Posts Tagged ‘privacy’

UK Government HQAbstract: A UK government-backed report that explores certain security flaws in RFID / contactless technology.  Well worth a read is this…

Source: http://www.ico.gov.uk

“It will be the responsibility of RFID users to prevent any unauthorised access to personal information. One concern is a practice that has become known as “skimming”. Since a transponder’s signal can be picked up by any compatible reader, it is possible for RFID tags to be read by unauthorised readers, which could access personal information stored on them. Users can guard against skimming by using passwords. The EPCglobal Class 1 Generation 2 RFID specification enables the use of a password for accessing a tag’s memory. However, these are not immune to “hacking”.

Most RFID systems require a short distance between tag and reader, making it difficult for “rogue” readers to scan tags but this could nevertheless be done in a situation where people are naturally at close range, for example, on a crowded train. The nominal read range of some tags can also be extended by the use of more powerful readers. It is also possible to read part of a tag’s number by eavesdropping merely on a reader’s communication with a tag. Readers, with a much higher power output than tags, can be read at much greater distances.

While some RFID applications might not need communication between tag and reader to be encrypted, others that process personal and especially sensitive personal data will need an adequate level of encryption to safeguard the data being processed. In most cases “skimmers” would also need a way of accessing the external database containing the personal data, but in some cases inferences might be made about someone from information which in itself does not relate directly to him. If a person leaves a store having purchased items carrying RFID tags that have not been disabled, he carries with him a potential inventory of his possessions. This would enable someone with a suitable reader and knowledge of EPC references to discover what items he was carrying at a given time. Sensitive personal data about a person’s illness, for example, might be unknowingly revealed by him via the EPC referring to the medication in his pocket. An insufficiently secure RFID chip could also be “cloned”. By copying personal data stored on the RFID chip of an identification card, a person could for practical purposes steal the identity of the cardholder. If the information on the database (e.g., a fingerprint) is checked only against the information on the card, rather than directly against the person himself, a criminal would not need to access the information stored on the database.”

http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/radio_frequency_indentification_tech_guidance.pdf

For more information visit:  RFID Protect

Finally, if you’re in any doubt as to whether or not RFID skimming is a real threat, then perhaps watch the following video evidence.

Video evidence from the United States of America, claiming that RFID enabled devices are vulnerable to skimming, cloning and hacking.

Electronic Pickpocket – YouTube Video
(Approx. 4minutes – n.b: opens in a new window.)

Advertisements

http://www.skipassdefender.co.ukAs you travel to a resort which incorporates RFID in their lift passes, you may not know what information is stored on the RFID chip in your pass or how it is encrypted, nor what type of back office safety systems the resort has in place.

Already there are many instances of ski-passes (using contactless technology) being hacked, cloned and decrypted.  Aspen Ski Company integrated RFID technology into ski season passes in 2008-09.  Industry insiders have suggested that their RFID program will soon extend its reach so that ski passes can be used as credit / debit cards (i.e. store cards)  in any of its retail shops and restaurants.  The expanded use of RFID technologies, will no doubt assist Aspen Ski Company to profile its customers.

But what’s the option for those of us who want to ski the slopes, but not have our every movement – or transaction – tracked, hacked or profiled?

Companies like ID Stronghold in the States – the main supplier / wholesaler for SkiPass Defender – are well worth a visit.  Here in the UK, you might consider trying RFID Protect – particularly should you need a swift turnaround, excellent sales support and aftercare.

RFID Protect can supply 13.56MHz RFID enabled ID card / ski-pass holder designed to protect RFID enabled ID and door entry cards from being skimmed.  (To allow the card to be read you simply press the top of the holder to release the spring mechanism, which temporarily moves the card away from its protective shield.)