, 2018
IPVMU Certified

Does it actually verify that the card is tied to a person with an open account?

Undisclosed #1
Dec 25, 2018

I would say yes,

You have acc you can open door

Here is a sample of AC soft reading CC card

Undisclosed #2
Dec 25, 2018
IPVMU Certified

I would say yes,

You have acc you can open door

Sure, but might a library card open it as well, or any track 2 formatted magstripe for that matter?

In that case the system is different than what you propose as the data never leaves the door and doesn’t require tie in to a back-end system, and therefore the card never expires.

Next time you’re at the bank try an expired card, $1 says it opens it...

 

 

Undisclosed #1
Dec 25, 2018

I am using MIFARE Readers

Undisclosed #2
Dec 25, 2018
IPVMU Certified

Ok, but I think the point stands that if you can use any MIFARE card to open the bank door, e.g. expired, stolen, then it’s not exactly the same as your application, because there is no backend communication necessary, and the token is only used as a way to say “I’m at least someone who has access to a MIFARE card”, as opposed to granting access to a specific person.

Undisclosed #1
Dec 25, 2018

"Ok, but I think the point stands that if you can use any MiFARE card to open the Bank door"

Where did I say that ANY MIFARE card can open a door?

Of course, it has to be part of the AC database

 

 

Undisclosed #2
Dec 25, 2018
IPVMU Certified

Where did I say that ANY MIFARE card can open a door?

You didn’t say.  That’s why I said “if”.

I do know this, the bank doors to the ATM at my Wells Fargo open to (apparently) any magstriped card.  Probably cuz it makes the system so simple.

So it’s not inconceivable that a MIFARE system could work the same way.  Have you tried an expired card or not?

Undisclosed #1
Dec 25, 2018

Will check and get back to you

Undisclosed #2
Dec 26, 2018
IPVMU Certified

Ok, and Merry Christmas U1!

Dave Gideon
Dec 27, 2018
IPVMU Certified

It will- the reader simply looks for a magstripe, it pays no attention to the card data. The ones I've done have no connection to a database or any outside connection at all- it's only a magstripe reader. Made me wonder why the door isn't just kept unlocked. I suppose they're counting on the fact that most people won't know how it works and will assume there is some database connection to their (presumably) valid card.

Dave Gideon
Dec 27, 2018
IPVMU Certified

Uh...no, not the same concept. The magstripe opens the lobby door to let you into where the ATM is. All this does is deny entry to the homeless person that doesn't have a card with a magstripe. There is no audit trail, no log, no user database, no access levels, just unlocks the lobby door.
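
The two behaviours contrasted in this thread, a standalone lobby reader that unlocks for any magstripe versus a door that checks the swipe against an access control database and the card's expiry, shown side by side as an added example (not code from any poster or vendor). The Track 2 layout follows ISO/IEC 7813; the function names, the site key, the keyed-hash enrollment (so the database holds no raw card number) and all sample swipes are constructed assumptions.

```python
import hashlib
import hmac
import re
from datetime import date

# ISO/IEC 7813 Track 2 layout: ;PAN=YYMM<3-digit service code><discretionary>?
TRACK2 = re.compile(r"^;(\d{1,19})=(\d{2})(\d{2})(\d{3})(\d*)\?$")
SITE_KEY = b"constructed-demo-key"  # assumption: secret held by the controller

def token(pan: str) -> str:
    """Keyed hash enrolled in place of the card number itself."""
    return hmac.new(SITE_KEY, pan.encode(), hashlib.sha256).hexdigest()

def presence_only_unlock(raw: str) -> bool:
    """Standalone lobby reader: any well-formed stripe unlocks, data ignored."""
    return TRACK2.match(raw) is not None

def enrolled_unlock(raw: str, enrolled: set, today: date) -> bool:
    """Database-backed door: the card must be enrolled and not expired."""
    m = TRACK2.match(raw)
    if m is None:
        return False
    pan, yy, mm = m.group(1), int(m.group(2)), int(m.group(3))
    if not 1 <= mm <= 12:
        return False
    # A card is valid through the last day of its expiry month.
    if (2000 + yy, mm) < (today.year, today.month):
        return False
    return token(pan) in enrolled

# Constructed sample swipes (test numbers, not real cards).
CURRENT_CARD = ";4111111111111111=3012101000000000?"   # enrolled, expires 12/2030
EXPIRED_CARD = ";5555555555554444=1706101000000000?"   # enrolled, expired 06/2017
LIBRARY_CARD = ";21234567890123=9912000000?"           # never enrolled
ENROLLED = {token("4111111111111111"), token("5555555555554444")}
TODAY = date(2018, 12, 27)

def door_results() -> dict:
    """Map each sample card to (presence-only result, enrolled-door result)."""
    cards = {"current": CURRENT_CARD, "expired": EXPIRED_CARD, "library": LIBRARY_CARD}
    return {name: (presence_only_unlock(raw), enrolled_unlock(raw, ENROLLED, TODAY))
            for name, raw in cards.items()}

if __name__ == "__main__":
    for name, (lobby, door) in door_results().items():
        print(f"{name:8} lobby={lobby} enrolled_door={door}")
```

All three sample cards open the presence-only door; only the enrolled, unexpired card opens the database-backed one.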

Undisclosed #1
Dec 26, 2018

Thank you,

Merry Christmas to you and everybody on IPVM!

Undisclosed #6
Dec 26, 2018

Smartphones, people. Get rid of the inventory.

If you need access to a bank and an access control door.

Unify those two systems, Bye Bye HID. Let the real cyber security teams handle the future integrations development and design.

With a smartphone there is more ownership of the credential, more ways to authenticate those credentials. Many, many ways.

Why use hard coded stamped, printed plastic magstripe, prox, emv chipped pieces of you know what?

Digital people, digital. We live in a world where we must advance our technology, any device, code, services that ages also decays and makes it vulnerable, cloneable, hackable, less secure. Stay on top of it.

Bank card for access control, come on man! That's like people still installing coax and using encoders for ip video.

Happy Holidays to those that agree, and if you don't then you are a Design-O-saur!

Undisclosed #2
Dec 26, 2018
IPVMU Certified

Why use hard coded stamped, printed plastic magstripe, prox, emv chipped pieces of you know what?

Because

when is the last time the battery on your prox card died?

when is the last time your prox card failed after a firmware upgrade?

when is the last time you cracked the screen of your magstripe card? 

Undisclosed Integrator #7
Dec 27, 2018

I don't think this is a good idea, too much risk. Are you willing to accept the risk of card theft either through skimming or database breach?

Brian Rhodes
Dec 27, 2018
IPVMU Certified

I think this is a reasonable concern.  I'm not sure how PCI Compliance weighs into financial cards used as access credentials, but in the US it could be argued as mandatory, i.e.:

To whom does the PCI DSS apply?

A: The PCI DSS applies to ANY organization, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data.

Security/surveillance systems can cause PCI trouble by even sharing the same network equipment/routers as payment card data, so I imagine storing card numbers in the access system could be a showstopper for a PCI auditor.
