Forgot your password?
typodupeerror
Privacy Security Your Rights Online

Is RFID Really That Scary? 338

Posted by timothy
from the relaaaaaax-citizen dept.
tcd004 writes "Defcon participant Chris Paget demonstrated his ability to capture RFID data from people hundreds of feet away for the PBS NewsHour. Paget went through the regular laundry list of security concerns over RFID: people can be tracked, their information accessed, their identities comprimised. Not so fast, says Mark Roberti of RFID Journal. Mark challenges Paget to point to a single instance where RFID was successfully used for nefarious purposes. The signals are too weak and the data is too obscure, according to Roberti. So who is right? Has RFID yet lead to a single instance of identity theft, illegal monitoring, or other security compromise?"
This discussion has been archived. No new comments can be posted.

Is RFID Really That Scary?

Comments Filter:
  • Yes and no (Score:5, Interesting)

    by autocracy (192714) <slashdot2007NO@SPAMstoryinmemo.com> on Thursday August 19, 2010 @02:58PM (#33305324) Homepage

    Tracking one person around a city with RFID would be a nuisance. You'd need multiple points, signal quality would vary wildly, it'd be painful in a way.

    Opposingly, you can get a lot of aggregate data in a semi-closed system. I remember once at a public event I was covering (wearing my journalism hat for a moment) that I thought, "I wish I had an RFID system handy. I could identify all the University students in a moment -- I bet you not a one doesn't have their RFID card on them."

    Tracking could be efficiently done in a system such as a mall or subway with exit monitoring.

    • Re:Yes and no (Score:5, Insightful)

      by morari (1080535) on Thursday August 19, 2010 @03:02PM (#33305382) Journal

      My bank switched their debit cards over to ones with "PayWave". It's an RFID chip that allows me to just magically wave my card around in the air and pay for stuff at the checkout line. I immediately bought an RFID blocking wallet. I'm a lot more concerned about being tracked by the stores and the bank, being marketed to by telescreens on the sidewalk, etc. than I am about cyber-thieves.

      • by pdboddy (620164)
        You are tracked by your bank and CC company every time you use your card anyways.

        Being spammed by advertising, that's a more legitimate concern in my eyes.
        • Re: (Score:3, Interesting)

          by veganboyjosh (896761)
          I keep seeing this argument being brought up, in all kinds of contexts. (Facebook targeted ads, web history, etc.) I think one of the major turnoffs for me about mass market advertisiing is that it's so off base as to be annoying. I'm not in the market for a car, so to be subjected to ads for cars while I watch tv is a waste of my time. I don't eat at fast food restaurants, so billboards for big macs are just a scourge on the landscape. If the billboard was advertising something I was interested in, then I
          • Re:Yes and no (Score:5, Insightful)

            by nabsltd (1313397) on Thursday August 19, 2010 @03:58PM (#33306170)

            I think one of the major turnoffs for me about mass market advertisiing is that it's so off base as to be annoying. I'm not in the market for a car, so to be subjected to ads for cars while I watch tv is a waste of my time.

            And targeted ads are even more annoying, because they still don't get it right.

            I was in the market for a car and did my research and bought one a week ago. But, I expect that "targeted" ads for cars will keep hitting my monitor and mailbox for at least the next six months, and I expect many of them will be for classes of vehicles that weren't anything I would ever consider.

            Two years ago these ads would have been a minor bother, and 2-12 months ago they might have been helpful, but for the next 5-10 years they'll be both wasteful and a major annoyance.

          • by mrops (927562) on Thursday August 19, 2010 @04:02PM (#33306242)

            If a microwave isn't available

            1) Take a cheap camera flash
            2) Replace strobe with AWG14 or 15 coiled about (ummmmmm.. say) 10 times around your finger (remove finger)
            3) Charge flash (which isn't a flash anymore) and point to your favorite RFID chip, fire.
            4) Enjoy your restored privacy

            Disclaimer: Do not point towards your pace maker.

            • by camperslo (704715) on Thursday August 19, 2010 @04:18PM (#33306552)

              Actually I think you'll need to put that coil in series with the flash.
              IIRC, an inverter charges a capacitor up to a few hundred volts D.C. across the flash which doesn't conduct until it is triggered by a brief higher-voltage pulse from a transformer. That pulse causes the gas to ionize (conduct). If the coil were across the flash, the cap would be shorted and couldn't build up a big charge to release in one high-energy burst. Maybe flash designs have changed, but that's how they've worked in the past.

