US Department of Defense deploys RFID shields to its personnel


This is an extraordinary article that would appear to suggest that the US military takes the business of ‘skimming’ very seriously, not least in respect of its RFID-enabled ID passes, which are issued to all personnel. You cannot help but ask the question, “…if contactless technology is 100% bulletproof against unauthorised attack – then why is the US Department of Defense introducing shielding sleeves?” Go figure!


New Delhi leads the way with RFID vehicle tracking – who’s next?

On Wednesday 27th October, 2010 RFID News broke the following sensational story.

“Government officials in New Delhi will soon make it mandatory for all vehicles to be equipped with RFID cards that will be used to make road toll payments, according to Hindustan Times.  The government accepted the recent proposal and said it will ensure that it is being implemented within 18 months.  Initially it will be used for toll collection on national highways, subsequently it will be used for other purposes also, including toll collection on state highways,” said Kamal Nath, road transport and highways minister. “Commuters can preload whatever amount they want and make the payment when required. Officials have also instructed manufacturers that all new vehicles will come with RFID chips installed.”

http://www.rfidnews.org/2010/10/27/rfid-soon-to-be-mandatory-for-all-vehicles-new-delhi?issue=rfidnews_20101028

India is a country that has a clear sense of its own destiny, and one that has always been keen to position itself as a technological innovator. It used to be the case that Britain transferred its knowledge in the direction of emergent Eastern economies, in return for significant financial gain. Perhaps this article suggests we are at the beginning of a new chapter in the flow of information between countries, since widespread adoption of RFID-enabled vehicle tracking in the UK is highly likely in years to come. Where India is leading on this, we seem likely to follow, which surely begs the question, “…do you want your every movement tracked by the State?  If not, what can be done about this within the scope of our current legislative framework?”

Defend your ski pass from hackers

Ski Pass Security

An RFID secure ski-pass (Image Copyright 2010 http://www.rfidprotect.co.uk)

If you’ve been issued with a new RFID-enabled, or ‘contactless’, ski pass then there’s a risk that it may be intercepted, read or skimmed without your knowledge. A new generation of ski and lift passes is already being rolled out across US and European resorts, and you may not realise that contained within them is a small passive RFID microchip. This bit of clever kit enables swift access to the slopes, and other services off-piste. Great news!

The not so great news, if you don’t want marketers to track your every movement and transaction whilst on holiday, is that they can. Furthermore, it’s well documented that unscrupulous hackers have been able to skim these ‘contactless’ passes using low-cost readers freely available online. The consequence can be that your personal information and movements are tracked and exploited for commercial or criminal gain.

  • Keep your personal information safe
  • Shield your data from readers designed to track your movements
  • Have a look about for Ski pass shielding products – there are loads on offer and many reasonably priced

UK Government issues guidance on RFID security

Abstract: A UK government-backed report that explores certain security flaws in RFID / contactless technology.  Well worth a read is this…

Source: http://www.ico.gov.uk

The Information Commissioner’s Office is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

“It will be the responsibility of RFID users to prevent any unauthorised access to personal information. One concern is a practice that has become known as “skimming”. Since a transponder’s signal can be picked up by any compatible reader, it is possible for RFID tags to be read by unauthorised readers, which could access personal information stored on them. Users can guard against skimming by using passwords. The EPCglobal Class 1 Generation 2 RFID specification enables the use of a password for accessing a tag’s memory. However, these are not immune to “hacking”.

Most RFID systems require a short distance between tag and reader, making it difficult for “rogue” readers to scan tags but this could nevertheless be done in a situation where people are naturally at close range, for example, on a crowded train. The nominal read range of some tags can also be extended by the use of more powerful readers. It is also possible to read part of a tag’s number by eavesdropping merely on a reader’s communication with a tag. Readers, with a much higher power output than tags, can be read at much greater distances.

While some RFID applications might not need communication between tag and reader to be encrypted, others that process personal and especially sensitive personal data will need an adequate level of encryption to safeguard the data being processed. In most cases “skimmers” would also need a way of accessing the external database containing the personal data, but in some cases inferences might be made about someone from information which in itself does not relate directly to him. If a person leaves a store having purchased items carrying RFID tags that have not been disabled, he carries with him a potential inventory of his possessions. This would enable someone with a suitable reader and knowledge of EPC references to discover what items he was carrying at a given time. Sensitive personal data about a person’s illness, for example, might be unknowingly revealed by him via the EPC referring to the medication in his pocket. An insufficiently secure RFID chip could also be “cloned”. By copying personal data stored on the RFID chip of an identification card, a person could for practical purposes steal the identity of the cardholder. If the information on the database (e.g., a fingerprint) is checked only against the information on the card, rather than directly against the person himself, a criminal would not need to access the information stored on the database.”

http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/radio_frequency_indentification_tech_guidance.pdf
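The ICO's point that a tag's EPC can act as an inventory of what someone is carrying can be seen by decoding one. The following is an added example, not taken from the ICO guidance or from this blog: it assumes the SGTIN-96 field layout from the GS1 EPC Tag Data Standard, and the sample reads and function names are constructed for illustration.

```python
# Added example: SGTIN-96 field layout per the GS1 EPC Tag Data Standard.
# partition -> (company-prefix bits, prefix digits, item-ref bits, item-ref digits)
PARTITIONS = {0: (40, 12, 4, 1), 1: (37, 11, 7, 2), 2: (34, 10, 10, 3),
              3: (30, 9, 14, 4), 4: (27, 8, 17, 5), 5: (24, 7, 20, 6),
              6: (20, 6, 24, 7)}

def decode_sgtin96(epc_hex):
    """Return the fields readable from the tag alone; raise ValueError otherwise."""
    epc_hex = epc_hex.strip()
    if len(epc_hex) != 24:
        raise ValueError("SGTIN-96 is exactly 96 bits (24 hex digits)")
    value = int(epc_hex, 16)              # ValueError on non-hex input
    if value >> 88 != 0x30:               # 8-bit header identifying SGTIN-96
        raise ValueError("not an SGTIN-96 EPC")
    partition = (value >> 82) & 0x7
    if partition not in PARTITIONS:
        raise ValueError("reserved partition value")
    cp_bits, cp_digits, ir_bits, ir_digits = PARTITIONS[partition]
    company = (value >> (82 - cp_bits)) & ((1 << cp_bits) - 1)
    item = (value >> 38) & ((1 << ir_bits) - 1)
    if company >= 10 ** cp_digits or item >= 10 ** ir_digits:
        raise ValueError("field does not fit its decimal width")
    return {
        "filter": (value >> 85) & 0x7,
        "company_prefix": str(company).zfill(cp_digits),  # identifies the brand owner
        "item_reference": str(item).zfill(ir_digits),     # identifies the product class
        "serial": value & ((1 << 38) - 1),                # identifies this one item
    }

def carried_item_classes(reads):
    """Count product classes visible in a set of reads, skipping non-SGTIN tags."""
    seen = {}
    for epc in reads:
        try:
            fields = decode_sgtin96(epc)
        except ValueError:
            continue
        key = (fields["company_prefix"], fields["item_reference"])
        seen[key] = seen.get(key, 0) + 1
    return seen

# Constructed sample reads: two items of one product class, one non-SGTIN tag.
SAMPLE_READS = ["3074257BF7194E4000001A85", "3074257BF7194E4000001A86",
                "E2003412DC03011803010203"]

if __name__ == "__main__":
    print(carried_item_classes(SAMPLE_READS))
```

No database lookup is needed to get this far: the company prefix and item reference are in the clear on the tag, which is why the guidance talks about tags being disabled at the point of sale.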

Google in major privacy breach.

Whoops!

Google has finally accepted that it harvested personal data from wireless networks as its fleet of vehicles drove down residential roads taking photographs for the Street View project.  And yet only a few months ago it would have screamed ‘blue murder’ if anyone intimated that this had happened.

Now it transpires that millions of internet users have potentially been affected.   Google’s acknowledgment of guilt is an interesting U-turn from its earlier assertion that no sensitive personal information had been taken.

Google has now confessed that its, “…vehicles had also gather(ed) information about the location of wireless networks, the devices which connect computers to the telecommunications network via radio waves.”

The Daily Telegraph newspaper reported that, “…Privacy International lodged a complaint with Scotland Yard earlier this year about Google’s Street View activities and officers are still considering whether a crime has been committed.

Google is facing prosecution in France and a class action in the US, with similar lawsuits pending in other countries.”

The full story can be read at: http://www.telegraph.co.uk/technology/google/8083008/Google-spied-on-British-emails-and-computer-passwords.html

Whilst this development does not relate specifically to RFID or contactless technology as such, nonetheless it’s an excellent example of a large multi-national operation initially stating – “guys, what’s the problem – there’s nothing to worry about your wireless internet connection because we’ve ensured that it’s 100% secure” – and then a few months later we arrive at a different place – “…er, you know that technology that we told you was secure, well there’s been a slight issue with it and as a result your email, passwords and other sensitive information are now in the public domain – whoops, sorry about that…”

Therefore it could be reasonably argued that whilst today contactless credit, debit, Oyster, and Olympics 2012 RFID passes are all being sold as 100% safe – tomorrow may bring with it a different view…

Watch this space, and in the meantime can you afford not to protect your biometric details now?

Anti-skimming – a response from British-based company RFID Protect

For UK residents interested in anti-skimming products, we’d suggest making contact with RFID Protect. RFID Protect is a British-based company, and one that offers a full range of RFID shielding kit, much of which can be custom manufactured to carry a client’s branding.

There’s also an added benefit: RFID Protect’s partnership arrangements with law enforcement specialists, evidenced through its work with the Bedfordshire Police Partnership Trust. Both parties are trying to raise awareness about RFID skimming, and strive to help people keep their biometric data secure.

For more information visit: http://www.rfidprotect.co.uk