RETURN ON TECHNOLOGY: RFID security not as secure as you think it is

May 29, 2006

I work in a building that makes me use a cardkey to get into the building's back stairway. I can't even use a physical key. I must use the card I was issued. I fumble for the thing every morning.

One morning, to my astonishment, I noticed that if I pushed hard enough on the door as I opened it, it would hit the end of its travel and thereafter stand open by itself. The first person through in the morning could leave the entry wide open for any reprobate who wanted to sack and loot the place. So much for security.

Later, after researching cardkeys a bit, I found out that, if I were a thief, I wouldn't even need the cardkey if I had the right burglar's tools: a laptop, a coder box and a coil of wire. An article in the May edition of Wired magazine made me look at my cardkey a lot more ruefully (www.wired.com).

The article told of a security consultant who stole an executive's cardkey code just by brushing up against the executive in a crowd and wielding a small, handheld sensor that sent out a quick pulse of interrogatory signal into the cardkey in the executive's pocket, then recorded the answering electromagnetic squeal from the cardkey's tiny RFID chip. That RFID code was all the consultant needed to get past the card reader at the executive's door.

RFID chips are appearing everywhere. They're in clothing tags, library books, pharmaceuticals, car locks, and, yes, in cardkeys and other security devices. The Brittan School District in California tumbled into a controversy last year for making seventh- and eighth-graders carry ID cards with RFID chips in them, which were detected at bathrooms and classrooms. They're even in some people's bodies.

The New York Times (www.nytimes.com) reported in a February article on several people who had the tiny, rice-grain-size RFID chips shot into the muscles of their hands so they can carry their security tags with them everywhere. Many research facilities and hospitals are thinking about putting RFID tags on cadavers so they can be more easily tracked.

To this, RFID's critics decry the inevitable loss of privacy, the marking of the individual in a rapidly dehumanizing society. To my mind, though, the major problem with RFID mania is a smug reliance on the chip as a good identification method. The chips are too easy to fake, as demonstrated by the security consultant grabbing the executive's code with a single brush pass.

Some RFIDs are more secure, being encrypted. But encrypting costs more, and it's rarely foolproof, anyway. Unencrypted RFIDs can be had for a buck or so, while encrypted ones go for several times that. Most RFIDs in the foreseeable future will probably be unencrypted. Although they seem to the uninitiated to be highly secure, in reality they're pathetically easy to get around, just like the door into my building. If nothing else, somebody can just come up behind me, smile nicely at me, and go right on in after I've unlocked the door. An RFID coupled with a PIN is supposed to be more secure, but still wouldn't solve the problem of holding the door for a grateful, smiling crook.

In fact, a major security breach involving RFID and PIN codes has already recently occurred in the United Kingdom (news.bbc.co.uk). There, the government is working hard to replace the familiar system of credit-card-and-signature with what they call "chip and PIN," an RFID-equipped card and your own memorized PIN code taking the place of the signature, just as it would at the ATM.

The government has touted the drop in fraud cases since it began phasing in chip and PIN, but petrochemical giant Shell recently found that over 1 million pounds had been stolen from customers, presumably through the chip-and-PIN payment system. Shell suspended chip and PIN at some 600 stations throughout the UK until the affair is sorted out.

Identity theft from an RFID can be fast and tantalizingly easy. One "black hat" strolling the mall could steal hundreds of codes. If only a few turn out to be valuable, it would be enough to keep a sharp technology thief in Mountain Dew and new gadgetry for quite some time.

The owner would have no inkling his identity had been lifted until the bills arrived or his car disappeared. There are no credit cards to drop, no wallet to mislay. The compromised card would still be snugly tucked into a pocket, giving no hint that its essence had been stolen.

Often, the best security is simple human paranoia. When you come to my building, expect to be given a searching look if you enter right after me.

Altom is a senior business consultant for Perficient Consulting. His column appears every other week. He can be reached at timaltom@sbcglobal.net.