Defense in Depth

April 14, 2008 1:59 PM PDT

Researcher: Misunderstandings surround RFID in use today

by Robert Vamosi

When asked how RFID worked, a group of novices responded to a recent academic survey with "witchcraft" and "magic."

In a talk Monday at the USENIX Usability, Psychology and Security Conference (UPSEC) 2008 in San Francisco, Andrew McDiarmid of the University of California, Berkeley, shed light on how ordinary people perceive RFID-enabled cards in their day-to-day lives. He said that while novices and intermediates were familiar with times when RFID-enabled smart cards such as work access cards or transit cards didn't work, they couldn't explain why. Advanced users, on the other hand, knew enough to keep their RFID-enhanced credit cards sheathed in a mini "Faraday cage" so the cards could not be read by others.

Speaking before a room of about 45 fellow researchers, McDiarmid reported on exploratory research conducted in 2007 with Jennifer King, also at U.C. Berkeley. Based on feedback from this initial sample group, the two hope to open the survey to a much larger audience of novice, intermediate, and advanced users during 2008. They will also narrow the focus to two specific RFID-enhanced items: e-passports and contact-less credit cards.

Perhaps most surprising in the data was that all three groups assumed there would be audio or visual feedback. McDiarmid said that the use of contact-less credit cards is impersonal; often there is no confirmation of a transaction, such as the one you got when a clerk handed your card back at the end of a purchase. "Customers want feedback," he said.

Another misconception revealed by the survey is that cards can only be read by specific readers. That is not true, said McDiarmid. A contactless card answers any compatible reader brought within range, not just the one at the turnstile or the checkout. Thus, he wasn't too surprised that only two individuals in his survey group knew to sheath their contact-less credit cards.

In a paper released at the conference, McDiarmid and King expressed concern over how the government and commercial interests are assisting the typical end user with the new technology.

McDiarmid said on Monday that although the State Department provides a brochure describing the features of the ePassport, and companies like Visa offer videos describing the features of its PayWave contact-less credit cards, the general public still doesn't understand the basic concepts behind RFID, and therefore does not understand the inherent risks.

February 21, 2008 4:49 AM PST

The hands-free way to steal a credit card

by Robert Vamosi

Update on February 22, 2008, at 3:20 p.m PST: This blog has been updated to include a response from American Express.

WASHINGTON D.C.--Adam Laurie, an RFID security expert, used the Black Hat DC 2008 conference here to demonstrate a new Python script he's working on to read the contents of smart-chip-enabled credit cards.

As part of his presentation Wednesday, Laurie asked for someone from the audience to volunteer a smart card. Without taking the card out of the volunteer's wallet, Laurie both read and displayed its contents on the presentation screen--the person's name, account number, and expiration clearly visible.

Demonstrations like that show the potential misuse of RFID technology in the near future. Without touching someone, a thief could sniff the contents of an RFID-enabled credit card just in passing. The same is true for embedded RFID chips in the human body, work access badges, some public transit cards, and even the new passports in use in more than 45 countries.

As a disclaimer, Laurie said he spoke to American Express, the company that issued the volunteer's card. Laurie said that American Express told him: "We are comfortable with the security of our product." Laurie added that the company told him the number he displayed on the presentation screen was not the account number printed on the card, which Laurie proved by opening the wallet and comparing.

"The alias number on American Express' ExpressPay cannot be used for online transactions," said Molly Faust, American Express' Public Affairs representative, in an e-mail to CNET News.com. "ExpressPay has multiple security mechanisms. As the payment host, American Express would not verify/authorize an online transaction using just the alias account number. There are several other security mechanisms that would be required in order for payment authorization to take place."
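What Laurie's script displayed, and what American Express means by an alias number, comes down to how a contactless EMV card hands its data to a reader. The example below is added here to illustrate that; it is not Laurie's RFIDIOt code and not any issuer's software. A contactless EMV application answers a READ RECORD command with BER-TLV data, and the tags used here (57 for Track 2 equivalent data, 5A for the PAN, 5F20 for the cardholder name, 5F24 for the expiry date) are the standard EMV identifiers. The record is constructed from well-known test-card numbers and a made-up cardholder name, and the "printed" number used for the wallet comparison is likewise a made-up test value.

```python
"""Pull the human-readable fields out of a contactless EMV record.

Added example, not Laurie's RFIDIOt script or any issuer's code. The tags
(57, 5A, 5F20, 5F24) are standard EMV identifiers; the record itself is
constructed from test-card numbers and a made-up name.
"""
from __future__ import annotations
from dataclasses import dataclass

TAG_NAMES = {                       # standard EMV tag dictionary (subset)
    0x57: "Track 2 Equivalent Data",
    0x5A: "Application PAN",
    0x5F20: "Cardholder Name",
    0x5F24: "Application Expiration Date",
}

# Constructed READ RECORD response: a 0x70 template holding the four
# fields above, followed by the 90 00 success status word.
SAMPLE_RESPONSE = bytes.fromhex(
    "70 2F"
    "5A 08 41 11 11 11 11 11 11 11"              # PAN 4111 1111 1111 1111 (test number)
    "5F 24 03 12 12 31"                          # expires 2012-12-31
    "5F 20 09 43 41 52 44 2F 54 45 53 54"        # "CARD/TEST" (made-up name)
    "57 11 41 11 11 11 11 11 11 11 D1 21 22 01"  # track 2: PAN 'D' YYMM service code ...
    "00 00 00 00 00"
    "90 00"
)


def strip_status(response: bytes) -> bytes:
    """Check the trailing status word and return just the data bytes."""
    sw = response[-2:]
    if sw != b"\x90\x00":
        raise ValueError(f"card returned error status {sw.hex()}")
    return response[:-2]


def parse_tlv(data: bytes) -> list[tuple[int, bytes]]:
    """Decode BER-TLV into (tag, value) pairs, flattening constructed tags."""
    out: list[tuple[int, bytes]] = []
    i = 0
    while i < len(data):
        if data[i] in (0x00, 0xFF):          # inter-object padding
            i += 1
            continue
        first = data[i]
        tag = first
        i += 1
        if first & 0x1F == 0x1F:             # multi-byte tag
            while True:
                tag = (tag << 8) | data[i]
                i += 1
                if not data[i - 1] & 0x80:
                    break
        length = data[i]
        i += 1
        if length & 0x80:                    # long-form length
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        if len(value) != length:
            raise ValueError("truncated TLV")
        i += length
        if first & 0x20:                     # constructed: descend
            out.extend(parse_tlv(value))
        else:
            out.append((tag, value))
    return out


def decode_track2(value: bytes) -> dict[str, str]:
    """Track 2 equivalent: PAN, 'D' separator, YYMM expiry, service code."""
    digits = value.hex().upper().rstrip("F")
    pan, _, rest = digits.partition("D")
    return {"pan": pan, "expiry": rest[:4], "service_code": rest[4:7]}


def luhn_ok(pan: str) -> bool:
    """Mod-10 check that every real PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class CardSummary:
    name: str
    pan: str
    expiry: str   # YYMM


def summarize(response: bytes) -> CardSummary:
    """What a reader can display after one READ RECORD through a wallet."""
    fields = dict(parse_tlv(strip_status(response)))
    t2 = decode_track2(fields[0x57]) if 0x57 in fields else {}
    pan = (fields[0x5A].hex().upper().rstrip("F") if 0x5A in fields
           else t2.get("pan", ""))
    expiry = (fields[0x5F24].hex()[:4] if 0x5F24 in fields
              else t2.get("expiry", ""))
    name = fields.get(0x5F20, b"").decode("ascii", "replace").strip()
    if pan and not luhn_ok(pan):
        raise ValueError("PAN fails Luhn check; misparsed record?")
    return CardSummary(name=name, pan=pan, expiry=expiry)


def same_account(card_pan: str, printed_pan: str) -> bool:
    """Laurie's wallet comparison: is the over-the-air number the embossed one?"""
    return card_pan == printed_pan.replace(" ", "")


if __name__ == "__main__":
    card = summarize(SAMPLE_RESPONSE)
    print(card)
    # The embossed number here is a separate, made-up test value: on a card
    # that uses an alias PAN for the contactless interface the two differ.
    print("same account as printed:", same_account(card.pan, "4012 8888 8888 1881"))
```

The Luhn check in summarize() is the practitioner's sanity test: if the number pulled from the record fails mod-10, the parser has probably picked up the wrong tag or mis-stripped padding. Note that an alias PAN passes Luhn too, so that check alone cannot tell you whether what you read is the embossed number; only the wallet comparison does.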

The credit card industry has argued that use of the RFID-enabled cards will save customers time when processing payments.

An extreme example can be found in Spain. Laurie said a public beach there encourages visitors to have RFID tags injected into their bodies. The point? Merchants along the beach scan your wrist to obtain a unique ID from which they can debit your account. The advantage? You won't have to go to the beach with your wallet, which might get stolen.

Laurie, who has an injected RFID tag, showed how easy it was not only to read the tag but also to rewrite it. During his demo, he used the coding sequence reserved for animal tagging to have his RFID chip declare him an animal.

On his RFIDiot Web site, Laurie offers the Python scripts free of charge and also sells the hardware necessary to read and write to RFID tags and cards.