            • by Anonymous Coward on Thursday August 19, 2010 @04:31PM (#33306788)

              (remove finger)

              Holy shit man, I value my privacy but this seems extreme.

          • Re:Yes and no (Score:5, Insightful)

            by blueZ3 (744446) on Thursday August 19, 2010 @04:41PM (#33306962) Homepage

            I think you're making a mistaken assumption that ads are intended to drive you to make an immediate purchase. While that's one reason they're aired, another is brand recognition and familiarity. If you happen to be in the market for a car three years from now, it's likely that at least some of what those car companies have communicated in their ads will stick with you.

            This is especially true for less-well-known brands. Compare a Toyota ad ("We're having a sale this weekend") to a Hyundai ad ("Our cars are reliable and have feature x). Toyota expects you to already know and recognize the value of a Toyota, they're trying to get you into the showroom now, now! NOW! As a relative newcomer, Hyundai is working to get you comfortable enough to consider their car.

            • Re: (Score:3, Interesting)

              by hedwards (940851)
              That's true, however it's not anywhere near as strong an effect as it used to be. The web has done wonders for democratizing marketing. While you don't know who it is that's writing anything, it's a lot harder for companies to hide poor quality when anybody can write a review, and you can typically get a pretty decent idea of the general situation from the various subject specific fora out there.

              The ad might get them a bit of mindshare, but if they haven't created some brand loyalty amongst owners they c
          • Re:Yes and no (Score:4, Interesting)

            by vadim_t (324782) on Thursday August 19, 2010 @05:06PM (#33307354) Homepage

            Are you sure?

            The problem with targeted ads is that they can be creepy, inappropiate and unaware of context.

            For example, imagine you're walking on the street with your friend/boss/old fashined grandmother. Suppose you're into manga/anime. Would you want a billboard to switch to an ad for Miyuki-chan in Wonderland [wikipedia.org] due to your past purchase of the Chobits manga?

            There are lots of things for which you'd really hate to see a targeted billboard ad for in the presence of the wrong people, or any people at all. Just for instance: certain kinds of anime/manga (or anime/manga at all, if you're unlucky to be stuck with people convinced that it's all tentacle porn), hygiene products (buy our incontienence pads!), the wrong kinds of magazines or games, music by an artist you'd rather people not know you listen to, and so on.

            Be careful with what you wish for. There is no guarantee the advertiser will make any effort not to display anything that could be embarrassing, and even if they try there's no guarantee that they'll succeed. I got a few rather odd recommendations from Amazon and am rather glad they don't pop up on the street at just the wrong moment.

            • by dr2chase (653338) on Thursday August 19, 2010 @07:15PM (#33308664) Homepage
              Clearly, the plan is to link an advertising identity for most-embarrassing stuff to an RFID chip, and then surreptitiously tag people with that RFID tag.
          • Re:Yes and no (Score:4, Insightful)

            by 7-Vodka (195504) on Thursday August 19, 2010 @06:48PM (#33308452) Journal
            How fucking stupid are you?

            You're implying that you would like to see ads for things you are interested in. Well fucking wake up mate. There are lies, damn lies and then there are advertisements. Whatever useful information contained in an ad is completely outweighed by the bogus fucking lies they will tell you with the intent on selling you. And if that's not enough, they're obviously going to leave out anything that would encourage you to not buy their shit.

            Worst of all, have you ever even watched an ad? If any ads were reality, then chosing the right toothpaste would make you FUCKING HAPPY AS BLISS and using the right condom would get you laid by a supermodel and drinking the right liquor would make you a million dollars.

            Seriously, if you are clueless enough to ever even contemplate that you might benefit or enjoy watching an ad; you're already sold mate.

        • Re:Yes and no (Score:5, Insightful)

          by ffreeloader (1105115) on Thursday August 19, 2010 @04:14PM (#33306476) Journal

          Being tracked when you use your card, because that is required just because you used it, and being tracked just because you walked past a checkout counter are two separate and distinct things.

      • by sjames (1099) on Thursday August 19, 2010 @03:17PM (#33305584) Homepage

        Wow. If we thought butt dialing was a problem, just wait until butt-buying starts.

        In soviet america, ass bankrupts you!

