Is RFID Really That Scary?

← Back to Stories (view on slashdot.org)

Posted by timothy on Thursday August 19, 2010 @06:54AM from the relaaaaaax-citizen dept.

tcd004 writes "Defcon participant Chris Paget demonstrated his ability to capture RFID data from people hundreds of feet away for the PBS NewsHour. Paget went through the regular laundry list of security concerns over RFID: people can be tracked, their information accessed, their identities comprimised. Not so fast, says Mark Roberti of RFID Journal. Mark challenges Paget to point to a single instance where RFID was successfully used for nefarious purposes. The signals are too weak and the data is too obscure, according to Roberti. So who is right? Has RFID yet lead to a single instance of identity theft, illegal monitoring, or other security compromise?"

265 of 338 comments (clear)

Min score:

Reason:

Sort:

Yes and no by autocracy · 2010-08-19 06:58 · Score: 4, Interesting

Tracking one person around a city with RFID would be a nuisance. You'd need multiple points, signal quality would vary wildly, it'd be painful in a way.
Opposingly, you can get a lot of aggregate data in a semi-closed system. I remember once at a public event I was covering (wearing my journalism hat for a moment) that I thought, "I wish I had an RFID system handy. I could identify all the University students in a moment -- I bet you not a one doesn't have their RFID card on them."
Tracking could be efficiently done in a system such as a mall or subway with exit monitoring.

--
SIG: HUP
1. Re:Yes and no by morari · 2010-08-19 07:02 · Score: 5, Insightful
  
  My bank switched their debit cards over to ones with "PayWave". It's an RFID chip that allows me to just magically wave my card around in the air and pay for stuff at the checkout line. I immediately bought an RFID blocking wallet. I'm a lot more concerned about being tracked by the stores and the bank, being marketed to by telescreens on the sidewalk, etc. than I am about cyber-thieves.
  
  --
  "He who can destroy a thing, controls a thing." --Paul Atreides, Dune
2. Re:Yes and no by CyberLord+Seven · 2010-08-19 07:03 · Score: 4, Informative
  
  It seems to me you are assuming that the RFID is the only method being used to track someone. I don't track people but it seems trivial to me that a device that identifies a single person out of a mob would be extremely useful.
  Instead of setting my head on a swivel and looking around suspiciously I need only keep my gaze directed at my open book (hiding my tracking device) while I walk around keeping track of my subject.
  Yes, alone, the device is useless; however, people in the business might find plenty of uses for it that you and I cannot imagine.
  
  --
  We have always been at war with Eurasia!
3. Re:Yes and no by oodaloop · 2010-08-19 07:07 · Score: 1
  
  I was thinking of the Starbucks next door. Probably hundreds of defense contractors with their access badges walk through there every day, probably more than a few with their RFID passports and other IDs too.
  
  --
  Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
4. Re:Yes and no by pdboddy · 2010-08-19 07:07 · Score: 1
  
  You are tracked by your bank and CC company every time you use your card anyways.
  
  Being spammed by advertising, that's a more legitimate concern in my eyes.
  
  --
  Julie Moult is an idiot.
5. Re:Yes and no by Dancindan84 · 2010-08-19 07:13 · Score: 1
  
  Because reading a book while you walk through a crowd is less suspicious than looking around while walking through a crowd?
  
  --
  "Always forgive your enemies; nothing annoys them so much." - Oscar Wilde
6. Re:Yes and no by sjames · 2010-08-19 07:17 · Score: 4, Funny
  
  Wow. If we thought butt dialing was a problem, just wait until butt-buying starts.
  In soviet america, ass bankrupts you!
7. Re:Yes and no by MozeeToby · 2010-08-19 07:19 · Score: 1
  
  If you can feel where the RFID chip is in the card you can crush it (assuming it is the only chip that your card has of course). I've done this accidentally with my ID card at work, a simple pair of pliers should do the trick and you'll never have to worry about it again.
8. Re:Yes and no by Gazoogleheimer · 2010-08-19 07:20 · Score: 2, Funny
  
  at my dormitory, my absolute favorite way to open the locked door (magnetic strike) controlled by a RFID reader is to open the door with my ass.
9. Re:Yes and no by KiloByte · 2010-08-19 07:25 · Score: 1
  
  These days, it will be a smartphone.
  
  --
  The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
10. Re:Yes and no by Critical+Facilities · 2010-08-19 07:36 · Score: 1
  
  at my dormitory, my absolute favorite way to open the locked door (magnetic strike) controlled by a RFID reader is to open the door with my ass
  So nice to see the fruit of higher education.
11. Re:Yes and no by veganboyjosh · 2010-08-19 07:40 · Score: 2, Interesting
  
  I keep seeing this argument being brought up, in all kinds of contexts. (Facebook targeted ads, web history, etc.) I think one of the major turnoffs for me about mass market advertisiing is that it's so off base as to be annoying. I'm not in the market for a car, so to be subjected to ads for cars while I watch tv is a waste of my time. I don't eat at fast food restaurants, so billboards for big macs are just a scourge on the landscape. If the billboard was advertising something I was interested in, then I believe I might find it less intrusive and less annoying. When I do see ads for music, movies, etc, that I'm interested in, I truly do look forward to seeing new ads from these companies.
12. Re:Yes and no by Monkeedude1212 · 2010-08-19 07:44 · Score: 1
  
  I heard that once RFID's are in place, the only things that need to upgrade are the actual reading technology, not the signal emission. The RFID itself doesn't need to broadcast any further than a couple meters - its the scanners who pick up the stuff that need improving.
  So - right now, we have those issues with signal quality and and obscurity - but thats only going to improve. Would you want to adopt this kind of technology solely on how its going to be used now or are people going to start thinking long term and consider the ramifactions of this a few years down the road.
13. Re:Yes and no by bmw · 2010-08-19 07:47 · Score: 2, Funny
  
  Pelvic thrust is the way to go.
14. Re:Yes and no by men0s · 2010-08-19 07:47 · Score: 1
  
  It also depends what data is contained on the card. Suppose all that it held was a student number. Well, that's fine and dandy and I suppose you could create fake student IDs to get discount software, check out books at the library, and take advantage of other Uni perks. But - of course - that means you'd be committing identity theft.
  
  For example, the State of Michigan started issuing enhanced drivers licenses with an RFID chip in them to allow passport-free travel between the US and other WHTI countries. Supposedly, the only thing on them is a unique key. So if you want to walk around Detroit with an RFID reader and "track" people, good luck: the only thing you're tracking is the unique keys. You'd need access to whatever database in order to tie that unique key to a specific person.
  
  I'm not saying that identity theft wouldn't happen - it would - just that you'd have no idea who you were trying to impersonate and that spoofing a drivers license has a whole lot of potential for misuse than some college kid's ID.
15. Re:Yes and no by Anonymous Coward · 2010-08-19 07:50 · Score: 3, Funny
  
  ...ass bankrupts you!
  The anthem of divorced men everywhere.
16. Re:Yes and no by Volante3192 · 2010-08-19 07:50 · Score: 1
  
  These days people NOT looking at smartphones constantly are the suspicious ones
17. Re:Yes and no by DriveDog · 2010-08-19 07:51 · Score: 1
  
  Nuisance for an individual, not for a large organization, especially when combined with other data (from streetside cameras, license plate-scanning squad cars - elsagnorthamerica.net, etc).
18. Re:Yes and no by camperslo · 2010-08-19 07:51 · Score: 1
  
  Tracking one person around a city with RFID would be a nuisance.
  For people driving, it could be pretty automatic using the RFIDs in your tires. They have all had them for some time now. It doesn't seem like it'd be that hard to add the ability to read those through the sensor systems that input into traffic-light controllers.
  There are already places using RFID to allow prepaid drivers through highway toll-gates.
  Integration with your cell, On-Star system, and facial/plate recognition through traffic cams at no extra charge.
  Speaking of exit monitoring... That sweater you bought has an RFID chip the size of a grain of sand, and a thread for an antenna. Thanks your using your shopping bonus buy loyalty membership card. Did the flu shot hurt a little more than usual? Gotta chip on your shoulder? Not exactly, but you're getting warm...
  Thank you for shopping with us, and enjoying the milk. Our cows trust us with our oxytocin linked hormones, and so will you...
  Yes, there seem to be medications getting into the water supply, but don't worry, we've optimized them. When you get your new remotely read digital water meter, we'll be able to optimize by address.
  Thank you for putting on that tin-foil hat, we've found the resonant frequency and it helps us track you... by detecting incidental phase modulation of microwave signals reflected from it, we can hear what you hear.
  Please get that TV/monitor with 240 Hz refresh. It's so much better for flashing subliminal messages... uhhh I mean WoW explosions and digital artifacts.
  Don't worry... none of this is real. It's all a dream. Unfortunately that means you aren't real either. Oh well... you can wake up now
19. Re:Yes and no by The_Wilschon · 2010-08-19 07:55 · Score: 1
  
  You could set up a directional RFID scanner, and set it rotating, then get a radar like display for direction, distance (delay), and strength of the echoes. Shouldn't be too difficult to do, really.
  
  --
  SIGSEGV caught, terminating
  
  wait... not that kind of sig.
20. Re:Yes and no by i.r.id10t · 2010-08-19 07:56 · Score: 4, Funny
  
  But *only* after a jump to the left and a step to the right
  
  --
  Don't blame me, I voted for Kodos
21. Re:Yes and no by MozeeToby · 2010-08-19 07:58 · Score: 4, Insightful
  
  It's hardly vendors that I would be concerned about. Given the increase in skimmers for magnetic readers at ATMs and cash registers how long do you really think before the concept spreads to RFID skimmers?
22. Re:Yes and no by nabsltd · 2010-08-19 07:58 · Score: 4, Insightful
  
  I think one of the major turnoffs for me about mass market advertisiing is that it's so off base as to be annoying. I'm not in the market for a car, so to be subjected to ads for cars while I watch tv is a waste of my time.
  And targeted ads are even more annoying, because they still don't get it right.
  I was in the market for a car and did my research and bought one a week ago. But, I expect that "targeted" ads for cars will keep hitting my monitor and mailbox for at least the next six months, and I expect many of them will be for classes of vehicles that weren't anything I would ever consider.
  Two years ago these ads would have been a minor bother, and 2-12 months ago they might have been helpful, but for the next 5-10 years they'll be both wasteful and a major annoyance.
23. Re:Yes and no by HungryHobo · 2010-08-19 07:59 · Score: 1
  
  In reality unless you're an actual government agent this isn't an issue.
  have a cell phone?
  Well anyone with enough clout to ask the cell company for it's logs can track you easily.
  A student at the local uni disappeared, the phone logs revealed that the last known position of his phone was a bridge in the city popular for suicides.
24. Re:Yes and no by tophermeyer · 2010-08-19 07:59 · Score: 1
  
  So if you want to walk around Detroit with an RFID reader and "track" people, good luck: the only thing you're tracking is the unique keys. You'd need access to whatever database in order to tie that unique key to a specific person.
  Assuming everyone only carried a drivers license, that would be great!. Unfortunately a lot of people will also be carrying credit cards (some with RFID), and maybe an RFID equipped passport.
  Plus with a little bit of social engineering you could very easily get someone's name or other less secure personal information while scanning their unique key.
  Putting RFID tech into state issued ID's seems like a dangerous idea. If a CC holder wants one with an RFID chip to make their purchasing simpler than they should feel free. Setting up a system where everyone has a unique identifier that is available to anyone nearby just seems dangerous.
25. Re:Yes and no by debile · 2010-08-19 08:02 · Score: 1
  
  The problem will be that for security systems you're gonna be the "guy that doesn't have a chip" and you will get much more attention that regular people.
  Just like we associate drug dealer with someone that would pay a laptop cash for when it's perfectly legal and you could have legitimate reasons to do so.
26. Re:Yes and no by dkleinsc · 2010-08-19 08:02 · Score: 1
  
  Forget the being tracked, how about someone waving something in your general direction and having it automatically pay for their stuff instead of your stuff?
  In general, though, I'm considering the source. Do you think a guy writing for RFID Journal would state that RFID is a dangerous tool that should never be used for personally identifying information? This seems to be a case of Sinclair's Law: "It is difficult for a man to believe something when his salary depends on not believing it."
  
  --
  I am officially gone from /. Long live http://www.soylentnews.com/
27. Re:Yes and no by rwa2 · 2010-08-19 08:03 · Score: 2, Informative
  
  DC metro turnstiles went smartcard + RFID a few years back. It's actually pretty nice to be able to open the gates by sidling up to the sensor while your arms are full.
  All the same, I keep a traditional disposable magstripe card that I bought with cash in my wallet, in case I need to go somewhere without being tracked. Haven't really used it yet other than for guests, but I'm sure someday I'll be trying to dispose of a body and I'll curse it for not being able to use the ass trick.
28. Re:Yes and no by HungryHobo · 2010-08-19 08:03 · Score: 1
  
  Please elaborate, I was under the impression that a signal simply powers the card and induces a response from the card.
  No processing or challenge response unless it's a really expensive card.
  In which case anyone walking past you could read the card without you knowing.
29. Re:Yes and no by AndrewNeo · 2010-08-19 08:11 · Score: 1
  
  Bah. Left cheek, right cheek!
30. Re:Yes and no by ffreeloader · 2010-08-19 08:14 · Score: 4, Insightful
  
  Being tracked when you use your card, because that is required just because you used it, and being tracked just because you walked past a checkout counter are two separate and distinct things.
  
