Is RFID Really That Scary?

tcd004 writes "Defcon participant Chris Paget demonstrated his ability to capture RFID data from people hundreds of feet away for the PBS NewsHour. Paget went through the regular laundry list of security concerns over RFID: people can be tracked, their information accessed, their identities comprimised. Not so fast, says Mark Roberti of RFID Journal. Mark challenges Paget to point to a single instance where RFID was successfully used for nefarious purposes. The signals are too weak and the data is too obscure, according to Roberti. So who is right? Has RFID yet lead to a single instance of identity theft, illegal monitoring, or other security compromise?"

Re:Yes and no

[CyberLord Seven]

It seems to me you are assuming that the RFID is the only method being used to track someone. I don't track people but it seems trivial to me that a device that identifies a single person out of a mob would be extremely useful.

Instead of setting my head on a swivel and looking around suspiciously I need only keep my gaze directed at my open book (hiding my tracking device) while I walk around keeping track of my subject.

Yes, alone, the device is useless; however, people in the business might find plenty of uses for it that you and I cannot imagine.

Re:Not really.

[oodaloop]

I've got one. I put my RFID badge in it, and it still scanned at the same distance I always hold it in the same time (1 to 2 seconds). I've half a mind to line it with aluminum foil.

If only the chips worked!

[cruachan]

I am extremely skeptical of the current generation of RFID tags when used in practice out there in the wild.

About three years back I set up software to support a recycling scheme, whereby every household in a community (ca 10,000) were given a couple of plastic boxes in which to place recycled goods. The boxes where chipped *and* barcoded, and there were scales on the collection lorry to weigh the box and automatically scan the rfid chip at the same time, thus collecting usage data.

Three years on it turns out that the one thing we were not expecting - the rfid chips not to be reliable - has proven a major issue. The failure rate is not high, but we consistently have a score or more boxes needing replacing every month, which is a far higher rate than we were lead to expect. We did think it might be the manufacturer, but we've talked to several people doing similar things now and everyone has similar stories - the chips do fail.

Perversely - the barcodes, which we sealed in transparent plastic but didn't expect to last (hence going with rfid tags as major impact) have given us less than a dozen damaged to the point we can't scan them in the whole three years.

Re:Here's a better Defcon RFID story...

[Anonymous Coward]

The Wall of Sheep (wallofsheep.com) at defcon did it (minus the camera) a the year after that and even had a warning near it... but then a subpoena got the hard-drives removed from the machine and wiped.... They (WoS) got free RFID wallets/card holders for their troubles though from a vendor who sold them like hotcakes (again)....

Re:Yes and no

[rwa2]

DC metro turnstiles went smartcard + RFID a few years back. It's actually pretty nice to be able to open the gates by sidling up to the sensor while your arms are full.

All the same, I keep a traditional disposable magstripe card that I bought with cash in my wallet, in case I need to go somewhere without being tracked. Haven't really used it yet other than for guests, but I'm sure someday I'll be trying to dispose of a body and I'll curse it for not being able to use the ass trick.

Re:Portable RFID chip Killer

[camperslo]

Actually I think you'll need to put that coil in series with the flash.
IIRC, an inverter charges a capacitor up to a few hundred volts D.C. across the flash which doesn't conduct until it is triggered by a brief higher-voltage pulse from a transformer. That pulse causes the gas to ionize (conduct). If the coil were across the flash, the cap would be shorted and couldn't build up a big charge to release in one high-energy burst. Maybe flash designs have changed, but that's how they've worked in the past.

Re:Yes and no

[MozeeToby]

You actually have to pull your card through a magnetic strip skimmer in order for it to work and even a cursory glance can generally spot them. An RFID skimmer on the other hand can be out of sight, even inside the actual reader itself if there is enough room.

Answer is YES

[GameboyRMH]

RFID-enabled credit cards broadcast all the data on the front of the card in plaintext when energized. So I'd say the answer is YES.

http://www.youtube.com/watch?v=vmajlKJlT3U [youtube.com]

Look how old that video is.

Re:Yes and no

[pokraka]

Tracking could be efficiently done in a system such as a mall or subway with exit monitoring.

That's already the case in Brussels public transport. We have to use RFID cards to check in before stepping in a bus, tramway or metro, and the STIB/MIVB (the Brussels public transport service) said they could handle the date to the police if they wanted to know where some people was at a certain time.

Re:Credit cards

[evilviper]

No it didn't, it had a little paper sticker on the front telling me to activate and sign it.

Yes, some banks don't do so. Most do, however.

The card readers need it to be practically touching it to work,

An idiotic statement. Mass market RFID readers need to be within about 6 inches. However, there's NOTHING stopping someone from cranking up the power and getting far more distance out of it. How does 11 meters sound? http://www.foodproductiondaily.com/Supply-Chain/Long-distance-RFID-reader [foodproductiondaily.com]

I don't think people are mass scanning my mail.

With enough money on the line, they will be... Criminals go to great lengths to get credit card numbers with skimmers, fake ATMs, and the like. A tine scanner in a post office would be relatively easy and low-risk.

Re:Yes and no

[rhook]

No it is not, your RFID equipped credit card could be skimmed when you simply walk by a hidden reader. I wouldn't be hard for someone to walk around a city with a RFID skimmer in their backpack and read cards all day long. If you read the title you'd know that you can do this from over 100 feet away.

Re:Yes and no

[Anonymous Coward]

Regardless, you need to have the card less than 4 inches away from the reader and held there for several seconds to read it.

""Defcon participant Chris Paget demonstrated his ability to capture RFID data from people hundreds of feet away for the PBS NewsHour."

Maybe the readers that are in common use have a limited range of 4 inches. But that doesn't mean the 'bad guys' equipment won't be better.

Re:Yes and no

[Anonymous Coward]

Disclaimer: I used to work in the RFID card payment industry

RFID skimmers have been around and demonstrated for over a decade. They're now cheap and unobtrusive, and are being used by crooks world-wide. The scary thing about RFID skimmers is that they can use a really tiny repeater station which communicates with a higher powered device hidden safely away at a distance. There's nothing to detect, as it's the target machine that activates the antenna and facilitates the broadcast of data; this profile isn't going to change when the skimmer is placed nearby, and the skimmer is totally passive.

Re:Yes and no

[hedwards]

That's a solid point. My credit union has its ATMs designed so that it's a bit of a challenge to slip a skimmer onto them. Basically the slot isn't straight across like they used to be. It's got a curved bit of translucent plastic. Makes it a bit more of a challenge to attach a skimmer without making it really obvious. Now with RFID, they could place the device near the slot, but would likely be able to better camouflage it than at present.