        • Re: (Score:3, Funny)

          at my dormitory, my absolute favorite way to open the locked door (magnetic strike) controlled by a RFID reader is to open the door with my ass.
          • at my dormitory, my absolute favorite way to open the locked door (magnetic strike) controlled by a RFID reader is to open the door with my ass

            So nice to see the fruit of higher education.

            • Re: (Score:3, Informative)

              by rwa2 (4391) *

              DC metro turnstiles went smartcard + RFID a few years back. It's actually pretty nice to be able to open the gates by sidling up to the sensor while your arms are full.

              All the same, I keep a traditional disposable magstripe card that I bought with cash in my wallet, in case I need to go somewhere without being tracked. Haven't really used it yet other than for guests, but I'm sure someday I'll be trying to dispose of a body and I'll curse it for not being able to use the ass trick.

          • Re: (Score:3, Funny)

            by bmw (115903)

            Pelvic thrust is the way to go.

        • Re: (Score:3, Funny)

          by Anonymous Coward

          ...ass bankrupts you!

          The anthem of divorced men everywhere.

      • If you can feel where the RFID chip is in the card you can crush it (assuming it is the only chip that your card has of course). I've done this accidentally with my ID card at work, a simple pair of pliers should do the trick and you'll never have to worry about it again.

      • by thepotoo (829391) <thepotoospam.yahoo@com> on Thursday August 19, 2010 @04:21PM (#33306612)

        I immediately bought an RFID blocking wallet.

        You mean you lined it with tinfoil? Yeah, me too. I've also got a stylish hat and matching suit made of the same material. The underwear is a little itchy at times, but you'll get used to it.

    • Re:Yes and no (Score:5, Informative)

      by CyberLord Seven (525173) on Thursday August 19, 2010 @03:03PM (#33305400)
      It seems to me you are assuming that the RFID is the only method being used to track someone. I don't track people but it seems trivial to me that a device that identifies a single person out of a mob would be extremely useful.

      Instead of setting my head on a swivel and looking around suspiciously I need only keep my gaze directed at my open book (hiding my tracking device) while I walk around keeping track of my subject.

      Yes, alone, the device is useless; however, people in the business might find plenty of uses for it that you and I cannot imagine.

    • by oodaloop (1229816)
      I was thinking of the Starbucks next door. Probably hundreds of defense contractors with their access badges walk through there every day, probably more than a few with their RFID passports and other IDs too.
    • I heard that once RFID's are in place, the only things that need to upgrade are the actual reading technology, not the signal emission. The RFID itself doesn't need to broadcast any further than a couple meters - its the scanners who pick up the stuff that need improving.

      So - right now, we have those issues with signal quality and and obscurity - but thats only going to improve. Would you want to adopt this kind of technology solely on how its going to be used now or are people going to start thinking long

    • Re: (Score:3, Insightful)

      by alvinrod (889928)
      You don't even need tracking to do something nefarious. You could easily gather RFID information about people congregating in a certain area, say a political protest. Now you've got a computer creating a dossier on you because you may be some kind of radical seeking to bring down the government. A government like China could easily use a system like this to track dissidents. They don't even need to have anyone physically monitoring the people. Just find out where they meet and start grabbing information on
    • Answer is YES (Score:5, Informative)

      by GameboyRMH (1153867) <gameboyrmhNO@SPAMgmail.com> on Thursday August 19, 2010 @04:53PM (#33307150) Journal

      RFID-enabled credit cards broadcast all the data on the front of the card in plaintext when energized. So I'd say the answer is YES.

      http://www.youtube.com/watch?v=vmajlKJlT3U [youtube.com]

      Look how old that video is.

  • by Anonymous Coward

    Prevention is a better method of addressing an identified legitimate security concern than "waiting to see what happens."

    I view it like vaccinations. I don't plan on getting measles this month, but I still had my MMR...

    • Re: (Score:3, Interesting)

      by Peach Rings (1782482)

      Yeah the other guy is basically saying: "There haven't been known cases of identity theft from RFID use, therefore the system is secure and we should expand it!" despite being shown conclusively that it is not secure and widespread use of RFID could be a disaster.

      • by ArcherB (796902)

        Yeah the other guy is basically saying: "There haven't been known cases of identity theft from RFID use, therefore the system is secure and we should expand it!" despite being shown conclusively that it is not secure and widespread use of RFID could be a disaster.