  --
  "while democracy seeks equality in liberty, socialism seeks equality in restraint and servitude." de Tocqueville
31. Re:Yes and no by suomynonAyletamitlU · 2010-08-19 08:15 · Score: 1
  
  I did the same. And since I was playing D&D a lot at the time, I called it a "Buttch attack"--you don't have to do any damage, just touch the target with your butt.
  My roommate gave me funny looks over it, though. Moreso after he learned of the name.
32. Re:Yes and no by fedos · 2010-08-19 08:18 · Score: 1
  
  I would love targeted ads that are based on my past buying habits. Unfortunately, Borders sends my ads for romance novels and CVS gives me coupons for lipstick; I don't buy these products. I have a loyalty card with both these stores and they're tracking my transactions, why don't they put that data to use send send me coupons and deals for stuff that I would buy?
33. Re:Yes and no by thepotoo · 2010-08-19 08:21 · Score: 3, Funny
  
  I immediately bought an RFID blocking wallet.
  
  You mean you lined it with tinfoil? Yeah, me too. I've also got a stylish hat and matching suit made of the same material. The underwear is a little itchy at times, but you'll get used to it.
  
  --
  Obligatory Soundbite Catchphrase
34. Re:Yes and no by alvinrod · 2010-08-19 08:23 · Score: 2, Insightful
  
  You don't even need tracking to do something nefarious. You could easily gather RFID information about people congregating in a certain area, say a political protest. Now you've got a computer creating a dossier on you because you may be some kind of radical seeking to bring down the government. A government like China could easily use a system like this to track dissidents. They don't even need to have anyone physically monitoring the people. Just find out where they meet and start grabbing information on anyone who comes to the site.
  
  You could also determine when a group of people are not around their home and use this information to decide when to rob their house. If all of the residents and their nearest neighbors have all been scanned at movie theaters, clubs, or restaurants in the last half hour you could break-in with the expectation that no one would be around to catch you in the act for a certain period of time.
  
  There are plenty of other creative abuse cases for RFID other than tracking.
35. Re:Yes and no by pnewhook · 2010-08-19 08:23 · Score: 1
  
  So RFID presents a no different security threat than magnetic stripe.. Someone can always duplicate your card if you let them have it, or are not watching.
  
  --
  Tesla was a genius. Edison however was a overrated hack who liked to torture puppies.
36. Re:Yes and no by breakfastpirate · 2010-08-19 08:25 · Score: 1
  
  Chicago uses a very similar system. I'm really glad I'm not the only person who does a running jump slamming my ass on the RFID reader to unlock the turnstile...
37. Re:Yes and no by jijacob · 2010-08-19 08:26 · Score: 1
  
  Amazon does this. I can't count the number of times I've done research and bought something, and then the next day received targeted advertising by Amazon to my email. Funny thing is it doesn't bother me terribly much since I am usually interested in hearing what Amazon recommends (when it is something I'm actually interested enough in to buy).
38. Re:Yes and no by MozeeToby · 2010-08-19 08:35 · Score: 2, Informative
  
  You actually have to pull your card through a magnetic strip skimmer in order for it to work and even a cursory glance can generally spot them. An RFID skimmer on the other hand can be out of sight, even inside the actual reader itself if there is enough room.
39. Re:Yes and no by blueZ3 · 2010-08-19 08:41 · Score: 4, Insightful
  
  I think you're making a mistaken assumption that ads are intended to drive you to make an immediate purchase. While that's one reason they're aired, another is brand recognition and familiarity. If you happen to be in the market for a car three years from now, it's likely that at least some of what those car companies have communicated in their ads will stick with you.
  This is especially true for less-well-known brands. Compare a Toyota ad ("We're having a sale this weekend") to a Hyundai ad ("Our cars are reliable and have feature x). Toyota expects you to already know and recognize the value of a Toyota, they're trying to get you into the showroom now, now! NOW! As a relative newcomer, Hyundai is working to get you comfortable enough to consider their car.
  
  --
  Interested in a Flash-based MAME front end? Visit mame.danzbb.com
40. Re:Yes and no by Sigmon · 2010-08-19 08:41 · Score: 4, Funny
  
  But do you have to put your hands on your hips?
41. Re:Yes and no by SnarfQuest · 2010-08-19 08:47 · Score: 1
  
  It's an RFID chip that allows me to just magically wave my card around in the air and pay for stuff at the checkout line.
  What's to prevent someone from setting up a hotspot in a park that will charge people who just happen to walk by? You may only get away with it for a day, but in a city like New York, you could rake in huge $$'s before running to a foreign country.
  
  --
  Who would win this election: Andrew Weiner vs Andrew Weiner's weiner.
42. Re:Yes and no by Caerdwyn · 2010-08-19 08:58 · Score: 1
  
  I Why don't they put that data to use send send me coupons and deals for stuff that I would buy?
  Because you're already buying it, without coupons. Why would they discount something you're already paying full price for?
  
  --
  Everybody gets what the majority deserves.
43. Re:Yes and no by vadim_t · 2010-08-19 09:06 · Score: 3, Interesting
  
  Are you sure?
  The problem with targeted ads is that they can be creepy, inappropiate and unaware of context.
  For example, imagine you're walking on the street with your friend/boss/old fashined grandmother. Suppose you're into manga/anime. Would you want a billboard to switch to an ad for Miyuki-chan in Wonderland due to your past purchase of the Chobits manga?
  There are lots of things for which you'd really hate to see a targeted billboard ad for in the presence of the wrong people, or any people at all. Just for instance: certain kinds of anime/manga (or anime/manga at all, if you're unlucky to be stuck with people convinced that it's all tentacle porn), hygiene products (buy our incontienence pads!), the wrong kinds of magazines or games, music by an artist you'd rather people not know you listen to, and so on.
  Be careful with what you wish for. There is no guarantee the advertiser will make any effort not to display anything that could be embarrassing, and even if they try there's no guarantee that they'll succeed. I got a few rather odd recommendations from Amazon and am rather glad they don't pop up on the street at just the wrong moment.
44. Re:Yes and no by camperslo · 2010-08-19 09:07 · Score: 1
  
  You could also determine when a group of people are not around their home and use this information to decide when to rob their house.
  They can also sniff media access control (MAC) addresses to target the most popular premium laptops.
45. Re:Yes and no by sconeu · 2010-08-19 09:25 · Score: 1
  
  Yeah, it'll really drive you insane.
  
  --
  General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
46. Re:Yes and no by Quiet_Desperation · 2010-08-19 09:26 · Score: 1
  
  In soviet america, ass bankrupts you!
  Er... implying that somewhere (Soviet Russia?) you bankrupt your ass?
  I really don't want to know, do I?
47. Re:Yes and no by pokraka · 2010-08-19 09:28 · Score: 2, Informative
  
  Tracking could be efficiently done in a system such as a mall or subway with exit monitoring.
  That's already the case in Brussels public transport. We have to use RFID cards to check in before stepping in a bus, tramway or metro, and the STIB/MIVB (the Brussels public transport service) said they could handle the date to the police if they wanted to know where some people was at a certain time.
48. Re:Yes and no by autocracy · 2010-08-19 09:36 · Score: 1
  
  Not making that assumption at all. In my post, I pointed out that I could identify students from a local college based on the card's code (they all have the same prefix).
  Feeling like taking an overly keen interest in whether your employees are at a particular protest? Same technique...
  
  --
  SIG: HUP
49. Re:Yes and no by Anonymous Coward · 2010-08-19 09:38 · Score: 2, Insightful
  
  No, it works like that in regular America, too.
  Hot pieces of ass bankrupt people all the time.
50. Re:Yes and no by sjames · 2010-08-19 10:01 · Score: 1
  
  People with a drug habit often let it bankrupt their ass.
51. Re:Yes and no by HungryHobo · 2010-08-19 10:10 · Score: 1
  
  I was under the impression that cheap passive RFID chips were completely incapable of any kind of encryption and only more expensive ones on the order of 20 times the price could handle even rudimentary encryption never mind anything really solid like private key crypto.
  You could probably fit a reasonably small RFID reader in a backback, ever paid any attention to someone brushing past you with a backpack?
  Several seconds? Even the door swipes in the library take a fraction of a second to scan.
52. Re:Yes and no by Americano · 2010-08-19 10:22 · Score: 2, Funny
  
  Maybe they're trying to tell you something, and you should listen - a little color and shape to your lips might just be what you've been missing. :)
53. Re:Yes and no by 7-Vodka · 2010-08-19 10:48 · Score: 3, Insightful
  
  How fucking stupid are you?
  You're implying that you would like to see ads for things you are interested in. Well fucking wake up mate. There are lies, damn lies and then there are advertisements. Whatever useful information contained in an ad is completely outweighed by the bogus fucking lies they will tell you with the intent on selling you. And if that's not enough, they're obviously going to leave out anything that would encourage you to not buy their shit.
  Worst of all, have you ever even watched an ad? If any ads were reality, then chosing the right toothpaste would make you FUCKING HAPPY AS BLISS and using the right condom would get you laid by a supermodel and drinking the right liquor would make you a million dollars.
  Seriously, if you are clueless enough to ever even contemplate that you might benefit or enjoy watching an ad; you're already sold mate.
  
  --
  Liberty.
54. Re:Yes and no by rhook · 2010-08-19 10:50 · Score: 3, Informative
  
  No it is not, your RFID equipped credit card could be skimmed when you simply walk by a hidden reader. I wouldn't be hard for someone to walk around a city with a RFID skimmer in their backpack and read cards all day long. If you read the title you'd know that you can do this from over 100 feet away.
55. Re:Yes and no by P0ltergeist333 · 2010-08-19 10:57 · Score: 1
  
  Tracking one person around a city with RFID would be a nuisance. You'd need multiple points, signal quality would vary wildly, it'd be painful in a way.
  My problem with the whole concept of: "They're secure now," is that technology often makes leaps. Especially when such a system becomes more widespread and people have more reason to develop, for example, a long distance surreptitious reader. What's painful and impractical today very well might not be so tomorrow. How many systems have seemed secure in a controlled environment and then get cracked shortly after release into the wild?
  
  --
  One of these days I'm going to cut you into little pieces. - PF
56. Re:Yes and no by Anonymous Coward · 2010-08-19 11:01 · Score: 1, Informative
  
  Regardless, you need to have the card less than 4 inches away from the reader and held there for several seconds to read it.
  ""Defcon participant Chris Paget demonstrated his ability to capture RFID data from people hundreds of feet away for the PBS NewsHour."
  Maybe the readers that are in common use have a limited range of 4 inches. But that doesn't mean the 'bad guys' equipment won't be better.
57. Re:Yes and no by dr2chase · 2010-08-19 11:15 · Score: 3, Funny
  
  Clearly, the plan is to link an advertising identity for most-embarrassing stuff to an RFID chip, and then surreptitiously tag people with that RFID tag.
58. Re:Yes and no by cj_nologic · 2010-08-19 12:03 · Score: 1
  
  You are tracked by your bank and CC company every time you use your card anyways.
  That's acceptable - you want your bank to check it is you using your card, not someone else, right? The bigger issue is being tracked when you are not using your card ...
59. Re:Yes and no by dgatwood · 2010-08-19 12:04 · Score: 1
  
  So if you want to walk around Detroit with an RFID reader and "track" people, good luck: the only thing you're tracking is the unique keys. You'd need access to whatever database in order to tie that unique key to a specific person.
  Fundamental flaw in your logic: you assume that the person doing the tracking does not already know who they are tracking. Consider a private investigator finds the person that they are trying to follow. The investigator already knows who the person is, and merely needs to walk near that person to obtain the RFID token. At that point, the investigator can use that token to uniquely track that person all around Detroit.
  Not all identity theft is untargeted.
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
60. Re:Yes and no by Anonymous Coward · 2010-08-19 12:08 · Score: 1, Informative
  
  Disclaimer: I used to work in the RFID card payment industry
  RFID skimmers have been around and demonstrated for over a decade. They're now cheap and unobtrusive, and are being used by crooks world-wide. The scary thing about RFID skimmers is that they can use a really tiny repeater station which communicates with a higher powered device hidden safely away at a distance. There's nothing to detect, as it's the target machine that activates the antenna and facilitates the broadcast of data; this profile isn't going to change when the skimmer is placed nearby, and the skimmer is totally passive.
61. Re:Yes and no by apoc.famine · 2010-08-19 12:25 · Score: 1
  
  I was wondering reading this if it would be possible to build an RFID repeater in a wallet. You go to pay, kick on your repeater, and see if you can pick up any chips from outside the 6" or whatever the normal radius they read from is. If anyone else in line behind or on either side of you has an unshielded chip, bam, they just paid for you.
  
