Slashdot Mirror
Privacy Threat in New RFID Travel Cards?
DemolitionX9 writes to tell us ZDNet has an interesting article rehashing the problems with privacy in future RFID-equipped travel documents and ID. The piece focuses on a recent speech given by Jim Williams, director of the Department of Homeland Security's US-VISIT program. From the article: "Many of the privacy worries center on whether RFID tags--typically minuscule chips with an antenna a few inches long that can transmit a unique ID number--can be read from afar. If the range is a few inches, the privacy concerns are reduced. But at ranges of 30 feet, the tags could theoretically be read by hidden sensors alongside the road, in the mall or in the hands of criminals hoping to identify someone on the street by his or her ID number."
..think of how this will protect your FREEDOM! and LIBERTY!
Starsucks
...What is to stop someone from "accidentally" bumping into you with their scanner in their pocket?
I don't preview or spellcheck.
- Capture your data.
- Encode to my chip.
- Now I'm you, I can:
- Travel as you.
- Commit various offences as you
- Do whatever I want as you, and hell, the computer can't be wrong.
- (mandatory) PROFIT!
But I'm sure more devious plots will come to other people's minds...If you think imaginary property and real property are the same, when does your house become public domain?
Set off a Bomb when person id code 46465456456489715678984 walks by
There is off the shelf hardware that will allow you to read RFID tags (with varying levels of reliability) from ranges in excess of thirty feet. A collection of RFID tags produces a sort of constellation even if they are not unique. For instance, the guy who has the bottle of scope mouthwash, the bag of fritos flamin' hot, and the #2 philips screwdriver at this intersection is probably the same guy who has the same stuff at the next intersection. This allows you to positively track someone based on checkpoints, even without a unique RFID like your passport will be. Furthermore, even if some of the tags don't scan properly, the percentage similarity can be compared from point to point and you can get a fairly positive match anyway.
With Unique tags, then you don't need to go even that far, of course.
If you cannot imagine why this is a bad thing, then truly, you should read 1984.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
"Ground Beef a L'amerique".
Ingredients:
1 Terrorist.
1 RFID reader.
1 Pringles can.
1 Blasting cap.
1 Pound of boom-boom stuff.
Assemble recipe. Bake in broad daylight on side of road until American tour bus comes by.
And yes, some terrorist groups do have the capability to build custom electronics. You can see examples of IRA custom circuit boards in the Imperial War Museum, London.
How is this any different from someone stealing your passport now?
RTFA.
The 96 digit number would be a key into a database, which would "automatically display the cardholder's picture and other biographic information on the border agent's computer screen."
The agent sees the person who is using the card doesn't match the stored information, and hauls you in.
Finally, according to the TFA, "They're also exploring using a card that would have to be activated by the user, through a fingerprint or some other biometric method, before any information could be read remotely."
Unless the Feds are going to come up with an air-tight encryption scheme, this is a recipe for disaster. This isn't like the EZPass I have on my car, which is only linked to my account and determines if I have enough to pay the toll. These chips will potentially carry a lot of personal and very useful information, especially if you're a crook looking to use somebody's id to get across the border or to create fake identity documents for sale.
Frankly, this whole idea is mainly a panacea. If it works, the bad guys will simply sneak across the thousands of miles of undefended and unmonitored border we have in the US. Others will start turning innocent people into mules by swiping their identities and using them to get things across. Instead of making the borders of this nation more secure, the government is creating even more insidious ways for someone to come into this country. I think it's time to go back to the drawing board.
GetOuttaMySpace - The Anti-Social Network
Why not put a switch in the antenna's path? To use the card, you have to push a contact button to turn it on? That would stop passive scanning, right?
Weaselmancer
rediculous.
Mastercard and their PAYPASS cards? https://mbe2stl101.mastercard.net/hsm2stl101/publi c/login/ebusiness/mobile_commerce/paypass/index.js p/
Its RF also .. The range is about 2 inches... Im able to pull up to a gas pump, swipe my wallet next to the scanner and off im go. heres the documentation on their stuff https://mbe2stl101.mastercard.net/hsm2stl101/publi c/login/ebusiness/mobile_commerce/paypass/document ation/index.jsp/
-- I Dont Deserve A Sig I Have Bad Karma
Remember this gadget?
Who says there won't be a RFID-Sniper in the future?
Let's clear a few things up, because there is a little FUD here... IANAL, but I am in the RFID business for commercial use (inventory management and the like)
1. RDID tags come in a HUGE variety of types. You have to choose the right tag for the job. For example, is the item liquid? Is it metal? Is it a large crate? A small one? Etc. My guess is for a passport, the RFID tag would be a very short range (2-3" read type).
2. There are active (like those attached to your toll tags, or to large pallats & containers). These have batteries in them. A passport won't have a battery in it.
3. There are passive tags. These get charged by the antenna, that makes the circuit work. Think crystal radio here... same sort of concept. It charges the circuit, then the reader reads the tag.
4. The tags generally (although they can) carry only a serial or lookup number. NOT specific information. The more info, the more expensive the tag. Some newer tags CAN carry things (like product expiriation dates, inventory dates, etc.)
5. There are tags that can be both programmed and are read only. Depends on the type of tag. Both active and passive tags can do this. This means the reader can also program the tag.
6. Readers are NOT hard to get. It's a commerical device. However, in most cases, the reader is specific to the tag type. There are SOME standards coming out now with the gen2 tags, but they are not in wide deployment. The readers are NOT CHEAP.
So, here's my guess of what they would (or SHOULD) do:
--very short range passive tag (would require the passport to nearly touch the reader)
--Read only tag
--Tag would only contain some sort of authentication string that would be read, decrypted, and authenticated to see if passport is real.
--Tag would contain some sort of lookup string, which would be read, then queried on the backend systems to make sure the tag matches what's on the passport.
ALL this can be done with protection of privacy, IF DONE RIGHT! It's being done today, specifically in the pharma industry.
At defcon 2005 some guys set a record for reading passive tags at 69 feet. With pics :)
Your sig(k) has been stolen. There is a puff of smoke!
How is this any different from someone stealing your passport now?
Because it's not even necessary to steal your passport, it's not even necessary to touch it. You can walk past someone at 25 feet and copy it. If you have an ordinary passport and keep it in a safe place all the time you can be pretty sure no one takes it without you knowing and if they steal it, you might notice it's missing.
Besides, if the RFID card is designed to be readable at 25 feet, it's probably possible to do so at a much longer distance using special equipment.
This ability would make it well worth these RFID ids being mandated.
Or, as the pedophile official in DHS might say, "Think of the children, 'cause I sure do!"
Similar to the upcoming US election results