[LINK] EPIC: Criticism of RFID Security, Privacy
Roger Clarke
Roger.Clarke at xamax.com.au
Fri Nov 17 13:50:45 AEDT 2006
Volume 13.22 November 1, 2006
http://www.epic.org/alert/EPIC_Alert_13.22.html
========================================================================
[1] Two Reports Criticize Security, Privacy Holes in RFID Technology
========================================================================
The federal government has increasingly required radio frequency
identification (RFID) tags for identity documents, even though an expert
panel has opposed the adoption of the wireless technology. The draft
report has yet to be finalized for official release. In another report,
researchers revealed serious security vulnerabilities in RFID-enabled
credit cards that would allow for fraud.
RFID technology is a part of several federal identification documents.
The Department of Homeland Security last year began using RFID-enabled
I-94 forms in its United States Visitor and Immigrant Status Indicator
Technology (US-VISIT) program to track the entry and exit of visitors.
This year, the State Department started issuing RFID-enabled passports
to U.S. citizens. The State Department also is proposing to use RFID in
its "PASS card," an ID card for people entering the United States from
certain countries in North, Central or South America.
In the draft report, the Department of Homeland Security Data Privacy
and Integrity Advisory Committee warns against using RFID in
identification documents. "RFID appears to offer little benefit when
compared to the consequences it brings for privacy and data integrity,"
the report says. Many have criticized the security and privacy problems
inherent in RFID. Recently, the European Commission announced it is
considering legislation to ensure privacy safeguards in the use of RFID
technology.
EPIC has previously explained that, in the absence of effective security
techniques, RFID tags are remotely and secretly readable. RFID-enabled
ID cards would allow for clandestine tracking of individuals,
"skimming," and "eavesdropping." Skimming occurs when information from
an RFID chip is surreptitiously gathered by an unauthorized individual.
Eavesdropping occurs when an individual intercepts data as it is read by
an authorized RFID reader.
Researchers at the University of Massachusetts and RSA Labs skimmed
RFID-enabled credit cards to reveal security vulnerabilities. In tests
on 20 cards from Visa, MasterCard and American Express, they found that
the cards are transmitting the cardholder's name and other data in plain
text and without encryption. The researchers gathered the information
from the cards with a small device made out of commercially available
electronic components. The researchers were able to use the stolen data
to buy products online.
Department of Homeland Security Data Privacy and Integrity Advisory
Committee: The Use of RFID for Human Identification (pdf):
http://www.epic.org/redirect/dpiac1106.html
Research Paper: Vulnerabilities in First-Generation RFID-enabled Credit
Cards (pdf):
http://prisms.cs.umass.edu/~kevinfu/papers/RFID-CC-manuscript.pdf
EPIC's Spotlight on Surveillance: "Homeland Security PASS Card: Leave
Home Without It":
http://www.epic.org/privacy/surveillance/spotlight/0806
EPIC's Page on RFID:
http://www.epic.org/privacy/rfid/
========================================================================
--
Roger Clarke http://www.anu.edu.au/people/Roger.Clarke/
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au http://www.xamax.com.au/
Visiting Professor in Info Science & Eng Australian National University
Visiting Professor in the eCommerce Program University of Hong Kong
Visiting Professor in the Cyberspace Law & Policy Centre Uni of NSW