  --
  Velociraptor = Distiraptor / Timeraptor
62. Re:Yes and no by hedwards · 2010-08-19 12:27 · Score: 2, Interesting
  
  That's true, however it's not anywhere near as strong an effect as it used to be. The web has done wonders for democratizing marketing. While you don't know who it is that's writing anything, it's a lot harder for companies to hide poor quality when anybody can write a review, and you can typically get a pretty decent idea of the general situation from the various subject specific fora out there.
  
  The ad might get them a bit of mindshare, but if they haven't created some brand loyalty amongst owners they can really quickly run out of word of mount advertising.
63. Re:Yes and no by hedwards · 2010-08-19 12:31 · Score: 2, Informative
  
  That's a solid point. My credit union has its ATMs designed so that it's a bit of a challenge to slip a skimmer onto them. Basically the slot isn't straight across like they used to be. It's got a curved bit of translucent plastic. Makes it a bit more of a challenge to attach a skimmer without making it really obvious. Now with RFID, they could place the device near the slot, but would likely be able to better camouflage it than at present.
64. Re:Yes and no by owlstead · 2010-08-19 12:58 · Score: 1
  
  What, I don't benefit to see an ad: Whiskey: 25% off? And should not enjoy the add where a guy is trying to get a discount for a holiday standing right at the counter of the hotel?
  Most of it is bunk. Most advertising is annoying. Generalizing that every commercial is bogus and irritating is a gross overstatement.
65. Re:Yes and no by rwa2 · 2010-08-19 13:31 · Score: 1
  
  Heh, no, I just use the handicapped turnstile, which is mounted on the side rather than the top and is actually a bit below waist level. So while you probably look awesome doing a power slide over the top, we're all bent down over our knees grinding our buttocks over the smart reader's erogenous zone until the extra wide orange appendages part for us.
66. Re:Yes and no by TheLink · 2010-08-19 15:34 · Score: 1
  
  > For example, imagine you're walking on the street with your friend/boss/old fashined grandmother.
  > Would you want a billboard to switch to an ad for Miyuki-chan in Wonderland due to your past purchase of the Chobits manga?
  
  Doubt that particular scenario would be a problem. Given that the ad would be "Safe for Public", Grandma might even think the ad is for her e.g. trying to get her to buy some cartoon for her grandchildren...
  
  Old fashioned grandma might even make a comment comparing the ad artwork with the good old "Walt Disney" stuff.
  --
  
  Too many replies beneath your current threshold
67. Re:Yes and no by LBt1st · 2010-08-19 16:37 · Score: 1
  
  I drilled a hole through mine. Makes less of a mess of the card when your done :)
68. Re:Yes and no by vadim_t · 2010-08-19 16:57 · Score: 2, Interesting
  
  You can find a perfectly PG ad that would have embarrassing implications to any observers quite easily.
  For instance, with anime:
  If you try to project an image of being a cultured man, you probably don't want billboards suggest you would be interested in gory things like Elfen Lied, Fist of the North Star or Ninja Scroll.
  If to your friends you try to appear like a "real man", you probably won't like seeing an ad for things like Ponyo and Chi's Sweet Home.
  If you know crazy religious people of the kind that have an issue with Harry Potter because it's "witchcraft", ads for Slayers or Fullmetal Alchemist could be a problem.
  Perhaps you'd rather not admit to being a huge fan of Dragon Ball Z who collects all available material on it.
  And so on. Particularly in the realm of music and movies there's hardly anything guaranteed to be safe. To some people, knowing you like anime by Studio Ghibli just implies you like watching the classics. To others it means you're a creepy nerd who's failed to grow up and still watches kids' cartoons.
69. Re:Yes and no by theshowmecanuck · 2010-08-19 17:30 · Score: 2, Interesting
  
  The gist of the naysayer in the article is that it is better to close the gate AFTER the horses get out than before. Typical human behaviour that has existed since time immemorial.
  
  --
  -- I ignore anonymous replies to my comments and postings.
70. Re:Yes and no by dave420 · 2010-08-19 22:50 · Score: 1
  
  "Would buy" != "Already buy".
71. Re:Yes and no by vampyretech · 2010-08-20 00:58 · Score: 1
  
  Yes you do. While you bring your knees in tight.
72. Re:Yes and no by Gkeeper80 · 2010-08-20 01:03 · Score: 1
  
  Unfortunately, when you need it you'll find that the weak magstipe has been erased and that you have to buy a whole new card anyway.
  At least that's what's happenes to me over and over again. Not sure if it's the contact with credit cards or the fact that I keep my RFID office key in there too and everything in my wallet gets a dose of RF when I unlock the door.
  Either way, I end up with a stack of unusable cards that I eventually have to go out of my way to bring to Metro Center, where they won't let you exchange more than 3 cards at a time and refuse to give you change (their replacement cards only come in $1, $3 & $5 denominations).
  Metro wins again
73. Re:Yes and no by pnewhook · 2010-08-20 01:07 · Score: 1
  
  o it is not, your RFID equipped credit card could be skimmed when you simply walk by a hidden reader.
  Even if they could what would they get? It's encrypted and requires a challenge response..
  
  If you read the title you'd know that you can do this from over 100 feet away.
  If you actually looked at the article you'd see the antenna he used was about 8 feet long and required a lot of transmit power to do this. Hardly able to fit ion a backpack.
  
  --
  Tesla was a genius. Edison however was a overrated hack who liked to torture puppies.
74. Re:Yes and no by pnewhook · 2010-08-20 01:08 · Score: 1
  
  What data did he get? Was it useful? Could it in any way be used to identify the person or purchase merchandise? I think not.
  
  --
  Tesla was a genius. Edison however was a overrated hack who liked to torture puppies.
75. Re:Yes and no by KlaymenDK · 2010-08-20 02:10 · Score: 1
  
  Well, yes, brand recognition. But they're going about it wrong. At least around here, ads are of the amazingly annoying variety, so any brand recognition would end up manifesting itself as "oh yeah, Brand X, that's them with those annoying ads. What else you got that does the same thing?".
  
  --
  "Good news, everyone!"
76. Re:Yes and no by morari · 2010-08-20 02:58 · Score: 1
  
  It is true, and the exact reason that I do largely use cash. My paycheck itself is direct deposited however, so I have to have the debit card to at least make withdraws. Besides, sometimes it is more convenient.
  
  --
  "He who can destroy a thing, controls a thing." --Paul Atreides, Dune
77. Re:Yes and no by Eraesr · 2010-08-20 03:04 · Score: 1
  
  And then I wonder where the use is in such technological advancements. Yes, RFID does have it's practical uses, but it doesn't belong in a debit card. From a user's point of view, all it does is save me from taking it out of my wallet and swiping the card through a reader or inserting it in a chip reading slot. In all cases I still have to enter a PIN code or something like that I assume. So is the marginal increase in usability really worth the risk of someone hacking my RFID chip? Are we really becoming that lazy?
78. Re:Yes and no by justthinkit · 2010-08-20 07:24 · Score: 1
  
  (1) Make a +1 comment
  (2) Add four f-words
  (3) Get a +5 insightful mod
  
  --
  I come here for the love
79. Re:Yes and no by xiong.chiamiov · 2010-08-20 09:22 · Score: 1
  
  My statement is still valid. you hand someone your card to pay for gas, they can go in and duplicate it very easily with a magnetic stripe just by swiping it through a reader.
  You go inside to pay for gas? I just use the cardswipe/pinpad on the gas pump, which I thought was pretty standard practice these days.
  
  --
  have you read the Moderation Guidelines Addendum?
80. Re:Yes and no by mpeskett · 2010-08-20 11:10 · Score: 1
  
  And yet, annoying advertising still works. Call it a psychological flaw, but most people will prefer a brand name that seems sort of familiar, even if their association is "that annoying ad" over a brand name they've never heard of. They really have to be very conspicuously annoying with their advertising before there's going to be a negative effect, even if there are some of us making a point to remember who they are and pointedly avoid buying from them.
  Makes sense in a way; if a company's managed to advertise well enough that I recognise their name, they're probably big enough to not be complete crooks or outright screwing over their customers. Well... mostly.
81. Re:Yes and no by Jah-Wren+Ryel · 2010-08-20 11:12 · Score: 1
  
  The problem with targeted ads is that they can be creepy, inappropiate and unaware of context.
  Like constantly advertising diet books and weight-loss programs to anorexics, or even worse, to recovered anorexics.
  That's precisely the kind of thing targeted advertising does and its not just inappropriate, it can be harmful.
  
  --
  When information is power, privacy is freedom.
82. Re:Yes and no by niftymitch · 2010-08-20 13:59 · Score: 1
  
  Spot on... but like the business that sells on line preferences collected via cookies and beacons could quickly morph to the equivalent at the door of any merchant.
  The individual would be identified by the "set of RFID tags" some left in shoes, leather jackets and other trackables. A trackable need not be expensive like a leather jacket. It might be inexpensive because it is painful to inventory and count small things.
  This door service could be tied to inventory to track the egress of inventory as well as profile the individuals.
  Expect it to be a big business....
  
  --
  Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.
83. Re:Yes and no by pnewhook · 2010-08-20 14:37 · Score: 1
  
  You go inside to pay for gas? I just use the cardswipe/pinpad on the gas pump, which I thought was pretty standard practice these days.
  Actually I use an RFID FOB. If I come across a station that doesn't let me pay at the pump, I wont use it. But they still exist.
  
  --
  Tesla was a genius. Edison however was a overrated hack who liked to torture puppies.
84. Re:Yes and no by AmiMoJo · 2010-08-21 00:50 · Score: 1
  
  I expect that "targeted" ads for cars will keep hitting my monitor and mailbox for at least the next six months, and I expect many of them will be for classes of vehicles that weren't anything I would ever consider.
  That's kind of the point of most advertising though. Change your opinion of a brand by bombarding you with ads for it over a long period of time and try to make you want things you were not previously interested in.
  The iPhone is a good example. If you heard nothing about Apple products until the day you decided you wanted a new phone then their brand and overall marketing reality-distortion field would have little influence on you. A lot people didn't know they wanted one until they saw the ads either, often because their more basic phone did everything they needed.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
85. Re:Yes and no by autocracy · 2010-08-22 10:31 · Score: 1
  
  Well, the question was, "How scary is this?" Now if you asked me, "How secure is RFID?" I'd simply answer, "It isn't."
  
  --
  SIG: HUP
It's like a vaccination... by Anonymous Coward · 2010-08-19 06:58 · Score: 2, Insightful

Prevention is a better method of addressing an identified legitimate security concern than "waiting to see what happens."
I view it like vaccinations. I don't plan on getting measles this month, but I still had my MMR...
1. Re:It's like a vaccination... by Peach+Rings · 2010-08-19 07:27 · Score: 2, Interesting
  
  Yeah the other guy is basically saying: "There haven't been known cases of identity theft from RFID use, therefore the system is secure and we should expand it!" despite being shown conclusively that it is not secure and widespread use of RFID could be a disaster.
2. Re:It's like a vaccination... by ArcherB · 2010-08-19 07:48 · Score: 1
  
  Yeah the other guy is basically saying: "There haven't been known cases of identity theft from RFID use, therefore the system is secure and we should expand it!" despite being shown conclusively that it is not secure and widespread use of RFID could be a disaster.
  There HAVE been case of cash and credit cards being stolen and/or duplicated. Should we do away with all forms of cash and credit? After all, it seems that these are more insecure than RFID since they have already been breached. Hell for that matter, homes have been broken into and things stolen and people killed. Should houses be banned?
  Seriously, just because something has been or could be used for nefarious uses doesn't mean it should be avoided. Just be careful with it and keep it monitored (if possible).
  
  --
  There is no "I disagree" mod for a reason. Flamebait, Troll, and Overrated are not substitutes.
3. Re:It's like a vaccination... by HungryHobo · 2010-08-19 08:12 · Score: 1
  
  when a bad system is being rolled out and there are better alternatives there's nothing wrong with complaining.
  Credit cards are a great example of that, it should be almost trivial with modern crypto to make a payment system vastly harder to exploit that the current CC system.
  yet they don't because it would cost slightly more per card.
4. Re:It's like a vaccination... by nahdude812 · 2010-08-19 08:16 · Score: 1
  
  Of course the problem with RFID is that its information can be obtained without the owner of that information being reasonably able to detect it (http://tv.boingboing.net/2008/03/19/how-to-hack-an-rfide.html).
  I don't actually know of any reasons RFID is better for certain applications (eg, use in credit cards), so in the absence of some obvious benefit, it seems like a major reduction in security for no reason.
  
  --
  Slay a dragon... over lunch!
Not really. by willyd357 · 2010-08-19 06:58 · Score: 1

If you're really that worried about it, they do make wallets that block RFID signals. As to how effective they are I couldn't say, but there is much to be said for the placebo effect.
1. Re:Not really. by oodaloop · 2010-08-19 07:09 · Score: 2, Informative
  
  I've got one. I put my RFID badge in it, and it still scanned at the same distance I always hold it in the same time (1 to 2 seconds). I've half a mind to line it with aluminum foil.
  
