What’s the (RFID) Frequency Kenneth?

Radio frequency identification (RFID) has officially arrived and seems destined to remain. This fairly new yet ubiquitous technology is integrated into payment cards, livestock tracking and myriad other places. However, several current and proposed uses have raised security and privacy concerns with consumers and businesses alike.

Are there obvious and/or hidden threats we are ignoring or may not even be aware of? My response is an unequivocal “yes.”

Tracking Commuters

Several RFID applications are being used on toll roads and for public transportation. “EZ-Pass” devices allow cars to move more quickly through toll booths via a quick RFID chip read. This chip is linked to the driver’s banking account, and the driver is billed based on his/her road usage (i.e. chip reads).

Boston recently rolled out an RFID system for its MBTA train system. Commuters carry a card, with an RFID chip embedded, which they tap against a reader to gain entrance to the train stations. The card is linked to a prepaid account which works like a debit system.

The risk? There is a theft problem here. If a thief takes an RFID reader for a train ride during rush hour or strolls through a parking lot, he or she can acquire enough information to clone a particular RFID card. This clone or dummy card would afford the intruder access to the train station or the toll road—all on the victim’s tab.

The solution? Some RFID implementations use a challenge-response system rather than having the chip in the card always broadcast the same signal. In this system, the response from the card is based partially on the signal from the reader and the information on the card, which allows the reader to identify the card but hinders a thief from cloning the card. This happens because the response from the card will change with each read rather than remain constant. As a result, the thief cannot copy and echo an ever-changing card.

Tracking Products

Many retailers are experimenting with RFID to track in-store purchases. The ability to produce low cost RFID tags allows retailers to easily manage inventory and potentially deter theft.

The Risk? There is a privacy issue here due to the fact that these tags are not disabled after the customer leaves the store. A reader located in the parking lot can detect exactly what the customer had purchased. Let’s take this scenario one step further. Consider the common case when you leave your bags in your car as you continue your errands. Even if you hide your bags from view, a thief needs only an RFID reader to determine which car contains the most lucrative goods.

The solution? One potential solution in this space is a “zombie” chip. This chip works while in the store but is deactivated outside the store perimeter. The zombie chip can be reawakened by a special process, hence the moniker. This is useful in the case of a consumer returning an item, which the store will need to rescan to validate the return.

Tracking Children

Some schools, and even public places such as Legoland, have begun using RFID tags as an effective means to track abducted and wandering children.

The risk? This advantage can be lost since by a criminal targeting a particular child, say the son or daughter of a politician or celebrity. He or she could use this same RFID technology to keep tabs on that child and determine the optimal spot for an attack.