6

At work we use RFID tags to enter the building and each floor. The tags double as photo ID; I always wondered if they are used (or can be used) to keep track of staff movements.

I always assumed that they were tied to a staff ID when issued. But another staff member thinks they are generic access, i.e. all cards are copies (one per access level) and they just stick your picture on the front.

My question is: What is standard industry practice? I'm sure my scenario is technically feasible, but whether it is widely used is another question.

Jim Hardes
  • 61
  • 1
  • 2
  • 3
    Technically, the card doesn't track you, it's the system reading the card that does. –  Mar 20 '15 at 16:00
  • 1
    @user42178 actually, there are some systems where the cards can carry certain data between readers. Particularly for systems where a reader may be remote and not have a physical (or wireless) network backhaul connection. I only saw the concept at a trade show, not in use -- so no idea how common or popular. So in general you are correct, but there are always exceptions that prove a rule. =) – 0xSheepdog Apr 07 '17 at 20:12
  • If you or any of your colleagues has a phone running Android, a way to determine if (for some reason I can't imagine) they are generic or personal is to install an app to read RFID cards (last time I checked there were several) and try to read the cards of two people who should have the same rights. If you see differences in what the app reads, it means the cards are personal (or that you were wrong in assuming you had the same rights). – Henrik supports the community Aug 21 '19 at 14:01

4 Answers

3

Having specified and reviewed smart card and RFID card entry systems as part of PCI DSS audit I can confirm that the system can, and often does, track people as they move through locked locations in a site. This is normally to allow the fine grained control of which person (usually based on role) can access which areas of a building e.g. only a few people can access the server room (often with 2fa anyway), and certain people can access security offices where CCTV is monitored etc. etc. Many security policies require that entry/exit data is retained for audit purposes and therefore tracking is inherent in the system.

David Scholefield
  • 1,824
  • 12
  • 21
2

It depends on how the workplace operates.

For example, I work as an IT Technician at a company, literally, and we tag in and out when we come in, leave, etc. When setting this up, I was asked to assign everyone in the company their name and role. They wanted it to make monitoring when people are late a lot easier, which automates a silly deduction from wages. Don't ask why; it was just asked to be done and I had to do it.

Standard industry practice is, at the least, to have some security with tags to see what's going on around the building. At least, from experience, that's what I know.

Xanmashi
  • 370
  • 1
  • 8
2

I have managed two popular systems, and both have this capability of tracking. If you think about it, you must have a central database with at least a user table and rights tables in the back end in order to restrict people to certain areas (our IT staff were the only ones allowed through the protected server room doors, for example), and all systems I have used tracked history of events. At least one system used MSSQL in the back end. If the system didn't know WHO it was trying to enter, it wouldn't be able to differentiate based on role access.

As a consequence, you can do some nifty security controls with this. You can restrict certain users to certain floors or buildings, and at certain times of the day. You could allow after hours access but generate a report each morning of anomalies. You could track the last place a person ENTERED, though unless you have to use your card to exit, this may not be the current user location. Location tracking over time would be easy. I currently use a SIEM product that aggregates these events as well, so you're sometimes not even limited to the vendor-provided management software for control and correlation.

armani
  • 2,658
  • 19
  • 20
2

Your cards are most likely not generic, as this wouldn't make much sense: having two or more identical tags is a security issue, at least from a non-repudiation point of view.

All systems I came into contact with used an on-line, system-side control mechanism, that is, the card was a mere tag with identity info (such as card no., employee ID or some other unique identifier) which was passed by the reader to some kind of control database.

Since almost every card interaction is bound to be backed by a database, it would be, and likely is, possible to trace back a user's activity with a simple SQL query, if not implemented in the system's UI directly.

In a paranoid scenario there could be hidden "checkpoints" throughout the premises which may be able to activate the RFID chip at a longer distance (up to even a few meters), tracking the card's movement quite precisely. This is, however, more of a TLA*-grade security assumption. In most business scenarios there will only be visible locks, doors and gates that require a deliberate user action (i.e. physically holding the card close to the reader), and these will be the only points able to track the card reliably.


*Three Letter Agency

cptMikky
  • 455
  • 2
  • 5
  • True in most scenarios it'll just be doors. However one of the Universities I looked at had trackers around the department that would track and spatially locate RFID tags in all the rooms of the department. So the technology isn't particularly hard to get your hands on. – Baldrickk Aug 21 '19 at 15:46
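Both armani's answer (a central database with user and rights tables, event history, a morning anomaly report, last-entered location) and cptMikky's answer (tracing a user's activity with a simple SQL query) describe the same back-end shape. The following is an added example, not code from any poster or from any vendor's product: a toy on-line access-control back end in SQLite with an assumed four-table layout (users, readers, rights, events), a constructed day of badge presentations, and the queries a security team would run over the resulting log. The `UNIQUE` constraint on `card_uid` is also why generic cards make no sense to the system: the decision and the log entry both hinge on one card identifying one person.

```python
import sqlite3

# Assumed minimal schema for an on-line access-control back end (illustrative, not any vendor's).
# card_uid is UNIQUE: one card identifies one person, which is what makes the log attributable.
SCHEMA = """
CREATE TABLE users   (user_id INTEGER PRIMARY KEY, name TEXT NOT NULL,
                      role TEXT NOT NULL, card_uid TEXT NOT NULL UNIQUE);
CREATE TABLE readers (reader_id TEXT PRIMARY KEY, location TEXT NOT NULL);
CREATE TABLE rights  (role TEXT NOT NULL, reader_id TEXT NOT NULL,
                      earliest TEXT NOT NULL, latest TEXT NOT NULL);   -- HH:MM window
CREATE TABLE events  (ts TEXT NOT NULL, card_uid TEXT NOT NULL,
                      reader_id TEXT NOT NULL, granted INTEGER NOT NULL);
"""

# Constructed sample data: two staff, three readers, role-based rights with time windows.
SAMPLE_USERS = [(1, "Alice", "it", "CARD-0001"), (2, "Bob", "staff", "CARD-0002")]
SAMPLE_READERS = [("R-LOBBY", "Lobby"), ("R-F3", "Floor 3"), ("R-SRV", "Server room")]
SAMPLE_RIGHTS = [
    ("it", "R-LOBBY", "00:00", "23:59"), ("it", "R-F3", "00:00", "23:59"),
    ("it", "R-SRV", "00:00", "23:59"),                       # IT may enter the server room any time
    ("staff", "R-LOBBY", "07:00", "20:00"), ("staff", "R-F3", "07:00", "20:00"),
]


def open_db():
    """Create the in-memory database and load the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO readers VALUES (?, ?)", SAMPLE_READERS)
    conn.executemany("INSERT INTO rights VALUES (?, ?, ?, ?)", SAMPLE_RIGHTS)
    return conn


def present_card(conn, ts, card_uid, reader_id):
    """Reader-side decision: look the card up, check role rights for this reader and
    time of day, then log the attempt either way. ts is 'YYYY-MM-DD HH:MM:SS'."""
    hhmm = ts[11:16]                               # zero-padded, so string comparison works
    row = conn.execute(
        """SELECT 1 FROM users u JOIN rights r ON r.role = u.role
           WHERE u.card_uid = ? AND r.reader_id = ? AND ? BETWEEN r.earliest AND r.latest""",
        (card_uid, reader_id, hhmm)).fetchone()
    granted = row is not None                      # unknown card or no matching right -> denied
    conn.execute("INSERT INTO events VALUES (?, ?, ?, ?)", (ts, card_uid, reader_id, int(granted)))
    return granted


def user_trail(conn, name):
    """cptMikky's 'simple SQL query': every door a named person was granted, in order."""
    return conn.execute(
        """SELECT e.ts, rd.location FROM events e
           JOIN users u ON u.card_uid = e.card_uid
           JOIN readers rd ON rd.reader_id = e.reader_id
           WHERE u.name = ? AND e.granted = 1 ORDER BY e.ts""", (name,)).fetchall()


def last_entered_location(conn, name):
    """Last place a person ENTERED (with no exit readers this is not their current location)."""
    return conn.execute(
        """SELECT rd.location, e.ts FROM events e
           JOIN users u ON u.card_uid = e.card_uid
           JOIN readers rd ON rd.reader_id = e.reader_id
           WHERE u.name = ? AND e.granted = 1 ORDER BY e.ts DESC LIMIT 1""", (name,)).fetchone()


def anomaly_report(conn, day):
    """The 'each morning' report: every denied attempt on a day, including unknown cards,
    which a plain inner join on users would silently drop."""
    return conn.execute(
        """SELECT e.ts, COALESCE(u.name, 'unknown card ' || e.card_uid), rd.location
           FROM events e
           LEFT JOIN users u ON u.card_uid = e.card_uid
           JOIN readers rd ON rd.reader_id = e.reader_id
           WHERE e.granted = 0 AND substr(e.ts, 1, 10) = ? ORDER BY e.ts""", (day,)).fetchall()


def simulate():
    """Constructed day of badge presentations; returns the populated connection."""
    conn = open_db()
    present_card(conn, "2024-03-04 08:05:00", "CARD-0002", "R-LOBBY")   # Bob in, allowed
    present_card(conn, "2024-03-04 08:07:00", "CARD-0002", "R-F3")      # Bob to floor 3, allowed
    present_card(conn, "2024-03-04 12:30:00", "CARD-0002", "R-SRV")     # no right -> denied
    present_card(conn, "2024-03-04 21:15:00", "CARD-0002", "R-LOBBY")   # after hours -> denied
    present_card(conn, "2024-03-04 22:00:00", "CARD-0001", "R-SRV")     # Alice (IT) late, allowed
    present_card(conn, "2024-03-04 22:30:00", "CARD-9999", "R-LOBBY")   # unknown card -> denied
    return conn


if __name__ == "__main__":
    db = simulate()
    print("Bob's trail:", user_trail(db, "Bob"))
    print("Bob last entered:", last_entered_location(db, "Bob"))
    for row in anomaly_report(db, "2024-03-04"):
        print("ANOMALY", row)
```

Two design points worth noticing: the decision is made entirely on the system side (the card contributes nothing but its identifier, exactly as cptMikky describes), and the log records denied attempts as well as granted ones, since the denied ones are what the morning report is for. Exporting the `events` table to a SIEM, as armani mentions, is then just a matter of shipping rows.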