  --
  Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
2. Re:Not really. by rubycodez · 2010-08-19 07:22 · Score: 1
  
  also try an anti-static bag and let us know how it goes. most geeks have loads of those we're saving
3. Re:Not really. by oodaloop · 2010-08-19 07:27 · Score: 1
  
  Nah, I'll just wear one of those wrist thingies.
  
  http://xkcd.com/649/
  
  --
  Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
4. Re:Not really. by mcgrew · 2010-08-19 08:25 · Score: 1
  
  You don't need to buy a new wallet, aluminum foil wrapped around the card will do the trick.
  
  --
  Free Martian Whores!
5. Re:Not really. by willyd357 · 2010-08-19 08:38 · Score: 1
  
  People have been telling me the same thing about my cranium for years. :^)
6. Re:Not really. by rubycodez · 2010-08-19 08:46 · Score: 1
  
  a wrist thingie can actually be a very effective contraceptive, if wrapped around the appropriate appendage and cinched tight enough.
7. Re:Not really. by dgatwood · 2010-08-19 12:23 · Score: 1
  
  Or if the girl sees you wearing it, even on your arm.
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
8. Re:Not really. by rubycodez · 2010-08-20 02:40 · Score: 1
  
  but wear a few and it's a bondage-chick magnet
Just like many other things of this nature... by Pojut · 2010-08-19 06:58 · Score: 2, Insightful

RFID really is something that needs to have an eye kept on, but sensationalist headlines make it seem worse than it is.
Of course, if you're really worried about it, there are options depending on what you need to protect.

--
Living With a Nerd
1. Re:Just like many other things of this nature... by WrongSizeGlass · 2010-08-19 07:02 · Score: 1
  
  but sensationalist headlines make it seem worse than it is.
  OGM!! Facebook now has RFID!!
2. Re:Just like many other things of this nature... by dwye · 2010-08-19 07:36 · Score: 2, Funny
  
  Both those RFID-blocking wallets are out of stock. Are you just a dupe of the Vast RFID Conspiracy, or was that deliberate disinformation? Wait, ThinkGeek is related to SlashDot, too, so Cmdr Taco must be in on it, too! And I ran out of aluminum foil in my kitchen, just last night. Oh, God! I must be in on it, too! We're all doomed!
  Ah, paranoia. The Delusion of the Gods!
3. Re:Just like many other things of this nature... by hAckz0r · 2010-08-19 07:44 · Score: 1
  
  I would not laugh too loud. Facebook is adding 'location information', so the next step would naturally be 'verifying' that location. That wont be hard once your drivers licence, credit cards, and other 'store convenience cards' all have RFID embedded for their own brand of convenience.
  I can see a hypothetical situation now:
  
  Officer: "No need to sign any traffic ticket Son, we know who you are, and you can find your ticket and licence info on the departments facebook page for the County's "Deadbeats, Speeders, and Delinquents" until the posted amount is paid in full."
  
  They might even just forget that traffic court could possibly find you 'not guilty', and hope that you just pay the fine to get off that facebook page. That would save them a heap of money if you just pay the fine and don't show up in court to fight the charges.
4. Re:Just like many other things of this nature... by pbrooks100 · 2010-08-20 06:55 · Score: 1
  
  Wow! Sold out already...
Re:first by NevarMore · 2010-08-19 06:59 · Score: 3, Funny

AC used RFID to steal my first post!
Hmm by MobileTatsu-NJG · 2010-08-19 07:00 · Score: 1

I dunno if RFID isn't something to be worried about, but there is definitely a misunderstanding around here about how trackable it is.
It wasn't all that long ago that there was a story on Slashdot about how school uniforms were going to have RFID tags embedded in them and there were +5 comments about how pedophiles were going to sit in their van with a little screen showing the position of where each child in the city is. There's some impression that RFID tags broadcast their GPS co-ordinates into space or something. False.

--

"I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
1. Re:Hmm by GiveBenADollar · 2010-08-19 07:10 · Score: 1
  
  Yes and no. If the technology was invasive enough it could potentially track your location by what reader you were near. My work is currently testing a scheme to monitor the movements of personnel based on their RFID badges. I don't count it as an invasion of privacy because I don't expect privacy at work, but If the government/businesses tried to do the same thing with my visa card it would be grounds for carrying cash. The potential for abuse is there. Also, the potential range is much greater than advertised.
2. Re:Hmm by GiveBenADollar · 2010-08-19 07:24 · Score: 1
  
  Pretty sure that's been debunked. It's due to the iron in the ink, not an RFID transmitter. If it were true then the treasury has some of the most advanced and cheapest RFIDs on the planet.
3. Re:Hmm by MobileTatsu-NJG · 2010-08-19 07:25 · Score: 1
  
  Yes and no. If the technology was invasive enough it could potentially track your location by what reader you were near.
  You say that as if that's a trivial thing to do. If we were talking about one entity rolling out RFID readers across the country and tying those to something you're likely to carry, sure, be afraid. Just remember to stop carrying a cell phone and credit cards, those are betraying you RIGHT NOW.
  
  --
  
  "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
4. Re:Hmm by ElectricTurtle · 2010-08-19 07:31 · Score: 2, Insightful
  
  That is an urban legend. There are metals in the paper that induct microwaves and heat (even burn/explode), but these are not RFID chips.
  
  Figures that somebody whining about capitalism and libertarians in their sig would spread such FUD.
  
  --
  I support the Slashcott and will not be reading or commenting from 2/10/14 to 2/17/14. Beta is steaming pile of dog shit
5. Re:Hmm by MobileTatsu-NJG · 2010-08-19 07:33 · Score: 1, Troll
  
  Dozens of RFID detectors that do broadcast GPS coordinates into space will be responsible for that part.
  You mean the RFID's with huge batteries that need constant charging and aren't called "RFID"s anymore?
  
  --
  
  "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
6. Re:Hmm by GiveBenADollar · 2010-08-19 07:39 · Score: 1
  
  Trivial, perhaps not, but how long until we have targeted advertisements based on personal information gleaned from your RFID credit cards? It's a lot easier than any other identification method, and it's just the thing marketers would use. The point isn't that they contain personal information, but that they broadcast it to the world. When I use my credit card it goes into a database, that's fine I control when I use it, with an RFID card I lose the control over who can read that information. That's the difference.
7. Re:Hmm by sjames · 2010-08-19 07:42 · Score: 1
  
  The standard reader certainly can't get coordinates, but there is absolutely no reason the RFID tags can't be used like a radar transponder. Use a directional antenna to send out the needed signal and use the response time to get distance. There's no need for it to send GPS coordinates.
  That may be going a bit far considering the range is currently only proven out to 100 feet or so (still a long way for a "proximity device") but it's not technically impossible.
8. Re:Hmm by MobileTatsu-NJG · 2010-08-19 07:43 · Score: 1
  
  The point isn't that they contain personal information, but that they broadcast it to the world.
  No, they broadcast it about 20 feet.
  
  When I use my credit card it goes into a database, that's fine I control when I use it, with an RFID card I lose the control over who can read that information. That's the difference.
  You don't take the card with you, then. Heck, wrap it in a small faraday cage. From a practical standpoint you haven't saved yourself much.
  
  --
  
  "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
9. Re:Hmm by MobileTatsu-NJG · 2010-08-19 07:51 · Score: 1
  
  That may be going a bit far considering the range is currently only proven out to 100 feet or so (still a long way for a "proximity device") but it's not technically impossible.
  From what you just said, it is technically impossible. Heh.
  
  --
  
  "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
10. Re:Hmm by MobileTatsu-NJG · 2010-08-19 08:13 · Score: 1
  
  You mean the RFID's with huge batteries that need constant charging and aren't called "RFID"s anymore?
  Whoever modded my post as troll should look up how RFID actually works then try to work out a practical way for the AC's suggestion to work.
  
  --
  
  "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
11. Re:Hmm by sjames · 2010-08-19 08:51 · Score: 1
  
  Only if you read what I said in a mirror while standing on your head. Otherwise what I said suggests an approach to be used and then uses what has already been proven as a worst case lower bound.
12. Re:Hmm by MobileTatsu-NJG · 2010-08-19 09:04 · Score: 1
  
  Only if you read what I said in a mirror while standing on your head.
  Do you live in a city that's 100 feet in diameter?
  
  --
  
  "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
13. Re:Hmm by sjames · 2010-08-19 09:23 · Score: 1
  
  Do you know what a WORST case LOWER bound is?
14. Re:Hmm by MobileTatsu-NJG · 2010-08-19 09:30 · Score: 1
  
  Do you know how RFID works?
  
  --
  
  "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
15. Re:Hmm by lwsimon · 2010-08-19 09:54 · Score: 1
  
  I always assumed that there was simply some iron in there, so that a large stack of bills would set of an interferometer.
  
  --
  Learn about Photography Basics.
16. Re:Hmm by BlueStrat · 2010-08-19 11:08 · Score: 1
  
  You mean the RFID's with huge batteries that need constant charging and aren't called "RFID"s anymore?
  Whoever modded my post as troll should look up how RFID actually works then try to work out a practical way for the AC's suggestion to work.
  No, sorry. You should have read the post you were replying to.
  OP: Dozens of RFID detectors that do broadcast GPS coordinates into space will be responsible for that part.
  Although I would have modded you "Offtopic" or "Overated", not "Troll" as you weren't trolling.
  Strat
  
  --
  Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
17. Re:Hmm by MobileTatsu-NJG · 2010-08-19 11:20 · Score: 1
  
  Fair enough, I concede.
  
  --
  
  "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
18. Re:Hmm by hedwards · 2010-08-19 12:36 · Score: 1
  
  Personally, I'm skeptical that the range is what is sometimes suggested, however even a range of a half foot is enough to cause serious trouble. I think the transit passes around here were designed to be readable from 3" away. The fact that you could potentially skim a card from somebody's pocket without having to take the wallet is something which is worth being deeply concerned about. Rather than needing to have the skill and personnel to pull of pickpocketing, you could just go skimming people. Most major cities have somewhere that you can go and be pressed right up against other people legitimately.
Just because you don't know... by woboyle · 2010-08-19 07:00 · Score: 3, Interesting

Just because you don't know for sure that something has happened, that doesn't mean it hasn't. The problem with RFID "scraping" is that you will never know that it has occurred. My instinct tells me that it has been going on for some time. As for RFID in identity cards, passports, etc. I think that their security is mostly, to put it in the words of Bruce Schneier, just theater.

--
Sometimes, real fast is almost as good as real-time.
1. Re:Just because you don't know... by jellomizer · 2010-08-19 07:51 · Score: 2, Insightful
  
  From my understanding RFID usually don't carry that much data except for a unique identifier. Ok so I se a Hex value. However you may not know what type of RFID it is is for. Eg. Is it for your credit card or is it just that book you got out of the campus book store. Perhaps it is for your medical history that you got implanted in you skin. Maybe it is your Dogs virtual ID Tag implanted.
  Say if I dropped a Passord of a vital system in the Middle of New York City and you pick it up. And that password is for only one system what is the chance you will find the system and get in.
  That said we should be sure that RFID for say on Credit Cards and on other major checking systems should have additional checks to it. However for say Inventory and automatic checkouts it should be ok.
  
  --
  If something is so important that you feel the need to post it on the internet... It probably isn't that important.
2. Re:Just because you don't know... by think_nix · 2010-08-19 07:55 · Score: 1
  
  Just because you don't know for sure that something has happened, that doesn't mean it hasn't. The problem with RFID "scraping" is that you will never know that it has occurred. My instinct tells me that it has been going on for some time. As for RFID in identity cards, passports, etc. I think that their security is mostly, to put it in the words of Bruce Schneier, just theater.
  Yes , and this has been demonstrated before.
  http://it.slashdot.org/article.pl?sid=09/02/04/1320223
3. Re:Just because you don't know... by woboyle · 2010-08-19 08:12 · Score: 1
  
  More complex RFID devices are already in broad use. The ones in passports include your picture as well as other data. I have one used for public transit in Chicago and that keeps more than just an ID. Yes, the simple ones used in most retail products such as DVDs and such are very simple. But others are not so constrained. And then there are the active RFID devices, such as the transponders used for toll roads across the US. They can be read from hundreds of feet away at very high speeds. In Illinois, you drive through the toll lanes at 70-80 mph and their frequency of failed reads is minuscule. Anyway, I also have passive RFID badges used by major corporations that keep a picture, employee/contractor ID, description, authorizations, etc. These are similar to the devices used in US passports, and I can tell you that they are NOT secure!
  
  --
  Sometimes, real fast is almost as good as real-time.
4. Re:Just because you don't know... by halcyon1234 · 2010-08-19 08:18 · Score: 1
  
  Has anyone tried to quantify this? If you put all your RFID into a contained that has a receiver, it can detect each time the RFID is interrogated. You might not know who is grabbing the data, but at least you'll know how many times a day you're "detected" just by walking around.
  
