KEN KIRSCHENBAUM, ESQ
ALARM - SECURITY INDUSTRY LEGAL EMAIL NEWSLETTER / THE ALARM EXCHANGE
You can read all of our articles on our website. Having trouble getting our emails?  Change your spam controls and whitelist ken@kirschenbaumesq.com 

****************************** 

Keyfobs easily compromised / ISC meetings / request for emails
September 12,  2024
*********************
Keyfobs easily compromised 
**********************
Ken:
        Your readers may not be aware of that if they are selling and installing systems that utilize standard keyfobs that the system can be easily compromised.  A company called Keyme offers duplication of just about any RFID card at self service kiosks or through the mail. (See: https://key.me/rfid).   This "service" brings the level of sophistication to bypass any system using standard ID cards to near zero!
           The other options are mobile smartphone credentials, or muti-factor authorization with some type of bimetrics, not a keypad since a passcode could also be easily shared. 
According to John LaFond of Sicunet, the Desfire/Mifare EV2 & EV3 series of encrypted credentials have not been cloned yet.
          It was a dirty little secret that the cards could be copied with the right equipment, but this company is putting the vending machines in Home Depots and 7-11s. 
This has actually been around for a while. I had not seen it in stores until recently.
 https://www.cbsnews.com/news/keyme-kiosks-cbs-news-radio-investigation-key-copying-kiosks-security-threat/
       If you look at their website they openly say they will copy the credentials no questions asked.  If a key or credential is marked "Do Not Duplicate" they say they have no responsibility to not duplicate the item.  I find it hard to reconcile that these guys operate a locksmith service and see no conflict on their part.
From your point of view what is the liability of a company that knowing installs a systems that can be defeated so easily.  What’s worse is that if someone was able to duplicate another person’s key-card and used it to access their office it is going at least initially the evidence is going to point to the wrong person.
  Mark S. Fischer
Systems Support Specialists
mfischer@systemssupportspecialists.com
516-384-6064
************************
Response
************************
          Thanks for raising this issue.
          Security companies that believe the recommended system can be easily compromised should disclose that vulnerability to the customer; this can be done in the Schedule of Equipment and Services and should be done in the Disclaimer Notice.  I don’t know if there is work-around this issue but if there is then it should be offered to the customer.  While every security system is subject to compromise I suppose it’s easier with some systems than others and this needs to be disclosed so customers can make informed decisions.  Giving the customer the opportunity to make informed decisions is a layman’s way of describing the legal issues raised.  First of all, you as the security expert will be disclosing to your customer what you know or believe regarding the intended system to be installed.  Next, by placing the customer in the position of having to make a decision based on well-informed information you are effectively shifting the risk of loss to the customer.  If customer is OK accepting the system with the risks you have told them about then it’s the customer’s responsibility, especially when using the Standard Form Agreements which clearly shifts risk to the customer.
          It would make sense to have some alternative to recommend for the customer’s consideration, but certainly do not suggest that whatever you are recommending cannot be compromised, which would contradict many of the provisions in your Contract with the customer.
*****************************

Help this forum grow
********************
          This forum is, I believe, the largest distribution in the security and fire alarm, low voltage and electronic integration industries, and certainly the most read on a daily basis. 
          First, let me assure you that the K&K email list is used exclusively for distribution of the articles, which is distributed by two separate bulk mailing services, as many of you know because you get both emails daily.  Emails are sent every day to the alarm industry; there is no charge for the articles.  The classified section, The Alarm Exchange, which is also free, is updated daily as needed, and I believe it’s the largest and most active classifieds in the industry, visited by the most in the industry. K&K does not sell or share the email list with anyone, for any reason.  We retain only emails, no names or other information. It’s free; you can subscribe all the addresses you want and you can always unsubscribe, though you won’t be able to re-subscribe that address.  So your email is secure.
          Now here’s the ask.
          I’d like to make the forum even more available by increasing the distribution, so here’s the “ask” and sweetener added in:
          Send me emails of those in this industry, one email on each line, and we will add them to the list.  Whether it’s your association list, for vendors to the industry your alarm dealer list, employee list, central station list, send it to me pasted on your email or as WORD or XL attachment.  [this is not request for alarm customers list - the forum isn't for alarm customers]
          K&K will give you $100 credit against K&K contracts or Concierge Program for every 100 emails.  You can use the credit yourself or if an association raffle it off or use it for promotional purposes.  We will honor the credit to your “assignee”.  Thanks in advance for your efforts and assistance.
***************************

ISC East - private meeting
*************************
       I'm considering going to ISC EAST if there is sufficient interest in private meetings during the day.  If you're interested in a private [yes, it's free] meeting please contact Stacy Spector,Esq at 516 747 6700 x 304 or SSpector@Kirschenbaumesq.com. Concierge Clients will have priority.  Thanks.
********************

K&K Holiday Party - Save the date:  December 12, 2024
********************
STANDARD FORMS  Alarm /  Security / Fire and related Agreements
 click here: www.alarmcontracts.com
***************************

CONCIERGE LAWYER SERVICE PROGRAM FOR THE ALARM INDUSTRY You can check out the program and sign up here: https://www.kirschenbaumesq.com/page/concierge or contact our Program Coordinator Stacy Spector, Esq at 516 747 6700 x 304.
***********************
ALARM ARTICLES:  You can always read our Articles on our website at ww.kirschenbaumesq.com/page/alarm-articles  updated daily             
********************
THE ALARM EXCHANGE - the alarm industries leading classified and business exchange - updated daily
*************************
Wondering how much your alarm company is worth?  
Click here:  https://www.kirschenbaumesq.com/page/what-is-my-alarm-company-worth
******************************
Getting on our Email List / Email Articles archived: 
    Many of you are forwarding these emails to friends or asking that others be added to the list.  Sign up for our daily newsletter here: Sign Up.  You can read articles and order alarm contracts on our web site www.alarmcontracts.com
**************************

Ken Kirschenbaum,Esq
Kirschenbaum & Kirschenbaum PC
Attorneys at Law
200 Garden City Plaza
Garden City, NY 11530
516 747 6700 x 301
ken@kirschenbaumesq.com
www.KirschenbaumEsq.com