Hey there… ok, so for the first problem, it may be an antenna coupling issue. I suggest checking out the xLED - www.dangerousthings.com/shop/xled to try to find out where/how you can best read an xNT with those readers.
To your second point… with the xNT based on the NTAG216, there are some ways to secure it better than UID alone, but it’s all kind of pointless because there is no way to actually secure it. I will explain… the NTAG family has a few features that are interesting:
First off, the datasheet is your friend, particularly section 8.8 onward.
ECC signature - you can issue a special command to the xNT that will report back an ECC signature that you can use with the UID to verify authenticity using NXP’s public key. This is pointless though because anyone can issue the command and get back the ECC signature just like they can get the UID.
PWD (password) - The NTAG 2xx family of tags support a password feature which is kinda cool. It is designed to protect tag contents. You have the option of setting a 4 byte password, a 2 byte PACK (password ack), then setting both an AUTH byte and a PROT bit in the config pages.
The AUTH byte is the memory page at which to start password protection. If you set it to 00 then the password protects the entire tag (except UID because that is reported upon the select command regardless). If you set it to, say, 10, then all memory contents from page 10 down (11, 12, 13, etc.) are protected with a password.
The PROT bit sets which kind of password protection those memory pages receive. You can set PROT to 0 (default) which offers write protection for protected memory blocks. Anyone can read them, but the session must be authenticated first (using the PWD_AUTH command) before they can be written to. If PROT is set to 1, then the protected memory blocks cannot even be read until the session is authenticated.
The Password ACK (PACK) is a 2 byte value which is used as part of the authentication process. When issuing the PWD_AUTH command, if the password provided is correct, the PACK is returned to the reader.
Now, the password settings are crap. They protect the tag contents with a minimum attack window… someone with prolonged access to the tag will be able to brute force that 4 byte password… how quickly they can do that depends on their gear, but it’s somewhat trivial to leave a machine running 24/7 to work at it. With a set of really sensitive gear that can process power side channel attacks, the time required is less. Still, all of this is not important if someone can get access to both the tag and the reader. Assuming the password option is used to protect your tag…
A) segmented attack - the attacker gets the UID and ECC signature from your tag, they approach the reader and emulate the UID, the reader attempts to authenticate and literally hands over the password. The attacker can then tell the reader the attempt was successful, but at this point the attacker doesn’t have the correct PACK (password acknowledgement) so here’s an opportunity for the reader to notice something is wrong… even if the attacker simply refuses to send back anything, or sends a failure code, the reader is expecting the PACK, so at this point an intelligent systems designer will record the whole event and trigger an alert of some kind to the admin. Woefully, most systems just ignore this type of failure and let the attacker go on undetected. So, now armed with the password, the attacker can go back to the tag and pretend to be the reader, authenticate, get the proper PACK, and get all the data on the tag. Now they can go back to the reader armed with the entire tag’s contents. You might raise the bar a slight bit by employing some kind of additional use of the read counter feature and/or updating the data on the protected memory blocks every time the tag is read, but ultimately it’s futile.
B) man in the middle / relay attack - An attacker or pair of attackers put an internet connected device at the reader and one at the tag and relay commands between tag and reader, recording everything during the interaction.
C) eavesdrop attack - An attacker installs a listening device at the reader and just watches all clear text data flow between tag and reader and simply replays it.
So, as you can see, there are steps you can take to secure some things with the xNT, but it is intrinsically not securable. If security is a top concern, we suggest you keep an eye on our VivoKey project.
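The reader-side PACK check that (A) says most systems skip, together with a decoder for the AUTH byte and PROT bit, as an added example that is not part of the original post. The function names are hypothetical, the byte offsets (AUTH0 in CFG0 byte 3, PROT in CFG1 byte 0 bit 7) follow the NTAG21x datasheet, and the reader's transceive layer is assumed to strip the CRC and return `None` on timeout.

```python
import hmac

NTAG216_LAST_PAGE = 0xE6  # last page of the NTAG216 memory map (PACK page)

def protection_summary(cfg0: bytes, cfg1: bytes) -> dict:
    """Decode AUTH0 (CFG0 byte 3) and the PROT bit (CFG1 byte 0, bit 7)."""
    if len(cfg0) != 4 or len(cfg1) != 4:
        raise ValueError("config pages are 4 bytes each")
    auth0, prot = cfg0[3], cfg1[0] >> 7
    if auth0 > NTAG216_LAST_PAGE:  # AUTH0 past the end: password not in use
        return {"enabled": False, "first_page": None, "mode": None}
    mode = "read+write" if prot else "write-only"
    return {"enabled": True, "first_page": auth0, "mode": mode}

def check_pwd_auth(uid: bytes, response, expected_pack: bytes, alerts: list) -> bool:
    """Accept only the exact 2-byte PACK; record every other outcome."""
    if response is None:
        reason = "no_response"        # tag went silent after seeing the PWD
    elif len(response) != 2:
        reason = "nak_or_malformed"   # failure code or wrong-length reply
    elif not hmac.compare_digest(bytes(response), expected_pack):
        reason = "pack_mismatch"      # replied, but does not know the PACK
    else:
        return True
    # The password has already gone over the air in clear text here, so log it
    # as a possible credential capture, not as a routine read error.
    alerts.append({"uid": uid.hex(), "reason": reason})
    return False

def demo() -> list:
    uid = bytes.fromhex("04a1b2c3d4e5f6")      # constructed UID
    pack = bytes.fromhex("beef")               # constructed PACK
    alerts = []
    check_pwd_auth(uid, pack, pack, alerts)                   # genuine tag
    check_pwd_auth(uid, None, pack, alerts)                   # silent emulator
    check_pwd_auth(uid, b"\x00", pack, alerts)                # failure code
    check_pwd_auth(uid, bytes.fromhex("0000"), pack, alerts)  # wrong PACK
    return alerts

if __name__ == "__main__":
    # Constructed config pages: AUTH0 = 0x10, PROT = 1
    print(protection_summary(bytes.fromhex("04000010"), bytes.fromhex("80050000")))
    print(demo())
```

Any alert from `check_pwd_auth` means the stored password should be treated as exposed for that UID.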