  --
  UTF-8: There and Back Again
5. Re:Just because you don't know... by nahdude812 · 2010-08-19 08:33 · Score: 1
  
  RFID on credit cards carry your name, address, and card number, among other details.
  RFID on passports contain this and a lot more information (including a JPEG photo of you).
  
  --
  Slay a dragon... over lunch!
6. Re:Just because you don't know... by appleguru · 2010-08-19 19:32 · Score: 1
  
  From my understanding RFID usually don't carry that much data except for a unique identifier. Ok so I se a Hex value. However you may not know what type of RFID it is is for. Eg. Is it for your credit card or is it just that book you got out of the campus book store. Perhaps it is for your medical history that you got implanted in you skin. Maybe it is your Dogs virtual ID Tag implanted.
  Say if I dropped a Passord of a vital system in the Middle of New York City and you pick it up. And that password is for only one system what is the chance you will find the system and get in.
  That said we should be sure that RFID for say on Credit Cards and on other major checking systems should have additional checks to it. However for say Inventory and automatic checkouts it should be ok.
  Even just a unique identifier is enough to cause a *huge* privacy concern. Not only that, but most tags do give you additional data, including their manufacturer, what kind of chip they are, and what commands if any they respond to (Some give all of this just in their ATR (Answer to Reset, which nearly all tags respond to). The biggest problem with the current implementations of RFID is that extracting data is a silent process. There's no beep, no light, no counter, nothing to indicate to the end user that their RFID tag(s) have just been read.
  While US passports are actually pretty secure and do not give out any unique information without the proper MRZ data from the inside page, US passport cards are not secure at all. They're just standard UHF EPC Gen 2 tags with unique identifiers. Similarly, paypass/wave/blink/whatever RFID credit cards aren't secure at all; anyone with the proper reader can dump your card holder name and card number (though Expiration date and CVV code are not present in the RFID data iirc).
  It would be trivial (and until laws are setup otherwise, legal in most places) to build a network of High gain RFID readers around a city. Not only would this let you "track" people around the city, but it would also let you build up a profile on people. You could, for example, keep a database with every tag read at a specific instance and correlate that to different data gathering points you have set up. You could then have a person object with various tag UUIDs associated with it (and if they have a credit card on them, even a name associated with it!).. Couple this with a camera that takes a picture of the people who's tags you're reading, and you have a picture too! Boom, picture, name, credit card number and unique profile of everyone that walks by your antennas, along with the time of day they walked by and their exact location. Try and tell me that's not valuable data?
  I highly doubt there *aren't* companies out there doing this.. In fact, so long as it stays legal, I'm going to start up a company that does exactly this! Think about the possibilities for targeted advertising! FWIW, because the "public" at large remains mostly ignorant to all this, and companies/governments get what they want out of it nothing is going to change... ...In the case of the passport card, its even more worrisome.. Say someone sets up a checkpoint outside a border crossing with a long range UHF antenna and a camera... Boom! They now have everything they need to make a legitimate fake passport card! (This scenario is outlined by Chris Paget in his talk at Shmoocon V (http://video.google.com/videoplay?docid=-282861825889939203 ), as well as by several researchers for RSA (http://www.rsa.com/rsalabs/node.asp?id=3557).
  
  --
  appleguru.org
Yes and no... by BobMcD · 2010-08-19 07:02 · Score: 4, Interesting

Is RFID, as described in the article really all that scary? No, not really. E.g.

30 to 40 million people carry RFID tags on their windshields to allow them to cross bridges, and more carry them in their wallets, and there is not a single example of anyone who had their privacy infringed because of the tags.
So the fear that the government would use RFID to gain data that they already have is likely debunked. Also the tracking is largely moot. They can do that in all sorts of other ways...
This is the part that scares me:

Taken as a whole, Roberti asserts, the benefits of RFID tags -- to track merchandise and packages, and keep track of drugs and food -- far outweigh any downside.
Where I bought my specific pair of shoes for today likely is not in a database anywhere. With RFID it wouldn't need to be. You just scan the tag and ask the shoes. This potential privacy issue also lacks an implementation, but still represents more information than anyone specifically needs to have. I fear the unintended (or secretly-intended) consequences of all this consumerist stuff in our lives suddenly having a history.
1. Re:Yes and no... by Lord+Ender · 2010-08-19 07:20 · Score: 1
  
  The tags are in the tags, not the shoes. Do you leave your tags on your shoes? And how often do you walk across networked RFID transceivers, anyway?
  
  --
  A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
2. Re:Yes and no... by Anonymous Coward · 2010-08-19 07:25 · Score: 1, Interesting
  
  Is RFID, as described in the article really all that scary? No, not really. E.g.
  
  30 to 40 million people carry RFID tags on their windshields to allow them to cross bridges, and more carry them in their wallets, and there is not a single example of anyone who had their privacy infringed because of the tags.
  So the fear that the government would use RFID to gain data that they already have is likely debunked. Also the tracking is largely moot. They can do that in all sorts of other ways...
  This is the part that scares me:
  I read an article awhile back about the ability to steal the information coming from the RFID Tags on cars.Then modify a RFID tag to store that data. So when the person went through the bridge or w/e the other person was charged instead.
  -Clinton Hood
3. Re:Yes and no... by BobMcD · 2010-08-19 07:33 · Score: 1
  
  The tags are in the tags, not the shoes.
  Maybe at present, but not always. They put them in tires, do they not? And tires have stickers, not tags. Further this could change at any time with the simple excuse of 'sometimes tags fall off', so I'm not seeing that as a meaningful rebuttal.
  
  And how often do you walk across networked RFID transceivers, anyway?
  Not very often. Not yet, anyway.
4. Re:Yes and no... by nabsltd · 2010-08-19 08:14 · Score: 1
  
  They put them in tires, do they not?
  Only sort of, in the sense that the tire-pressure monitoring system is "inside" the tire after the tire is mounted to the wheel.
  Generally, TPMS systems are part of the wheel, not the tire, at least for the tubeless tires that are used on the vast majority of smaller vehicles.
5. Re:Yes and no... by trb · 2010-08-19 08:34 · Score: 1
  
  I read an article awhile back about the ability to steal the information coming from the RFID Tags on cars.Then modify a RFID tag to store that data. So when the person went through the bridge or w/e the other person was charged instead.
  Then the theft victim reports the spurious use of the Electrion Toll Collection (ETC) RFID tag to the bridge keepers who add the RFID to their "stolen" list. Then the bridge keepers review the photo of the thief, his car, and its license plate (which the bridge keepers do keep, to detect ETC scofflaws), and catch the thief red-handed. That's why you never hear about people stealing ETC tags from car windshields. Using a stolen ETC tag would be like carrying a big sign that says "I'm a thief, come arrest me. You can detect me from hundreds of feet away."
  I guess this is a reason why RFID tags are scary, at least if you're a thief.
6. Re:Yes and no... by nahdude812 · 2010-08-19 08:37 · Score: 1
  
  I found an RFID under the collar of a shirt I had worn and even washed a few times. If being used as a theft deterrent system, it would behoove manufacturers to hide them on the clothing our outright put them in a part of the item which you can't find it at all without destroying it (such as inside the soles of shoes).
  
  --
  Slay a dragon... over lunch!
7. Re:Yes and no... by Rutefoot · 2010-08-19 08:42 · Score: 1
  
  This potential privacy issue also lacks an implementation, but still represents more information than anyone specifically needs to have.
  
  If those shoes were found to contain pieces of jagged metal as a result of a manufacturing issue, then a quick RFID scan could give a company the details it needs to issue a recall with as narrow a scope as possible. Perhaps less an issue with shoes, but for things like food, this information would invaluable. If they narrowed down an issue to one particular manufacturing line using RFID they could limit their recall to hundreds of items instead of tens of thousands. As it stands food companies try to cram as much information into some cryptic codes on their packaging, but RFID would allow even more information to be stored on the product in a way that would be much easier to decipher (with the aid of a reader that is).
8. Re:Yes and no... by Qzukk · 2010-08-19 08:43 · Score: 3, Interesting
  
  there is not a single example of anyone who had their privacy infringed because of the tags.
  Other than the cases of people's tags' movements being used against them in divorce proceedings and stuff? http://www.msnbc.msn.com/id/20216302
  Oh wait, as long as the privacy goalposts can be moved at a whim, there is not a single example of anyone who had their privacy infringed because of the tags.
  
  --
  If I have been able to see further than others, it is because I bought a pair of binoculars.
9. Re:Yes and no... by BobMcD · 2010-08-19 08:59 · Score: 1
  
  If those shoes were found to contain pieces of jagged metal as a result of a manufacturing issue, then a quick RFID scan could give a company the details it needs to issue a recall with as narrow a scope as possible.
  Okay, stop right there. I don't need protection from my own shoes, beyond the legal remedies that already exist. This kind of thinking makes this issue MORE scary, not less.
10. Re:Yes and no... by tophermeyer · 2010-08-19 09:00 · Score: 1
  
  I found an RFID under the collar of a shirt I had worn and even washed a few times. If being used as a theft deterrent system, it would behoove manufacturers to hide them on the clothing our outright put them in a part of the item which you can't find it at all without destroying it (such as inside the soles of shoes).
  Retailers would benefit too. It's fairly easy to steal items of clothing from a big box retailer and attempt to "return" it back to another store for cash or store credit. Having those clothes tagged with a hidden RFID tag would help defeat that.
11. Re:Yes and no... by drinkypoo · 2010-08-19 10:09 · Score: 1
  
  The tags are in the shoes themselves, they are used for inventory purposes. They are allegedly in the uppers but checkpoint systems designed tags specifically to be installed in soles.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
12. Re:Yes and no... by hedwards · 2010-08-19 12:39 · Score: 1
  
  The problem with RFID is sort of like the problem with Facebook, it's new and there hasn't yet been an adjustment made to figure out how to properly handle it. But a big problem is that it's getting to the point where the consumer isn't being given the chance to opt out. I don't personally mind having it on my transit pass because I keep that in a solid metal wallet anyways and it's designed to be read from about 3" away. But, there aren't yet rules in place to give me confidence that there's not something lurking around the corner that's unexpected and problematic.
13. Re:Yes and no... by Rutefoot · 2010-08-20 01:20 · Score: 1
  
  I was just trying to stick with the shoes mentioned in the original post. Poor example, I agree.
  
  And it really has little to do with protection of the customer and more to do with limiting losses and easier quality control.
Not yet attacked != not attackable by betterunixthanunix · 2010-08-19 07:03 · Score: 1

Just because criminals have not yet taken to attacking RFID does not mean that it is beyond the realm of possibility that they will do so. I propose another question, though: what problem does RFID actually solve? In particular, why put it in credit cards and other cards that really do not benefit from RFID? Are those problems really worth the risks, particularly since RFID cards are hard to make secure (because of power constraints)?

--
Palm trees and 8
1. Re:Not yet attacked != not attackable by jd · 2010-08-19 07:19 · Score: 3, Insightful
  
  Ummm, we can't be sure if nobody has attacked RFID. I seem to remember an international incident, not too long ago, where 50+ passports were successfully cloned - including those from countries implementing RFID on passports. At this time, there is zero information on whether the cloning was someone compromising the primary databases of the respective countries or whether it was done more directly by lifting information from passports in the open. It is extremely doubtful that we will ever be given that information, as no government is going to want to admit that people can access secure databases OR admit that the security on their passports is useless. (It has to be one of the two.)
  Since we cannot know where the vulnerability was, it is prudent to assume that ANY part of the chain could be broken. Only a complete fool would do otherwise. This means that whilst we cannot be certain RFID has been compromised, we MUST believe that it might have been. To assume, blithely, that of course it couldn't be RFID is stupid. Why? Because that results you in only looking at facts that meet your theory. A very bad practice, and one that no reputable journal would be caught dead doing. Of course, a trade magazine isn't really a reputable journal. No trade magazine is ever going to question the assumptions of those who both pay for the advertising and then pay for the journal afterwards.
  (Those familiar with certain works of Jeremy Brett may be familiar with the cry of "Data! I cannot work without data!")
  
  --
  It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
2. Re:Not yet attacked != not attackable by TheVelvetFlamebait · 2010-08-19 10:26 · Score: 1
  
  Not yet attacked != not attackable
  But:
  Not yet attacked == not attackable - been in the wild for so long
  Well, not necessarily, of course, but after so long, we'd have to start concluding that our initial fears are no longer valid.
  
  --
  You know, there is a difference between trolling and pointing out the flaws in your reasoning. Just saying.
3. Re:Not yet attacked != not attackable by jd · 2010-08-20 08:00 · Score: 1
  
  Nah. That won't happen until the 25th century, when all the decent Sherlock Holmes stories have been wiped. (Why do you think Data always uses the over-the-top theatrical garb of earlier TV adaptations?)
  
