Spychips has just reported that senior executives from American Express have ‘taken a broadside’ with the discovery of the banking giant’s plans for people tracking. American Express representatives attended a meeting with CASPIAN (Consumers Against Supermarket Privacy Invasion and Numbering) in July 2011 to review the current situation. Since this meeting, American Express has committed to review its entire patent portfolio, ensuring that “…any people-tracking plans be accompanied by language requiring consumer notice and consent.”
A spokesperson for Spychips reported that American Express had filed a patent application entitled “Method and System for Facilitating a Shopping Experience.” Spychips has described this patent as “…a Minority Report style blueprint for monitoring consumers through RFID-enabled objects, like the American Express Blue Card.” Spychips also states the following with respect to the proposed patent:
According to the patent, RFID readers called “consumer trackers” would be placed in store shelving to pick up “consumer identification signals” emitted by RFID-embedded objects carried by shoppers. These would be used to identify people, track their movements, and observe their behavior.
The patent also suggested such people-tracking systems could “be located in a common area of a school, shopping center, bus station or other place of public accommodation.”
Unbranded, anti-skimming, RFID blocking, credit card and e-passport sleeves – at last there’s a UK supplier!!!
Until very recently it seemed impossible to purchase cheap unbranded paper-based Tyvek RFID sleeves from a UK supplier. BUT now multi-packs have arrived on eBay! (These fit all major UK passport, credit, debit, Oyster, transport and similar sized cards.)
This is a great development and certainly the best option for those on a really tight budget.
For those of you who are keen to explore some of the ‘darker’ issues associated with contactless credit, debit, passport, ski-pass and door-entry security systems, the following resources may prove useful. Published here by kind permission of the author are eighteen objective case studies (in six folders) that present both sides of the argument for RFID technology.
Download each (600KB PDF) by clicking on the associated images below.
If you wanted to reproduce these, I suggest making contact with the author/s.
Abstract: A UK government-backed report that explores certain security flaws in RFID / contactless technology. Well worth a read is this…
Source: http://www.ico.gov.uk – The Information Commissioner’s Office is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
“It will be the responsibility of RFID users to prevent any unauthorised access to personal information. One concern is a practice that has become known as “skimming”. Since a transponder’s signal can be picked up by any compatible reader, it is possible for RFID tags to be read by unauthorised readers, which could access personal information stored on them. Users can guard against skimming by using passwords. The EPCglobal Class 1 Generation 2 RFID specification enables the use of a password for accessing a tag’s memory. However, these are not immune to “hacking”.
Most RFID systems require a short distance between tag and reader, making it difficult for “rogue” readers to scan tags but this could nevertheless be done in a situation where people are naturally at close range, for example, on a crowded train. The nominal read range of some tags can also be extended by the use of more powerful readers. It is also possible to read part of a tag’s number by eavesdropping merely on a reader’s communication with a tag. Readers, with a much higher power output than tags, can be read at much greater distances.
While some RFID applications might not need communication between tag and reader to be encrypted, others that process personal and especially sensitive personal data will need an adequate level of encryption to safeguard the data being processed. In most cases “skimmers” would also need a way of accessing the external database containing the personal data, but in some cases inferences might be made about someone from information which in itself does not relate directly to him. If a person leaves a store having purchased items carrying RFID tags that have not been disabled, he carries with him a potential inventory of his possessions. This would enable someone with a suitable reader and knowledge of EPC references to discover what items he was carrying at a given time. Sensitive personal data about a person’s illness, for example, might be unknowingly revealed by him via the EPC referring to the medication in his pocket. An insufficiently secure RFID chip could also be “cloned”. By copying personal data stored on the RFID chip of an identification card, a person could for practical purposes steal the identity of the cardholder. If the information on the database (e.g., a fingerprint) is checked only against the information on the card, rather than directly against the person himself, a criminal would not need to access the information stored on the database.”
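The inventory inference described in the ICO text above can be made concrete by decoding what an item-level tag actually carries. This is an added example, not part of the ICO report or the original post: it assumes the tag holds an SGTIN-96 EPC as laid out in the GS1 EPC Tag Data Standard, and the sample value is that standard's illustrative EPC rather than a real product.

```python
# Added example: decode an SGTIN-96 EPC to audit what a tag that was not
# disabled at the till discloses to any compatible reader.
# Assumption: field layout per the GS1 EPC Tag Data Standard (SGTIN-96).

# partition value -> (company prefix bits, prefix digits, item bits, item digits)
PARTITIONS = {
    0: (40, 12, 4, 1), 1: (37, 11, 7, 2), 2: (34, 10, 10, 3),
    3: (30, 9, 14, 4), 4: (27, 8, 17, 5), 5: (24, 7, 20, 6),
    6: (20, 6, 24, 7),
}
SGTIN96_HEADER = 0x30


def gtin14_check_digit(first13: str) -> str:
    """GS1 mod-10 check digit: weights 3,1,3,... from the leftmost digit."""
    total = sum(int(d) * (3 if i % 2 == 0 else 1) for i, d in enumerate(first13))
    return str((10 - total % 10) % 10)


def decode_sgtin96(epc_hex: str) -> dict:
    """Split a 96-bit EPC into the fields a bystander's reader would see."""
    if len(epc_hex) != 24:
        raise ValueError("SGTIN-96 is 96 bits (24 hex digits)")
    value = int(epc_hex, 16)

    def field(offset: int, width: int) -> int:
        # Bits are numbered from the most significant end of the EPC.
        return (value >> (96 - offset - width)) & ((1 << width) - 1)

    if field(0, 8) != SGTIN96_HEADER:
        raise ValueError("not an SGTIN-96 header")
    partition = field(11, 3)
    if partition not in PARTITIONS:
        raise ValueError("reserved partition value")
    cp_bits, cp_digits, ir_bits, ir_digits = PARTITIONS[partition]
    company = str(field(14, cp_bits)).zfill(cp_digits)
    item = str(field(14 + cp_bits, ir_bits)).zfill(ir_digits)
    if len(company) != cp_digits or len(item) != ir_digits:
        raise ValueError("field value exceeds its digit count")
    # GTIN-14 = indicator digit + company prefix + rest of item ref + check.
    first13 = item[0] + company + item[1:]
    return {
        "filter": field(8, 3),
        "company_prefix": company,      # identifies the manufacturer
        "item_reference": item,         # identifies the product line
        "serial": field(58, 38),        # identifies this individual unit
        "gtin14": first13 + gtin14_check_digit(first13),
    }


if __name__ == "__main__":
    # Illustrative EPC from the GS1 standard (not a real product).
    print(decode_sgtin96("3074257BF7194E4000001A85"))
```

The GTIN identifies the product type without any access to the retailer's database, and the serial number stays constant for as long as the tag is live, which is why disabling tags at the point of sale matters.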