The growth of the now billion-dollar RFID business is prompting industry experts, from consumer advocates to company figures specializing in RFID protection, to question whether the technology can ever be made adequately secure.
Walt Augustinowicz, CEO of the RFID-protection company Identity Stronghold, distills concerns over Radio Frequency Identification to a simple tradeoff. Many retailers, he points out, are willing to exchange the security of your data for the convenience of RFID asset tracking and point-of-sale simplicity.
“RFID chips are basically tiny two-way radios that are so small they can fit inside a credit card, an article of clothing, the inside of a shampoo bottle cap, etc.,” he explains. The chip, essentially a transponder, carries identifying data and can be queried and read, or “sniffed,” at a distance. RFID technology is now in use in credit cards, ATM cards, “enhanced” driver’s licenses, highway toll networks, and inventory tracking systems.
“Wireless credit cards do seem to speed up paying for merchandise and eliminate magnetic stripe problems,” says Augustinowicz. “[RFID] also makes inventory tracking extremely easy, when you can simply turn on a scanner in your warehouse and have it instantly tell you if item XYZ is in stock. There are just endless possibilities for its use… if you are not worried about security.”
Katherine Albrecht, co-author of the book “Spychips: How Major Corporations and Government Plan to Track Your Every Move,” believes speeding up transactions at the point of sale is a powerful inducement for retailers to introduce RFID technology in their stores.
“The reason you’re starting to see [RFID tags show up in credit and ATM cards] is that the industry itself did some studies and found that people spend more when they actually don’t have to handle their credit card. The act of looking at your credit card, and the act of then having to get out a pen and sign for [the purchase], creates many decision points at which a consumer could decide not to make the purchase.”
Albrecht describes her consumer organization, Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN), as a “pressure group.” She encourages consumers to boycott RFID technology altogether.
“Obviously,” she says, “it’s a lot easier to protect against a threat that you’re not carrying in the first place than to try to remedy something after the fact. I recommend that people simply not ever carry or have any devices with RFID in them. There are ways, for most things, that we can actually live that way.”
Albrecht and CASPIAN identify three categories of RFID threats. The first is what she describes as unscrupulous retailers, who use RFID and programs like frequent-shopper cards to amass personal data about you and your purchases in order to more effectively target you for future sales and marketing efforts. The second category, a threat simply ignored by many commercial and government entities introducing RFID technology, is hackers.
“If the protocol used by the RFID tag is poorly designed, then the attacker might be able to thereby do something bad,” explains Jonathan Westhues, a widely known electronics, software, and security expert who has done considerable work exposing the vulnerabilities of RFID technology. “The same kinds of cryptographic techniques that make credit card transactions secure on the Internet can be used to prevent these attacks, but in many cases, the designers of the systems didn’t bother.”
Westhues has developed a battery-powered device capable of reading and reproducing the data on a VeriChip implant, a human-implantable RFID chip. The company that makes the VeriChip announced earlier this month that it will be providing its VeriChips to the Israeli Defense Force, raising serious questions regarding the implications of government-issued, RFID-equipped credentials.
“The big threat that we face right now as citizens is an ‘enhanced’ driver’s license,” Katherine Albrecht insists. She points out that the third threat category identified by CASPIAN is government. While no states currently mandate an RFID-equipped driver’s license or non-driver ID card, those that offer one are using the ID as a de facto passport.
“What they didn’t tell you is that they do that by adding remotely readable RFID into your driver’s license,” Albrecht says – and that RFID chip is among the least secure in the industry, readable even “by the underwear shelf at Wal-Mart.”
“The industry will tell you that the card has a unique ID number, not your name,” Albrecht points out. “But all you have to do is be around that person once to ‘sniff’ that number and know [who that number represents].”
What’s worse, using RFID in government identification like passports could make it possible to target American citizens for terrorist attack. “We’re making it possible,” says Albrecht, “for Americans traveling in foreign countries, where America’s not very popular, [to be] singled out and identified in crowds.” A bomb equipped with an RFID reader could lie in place undetected for years, Albrecht asserts, before detonating in proximity to a specific ID signature.
Citizens concerned about these vulnerabilities, not to mention many government agencies whose employees carry RFID credentials, have turned to everything from aluminum-foil-lined duct tape wallets to specially manufactured products, such as the RFID-blocking wallets and card sleeves produced by Walt Augustinowicz’ ID Stronghold. While these products work well, the problem, Augustinowicz explains, is that the RFID industry itself simply cannot keep up with the technology’s potential exploits.
“We have never been ahead,” he says. “As new products are developed, we are woefully falling behind. Many attack angles have not even been thought of by those creating the [RFID] devices.”
The only solution may be simply to stop using RFID technology altogether.
“With the exception of inventory tracking,” Augustinowicz says, “I haven’t seen any use where the benefits outweigh the risks.”
Katherine Albrecht echoes this assertion. “There is zero benefit, none, zero benefit whatsoever, to having RFID in your credit card or your ATM card, and there’s actually a huge amount of threat that it can be remotely sniffed, that it can be used to essentially commit fraud and spend money out of your account.”