Monday, May 05, 2008

Just Say No To RFID

Red Tory is already on the case of the sinister incursion of RFID chip technology into our lives. I recently received chipped replacement cards for my two Visa accounts and I am none too pleased. The ever-reliable boingboing is on the case.

These devious little people-tracking devices are being shipped out with the notion that they are increasing both your security and your convenience. Of course, the security of something that is passively broadcasting your data is instantly suspect and, as the video above shows, that fabulous security is a lie. The hacking has begun, as two Tel Aviv engineering students showed in a paper published a couple of years ago.

Two electrical engineering students from Tel Aviv University have written a paper to be presented at Usenix called "How to Build a Low-Cost, Extended-Range RFID Skimmer." It does pretty much what it says on the tin: shows you how shockingly insecure the RFIDs in your office key-fob, subway-card, car-key, etc all are -- easy to "skim," clone, and walk away with. The two achieve skims at more than 25cm, and note that they are "halfway to a full-blown relay attack."

I'll be visiting my bank this week to have a little talk about opting out of their identity theft invitational card program and client tracking system. I'll let you know what the drones have to say. In the meantime, here's yet another useful boingboing article to peruse.


Via the fabulous Sheena in comments: Corporate Ass and Spychips, the culprits.


A New York Times technical report detailing the vulnerabilities of these helpful little scam chips.


Sheena said...

Hey Corporate America - Quit Looking at My Ass!

Cameron Campbell said...

Just got back from Euroland where my unchipped card caused much confusion and dismay.

Are there different kinds of cards and are all of them RFID?

Ti-Guy said...

Get with the program, you communists. The new economy works like this:

1. Roll out a technological innovation before anyone really knows whether they need it or not or as a result of propagandising that manufactures a need, which includes the need to be fashionable, marketed as "choice" and "individualism."

2. Wait until widespread adoption to notice a significant downside or failing in the technology.

3. Roll out more technology to address that issue which makes the previous technology obsolete/unusable. Shove more gadgets into landfills or into packed garages and basements and start planning the weekly yard sales.

4. In the ensuing frenzy of research-driven consumption and consumption-driven research, notice that everyone is distracted about whether any of this is of any real use and forget who's really benefiting. Try not to notice how garish and ugly consumer products, especially cultural ones, have become.

I'm moving one level up and looking into how to automate this whole thing to remove the middleman, the consumer, altogether. I'm not going to get any corporate-funded research grants for that obviously, but I'm hoping to get a state-funded grant before Harpie bankrupts the state and makes it impossible to get those.

Gordo said...

Just wait until the Dicks in Ottawa decide that we have to have RFID chips in our passports like the Yanks. My "favourite" bit about these things is how you can just scan a bunch of mail and pick up/clone any that you come across. Including US passports.

E in MD said...

Yay! Now a pickpocket doesn't have to go through all the trouble of picking my pocket to make off with my credit card!

I'm glad we finally made it easier on those poor guys.

liberal supporter said...

I think the Europeans are using a smart chip (not an RFID chip) and you have to enter a pin number.

Not only does the card have to be inserted in the smart reader, it must stay in the reader until the transaction completes from the processor. Supposedly this system is already broken, but someone would have to get your card in their physical possession. No worse than the waiter who skims your card swipe in their portable reader, and probably harder to scam.

If implemented properly, the reader would have to be compromised in order to get your pin number. The chip on the card should be doing an encryption step so the card info would not be compromised without resorting to an electron microscope.

Frank Frink said...

Gordo, BC is introducing them in new ('Enhanced') driver's licenses aimed at border crossing fast-tracking - emphasis on the tracking.

liberal supporter said...

You need an RFID Blocking Wallet!

If you have more than one RFID card, stack them together and they are harder to read.

For maximum security, put your RFID cards under your tin foil hat!!! Yes, aluminum foil blocks them!

Lindsay Stewart said...

Aluminum actually makes them more difficult to read but isn't a total block. Basically what you need is a Faraday enclosure.

"If implemented properly, the reader would have to be compromised in order to get your pin number. The chip on the card should be doing an encryption step so the card info would not be compromised without resorting to an electron microscope."

The reader doesn't need to be compromised, as the PIN protection is only at point of sale transactions. The skimmer gets your name, card type and number and expiry date. The skimmer then simply takes their business online where there is no PIN requirement or over the phone, same deal there. As for encryption, the decryption now takes place at the point of sale rather than over the wires at head office/secure server. All in all a disaster for privacy and security.

liberal supporter said...

Do you have a technical reference for this? I thought the chip and pin system goes back to the card processor.

Lindsay Stewart said...

Liberal Supporter, I'm trying to backtrack and find citations as I scanned a lot of articles this morning. I may have misspoken saying the decryption took place at point of sale, when in fact the following link and also the New York Times link in the post seem to indicate that there is no encryption to decrypt.