"Some of these cards have been around for 15 years and were developed when there was no awareness of the problem," Carroll said.

Asked why HID hasn't addressed the issue in more recent proximity card systems, after knowledge of RFID threats became common, Carroll said that doing so would cause "major upheaval" among customers.'

Inertia is a more likely cause, said Dan Kaminsky, director of penetration testing at IOActive.

"They didn't want to change to a more secure implementation because of backwards compatibility issues, and they had a lot of sites that use these cards, and HID has stuff to sell them," Kaminsky said.

Paget's hack was no feat of engineering wizardry, Kaminsky said. "It took a month -- and he wasn't even working on it full time."