        There HAVE been case of cash and credit cards being stolen and/or duplicated. Should we do away with all forms of cash and credit? After all, it seems that these are more insecure than RFID since they have already been breached. Hell for that matter, homes have been broken into and things stolen and people killed. Should houses be banned?

        Seriously, just because something has been or could be used for nefarious uses doesn't mean it should be avoided. Just be careful with it and keep it monitored (if pos

  • by Pojut (1027544) on Thursday August 19, 2010 @02:58PM (#33305332) Homepage

    RFID really is something that needs to have an eye kept on, but sensationalist headlines make it seem worse than it is.

    Of course, if you're really worried about it, there are options [thinkgeek.com] depending on what you need to protect [thinkgeek.com].

    • but sensationalist headlines make it seem worse than it is.

      OGM!! Facebook now has RFID!!

      • by hAckz0r (989977)
        I would not laugh too loud. Facebook is adding 'location information', so the next step would naturally be 'verifying' that location. That wont be hard once your drivers licence, credit cards, and other 'store convenience cards' all have RFID embedded for their own brand of convenience.

        I can see a hypothetical situation now:

        Officer: "No need to sign any traffic ticket Son, we know who you are, and you can find your ticket and licence info on the departments facebook page for the County's "Deadbeats, Spee

    • Re: (Score:3, Funny)

      by dwye (1127395)

      Both those RFID-blocking wallets are out of stock. Are you just a dupe of the Vast RFID Conspiracy, or was that deliberate disinformation? Wait, ThinkGeek is related to SlashDot, too, so Cmdr Taco must be in on it, too! And I ran out of aluminum foil in my kitchen, just last night. Oh, God! I must be in on it, too! We're all doomed!

      Ah, paranoia. The Delusion of the Gods!

  • I dunno if RFID isn't something to be worried about, but there is definitely a misunderstanding around here about how trackable it is.

    It wasn't all that long ago that there was a story on Slashdot about how school uniforms were going to have RFID tags embedded in them and there were +5 comments about how pedophiles were going to sit in their van with a little screen showing the position of where each child in the city is. There's some impression that RFID tags broadcast their GPS co-ordinates into space o

    • Yes and no. If the technology was invasive enough it could potentially track your location by what reader you were near. My work is currently testing a scheme to monitor the movements of personnel based on their RFID badges. I don't count it as an invasion of privacy because I don't expect privacy at work, but If the government/businesses tried to do the same thing with my visa card it would be grounds for carrying cash. The potential for abuse is there. Also, the potential range is much greater than advert
      • Yes and no. If the technology was invasive enough it could potentially track your location by what reader you were near.

        You say that as if that's a trivial thing to do. If we were talking about one entity rolling out RFID readers across the country and tying those to something you're likely to carry, sure, be afraid. Just remember to stop carrying a cell phone and credit cards, those are betraying you RIGHT NOW.

        • Trivial, perhaps not, but how long until we have targeted advertisements based on personal information gleaned from your RFID credit cards? It's a lot easier than any other identification method, and it's just the thing marketers would use. The point isn't that they contain personal information, but that they broadcast it to the world. When I use my credit card it goes into a database, that's fine I control when I use it, with an RFID card I lose the control over who can read that information. That's the di
          • The point isn't that they contain personal information, but that they broadcast it to the world.

            No, they broadcast it about 20 feet.

            When I use my credit card it goes into a database, that's fine I control when I use it, with an RFID card I lose the control over who can read that information. That's the difference.

            You don't take the card with you, then. Heck, wrap it in a small faraday cage. From a practical standpoint you haven't saved yourself much.

    • by sjames (1099)

      The standard reader certainly can't get coordinates, but there is absolutely no reason the RFID tags can't be used like a radar transponder. Use a directional antenna to send out the needed signal and use the response time to get distance. There's no need for it to send GPS coordinates.

      That may be going a bit far considering the range is currently only proven out to 100 feet or so (still a long way for a "proximity device") but it's not technically impossible.

      • That may be going a bit far considering the range is currently only proven out to 100 feet or so (still a long way for a "proximity device") but it's not technically impossible.

        From what you just said, it is technically impossible. Heh.

