Monday, October 30, 2006

First-generation RFID tags not secure enough

At least, that was the general takeaway from this report from a group calling themselves the RFID Consortium for Security and Privacy Group. As Evan at StorefrontBacktalk notes,

The group tested about 20 samples from various contactless credit cards and concluded that "the cardholder's name and often credit card number and expiration are leaked in plaintext to unauthenticated readers" and "our homemade device costing around $150 effectively clones one type of skimmed cards." Perhaps of greatest concern is the report's conclusion that "RFID-enabled credit cards are susceptible in various degrees to a range of other traditional RFID attacks such as skimming and relaying."

Of course, the most immediate implication is that a nearby data thief could simply use such a radio device to steal credit card information that could then be used to make online purchases (where you don't need an ID, physical card, etc.). However, Evan also notes that identity thieves could utilize name data from RFID tags even if the credit card number was encrypted (which is how things are heading).

I don't think I'd ever want my name to be broadcast in plain text for anybody with an RFID reader to see. Creepy scenes from Minority Report keep coming to mind, though admittedly wrapping my contactless payment cards in some kind of RFID-proof material is a lot easier (and less painful) than having my eyeballs plucked out.

Past articles on RFID include:
Bookseller uses item-level RFID and kiosks to lower costs, boost sales
Using RFID to improve the customer experience

Tags: RFID, encryption, security, retail media, contactless payment
