From a security standpoint, RFID tags are the scariest thing I have come across in a long time.
First I must explain. To begin, RFID (radio frequency identification) was initially developed and implemented as a tool for inventory control. It works like this: the RFID tag is a kind of chip with information stored on it. For example, it can be located in a plastic tag, which is then clipped to a shirt at a clothing store. When inventory time comes along, an employee takes that shirt and waves it in front of a station that acts as a receiver and transmits the radio frequency required to activate the RFID tag. Once the RFID tag in the shirt comes within range of the signal, the tag responds by transmitting its data back on the same radio frequency. Somewhere a computer records the data about what kind of shirt it was, what manufacturer produced it and so on.
The benefits of RFID technology are huge. Unlike a scanner, the RFID tag does not have to be oriented a specific way or be particularly close to the transmitter that activates it. The transmitter broadcasts the signal all the time, so it is just waiting for your RFID tag to come along. Transmitters are able to activate an RFID tag from 10+ meters away, through a wallet or clothing, and unless the RFID tag is in some kind of protective cover, it will send its data back. The RFID tag is small, and so can be added to a card that fits into your wallet, or sewn into a piece of clothing. Another benefit is that the RFID tag itself does not need to be connected to a power source to operate. All of these benefits (and more) meant that this technology became popular very quickly, and its use and applications have grown faster than anyone could have anticipated.
The result is that RFID technology is being applied to uses for which it was never intended. In terms of securely transmitting data, RFID technology is fundamentally flawed. And because this technology was NEVER designed to be used this way, forcing it through is quite simply setting us up for major identity theft problems.
The problem is this: there is nothing special about the transmitter and the receiver that prompts the RFID tag to send its data. It is radio equipment. And the RFID tag does not have the ability to authenticate the credentials of a transmitter before sending its data. If the RFID tag is activated, it WILL send its data. Period. That means that if you want to collect the data, all you need is a transmitter tuned to the correct radio frequency to activate the RFID tag and a mechanism to capture and store the data it sends you. The equipment you need to do this is not particularly specialized, and completing purchases on the internet would allow the average person to obtain it without a radio license. Currently, an $8.00 purchase on eBay will buy you the equipment required to clone and re-transmit the RFID tag of a credit card. It is that easy and accessible. For well under $250.00 you can purchase a complete setup that would allow you to clone and transmit most RFID tags for credit cards, passports and drivers' licenses for whatever use you like.
Ok, so it has been proven again and again and again just how easy it is to capture (hijack) the data stored on RFID tags. People have made presentations and said, "It is simply NOT safe to transmit data this way". And the response is, "Well, if they steal the data it's ok, because the data is encrypted".
Please.
First of all, a lot of vendors and companies currently using RFID technology do not bother encrypting the data that is transmitted. Scary thought, isn't it?
Second, the encryption has been cracked, documented, and is readily available on the internet. That means that with a little effort you can un-encrypt the data you collect.
Third, and most importantly, the person stealing the data does not have to un-encrypt it to be able to use it.
Another example: Joe Schmoe hangs out at his local neighborhood coffee shop all day working on his laptop computer. He has all the equipment needed to activate RFID tags and store the data, and it is hidden on his person or in his laptop bag. He captures the credit card data of individuals throughout the day. He then loads that data onto his PDA, which is set up to transmit the data, and now he can go buy gas, or coffee, or merchandise at any vendor that accepts cards with RFID tags in them. If the transaction is under $25.00, Joe will not be asked to show the card or ID. And if it is over $25.00, the chances are pretty good the salesperson still won't check. Joe Schmoe does not have to know that Jane Doe came in to buy coffee that day, and had a Visa with an RFID tag in it, or her credit card number. All he has to be able to do is to transmit her data the same way the RFID tag in her Visa card did.
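The point that stored data can be reused without ever being decrypted can be shown with a small simulation. This is an added example, not part of the original post; the key, the record, both tag classes and the terminal checks are constructed for illustration, the fixed blob merely stands in for "encrypted" tag data, and the challenge-response tag is a hypothetical hardened design for contrast.

```python
import hashlib
import hmac
import secrets

# Constructed sample values; nothing here models a real card or protocol.
ISSUER_KEY = secrets.token_bytes(32)
CARD_RECORD = b"constructed-account-record-0001"

def static_blob(record: bytes) -> bytes:
    """Opaque fixed blob standing in for 'encrypted' data stored on a tag."""
    return hashlib.sha256(ISSUER_KEY + record).digest()

class StaticTag:
    """Answers every activation with the same bytes, as the article describes."""
    def __init__(self, record: bytes):
        self._blob = static_blob(record)

    def respond(self, challenge: bytes = b"") -> bytes:
        return self._blob  # the challenge is ignored

class ChallengeResponseTag:
    """Hypothetical hardened tag: the answer depends on a fresh reader nonce."""
    def __init__(self, record: bytes):
        self._key = hmac.new(ISSUER_KEY, record, hashlib.sha256).digest()

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

def terminal_accepts_static(response: bytes) -> bool:
    return hmac.compare_digest(response, static_blob(CARD_RECORD))

def terminal_accepts_dynamic(challenge: bytes, response: bytes) -> bool:
    key = hmac.new(ISSUER_KEY, CARD_RECORD, hashlib.sha256).digest()
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(response, expected)

def replay_outcomes() -> tuple[bool, bool]:
    """Record one response from each tag, then present it in a later session."""
    recorded_static = StaticTag(CARD_RECORD).respond()
    old_nonce = secrets.token_bytes(16)
    recorded_dynamic = ChallengeResponseTag(CARD_RECORD).respond(old_nonce)
    new_nonce = secrets.token_bytes(16)  # terminal picks a fresh nonce each time
    # The recorded bytes are presented as-is; the key is never needed.
    return (terminal_accepts_static(recorded_static),
            terminal_accepts_dynamic(new_nonce, recorded_dynamic))
```

The static blob is accepted on replay even though it was never decrypted, while the recorded challenge-response answer fails because it is bound to a nonce the terminal no longer uses.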
Even though security experts have pointed out all of these issues, they have been ignored and the popularity of RFID tags continues to spread. They have been incorporated into passports and some states have added them to drivers' licenses. While using RFID tags along with photo identification is more complicated and requires a physical document in addition to the tag, we already know there are sophisticated forgers out there that can produce very convincing passports and drivers' licenses.
Do you begin to understand why I am extremely concerned about the increasingly widespread use of this technology?
In the past year we have seen the stock market plummet the most it has since the Great Depression. Unemployment is at the highest levels in 25 years. Credit Suisse is predicting that the credit crisis will directly result in the foreclosure of 8 million homes, and it is generally accepted as a conservative number. Basically, there are suddenly a lot more desperate people out there, and stealing this data is seductively easy. The stakes are huge. The perception that RFID data is secure makes people complacent, so if you steal it, and use it, you are less likely to be caught. People are less likely to look closely at the picture on your passport or drivers' license. They are less likely to confirm the signature on a receipt or ask for photo ID on a credit/debit transaction.
This is a serious risk. Back in February someone spent less than $500 on eBay to buy the equipment, set everything up, and then went on a 20 minute drive through downtown San Francisco. In those 20 minutes he collected and copied the RFID tag passport data from two people. Imagine how much data he could collect if he loitered around the ticket counter of the airport, which is not a secured area. Or what if he just sat in his car in the airport parking garage?
So what can you do to protect yourself? Fortunately, you do have a choice as to whether or not your credit/debit card has an RFID tag. Do not allow a bank to issue you one. When Washington Mutual sent me a replacement debit card with an RFID tag, I refused to activate it, and went to the bank and requested one without the RFID. I was able to obtain one with minimal hassle. I hate to say it, but with your passport or drivers' license you might have little choice if the technology has already been implemented. In situations where you can't avoid carrying an RFID tag, there are holders, sleeves, wallets, and purses available made out of fabric that prevents the radio signal from reaching and activating the RFID tag. Unfortunately, as soon as you take the RFID document out of the protective cover you are at risk, since one second is all someone needs to steal the data, but the chances that the person will be on hot standby to steal your data during the limited amount of time you have it out are reduced. Finally, if you hear of a push in your area to incorporate RFID technology, fight it. Inform your friends and contact your legislators. In California, the proposal to implement RFID technology into their drivers' licenses was defeated by a narrow margin, but it WAS defeated.
While I am not one to take an alarmist view, these are serious risks to consider. Right now at least 45 countries are using RFID technology in their passports. Four states are in various stages of deployment for their drivers' licenses. Unless public awareness grows, and we begin to see what a risk it truly is and take measures to force the use of better technology, the use of RFID tags will expand to more areas of our daily lives. Some of the potential uses would make you lose sleep at night.
More generally, RFID technology is a very good illustration of how something might be cool, and can be used in many different ways, but that doesn't mean that it SHOULD be. Since technology is moving at a faster and faster pace, it is becoming increasingly important to consider the consequences of using technology for a use other than what it was initially developed for.
If you are interested in learning more about RFID and other technologies that put our information at risk, visit Fix Hack, LLC.