  • by woboyle (1044168) on Thursday August 19, 2010 @03:00PM (#33305366)
    Just because you don't know for sure that something has happened, that doesn't mean it hasn't. The problem with RFID "scraping" is that you will never know that it has occurred. My instinct tells me that it has been going on for some time. As for RFID in identity cards, passports, etc. I think that their security is mostly, to put it in the words of Bruce Schneier, just theater.
    • Re: (Score:3, Insightful)

      by jellomizer (103300)

      From my understanding RFID usually don't carry that much data except for a unique identifier. Ok so I se a Hex value. However you may not know what type of RFID it is is for. Eg. Is it for your credit card or is it just that book you got out of the campus book store. Perhaps it is for your medical history that you got implanted in you skin. Maybe it is your Dogs virtual ID Tag implanted.

      Say if I dropped a Passord of a vital system in the Middle of New York City and you pick it up. And that password is

  • Yes and no... (Score:5, Interesting)

    by BobMcD (601576) on Thursday August 19, 2010 @03:02PM (#33305384)

    Is RFID, as described in the article really all that scary? No, not really. E.g.

    30 to 40 million people carry RFID tags on their windshields to allow them to cross bridges, and more carry them in their wallets, and there is not a single example of anyone who had their privacy infringed because of the tags.

    So the fear that the government would use RFID to gain data that they already have is likely debunked. Also the tracking is largely moot. They can do that in all sorts of other ways...

    This is the part that scares me:

    Taken as a whole, Roberti asserts, the benefits of RFID tags -- to track merchandise and packages, and keep track of drugs and food -- far outweigh any downside.

    Where I bought my specific pair of shoes for today likely is not in a database anywhere. With RFID it wouldn't need to be. You just scan the tag and ask the shoes. This potential privacy issue also lacks an implementation, but still represents more information than anyone specifically needs to have. I fear the unintended (or secretly-intended) consequences of all this consumerist stuff in our lives suddenly having a history.

    • The tags are in the tags, not the shoes. Do you leave your tags on your shoes? And how often do you walk across networked RFID transceivers, anyway?

      • by BobMcD (601576)

        The tags are in the tags, not the shoes.

        Maybe at present, but not always. They put them in tires, do they not? And tires have stickers, not tags. Further this could change at any time with the simple excuse of 'sometimes tags fall off', so I'm not seeing that as a meaningful rebuttal.

        And how often do you walk across networked RFID transceivers, anyway?

        Not very often. Not yet, anyway.

    • Re:Yes and no... (Score:4, Interesting)

      by Qzukk (229616) on Thursday August 19, 2010 @04:43PM (#33307000) Journal

      there is not a single example of anyone who had their privacy infringed because of the tags.

      Other than the cases of people's tags' movements being used against them in divorce proceedings and stuff? http://www.msnbc.msn.com/id/20216302 [msn.com]

      Oh wait, as long as the privacy goalposts can be moved at a whim, there is not a single example of anyone who had their privacy infringed because of the tags.

  • Just because criminals have not yet taken to attacking RFID does not mean that it is beyond the realm of possibility that they will do so. I propose another question, though: what problem does RFID actually solve? In particular, why put it in credit cards and other cards that really do not benefit from RFID? Are those problems really worth the risks, particularly since RFID cards are hard to make secure (because of power constraints)?
    • by jd (1658) <imipak@noSPam.yahoo.com> on Thursday August 19, 2010 @03:19PM (#33305622) Homepage Journal

      Ummm, we can't be sure if nobody has attacked RFID. I seem to remember an international incident, not too long ago, where 50+ passports were successfully cloned - including those from countries implementing RFID on passports. At this time, there is zero information on whether the cloning was someone compromising the primary databases of the respective countries or whether it was done more directly by lifting information from passports in the open. It is extremely doubtful that we will ever be given that information, as no government is going to want to admit that people can access secure databases OR admit that the security on their passports is useless. (It has to be one of the two.)

      Since we cannot know where the vulnerability was, it is prudent to assume that ANY part of the chain could be broken. Only a complete fool would do otherwise. This means that whilst we cannot be certain RFID has been compromised, we MUST believe that it might have been. To assume, blithely, that of course it couldn't be RFID is stupid. Why? Because that results you in only looking at facts that meet your theory. A very bad practice, and one that no reputable journal would be caught dead doing. Of course, a trade magazine isn't really a reputable journal. No trade magazine is ever going to question the assumptions of those who both pay for the advertising and then pay for the journal afterwards.

      (Those familiar with certain works of Jeremy Brett may be familiar with the cry of "Data! I cannot work without data!")

