ID Safety 24 on 7

Why are RFID cards and tags dangerous and insecure?

1. Information stored on most RFID cards can be read by anyone with a cheap receiver. A security reseacher quotes on his website "it's quite practical to read someone's card without removing it from their wallet. A bit of deliberate clumsiness, a reader up my sleeve, and I would have little trouble cloning anyone's card." ( reference )

2. The activation range of standard RFID tags can be extended significantly. This results in the ability to attack RFID technologies at greater distances. Two college students were able to extend the range to 69 feet! ( reference )

3. RFID cards can be copied with minimal effort after being read by an attacker. ( research reference, video of an attack on the speedpass )

4. The encryption methods on most RFID cards are proprietary. They often rely on security through obscurity. Reseachers have already exploited this design flaw and broken a real world system. ( reference paper, video of how encryption was broken )

5. RFID technology can be used as a tracking mechanism. ( reference )

6. Several consumer privacy organizations have been concerned with insecurities and abuses of RFID technology. Some institutions have rolled back usage of RFID technology because of the above concerns. ( reference )

What are others saying about RFID insecurities?

1. There was a full day conference at MIT about RFID privacy concerns. (video here)

2. Tags can be read from a distance, not restricted to line of sight, by readers that can be incorporated invisibly into nearly any environment where human beings or items congregate. RFID readers have already been experimentally embedded into floor tiles, woven into carpeting and floor mats, hidden in doorways, and seamlessly incorporated into retail shelving and counters, making it virtually impossible for a consumer to know when or if he or she was being "scanned." (PrivacyRights.org)

3. "The thought that your travel documents could be broadcasting your nationality to those with an interest in harming U.S. citizens is bad enough," said ACTE President Greeley Koch. "But it could also be pinpointing likely targets for pickpockets, thieves, and even providing information to steal.” (Association of Corporate Travel Executives)

4. The Coalition urges the State Department to heed the concerns and advice of privacy and security experts from the U.S. and around the world. Current barcode technology represents a superior and tested alternative to RFID use. Moreover, there are other “contact” technologies that would prevent the broadcasting of Americans’ identities to those who would do them harm. (Business Travel Coalition)

5. "Spychips make Orwell's Big Brother seem relatively harmless." In "Spychips," Albrecht and McIntyre prove that the RFID industry's claims that their tags would not be used to track people are total lies. They do so by excerpting patent applications made by the some of the biggest proponents of RFID: transnational corporations such as IBM (patent application # 20020165758 -- IDENTIFICATION AND TRACKING OF PERSONS USING RFID-TAGGED ITEMS), Procter & Gamble (patent application #20020161651 -- SYSTEMS AND METHODS FOR TRACKING CONSUMERS IN A STORE ENVIRONMENT) and Philips Electronics (patent application # 6,611,206 -- AUTOMATIC SYSTEM FOR MONITORING INDEPENDENT PERSONS REQUIRING OCCASIONAL ASSISTANCE). (Spychips.com)