  --
  It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Unpossible! by Khue · 2010-08-19 07:03 · Score: 1

You mean security is weak on Barcode 2.0? Oh t3h n0ez!
Drive By Charging by fadethepolice · 2010-08-19 07:07 · Score: 1, Interesting

What is to stop an eastern european gang to outfit mules in western nations with mobile "pay wave" clone devices that siphon small transactions off of peoples credit cards as they walk through large crowds in train stations, concerts, and sporting events and channel that payment towards bank accounts in a similar way that they clone debit cards and siphon money from atm's now?
1. Re:Drive By Charging by jklovanc · 2010-08-19 07:34 · Score: 1
  
  Completely different scenario. In the current situation the cloned card submits information to a valid terminal. That valid terminal then talks to a server to complete the transaction. In the second RFID instance a valid card submits information to an invalid terminal. This terminal then has to talk to a server to complete the transaction. The crux is that the invalid terminal must be validated by the server before it will be able to submit information. Even if they could get a merchant id and password it would be closed down pretty fast.
2. Re:Drive By Charging by nahdude812 · 2010-08-19 08:42 · Score: 1
  
  The information on the card contains the plain text card number (the same one which can be used to perform online purchases): http://tv.boingboing.net/2008/03/19/how-to-hack-an-rfide.html
  You're right, if a merchant account gets lots and lots of fraudulent charges against it, it's going to get shut down pretty quick. But they can steal that information and submit it to valid terminals for nefarious purposes.
  
  --
  Slay a dragon... over lunch!
Re:Great Idea by aurispector · 2010-08-19 07:07 · Score: 4, Insightful

RFID isn't a security concern NOW. If they start putting them on, say, driver's licenses it's another story. Why would anyone think RFID is a good idea when every other system that can be abused IS abused? The new barcode like scanning squares (WTF are they called?) can hold plenty of information and can only be read when the cardholder deliberately presents the card for scanning.
What is the advantage of RFID?

--
I have mod points. The reign of terror begins now.
The signals are too weak... by gandhi_2 · 2010-08-19 07:07 · Score: 2, Insightful

The signals are too weak and the data is too obscure
Both of which are solvable with ingenuity, time, work, and people. Some things both-colored hats have in ample supply.

--
THL phish sticks
1. Re:The signals are too weak... by twidarkling · 2010-08-19 07:52 · Score: 1
  
  Depends on how you're looking at it. Since we're talking about a physical object, a ..."hat"... as it were... it would need to be dyed. That would require black dye, which is a colour, then, it being the means to colour an object. White would require bleach, or a similar substance to strip colour from the hat, so that it reflects ALL colours. Since you can't negate a property by having more of it, white is simply all colours. If it's all colours, it's still a colour.
  I believe you've just been out-pedanted.
  
  --
  Canada: The US's more awesome sibling.
2. Re:The signals are too weak... by Unkyjar · 2010-08-19 08:40 · Score: 1
  
  Unless the hat is from prior to the 1930's when the world was black and white.
  http://www.reoiv.com/images/random/dadbandwandcolour.jpg
wow by Anonymous Coward · 2010-08-19 07:08 · Score: 1, Interesting

I really like this post
Not a defense. by Dayta · 2010-08-19 07:08 · Score: 1

The argument by Roberti is not one of defense, meaning that Chris or others are wrong, it is one of problem-stating. Yes, these issues exist, but you simply target your attack/interest to deal with them.
The data on my mandated RFID passport isn't obscure and if you want it, you need only wait at the airport for me. Personally, I have an RFID-shielding wallet, but many don't.
Even for obscure information, there can be places where many people with such RFIDs come together - whether at the subway, shopping centre, airport, school, workplace etc.
Once you know where people will be, short range is a lot less of a problem.
Other applications by CDOS_CDOS+run · 2010-08-19 07:08 · Score: 1

The must be some sort of way to use RFID technology to enhance the pr0ns, in that case it's all good otherwise it's downright evil.
That's not the point... it's that it can be easily by CodePwned · 2010-08-19 07:08 · Score: 2, Insightful

The point that's being made about RFID is that the encryption method is not good enough for most uses when it comes to private information. If it becomes mainstream someone could EASILY begin to collect this information using a remote reader and collect it later without every touching the device again.
Imagine someone takes a small box about the size of sandwich. It could hold enough battery power to collect every single RFID scan for quite some time and then come by perhaps the next day with a laptop and receive it remotely as to never touch the device again in case it was found and being watched.
RFID tags are GREAT to identify you by an ID #... not hold SS # or other private information. Keep that stuff in a more secure manner. I'm no alarmist, and not even a hacker. But this is something someone with almost no tech experience could do... and make bank.
Here's a better Defcon RFID story... by bradorsomething · 2010-08-19 07:10 · Score: 5, Interesting

A few years ago a gentleman calling himself Major Malfunction decided to do a proof of concept at Defcon on the dangers of RFID. He set up a table with a box doing RFID queries. When the box got a return and found usable data, it snapped a picture.

Many Federal agents walked by the table. They were not pleased when they found out the nature of the experiment. The data was destroyed, but the point was made. RFID protective wallets sold *real* well that year...
1. Re:Here's a better Defcon RFID story... by CFBMoo1 · 2010-08-19 07:35 · Score: 1
  
  Almost sounds like last year at DefCon according to this article. Or someone didn't get the memo from the earlier incident your talking of.
  
  https://www.infosecisland.com/articleview/616-Feds-at-DefCon-Alarmed-After-RFIDs-Scanned.html
  
  --
  ~~ Behold the flying cow with a rail gun! ~~
2. Re:Here's a better Defcon RFID story... by ElectricTurtle · 2010-08-19 07:37 · Score: 1
  
  But... but... Mark Roberti says it hasn't ever been successfully misused! How is this possible?!?! Could it be that he doesn't know shit and is just shilling for an industry he effectively represents and serves?
  
  --
  I support the Slashcott and will not be reading or commenting from 2/10/14 to 2/17/14. Beta is steaming pile of dog shit
3. Re:Here's a better Defcon RFID story... by ElectricTurtle · 2010-08-19 07:40 · Score: 1
  
  That guy should honestly receive an honorary "I spotted the fed!" t-shirt at every DefCon for the rest of his life.
  
  --
  I support the Slashcott and will not be reading or commenting from 2/10/14 to 2/17/14. Beta is steaming pile of dog shit
4. Re:Here's a better Defcon RFID story... by Anonymous Coward · 2010-08-19 08:00 · Score: 1, Informative
  
  The Wall of Sheep (wallofsheep.com) at defcon did it (minus the camera) a the year after that and even had a warning near it... but then a subpoena got the hard-drives removed from the machine and wiped.... They (WoS) got free RFID wallets/card holders for their troubles though from a vendor who sold them like hotcakes (again)....
5. Re:Here's a better Defcon RFID story... by Ancient123 · 2010-08-19 08:06 · Score: 1
  
  Similar incident happened the year before that. Only staff wasn't told and it was done in the vendor area. (Which is generally a bad idea) Last year was at the wall of sheep tables and I believe there was a notice by it informing people who walked by but it still got shut down and data was destroyed.
6. Re:Here's a better Defcon RFID story... by Jack9 · 2010-08-19 08:13 · Score: 1
  
  > A few years ago a gentleman calling himself Major Malfunction decided to do a proof of concept at Defcon on the dangers of RFID. He set up a table with a box doing RFID queries. When the box got a return and found usable data, it snapped a picture
  I'm not sure why this story is interesting. What's the difference in this scenario vs if he snapped a picture of everyone walking by? everyone with a phone? wearing red? I don't get it.
  
  --
  
  Often wrong but never in doubt.
  I am Jack9.
  Everyone knows me.
7. Re:Here's a better Defcon RFID story... by KeithJM · 2010-08-19 08:17 · Score: 1
  
  Well, that sounds kind of scary when you imply he build a "Federal agent detector." But in fact, he likely got pictures of anyone who walked by his desk with a federal ID, a passport, a gas station card, a metro (subway) card, a company ID used to unlock doors, a very recent car key, or carrying a bag from Walmart. That isn't actually useful information. All you can tell is that they are carrying an RFID. If you were looking for Federal agents at Defcon, you'd have a much better hit rate if you just took pictures of guys in suits.
8. Re:Here's a better Defcon RFID story... by Blakey+Rat · 2010-08-19 08:19 · Score: 1, Troll
  
  When the box got a return and found usable data, it snapped a picture.
  Uh... so what?
  Maybe the hotel they were staying at used RFID keys. Nothing here implies "if a RFID card has usable data, IT'S A SUPER-TOP-FEDERAL-CIA-SECRET-OMG!!!" He was just snapping photos of people with bus passes and hotel keys... retarded.
  
  --
  Comment of the year
9. Re:Here's a better Defcon RFID story... by Qzukk · 2010-08-19 08:57 · Score: 1
  
  Gee whiz, wonder what that usable data might be usable for? Perhaps telling the different kinds of RFID apart? Maybe?
  
  --
  If I have been able to see further than others, it is because I bought a pair of binoculars.
10. Re:Here's a better Defcon RFID story... by myowntrueself · 2010-08-19 09:07 · Score: 4, Insightful
  
  Ok how about this.
  US passports contain RFID tags.
  1. Is it possible to detect, from the RFID tag, at a distance, the presence of a US passport and to distinguish a US passport from other passports fitted with RFID tags?
  2. Is it possible to determine roughly how many US passports are within range?
  3. Is it possible to engineer such an RFID tag detector into the detonator of an explosive device while keeping said explosive device small enough and low powered enough to be easily concealable? (ie doesn't need mains electricity nor obvious antenna).
  I am just asking the question, I have no wish to see US passport holders blown to bits; but there *are* people who *would*.
  
  --
  In the free world the media isn't government run; the government is media run.
11. Re:Here's a better Defcon RFID story... by blueZ3 · 2010-08-19 09:08 · Score: 1
  
  It seems to me though that people are trying to have it both ways, but that's not an option. Either RFID could never be used for tracking people and this is all just FUD, or there are ways it could be done and we should be thinking about mitigation before everything from your underwear to your laptop contain them.
  The interesting thing about this is that it means that those IDs were now tied to a photo. Which means that the IDs are no longer anonymous (one of the original arguments against RFID scraping being useful). In other words, I now know that tag 123456789 belongs to a person who matches this particular picture. Throw in facial recognition technology and off you go to Big Brother.
  I agree that _at this moment_ there's little danger from RFID. But as it becomes ubiquitous and reader technology becomes cheaper and more accurate that may change. Doesn't it make sense to think about that now, instead of following the traditional strategy of trying to close the bard door _after_ the horse is loose?
  
  --
  Interested in a Flash-based MAME front end? Visit mame.danzbb.com
12. Re:Here's a better Defcon RFID story... by Blakey+Rat · 2010-08-19 09:09 · Score: 1
  
  Well, if the story were told as: "People passing by the table whose RFID identified them as scary federal agents were photographed..." then I'd be a little more impressed.
  As-is, he's pretty much just photographing everybody.
  
  --
  Comment of the year
13. Re:Here's a better Defcon RFID story... by Ponga · 2010-08-19 10:07 · Score: 1
  
  Yup. All Govies carry around a CAC, or Common Access Card, which among others things has an RF interface. The difference between this and US passports, for example, is that the passorts come with a handy booklet shield, that when closed, blocks RF. The CAC card has no such thing, unless suplemented with aftermarket holders, etc. Though, I don't believe much information can be gained as the CAC is a smart card - though I would imagine that you would at least have the knowledge of what it was you detected, but probably nothing further. --ponga
14. Re:Here's a better Defcon RFID story... by anonymous+cupboard · 2010-08-19 20:45 · Score: 1
  
  The answer in short is - yes. A lot of the data on a passport is not encrypted at all because any country with a reader should be able to use it and the formats are well documented. At places like Defcon, most people do not have their passports with them so a demo is hard (except for the Feds) but it would be trivial in Asia or the Middle East where foreigners are obliged to carry them. Note that if you are trying to hack multiple RFIDs at a range, you probably will need a bit more power. RFIDs are powered by the interrogation signal.
15. Re:Here's a better Defcon RFID story... by thejynxed · 2010-08-23 02:00 · Score: 1
  
  Every laptop built from 2002 on, already has them. Business class and high-end gaming desktops have them. Cell phones, many PMPs, etc, are essentially giant RFID tags to start with.
  As for the rest, it's coming if we like it or not. Mitigation for me involves a pair of pliers or a hammer applied directly to the offending part. The TPMS in tires is rather innocuous at least - besides facilitating tire-pressure monitoring, it stores information like manufacturing date, batch code, plant number, etc. in case of tire failure/recall. Implemented after the Firestone/Bridgestone fiasco a few years back by more than a few manufacturers of tires.
  As for the kooks who say we get injected with them via our shots, I say bollocks - the exit hole of the needle is smaller than a grain of sand, and nano isn't far enough along yet to produce viable RFID that small. Give it another 20 years maybe. Witness the volunteers (and millions of pets) who get/got chipped. It's more than just a needle-shot.
  