  • by CodePwned (1630439) on Thursday August 19, 2010 @03:08PM (#33305468)

    The point that's being made about RFID is that the encryption method is not good enough for most uses when it comes to private information. If it becomes mainstream someone could EASILY begin to collect this information using a remote reader and collect it later without every touching the device again.

    Imagine someone takes a small box about the size of sandwich. It could hold enough battery power to collect every single RFID scan for quite some time and then come by perhaps the next day with a laptop and receive it remotely as to never touch the device again in case it was found and being watched.

    RFID tags are GREAT to identify you by an ID #... not hold SS # or other private information. Keep that stuff in a more secure manner. I'm no alarmist, and not even a hacker. But this is something someone with almost no tech experience could do... and make bank.

  • by bradorsomething (527297) on Thursday August 19, 2010 @03:10PM (#33305492)
    A few years ago a gentleman calling himself Major Malfunction decided to do a proof of concept at Defcon on the dangers of RFID. He set up a table with a box doing RFID queries. When the box got a return and found usable data, it snapped a picture.

    Many Federal agents walked by the table. They were not pleased when they found out the nature of the experiment. The data was destroyed, but the point was made. RFID protective wallets sold *real* well that year...
    • But... but... Mark Roberti says it hasn't ever been successfully misused! How is this possible?!?! Could it be that he doesn't know shit and is just shilling for an industry he effectively represents and serves?
  • Potential (Score:4, Insightful)

    by ddillman (267710) <dgdillman@gmail.AUDENcom minus poet> on Thursday August 19, 2010 @03:12PM (#33305516) Journal
    Just because it hasn't already been used for nefarious purposes (and we don't know that for certain, do we? We just haven't seen public reports of it...) doesn't mean it can't and won't be done in the future. That guy's argument is as bogus as the "If you've done nothing wrong, you have nothing to hide" crap spouted by those who want to spy on everyone.
  • by RingDev (879105) on Thursday August 19, 2010 @03:12PM (#33305526) Homepage Journal

    Mark challenges Paget to point to a single instance where RFID was successfully used for nefarious purposes

    I challenge Mark to point to a single instance where Intercontinental Ballistic Missiles with Nuclear Warheads were successfully used for nefarious purposes.

    Nothing?

    Well then, I guess we can just stop all this silly nonsense about non-proliferation, missile defense shields, and international nuclear arms reduction treaties.

    -Rick

  • Last week, I removed the blade guard from my saw, taped down the safety lever on my lawnmower and cut the ground pin from all of my power tools and I'm just KZERRRRT!

  • by cruachan (113813) on Thursday August 19, 2010 @03:14PM (#33305550)

    I am extremely skeptical of the current generation of RFID tags when used in practice out there in the wild.

    About three years back I set up software to support a recycling scheme, whereby every household in a community (ca 10,000) were given a couple of plastic boxes in which to place recycled goods. The boxes where chipped *and* barcoded, and there were scales on the collection lorry to weigh the box and automatically scan the rfid chip at the same time, thus collecting usage data.

    Three years on it turns out that the one thing we were not expecting - the rfid chips not to be reliable - has proven a major issue. The failure rate is not high, but we consistently have a score or more boxes needing replacing every month, which is a far higher rate than we were lead to expect. We did think it might be the manufacturer, but we've talked to several people doing similar things now and everyone has similar stories - the chips do fail.

    Perversely - the barcodes, which we sealed in transparent plastic but didn't expect to last (hence going with rfid tags as major impact) have given us less than a dozen damaged to the point we can't scan them in the whole three years.

    • Wait: you RFID scan peoples' garbage when you collect it? Do you take photos, too? That would be some really interesting data.

      • by cruachan (113813)

        The boxes are for particular recyclables - plastic bottles, tin cans, newspaper etc. We record weight against household so we can track who recycles and who doesn't (we give out prizes for participation), and look at it on an are level to see what differences there are and so how we could improve performance.

        Not as fun as snapping garbage :-)

  • Roberti's big thing is that nobody's yet used RFID data in a crime. So the upshot is that as long as people just break it for research, it's still secure. And people wonder why the blackhats make out like bandits on the first breaches of any given protocol, because nobody protected against them when it was merely a subject of research. Good luck with that, tell me how that works out for you.

