RFID madness

So Mifare Classic is broken beyond repair. But there are still tens of thousands of installations out there that use it, and not a few of them for real security purposes, like protecting access to a datacenter. So what do you do as a responsible company? Update the readers and issue new RFID tokens with real crypto to your customers? Wrong.

This is what customers of a major european data center found in their mail today:


The white thing on the left is an access card containing broken Mifare crypto. You are supposed to insert that card into the shiny new RFID “skimming protector”. Essentially, it is a plastic card holder with a spring-loaded hinge and a card-sized piece of sheet metal. If you want to use the card, you click it open, so the RFID card angles away from the metal. In your pocket, the hinge is closed, so the metal sits close to the RFID antenna and de-tunes it, and the card can not be read. The device unfortunately came without any hints or marks on who is making it, so I can't point you to a manufacturer.

I must say it is an ingenious way to solve a software problem (bad crypto) with hardware. But it still feels very much wrong.