  --
  @Mindless Drivel: 100% of Twitter posts ever Tweeted.
Potential by ddillman · 2010-08-19 07:12 · Score: 3, Insightful

Just because it hasn't already been used for nefarious purposes (and we don't know that for certain, do we? We just haven't seen public reports of it...) doesn't mean it can't and won't be done in the future. That guy's argument is as bogus as the "If you've done nothing wrong, you have nothing to hide" crap spouted by those who want to spy on everyone.

--
Little girls, like butterflies, need no excuse. -- L. Long
1. Re:Potential by jayme0227 · 2010-08-19 08:14 · Score: 1
  
  But just because it has a worst case scenario, should we abandon it altogether? There are many tools in the world that can have catastrophic consequences in the wrong hands, do we outlaw most of them outright? No.
  I think the most important issue is information. As long as the information about how these devices may be abused is readily available, I don't see an issue. The knowledgeable will take the proper precautions and the ignorant won't. It's the same as anything else. Some people still walk down dark allies at night and others drive drunk. That doesn't mean that we need to implement a curfew and ban alcohol.
  
  --
  But then I realized the cable was blue, so I only gave it one star. I hate blue.
2. Re:Potential by ddillman · 2010-08-23 13:54 · Score: 1
  
  There are many tools in the world that can have catastrophic consequences in the wrong hands, do we outlaw most of them outright? No.
  Tools with those sorts of consequences also carry much more stringent checks and balances. The way everyone keeps trying to deploy RFID solutions has virtually no security and lacks any transparency that could be used to check and balance potential abuses of power/control.
  
  --
  Little girls, like butterflies, need no excuse. -- L. Long
Re:What about short distance? by oodaloop · 2010-08-19 07:12 · Score: 1

I think the bigger risk is cloning the signal and making false IDs. Many places simply require you swipe your badge to enter. If you could clone the signal from someone's badge, how hard would it be to make a fake one to gain entrance to where they work? Same goes for your passport, keyfob for buying gas, etc.

--
Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
Re:Great Idea by siriuskase · 2010-08-19 07:12 · Score: 1

Are you talking about the 2D barcode on drivers licenses? The one they scan when you go into vote?

--
If you must moderate, please moderate as irrelevent, not something bad, because I'm sure someone will find this interest
My Challenge for Mark by RingDev · 2010-08-19 07:12 · Score: 3, Insightful

Mark challenges Paget to point to a single instance where RFID was successfully used for nefarious purposes
I challenge Mark to point to a single instance where Intercontinental Ballistic Missiles with Nuclear Warheads were successfully used for nefarious purposes.
Nothing?
Well then, I guess we can just stop all this silly nonsense about non-proliferation, missile defense shields, and international nuclear arms reduction treaties.
-Rick

--
"Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
1. Re:My Challenge for Mark by BobMcD · 2010-08-19 07:43 · Score: 1
  
  Mark seems to live in a world where,
  "Guns don't kill people - no one does".
2. Re:My Challenge for Mark by damien_kane · 2010-08-19 08:05 · Score: 1, Insightful
  
  Mark challenges Paget to point to a single instance where RFID was successfully used for nefarious purposes
  I challenge Mark to point to a single instance where Intercontinental Ballistic Missiles with Nuclear Warheads were successfully used for nefarious purposes.
  August 1957 - present.
  Nuclear-tipped ICBMs used as a deterrent to keep enemy states at bay. This is them being used.
  
  Have the commies taken over the world yet? No? This is them being successfully used.
3. Re:My Challenge for Mark by dmneoblade · 2010-08-19 08:45 · Score: 1
  
  Tiger Team, Episode 2. Penetration testers use an RFID skimmer to clone the passcard of the owner of a jewelery company, then use the skimmed data to spoof the card reader to get into his office. From there, they crack the safe, and take a picture of themselves wearing all the jewelery that was in said safe.
  Tiger Team was very interesting to watch, I'm sad it got canceled.
  
  --
  Warning, knife is sharp. Please keep out of children.
4. Re:My Challenge for Mark by Quiet_Desperation · 2010-08-19 09:31 · Score: 1
  
  Yeah. RFID. ICBM. Perfectly logical analogy.
  (facepalm)
5. Re:My Challenge for Mark by SleazyRidr · 2010-08-19 10:14 · Score: 1
  
  Well, they're both 4 letters.
  
  --
  Is 1563649 a prime number?
6. Re:My Challenge for Mark by TheVelvetFlamebait · 2010-08-19 10:32 · Score: 1
  
  And I suppose that the only reason why potential identity thieves don't use RFID is because then others will steal their identity with their RFID chips!
  I'm sorry, but did you just completely ignore the reason why ICBMs have never successfully used for nefarious purposes? You put it front and centre in your analogy, so it's kinda hard not to see the gaping hole.
  
  --
  You know, there is a difference between trolling and pointing out the flaws in your reasoning. Just saying.
7. Re:My Challenge for Mark by Z8 · 2010-08-19 13:56 · Score: 1
  
  I challenge Mark to point to a single instance where Intercontinental Ballistic Missiles with Nuclear Warheads were successfully used for nefarious purposes.
  Some people have the inkling that there is something wrong with your analogy, but no one has analyzed it in monotonous detail yet, so I'll give it a shot.
  When quantifying the danger in something, it's important to consider both the probability of harm and the magnitude of that harm. Something may be a significant risk because it causes minor harm frequently (e.g. a neighbor playing their music too loud) or because it could cause severe harm (e.g. nuclear missile).
  In the case we are talking about, someone stealing someone's RFID card is an instance of a relatively minor harm. Thus if it happens relatively infrequently, it's relatively safe. The "fact" that it hasn't happened so far is evidence that it happens relatively infrequently.
  On the other hand, a nuclear missile can cause extreme harm. Thus, they are dangerous even if they cause harm only infrequently. The fact that millions of people haven't died due to an ICBM may be evidence that the missiles don't kill people frequently. However, this fact is very poor evidence against the idea that ICBMs don't pose significant danger.
8. Re:My Challenge for Mark by Quiet_Desperation · 2010-08-19 19:53 · Score: 1
  
  Touche.
I defer to a higher power here... by Dripdry · 2010-08-19 07:12 · Score: 1

Rob:[To Barry]Just come on. What would it mean to you, that sentence: I haven't seen Evil Dead II yet?

--
-
he's right by sjames · 2010-08-19 07:13 · Score: 1

Last week, I removed the blade guard from my saw, taped down the safety lever on my lawnmower and cut the ground pin from all of my power tools and I'm just KZERRRRT!
If only the chips worked! by cruachan · 2010-08-19 07:14 · Score: 3, Informative

I am extremely skeptical of the current generation of RFID tags when used in practice out there in the wild.
About three years back I set up software to support a recycling scheme, whereby every household in a community (ca 10,000) were given a couple of plastic boxes in which to place recycled goods. The boxes where chipped *and* barcoded, and there were scales on the collection lorry to weigh the box and automatically scan the rfid chip at the same time, thus collecting usage data.
Three years on it turns out that the one thing we were not expecting - the rfid chips not to be reliable - has proven a major issue. The failure rate is not high, but we consistently have a score or more boxes needing replacing every month, which is a far higher rate than we were lead to expect. We did think it might be the manufacturer, but we've talked to several people doing similar things now and everyone has similar stories - the chips do fail.
Perversely - the barcodes, which we sealed in transparent plastic but didn't expect to last (hence going with rfid tags as major impact) have given us less than a dozen damaged to the point we can't scan them in the whole three years.
1. Re:If only the chips worked! by Lord+Ender · 2010-08-19 07:22 · Score: 1
  
  Wait: you RFID scan peoples' garbage when you collect it? Do you take photos, too? That would be some really interesting data.
  
  --
  A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
2. Re:If only the chips worked! by cruachan · 2010-08-19 07:33 · Score: 1
  
  The boxes are for particular recyclables - plastic bottles, tin cans, newspaper etc. We record weight against household so we can track who recycles and who doesn't (we give out prizes for participation), and look at it on an are level to see what differences there are and so how we could improve performance.
  Not as fun as snapping garbage :-)
3. Re:If only the chips worked! by niftymitch · 2010-08-21 08:06 · Score: 1
  
  I see chips plural.....
  What is the fail rate if you were to apply multiple RFID tags to your boxes.. What if you were also getting hits and interference from content in the boxes.
  What if the interference or failure problem was fixed.
  What if hits from the content was matched to a list of lost inventory from some (all) big box store in the region. What if the list of stolen/lost inventory was not local but national.
  What if your failure to log and report that hit/ match made you an accomplice and trafficker in stolen goods.
  How many TB of data will you be required to keep and for how long.... at what cost.
  
  --
  Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.
Re:Great Idea by Anarki2004 · 2010-08-19 07:17 · Score: 1

Those scanning squares are called "2d bar codes". I think one of the advantages of RFID (at least for financial transactions) is supposed to be ease of use. But as you stated, the bar code is just as easy and far more secure.

--
The teachers will crack any minute, purple monkey dishwasher.
Re:Great Idea by Anarki2004 · 2010-08-19 07:18 · Score: 1

Bah...I forgot to mention in that post that they are also called "matrix codes".

--
The teachers will crack any minute, purple monkey dishwasher.
Re:Great Idea by FooAtWFU · 2010-08-19 07:24 · Score: 1

I dunno. It won't be a big deal in your wallet, but if you're taking it out for a moment anyone could take a picture of it; at least the RFID requires some fancy equipment to exploit.
What would really be secure is some sort of smart electronic device for payments that does, like, real cryptography over RFID. Part of your next-gen Japan-style mobile phone, perhaps. Which is already as trackable as its GSM and 802.11 radios.

--
The World Wide Web is dying. Soon, we shall have only the Internet.
so let me get this straight by waddgodd · 2010-08-19 07:26 · Score: 2, Interesting

Roberti's big thing is that nobody's yet used RFID data in a crime. So the upshot is that as long as people just break it for research, it's still secure. And people wonder why the blackhats make out like bandits on the first breaches of any given protocol, because nobody protected against them when it was merely a subject of research. Good luck with that, tell me how that works out for you.

--
Just because you're paranoid doesn't mean they aren't out to get you
Why is there no link to the article? by jimwelch · 2010-08-19 07:29 · Score: 1

Fixed it: http://www.tombom.co.uk/blog Chris Paget's Blog

--
Never trust a man wearing a coat and tie!
Used improperly? by MrMe · 2010-08-19 07:29 · Score: 1

Is RFID being used when it shouldn't? Is it really that much more difficult to swipe your card than wave it? My US passport really should not be broadcasting anything, it should be swiped since there is no need to read my information from afar. If we limit the use of RFID to tolls and package tracking etc where it makes sense to read information without any human interaction, many of the privacy issues can be prevented.
Compare with a mobile phone by gurps_npc · 2010-08-19 07:31 · Score: 2, Insightful

With a mobile phone you can get far higher grade information. It actively pings the cell tower, so it's detectable range is much greater. It gives identifiable information, that can in obviosuly be used to call that person. People are themselves not likley to 'forget' it.
Conclusion: RFID tagging is less scary than existing privacy intrustions we gladly accept.

--
excitingthingstodo.blogspot.com
1. Re:Compare with a mobile phone by Hatta · 2010-08-19 07:42 · Score: 1
  
  You assume that we accept cell phones. You also forget that cell phones can be turned off.
  
  --
  Give me Classic Slashdot or give me death!
2. Re:Compare with a mobile phone by iceeey · 2010-08-19 08:01 · Score: 1
  
  People don't realize this, but it's technically possible for cell phones to be used as bugging devices for the Government/Cell carriers/whoever else has access. All they have to do is make the phone send microphone data to them even when you're not making a call. They already have walky-talky functionality, it's not like they couldn't switch on the mic when they want to monitor certain people's conversations and they have their cell phone with them. And considering how locked down phones are these days, how would you know? and if you did, they'd say something like "it's for national security purposes". When you think about how many cellphones are out there, along with GPS/triangulated position information, it's like having millions of moving bugs on a map. They could even do this when the phone is "off" (or, appears to be off). It boils down to cheap and easy bugging of anyone in proximity to someone carrying a cellphone. I hope I just didn't give someone an idea....
3. Re:Compare with a mobile phone by gurps_npc · 2010-08-19 08:10 · Score: 1
  
  If you try to get a teen ager to turn off, or worse, convince them to stop using, a cell phone, you will realize that my assumptions are proven true.
  
  --
  excitingthingstodo.blogspot.com
4. Re:Compare with a mobile phone by Hatta · 2010-08-19 08:14 · Score: 1
  
  You didn't say "RFID tagging is less scary than existing privacy intrustions teenagers gladly accept."
  
  --
  Give me Classic Slashdot or give me death!
5. Re:Compare with a mobile phone by gurps_npc · 2010-08-19 09:12 · Score: 1
  
  True, but teen agers grow up. And once you accept something as a teenager, you pretty much accept it for life.
  
