Card cloning in AP Cybersecurity

Card cloning is a physical attack in which an adversary copies the data from an authorized person's access card or badge onto a duplicate, letting them bypass badge access controls and enter a restricted space as if they were authorized.

Verified for the 2027 AP Cybersecurity examLast updated June 2026

What is card cloning?

Card cloning is when an attacker copies the data stored on someone's access card (the same kind of badge you tap to get through a secure door) and writes it onto a blank card. Now the attacker has a working duplicate. As far as the door reader is concerned, the cloned card is the real card.

This lands squarely in Topic 2.2: Physical Vulnerabilities and Attacks. Most badge systems use RFID or magnetic-stripe cards, and if those cards aren't encrypted or protected, an adversary standing close enough with a cheap reader can skim the card's signal and copy it. The attacker doesn't need to steal the physical badge or even talk to anyone. They just need to get near it. Once cloned, the fake card grants the same access the real one did, which means the attacker can walk into a restricted area and bypass the technical controls protecting the systems inside.

Why card cloning matters in AP Cybersecurity

Card cloning lives in Unit 2: Securing Spaces and supports learning objective AP Cybersecurity 2.2.A (identify common physical attacks) and AP Cybersecurity 2.2.B (explain how threats exploit physical vulnerabilities to cause loss, damage, or disruption). It's a clean example of the unit's core idea from EK 2.2.C.1: physical access lets an adversary bypass many technical and layered security controls. You can have firewalls and encryption all day, but if someone clones a badge and walks into the server room, those defenses don't matter. That's why this term matters for the whole "defense in depth" theme that runs through Unit 2.

Keep studying AP Cybersecurity Unit 2

How card cloning connects across the course

Badge access (Unit 2)

Card cloning is the attack that defeats badge access. Badge access is the control that says 'only people with a valid card get in,' and cloning fakes a valid card. Knowing one means knowing what the other is trying to stop.

Piggybacking (Unit 2)

Both get an attacker through a secure door, but the method differs. Piggybacking uses social engineering to trick a person into letting you in, while cloning copies a card so you let yourself in. Same goal, different vulnerability exploited.

Access control vestibule (Unit 2)

An access control vestibule (a mantrap with two doors) is a countermeasure that limits the payoff of a cloned card, since one valid scan lets only one person through at a time. It connects cloning to the design side of physical security.

Is card cloning on the AP Cybersecurity exam?

Expect card cloning as an answer choice on multiple-choice questions that describe a physical attack and ask you to name it. The pattern is consistent: a scenario describes how an adversary obtains access, and you match the description to the right term. For card cloning, look for language about copying, duplicating, or skimming a card or badge, not about tricking a person (that's piggybacking) or watching someone enter a code (that's shoulder surfing). No released FRQ has used this term verbatim, but it fits any prompt asking you to assess physical risks or recommend controls for restricted spaces under objectives 2.2.A through 2.2.C.

Card cloning vs piggybacking

Both attacks get an adversary through a secured door, so they're easy to mix up. Piggybacking relies on social engineering, meaning the attacker manipulates a real person into holding the door open. Card cloning relies on technology, meaning the attacker copies the card data itself and needs no help from anyone. If a person is being tricked, it's piggybacking; if a card is being copied, it's cloning.

Key things to remember about card cloning

  • Card cloning is a physical attack where an adversary copies an authorized person's access card onto a duplicate to gain entry.

  • It defeats badge access controls because the door reader can't tell the cloned card from the original.

  • On MCQs, the giveaway is language about copying, duplicating, or skimming a card, not tricking a person or watching a keypad.

  • Card cloning illustrates EK 2.2.C.1: physical access lets an attacker bypass technical security controls entirely.

  • Encrypting badge data and using access control vestibules are countermeasures that reduce the risk and payoff of a cloned card.

Frequently asked questions about card cloning

What is card cloning in AP Cybersecurity?

It's a physical attack from Topic 2.2 where an adversary copies the data on an access card or badge onto a duplicate, letting them bypass badge access and enter a restricted area as if they were authorized.

Is card cloning the same as piggybacking?

No. Piggybacking uses social engineering to trick a real person into letting the attacker in, while card cloning copies the card itself and needs no human help. If a person is manipulated, it's piggybacking; if a card is duplicated, it's cloning.

How is card cloning different from shoulder surfing?

Shoulder surfing is watching someone enter a PIN or code, like an attacker standing behind a user at an ATM. Card cloning copies the physical access card's data. One steals what you type, the other copies what you carry.

Why does card cloning matter if there are firewalls and encryption?

Because of EK 2.2.C.1: physical access bypasses many technical controls. Once an attacker clones a badge and walks into a server room, software defenses can't stop them from reaching the hardware directly.

How do you defend against card cloning?

Encrypt the data on badges so it can't be skimmed easily, pair card readers with a second factor like a PIN, and use access control vestibules so a single cloned card can't let multiple people through at once.

Keep studying AP Cybersecurity

Connect this key term to the AP exam workflow: review the course, practice questions, and check related study tools.