Contact Us

6 Reasons Why Cards and Fobs Are a Security Risk and How Easily They Can Be Cloned

/ Biometric Access Control, Security & Hygiene

6 Reasons Why Cards and Fobs Are a Security Risk and How Easily They Can Be Cloned

Access cards and key fobs have long been marketed as a secure, modern alternative to traditional keys. They’re convenient, inexpensive, and familiar. But convenience is not the same as security. In reality, many card and fob-based access systems are vulnerable by design and can be cloned far more easily than most organisations realise.

At Arana Security, we regularly assess physical access systems for businesses. One of the most common, and most underestimated, risks we encounter is outdated or poorly implemented card and fob technology. Here’s 6 reasons why cards and fobs can be a security risk:

1.    The Illusion of Security

Cards and fobs feel secure because they are electronic. There’s no visible key to copy, no obvious way to duplicate them, and access logs give the impression of control and accountability.

However, many widely deployed systems rely on low-frequency (LF) or basic RFID/NFC technologies that were designed decades ago. These credentials often:

  • Transmit a static, unencrypted identifier
  • Do not authenticate the reader
  • Do not change data between uses

In simple terms, the card or fob says the same thing every time it’s scanned. If that message is captured once, it can be replayed indefinitely.

2.   Cards and Fobs can be easily cloned

Much easier than most people expect.

With inexpensive, readily available hardware, an attacker can:

  • Read the unique ID from a vulnerable card or fob
  • Store that data digitally
  • Write it onto another blank card or compatible device

This can be done:

  • In seconds
  • Without damaging the original card
  • Without the owner ever realising it happened

In crowded environments, offices, apartment buildings, gyms, events, credentials can be read discreetly from very close range or during legitimate use at a reader.

No lock picking. No forced entry. No alarms.

3.    Lost Cards Are Only Part of the Problem

Most organisations focus on lost or stolen cards as the primary risk. While that is an issue, cloning introduces a more serious threat:

  • The original card still works
  • Access logs look normal
  • There is no indication of compromise

An unauthorised duplicate can exist indefinitely, even after audits or card counts are completed.

This makes investigations difficult and often leads to a false sense of security after an incident.

4.    Shared Credentials and Poor Hygiene

Another common issue with card and fob systems is how they are used in practice:

  • Cards are shared between staff
  • Temporary access is never revoked
  • Old credentials remain active for months or years
  • Contractors retain access long after jobs are completed

When a system is already vulnerable to cloning, poor access hygiene significantly increases risk.

5.    Many Systems Haven’t Been Upgraded

If these risks are so well known, why are insecure cards and fobs still everywhere?

  • They are cheap to deploy
  • Legacy systems are hard to replace
  • Users resist change
  • The risk is invisible until something goes wrong

Unfortunately, attackers don’t wait for incidents to make their move.

6.    Modern Threats Require Modern Access Control

Secure access control today should include:

  • Encrypted credentials with mutual authentication
  • Rolling or dynamic data, not static IDs
  • Multi-factor authentication (something you have + something you are or know)
  • Mobile or biometric-based access where appropriate
  • Centralised auditing and rapid revocation

These approaches dramatically reduce the risk of cloning and unauthorised access.

How Arana Security Can Help

At Arana Security, we help organisations:

  • Assess existing card and fob systems
  • Identify vulnerable technologies
  • Design secure, future-proof access solutions
  • Transition away from cloneable credentials with minimal disruption

If your access control relies on traditional cards or fobs, it’s not a question of if the system can be cloned, it’s a question of when.

Ready to Secure Your Site?

Contact Arana Security to review your current access control and ensure your premises are protected against modern threats. You can also download our Martyn’s law checklist to check if your business is compliant.

Convenience should never come at the cost of security.