April 14, 2008 1:59 PM PDT

Researcher: Misunderstandings surround RFID in use today

by Robert Vamosi

When asked how RFID worked, a group of novices responded to a recent academic survey with "witchcraft" and "magic."

In a talk Monday at the USENIX Usability, Psychology and Security Conference (UPSEC) 2008 in San Francisco, Andrew McDiarmid of the University of California, Berkeley, shed light on how ordinary people perceive RFID-enabled cards in their day-to-day lives. He said that while novices and intermediates were familiar with times when RFID-enabled smart cards such as work access cards or transit cards didn't work, they couldn't explain why. On the other hand, advanced users knew enough to keep their RFID-enhanced credit cards sheathed in a mini "Faraday cage" so the cards could not be read by others.

Speaking before a room of about 45 fellow researchers, McDiarmid reported on exploratory research conducted in 2007 with Jennifer King, also at U.C. Berkeley. Based on feedback from this initial sample group, the two hope to open the survey to a much larger audience of novice, intermediate, and advanced users during 2008. They will also narrow the focus to two specific RFID-enhanced items: e-passports and contact-less credit cards.

Perhaps most surprising among the data was the assumption of audio or visual feedback among all three groups. McDiarmid said that the use of contact-less credit cards is impersonal; often there is no confirmation of a transaction, such as you had when a clerk handed your card back at the end of the purchase. "Customers want feedback," he said.

Another misconception revealed by the survey is that cards can only be read by specific readers. That is not true, said McDiarmid. Thus, he wasn't too surprised that only two individuals in his survey group knew to sheath their contact-less credit cards.

In a paper released at the conference, McDiarmid and King expressed concern over how the government and commercial interests are assisting the typical end user with the new technology.

McDiarmid said on Monday that although the State Department provides a brochure describing the features of the ePassport, and companies like Visa offer videos describing the features of their PayWave contact-less credit cards, the general public still doesn't understand the basic concepts behind RFID, and therefore does not understand the inherent risks.

As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.

(4 Comments)

Stupid way to make a credit card
by Mergatroid Mania April 14, 2008 4:14 PM PDT
I will never own one of these cards.

There would be no danger at all if these companies would just, plain and simple, not put RFID in credit cards to begin with.

I mean, just how stupid can they be? Just because you CAN do something, doesn't mean you SHOULD.

A credit card that is dangerous until you sheath it is just idiotic.

Now they will have to come out with laws making sure the companies explain to John Q Public Idiot just how the cards work, how and why it's important to sheath them, and just how much trouble you can get into if you don't.

Why not just come out with t-shirts with your credit card info printed on both sides? Then ANYONE LOOKING AT YOU could get your credit card info. That would be just about as safe as using RFID.

In closing, if I ran an insurance company, I would tell the credit card companies and their customers that they will not be covered if the data from these RFID cards is stolen.

Let the morons causing the problem pay for the consequences.

DUH!
Assumption
by Hernys April 14, 2008 9:23 PM PDT
You are making the assumption that this CAN'T be done right. And it can.
A card's RFID might be deactivated (that is, completely isolated from the exterior world) until you press a button or flip a switch (flat switches that can be embedded in cards have existed for a long time). The switch might be spring loaded so it only works while you hold it.
Or the card might have a PIN embedded, which you must enter for the card to respond at all. The card might even show info on the transaction before you accept.
Current magnetic stripe cards are not secure at all. Just swipe your card at a store and your card is theirs: they have all the info they need to impersonate you. Smart cards are the only known solution. They can be contact or contactless. Implemented well, both alternatives are fine.
Why not put an on-off switch
by califalcon April 17, 2008 12:10 PM PDT
Man, people never stop amazing me, just freaking allow the user to turn on/off their own RFID chip, that would solve a lot of trouble.

Did you know that you can even be targeted in foreign countries because of the chip in your passport? Someone could make a bomb that only goes off if it receives a signal from a US password RFID chip for example, 21st century smart bomb! Just sick, no way in hell I am carrying one of those, I'd rather be without documents.