  --
  excitingthingstodo.blogspot.com
Little Brother by DevConcepts · 2010-08-19 07:33 · Score: 1

Cory Doctrow had a book that is a very good read in addition to telling how to mess with RFID surveillance if Big Brother happens. Free & CC
http://craphound.com/littlebrother/download/
Sigh, usual bait and switch crap. by DaveGod · 2010-08-19 07:36 · Score: 1

First thing to do when reading someone's defence arguments is to consider if they actually are related to the original complaint. Here we see trade body/corporate/politician PR defence #1: deflect criticism by confusing the public about the original complaint simply by defending something related but different. As long as you can control the conversation, you're always going to come out smelling of roses.
Nobody cares about using RFID to track shipping. The concern is about using RFID to track personal data, like identity documents. The authorities may find use from using a reader to track who is using a bus station, perhaps with the best of intentions, but I'd rather they not be maintaining a record of my travels thanks. Certainly I am not looking forward to the day when I examine a pair of shoes at a shopping mall, decide against it only to receive a text suggestion of another pair l might like, and later hitting the web only to see a Google advert for similar shoes.
I don't even want to consider the potential for it's use illegally. Which, by the way, probably is not being performed much because at present there isn't much RFID use in this area. Remember how secure unpopular web browsers reportedly were, right until they started getting popular and suddenly it's all critical security bugs? Security is about risk, which means not only how weak something is but also how attractive it is as a target.
Credit cards by evilviper · 2010-08-19 07:37 · Score: 1

Do your credit cards come with EZ Pass or similar? Does your bank mail them to you with little metallic stickers affixed to the front of them? What makes you think it's any more secure in your wallet than in an evnelope? Why are banks doing this extra step if there's no security risk?

--
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
1. Re:Credit cards by Ksevio · 2010-08-19 10:05 · Score: 1
  
  Do your credit cards come with EZ Pass or similar?
  No, that'd be a huge credit card, and only useful if I'm trying to jog through toll booths. It does have PayPass though.
  
  Does your bank mail them to you with little metallic stickers affixed to the front of them?
  No it didn't, it had a little paper sticker on the front telling me to activate and sign it.
  
  Why are banks doing this extra step if there's no security risk?
  The card readers need it to be practically touching it to work, I don't think people are mass scanning my mail.
2. Re:Credit cards by evilviper · 2010-08-19 10:16 · Score: 3, Informative
  
  No it didn't, it had a little paper sticker on the front telling me to activate and sign it.
  Yes, some banks don't do so. Most do, however.
  
  The card readers need it to be practically touching it to work,
  An idiotic statement. Mass market RFID readers need to be within about 6 inches. However, there's NOTHING stopping someone from cranking up the power and getting far more distance out of it. How does 11 meters sound? http://www.foodproductiondaily.com/Supply-Chain/Long-distance-RFID-reader
  
  I don't think people are mass scanning my mail.
  With enough money on the line, they will be... Criminals go to great lengths to get credit card numbers with skimmers, fake ATMs, and the like. A tine scanner in a post office would be relatively easy and low-risk.
  
  --
  Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
Cookies readable from orbit. by Fantastic+Lad · 2010-08-19 07:38 · Score: 1

RFID chips need to be right up close in order to charge, (assuming they don't have their own battery, which the ones attached to higher ticket items do), but once they transmit, the read distance is only limited by the sensitivity of your receiver. To me, that means, "From Orbit".
Maybe I'm over-simplifying, but 200 feet with home brew technology is pretty impressive. I have a feeling that the military has invested a few more pennies in radio technology over the years than Chris Paget.
But that's not the point, because when it comes to tracking people, you don't need to do it from orbit. Heck, this page referenced from the article makes it pretty clear that ubiquitous readers and internet communication is on the horizon. Heck, it's almost here.
People worry about being 'chipped', and maybe they will be, but I think it's kind of pointless. Everybody already carries around their wallet wherever they go, and I know when my credit card expires, the replacement will be armed and ready. That just annoys me! They don't need to read my card from orbit, because in order to track me, all I need to do is walk around the city. Past any random RFID machine which happens to be active. You know, like at doorways to every second retail outlet.
I wonder what would happen if I microwave the chip in my card? Would the magnetic strip still work?
Skit the tinfoil hat. I want my wallet lined with silver!
-FL
1. Re:Cookies readable from orbit. by glop · 2010-08-19 08:12 · Score: 1
  
  Well indeed the military and not just them have invested a lot in such radio technology.
  An RFID reader is very similar to a radar. There are 2 important classes of radar and both type kind of apply:
  1) primary radars: blast a lot of energy as radio waves towards a target, the target reflects some of the energy in the radar's direction with is then received and amplified (big antenna, amplifiers and signal processing)
  2) secondary radars: send signals to a cooperative transponder on plane the transponder (which has batteries) decodes the signal and transmits a response back. The radar then receives and decodes the message.
  If you combine both types of systems for RFID long distance reading you can:
  - beam energy to the RFID over a long distance (antenna with narrow beam, emit kilowatts of power with appropriate characteristics to provide power to RFID tag). Primary radars can send megawatts in beams that have a 1 degree width
  - send signal/message over long distance to get the RFID to respond
  - receive RFID response thanks to highly sensitive receivers (primary radars have required a lot of work in that area since the targets don't cooperate and might even use stealth technology). Primary radars can typically receive picowatts of energy and recognize the target.
  If you add this all together, you can track RFID tags miles away and know where they are with some precision (100 feet maybe).
  Also, criminals may really like RFID too: Kidnapping mafia in poor countries could detect passports in cars going on a road, kidnap all Americans (or Europeans) as they are likely to bring a good ransom. Apparently the equipment to do that is dirt cheap. And the security of the RFID tags is lame as there were people who managed to clone RFID tags of passport and such. And if your passport were secure you might still have kept the tag on your bible, DVD, laptop etc.
  Overall, I am not surprised that even Skymall sells wallets that block RFID...
  Of course, one can argue that cell phones are much worse. So you might need quite a bit of tinfoil in the coming years...
signal strength antenna size by RichMan · 2010-08-19 07:48 · Score: 1

If you were on pluto with you cell phone there are antennas on earth that could receive you. Sure the scanner in the store may have a range of a couple of inches. If some black hat wants to hide an antenna in the back of a white van he is going to be able to read RFID tags from across the street.
Arguments about "small signal strength" are only relative. If the information is important enough someone is going to find a way to access it from the distance they need. The problem of isolation of a signal from a cloud of other signals is also then a problem of directionality and local isolation. A highly directional antenna and a line up of people going through a turnstyle make a way to isolate targets.
Criminals could setup a hidden antenna pointed at a turnstyle in subway system.
It will happen when the information becomes valuable enough for the criminals to take the effort.
Irrelevant by Angst+Badger · 2010-08-19 07:49 · Score: 1

The IBM PC first appeared in 1981. It was not until 1986 that the first PC virus appeared. It was not until many years after that before malware aimed at theft of data -- as opposed to mere vandalism -- became widespread. There's often a lag between the existence of a gaping security hole and the day when someone finally drives the first of many Mack trucks through it.

--
Proud member of the Weirdo-American community.
Not yet == never will ? by mike.mondy · 2010-08-19 07:50 · Score: 1

Mark [of the RFID Journal] challenges Paget to point to a single instance where RFID was successfully used for nefarious purposes.
I think I've managed to leave town twice in my life while accidentally leaving a door unlocked. Nothing bad happened. So, I should conclude that I could leave doors unlocked all the time and I'd never see an unlocked door used for nefarious purposes?
I hope not all the logic at the RFID Journal is that bad...
Re:Great Idea by GIL_Dude · 2010-08-19 07:51 · Score: 1

How exactly is it just as easy? With RFID the card can stay in my wallet. It can stay in my Wife's purse (she probably can't even find it in there and it still works). With bar code you have to take the card out and optically scan it. That is not even close to as easy and convenient. I'll agree it is much more secure since it is probably impossible for someone to optically scan your card while it is in you wallet whereas with RFID anyone can try to read the card as long as it is in range and isn't in a "Faraday bag".
taken to the absurd... by Daetrin · 2010-08-19 07:54 · Score: 1

There haven't been any known cases of a private citizen destroying a city with an atomic blast, so free nuclear weapons for everyone!

--
This Space Intentionally Left Blank
Taggants by dpilot · 2010-08-19 08:02 · Score: 1

Taggants are small chips of plastic embedded in all commercial explosives. They basically build up a whole bunch of thin layers of plastic, each layer distinctive. Think of the sequence of layers as a "manufacturing hash" allowing you to inspect the taggants and tell who made the explosives, and some additional information, pehaps some generic and some manufacturer-specific about that explosive. The multi-layered plastic is shredded into tiny pieces and mixed into the explosive.
It's so small and so light that at least some survives the explosion.
But there are those who are concerned that with years of wind, construction use explosions, taggants will be practically everywhere. So check the sight of a criminal explosion, and you have to start quantitatively sifting the debris to figure out which taggants are associated with the immediate problem, especially if there was recent construction nearby.
RFID may wind up the same way. Too many RFID devices, perhaps too little adherence to standards making boku crosstalk problems. It still wouldn't be a problem walking through the short-range theft detectors in a store, but long range RFID snooping might become very difficult, given time and ubiquity.

--
The living have better things to do than to continue hating the dead.
too obscure? by Cajun+Hell · 2010-08-19 08:02 · Score: 1

even if someone could read the tags, they wouldn't get much information.
I'm no RFID-hater, but this is a totally bullshit argument. A hash key is a hash key; you don't need it to contain any meaning in itself. RFID keys are the real-world analog of cookies, and pretty much have the same risks. If you ever tie that meaningless blob to someone, you've got 'em.

--
"Believe me!" -- Donald Trump
Portable RFID chip Killer by mrops · 2010-08-19 08:02 · Score: 4, Interesting

If a microwave isn't available
1) Take a cheap camera flash
2) Replace strobe with AWG14 or 15 coiled about (ummmmmm.. say) 10 times around your finger (remove finger)
3) Charge flash (which isn't a flash anymore) and point to your favorite RFID chip, fire.
4) Enjoy your restored privacy
Disclaimer: Do not point towards your pace maker.
1. Re:Portable RFID chip Killer by camperslo · 2010-08-19 08:18 · Score: 3, Informative
  
  Actually I think you'll need to put that coil in series with the flash.
  IIRC, an inverter charges a capacitor up to a few hundred volts D.C. across the flash which doesn't conduct until it is triggered by a brief higher-voltage pulse from a transformer. That pulse causes the gas to ionize (conduct). If the coil were across the flash, the cap would be shorted and couldn't build up a big charge to release in one high-energy burst. Maybe flash designs have changed, but that's how they've worked in the past.
2. Re:Portable RFID chip Killer by CeruleanDragon · 2010-08-19 08:21 · Score: 1
  
  And then sell the coil. Do you know how much copper is going for at the scrapyards these day? It's almost worth selling your pennies.
  So step 3.5 or 5: Profit!
  
  --
  ad astra per alia porci
3. Re:Portable RFID chip Killer by Anonymous Coward · 2010-08-19 08:31 · Score: 5, Funny
  
  (remove finger)
  Holy shit man, I value my privacy but this seems extreme.
4. Re:Portable RFID chip Killer by blueZ3 · 2010-08-19 08:44 · Score: 2, Insightful
  
  Unfortunately, along with the rest of our debased currency, we've taken most of the copper out of pennies. Eventually I expect plastic penny coins, once the price of zinc goes up.
  
  --
  Interested in a Flash-based MAME front end? Visit mame.danzbb.com
5. Re:Portable RFID chip Killer by lowrydr310 · 2010-08-19 09:20 · Score: 1
  
  Suppose I'm trying to destroy the RFID chip on my credit card. Won't that nifty homebrew device also destroy the info coded on my magnetic stripe, rendering the card nearly useless?
6. Re:Portable RFID chip Killer by MoeDumb · 2010-08-19 10:56 · Score: 1
  
  Alternately, just call up your bank and request an RFID-free card. Chase Bank card's RFID is called "Blink" and they will send you one without it if you ask.
  
  --
  Mod Me Up. You'll make a grown man cry.
7. Re:Portable RFID chip Killer by L3370 · 2010-08-19 11:31 · Score: 1
  
  Someone here is going to forget to remove their finger...
8. Re:Portable RFID chip Killer by dakameleon · 2010-08-19 11:53 · Score: 1
  
  and what about when the oil runs out for producing that plastic?
  
  --
  Man who leaps off cliff jumps to conclusion.
9. Re:Portable RFID chip Killer by jmcharry · 2010-08-19 12:11 · Score: 1
  
  Wooden nickels, of course.
10. Re:Portable RFID chip Killer by camperdave · 2010-08-19 12:12 · Score: 1
  
  Which brings us at last to the moment of truth, wherein the fundamental flaw is ultimately expressed, and the Anomaly revealed as both beginning and end: wooden nickels.
  
  --
  When our name is on the back of your car, we're behind you all the way!
11. Re:Portable RFID chip Killer by Junior+J.+Junior+III · 2010-08-19 14:58 · