Could Someone Clone Your Keycard and Walk Into Your Building?

Can keycards be cloned and used to access your building without anyone knowing? Yes, and it is easier than most business owners realize. Legacy RFID proximity cards, which are the most common type used in commercial buildings across Albuquerque and the rest of New Mexico, transmit an unencrypted signal that anyone with a cheap reader can copy in seconds. The person carrying the original card never feels a thing.

Wired NM has been installing access control systems for New Mexico businesses, schools, government agencies, and organizations for 21 years. We see this vulnerability in the field constantly. This post explains exactly how keycard cloning works, which systems are at risk, and what you can do to close the gap before someone walks through a door they should never have been able to open.

Yes, Keycards Can Be Cloned — and It Takes Less Than 10 Seconds

Yes, and the tools required are not hard to find. Basic RFID cloning devices are available online for less than $30, require no technical background to operate, and can copy most legacy proximity cards in under 10 seconds. According to security researchers, these devices can read card data from several feet away, meaning a bad actor does not even need to physically touch the card or the person carrying it.

The problem affects a large portion of commercial buildings. Industry estimates suggest that close to 80 percent of keycards used in commercial facilities rely on older, unencrypted RFID technology that is vulnerable to this type of attack. If your building uses the standard white or gray proximity cards that have been common for the past 30 years, there is a good chance your system falls into that category.

The Cloning Process Is Simpler Than You Think

Most legacy keycards use 125kHz low-frequency RFID technology. When you wave one of these cards near a reader, the card broadcasts a fixed identification number. The reader checks that number against an approved list and either unlocks the door or does not. There is no encryption involved. The card just shouts its number out loud whenever it gets close to anything that listens.

A cloning device works by pretending to be a reader. When someone gets close enough, the device captures the card's signal and saves that number. The attacker then writes that number onto a blank card. From that point forward, the blank card behaves identically to the original. It opens every door the original card opens. It shows up in the access log under the same employee name. And it does all of this without triggering any alert, because as far as the system is concerned, the right credential presented itself at the right door.

Here Is Why a Cloned Card Never Triggers an Alarm

This is where the real danger lives. A cloned card does not look like a break-in. There is no forced door, no broken window, no alarm. The access log simply shows that an authorized credential badged into a door at a particular time. If that employee was actually at home or out of the office when the entry occurred, the discrepancy might never get noticed.

In most organizations, nobody reviews access logs unless something obvious goes wrong. So a cloned card can give an attacker repeated access to a building, a server room, a storage area, or a secure office over days or weeks with no one the wiser. By the time anyone notices something is missing or compromised, the trail is cold and the entry records look completely normal.

Which Keycards Are Most Vulnerable?

Not all keycards carry the same risk. Understanding which type your building uses is the first step toward knowing how exposed you are.

• 125kHz proximity cards and fobs — the most common and most vulnerable type; no encryption, easy to clone in seconds
• Magnetic stripe cards — similar risk level; the stripe stores static data that basic skimmers can read and copy
• 13.56MHz smart cards — significantly more secure; these use encrypted communication that is much harder to intercept and clone
• Mobile credentials — the most secure option currently available; uses your smartphone with encrypted, dynamic authentication that changes with every use

According to security industry research on key fob cloning, most legacy fobs can be duplicated in under 10 seconds with no technical skill required. The upgrade path is straightforward, but it requires replacing the readers and credentials at your entry points, not just the software.

Your Building Could Already Be Compromised and You Would Never Know

Honestly, you probably would not. That is the most unsettling part of this vulnerability. A cloned card leaves no physical evidence. The access log shows a normal entry. No alarm fires. No camera catches someone forcing a door. The only way to detect it is to cross-reference access log times against employee schedules and look for entries that do not match up. Very few organizations do this regularly.

If you have former employees whose credentials were not immediately deactivated, vendors whose access was never removed, or a history of lost cards that were reported but never fully investigated, your building could have multiple active credentials out in the world that you do not control. Each one is a potential cloning target, and each one that gets cloned gives someone a silent key to your facility.

Six Steps to Close the Vulnerability Now

The good news is that the fix is real and available right now. Modern access control systems in Albuquerque have largely moved past the legacy proximity card vulnerabilities. Here is what a practical upgrade path looks like:

• Upgrade to encrypted smart card credentials — 13.56MHz cards with rolling encryption are dramatically harder to clone than legacy proximity cards
• Switch to mobile credentials — smartphone-based access uses dynamic encrypted tokens that change with every use, making cloning functionally impossible with current tools
• Add multi-factor authentication to sensitive areas — require a PIN or biometric scan in addition to a card for server rooms, executive offices, or high-value storage
• Audit access logs regularly — compare badge-in records against employee schedules monthly to catch unusual entries before they become patterns
• Enforce immediate offboarding — deactivate credentials the moment an employee or vendor relationship ends, not days or weeks later
• Report and replace lost cards immediately — a lost card that stays active is a vulnerability until someone deactivates it

What a Secure Modern Access Control System Actually Looks Like

Wired NM installs Salto and Verkada access control systems for businesses, schools, healthcare facilities, and government agencies across New Mexico. Both platforms use encrypted credentials that eliminate the 125kHz proximity card vulnerability. Both also operate through cloud dashboards that give administrators real-time visibility into who entered which door and when, from any device.

Verkada access control integrates directly with Verkada cameras, so a door event and the corresponding camera footage are linked automatically. If something unusual shows up in the access log, you can pull the footage for that door at that exact moment in seconds. Salto wireless locks are particularly useful for retrofitting older buildings, since they mount on existing doors without major wiring work and support both encrypted smart cards and mobile credentials.

Either platform gives you something legacy keycard systems simply cannot: real confidence that the person who badged into your building is actually the person the credential belongs to. That is the gap that keycard cloning exploits, and it is the gap that encrypted, modern access control closes.

Not Sure If Your Building Is at Risk?

If your facility uses standard proximity cards and you have never had an access control audit, there is a reasonable chance your system carries this vulnerability right now. Wired NM offers free commercial security assessments for businesses across Albuquerque and New Mexico. We will walk your building, review your current credential types, identify your exposure, and recommend a practical upgrade path that fits your budget and timeline.

You do not need to replace everything overnight. In many cases, the highest-risk doors can be addressed first while the rest of the system is upgraded in phases. Contact Wired NM today to schedule your free assessment and find out exactly where your building stands.