
Key Cards Are the Weakest Link in Your Building's Security

Most buildings we walk into have access control. The problem is that nobody's been reviewing it. Key cards get cloned, shared, and never deactivated -- here's what to do about it.

Stas Yachnik | 5 min read | February 16, 2026

Quick Answer

Key cards have three problems: they get cloned, shared, and never deactivated. Most buildings have active credentials for people who left months or years ago. Upgrading to mobile credentials or a cloud-managed access platform closes all three gaps without replacing your entire system.

Key Takeaways

  • Standard HID Proximity cards (the most common type in NYC) can be cloned with a $30 RFID reader in under two seconds.
  • Shared key cards are invisible to your audit log -- the log shows a door opened, not who held the card.
  • Most buildings have active credentials for employees or tenants who left months ago.
  • Mobile credentials on smartphones are tied to a specific device, cannot be passed around, and can be revoked instantly.
  • A cloud-managed system lets you audit your full credential list and remove anyone in seconds.

Most buildings we walk into have access control. The problem isn't that they don't have it -- it's that nobody's been reviewing it.

The Three Ways Key Cards Fail You

First, they get cloned. Standard HID Proximity cards -- the kind used in millions of NYC buildings -- operate on 125 kHz technology with no encryption. A $30 RFID reader from Amazon can copy a credential in under two seconds. Your tenant holds their card near someone on the elevator, and that person has a working duplicate before the door opens.

Second, they get shared. You issued one card to Unit 4B. But the package delivery person has been using it for six months. Your building's access log shows the door opened -- it doesn't tell you it was the wrong person.

Third, they never get deactivated. When someone leaves -- an employee, a tenant, a contractor -- the process for revoking their access is usually "I'll do it tomorrow." And tomorrow gets pushed. We find active credentials for people who left 18 months ago in almost every building we audit.

What Your Access Log Is Actually Telling You

Pull your access log for the last 30 days. How many of those credentials belong to people who still work or live there? Do you know?

If you can't answer that in under five minutes, your access control system is giving you the appearance of security, not the substance of it.

The Fix Isn't Ripping Out Your System

In most buildings, the readers can stay. What changes is the credential type and the platform managing it.

Mobile credentials on smartphones tie access to a specific person's device -- something they own and carry, not a card that can be passed around or cloned. And they can be revoked instantly from a browser or your phone. You don't have to physically retrieve anything.

Cloud-managed systems like Brivo let you see your full active credential list, sort by last-used date, and remove anyone in one click. That audit used to take an afternoon. With the right platform, it takes five minutes.

What You Should Do This Week

Pull your current access roster. Compare it against who's actually supposed to have access. If you find credentials for people who have left, that's a problem you can fix today -- not a reason to delay until you have budget for a full upgrade.

Start with a review. Then talk to us about what a credential migration looks like for your building. In most cases, it's less disruptive and less expensive than people expect.

Your Checklist

  • Pull your full active credential list today
  • Cross-reference it against your current employee or tenant roster
  • Flag anyone who left in the past 6 months and still has active access
  • Check whether your system can report on credentials by last-used date
  • Ask your integrator what a credential upgrade looks like on your current hardware

Common Mistakes to Avoid

"We only give cards to people we trust."

Trust doesn't prevent cloning or card sharing. The credential doesn't know who's holding it.

"We deactivate cards when people leave."

In practice, this happens inconsistently. A cloud audit almost always turns up credentials that should have been deactivated months ago.

"Upgrading to mobile credentials means replacing everything."

In most cases, new readers install on existing wiring. The migration is less disruptive than most managers expect.

Frequently Asked Questions

Can HID Proximity key cards really be cloned that easily?

Yes. HID 125 kHz Proximity cards have no encryption. They broadcast a fixed ID that can be captured and replicated with widely available RFID equipment. HID iClass SE, SEOS, and mobile credentials use encryption and are significantly more resistant to cloning.

How do I find out which employees or tenants still have active access?

Pull a report from your access control system sorted by last-used date. Anyone with a credential that hasn't been used in 30 or more days should be reviewed. If your system doesn't offer this report, that's a sign the platform isn't giving you the visibility you're paying for.
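
The roster cross-check from the checklist and the 30-day last-used review described here can be scripted when your platform only gives you raw exports. This is an added example, not part of the original article or any vendor's tooling; the CSV column names and sample rows are constructed, so map them to whatever your system exports.

```python
import csv
import io
from datetime import date

# Constructed sample exports. Column names are assumptions, not a vendor format.
CREDENTIALS_CSV = """credential_id,holder,status,last_used
1001,Ana Ruiz,active,2026-02-10
1002,Ben Cole,active,2024-08-03
1003,Unit 4B,active,2026-02-14
1004,Dee Park,active,
1005,Eli Voss,inactive,2025-01-20
1006,fay  lind,active,2025-12-30
"""
ROSTER_CSV = """name,left_on
Ana Ruiz,
Ben Cole,2024-08-15
Dee Park,
Fay Lind,
"""

def norm(name):
    """Case- and whitespace-insensitive key so 'fay  lind' matches 'Fay Lind'."""
    return " ".join(name.lower().split())

def audit(credentials_csv, roster_csv, today, stale_days=30):
    """Return (credential_id, holder, reason) for each active credential to review."""
    roster = {norm(r["name"]): r["left_on"].strip()
              for r in csv.DictReader(io.StringIO(roster_csv))}
    findings = []
    for c in csv.DictReader(io.StringIO(credentials_csv)):
        if c["status"].strip().lower() != "active":
            continue  # already deactivated
        key, last = norm(c["holder"]), c["last_used"].strip()
        if key not in roster:
            reason = "no named person on roster"  # e.g. a card issued to a unit
        elif roster[key]:
            reason = "holder left " + roster[key]
        elif not last:
            reason = "never used"
        elif (today - date.fromisoformat(last)).days >= stale_days:
            reason = "unused for %d days" % (today - date.fromisoformat(last)).days
        else:
            continue  # current holder, recently used
        findings.append((c["credential_id"], c["holder"].strip(), reason))
    return findings

if __name__ == "__main__":
    for row in audit(CREDENTIALS_CSV, ROSTER_CSV, date(2026, 2, 16)):
        print(*row, sep=" | ")
```

A credential issued to a unit rather than a named person is flagged even when it is used daily, because the log cannot say who was holding it.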

Do I have to replace my whole access control system to upgrade credentials?

Not always. HID Signo readers support Prox, iClass, and mobile credentials simultaneously, so you can run both credential types during a gradual transition. Existing cardholders keep working while new users are enrolled on mobile.

How long does a credential audit take?

For most commercial buildings, 30 to 60 minutes if your system has a sortable access log. PAX Security can run a full access audit as part of a free site survey.


Ready to audit your building's access?

PAX Security offers free site surveys for commercial buildings across NYC and NJ. We'll show you exactly where your access control has gaps.