  • Fixed it: http://www.tombom.co.uk/blog [tombom.co.uk] Chris Paget's Blog

  • by gurps_npc (621217) on Thursday August 19, 2010 @03:31PM (#33305756) Homepage
    With a mobile phone you can get far higher grade information. It actively pings the cell tower, so it's detectable range is much greater. It gives identifiable information, that can in obviosuly be used to call that person. People are themselves not likley to 'forget' it.

    Conclusion: RFID tagging is less scary than existing privacy intrustions we gladly accept.

    • by Hatta (162192)

      You assume that we accept cell phones. You also forget that cell phones can be turned off.

  • First thing to do when reading someone's defence arguments is to consider if they actually are related to the original complaint. Here we see trade body/corporate/politician PR defence #1: deflect criticism by confusing the public about the original complaint simply by defending something related but different. As long as you can control the conversation, you're always going to come out smelling of roses.

    Nobody cares about using RFID to track shipping. The concern is about using RFID to track personal data,

  • Do your credit cards come with EZ Pass or similar? Does your bank mail them to you with little metallic stickers affixed to the front of them? What makes you think it's any more secure in your wallet than in an evnelope? Why are banks doing this extra step if there's no security risk?

  • RFID chips need to be right up close in order to charge, (assuming they don't have their own battery, which the ones attached to higher ticket items do), but once they transmit, the read distance is only limited by the sensitivity of your receiver. To me, that means, "From Orbit".

    Maybe I'm over-simplifying, but 200 feet with home brew technology is pretty impressive. I have a feeling that the military has invested a few more pennies in radio technology over the years than Chris Paget.

    But that's not the po

  • If you were on pluto with you cell phone there are antennas on earth that could receive you. Sure the scanner in the store may have a range of a couple of inches. If some black hat wants to hide an antenna in the back of a white van he is going to be able to read RFID tags from across the street.

    Arguments about "small signal strength" are only relative. If the information is important enough someone is going to find a way to access it from the distance they need. The problem of isolation of a signal from a

  • The IBM PC first appeared in 1981. It was not until 1986 that the first PC virus appeared. It was not until many years after that before malware aimed at theft of data -- as opposed to mere vandalism -- became widespread. There's often a lag between the existence of a gaping security hole and the day when someone finally drives the first of many Mack trucks through it.

  • by pentalive (449155) on Thursday August 19, 2010 @06:51PM (#33308480) Journal
    Why isn't anyone worried about the Wal*mart RFID initiative?

    Wal*mart says if a company wants to sell its product in Wal*mart it must have an RFID in it. It also seems that they do not intend to disable these RFIDs once you buy the product - one of the goals is to identify the specific item when you want to return it. (stopping the "My X broke but it's out of warranty so I'll buy a new one and return the old one" ploy).

    I'll just use cash you say? If you bought anything with your credit card or with you ATM card each of those things is "pinned" to you. Things you get with cash get pinned to you by being associated with things you bought with plastic next time you walk through the door. You will be identified by the cloud of RFID devices one or two in each article of clothing you wear - in each item you carry. (each pinned to you)

    Next time you walk into Wal*mart it's "Welcome Back Pentalive" need more jeans? t-Shirts? Since the data belongs to walmart, the next time you walk into another business that bought the database from WM they also will be "Welcome to McDonald's, Pentalive".

    Hope you -never- go anywhere where you want to be anonymous (or at least never wear anything from WM.)

    Yes we are in public and thus have no expectation of privacy. But is it Wal*mart's business if you have been shopping at Target recently? And if Wal*mart knows where you have been - all the Government has to do is ask nice and they know too. Remember the Government can setup RFID readers too. Then they don't have to ask. You walk through the metal detector at the airport, a loop of wire built right in can read all your RFIDs at the same time.

    Arguments aside of "Well I will just microwave everything" does that really work or do you end up ruining that $100 pair of "Air Jordans" by melting parts? How about the RFID built into that nice laptop or netbook, or cell phone or iPad? Can't microwave those.

    Also if Wal*mart demands RFIDS in everything, perhaps it will just be easier for companies to put RFIDS in any products that might be sold at Wal*mart or might be sold somewhere else? That nice new polo shirt you got at Target, no RFID there right? You sure? They also sell that kind of shirt at WM.

    Iris scanning like Minority Report? Wear dark glasses, turn away from the sensor. RFID cloud? ? ? Wear your tinfoil spacesuit! I suppose it should be "I, for one, welcome my new location-tracking overlords."

No amount of careful planning will ever replace dumb luck.

Working...