The state of access control security in public buildings (EU) 2026

To those concerned,

I have a short story to share, which began in 2020 when I was still at a university in Denmark.

There I noticed the applicable ACS system to rely on “Mifare Classic 1K” cards, publicly known to have a weak and cracked encryption for several years prior. To make matters worse, it only relied (and still does to this day) on reading the UID. So if you swipe a card and read its unencrypted UID, you can gain the same access as the original card by replicating the UID on a new and separate card. This was raised with the relevant administrative employees, who did not believe this to be any issue.

Then in 2021 I was at a Danish foreign service location, which featured the exact same issue. Only relying on UID readings of an unsafe card. This was raised with relevant employees and dismissed as a non-issue in practice.

In 2022 I began working at a Danish authority, which let me visit a host of other public authority locations (Ministries, Authorities, Parliament, Airports, Defence Command and almost any imaginable public building), where the same problem applied. This was again raised at several instances with relevant employees and dismissed just the same. Since then some buildings have improved their security, namely parliament and select ministries, while most authorities, municipalities and others only have upgraded their ACS system to finally read other sectors of the card and not only the UID - an improvement, alas a futile one.

At the beginning of the year I directly and formally decided to report it to the security services, which have since been working tirelessly at trying to keep this from the public (big mistake). Public buildings constructed or retrofitted in 2025 still received crackable ACS relying on “Mifare Classic 1K”.

Most of the senior public servants in the government and ministers from the prior Danish government know of this issue and have decided to rather persecute me (wasting literal millions of taxpayer money) instead of simply fixing it and improving security in an adequate manner.

To my knowledge there are also public buildings in the UK, Sweden and other EU countries that feature the same lax security standards.

As a little sweetener for this tip of the iceberg - the “safe rooms” employed at US and UK embassies worldwide, employed for safe telecommunication, failed to detect implanted microchips, despite claims of “proactive surveillance”. They were definitely not happy about that.

AMA! If you have any questions.

Wait until you find out how common LF credentials still are in the US. :sob:

3 Likes

In all likelihood, it’s not one of the countries I will ever visit again - but yes, it’s only quite the problem if the same people who want to fight for “security” willfully neglect some of the most publicly known and accessible issues at hand (pun intended), for taxpayer-funded institutions.

1 Like

Cheers for sharing

certainly interesting

I’m not quite sure what you mean / expecting?

  1. How would you suggest they find implants?
  2. What would be the realistic threat if they did?

1 Like

If most access control systems worldwide use NFC, they should all be using UID. But I don’t understand why they are unwilling to switch to more secure NFC cards—NTAG424 and DESFIRE are both very secure. Is it a cost issue, or something else?

They claimed to do active EM-spectrum surveillance and I myself had no expectation of any findings, due to the short-range nature of the applicable frequencies and implants.

However, this all further ties together with more political stuff, which I will not share here due to its real sensitivity. The fun fact is merely a testament to the sheer stupidity and incompetence one must expect from the State Department.

As to realistic threats, I think the big fear would be small implanted batteries / microphones - while technically feasible, highly improbable and impractical.

1 Like

I’ve asked myself that question a lot of times, but seeing how much money they rather wasted on covering it up, my guess is, some services like having the backdoors to government facilities.

For example, my airport SIDA badge… (allegedly, I would never actually scan/duplicate a TSA security badge… :face_with_peeking_eye: )

4 Likes