Use NFC contactless bank card for authentication

Question

I want to use contactless bank cards (what our community usually already have) as ID for building access system (where RFID tags are ususally used).

I am able to read RFID tags with PN532 (RFID/NFC reader). Also I tested reading some contacless cards by Android phone and was able to read some UID, so I will have same level of security like with common RFID tags - anyone with proper HW can send the same UID if he knows it.

But is it possible to use some more advanced security features of this cards without cooperation with card issuer for authentication? (signing etc.)

Answer 1

No, without cooperation from the card issuer you will not be able to use cards in a non-trivial way. The small amount for own cards saves huge effort (disclaimer: my company supplies cards, but I'm in development). Note, that the token you show looks like a MIFARE-classic, which can be considered a common NFC token is no longer secure due to cryptographic weakness.

You may want to take a look to OSPT alliance page, to have some headstart, which would address at least access control and ticketing. Digital signing is a different and multi-faceted issue (any legal requirements to be fulfilled?) and it depends on your requirements in which direction to progress.

Answer 2

Expanding on @guidot's answer: any identifier you can read from a contactless card can also be read by an attacker and replicated using a different card. If your security needs are really low you can use world-readable identifiers like the card's UID, but knowing that there are cards there that with programmable UID.

It is probably easier to issue cards yourself. If you fully control the cards, you can deploy an application implementing a secure identifier.