Hacking a physical access control system

We had the pleasure of auditing a physical access control system based on NFC cards. While NFC authentication technology was up to date and secure we discovered important misconfigurations and insecure protocols which allowed to us to get free chocolate bars, open any door at will and possibly charge money on our card for free.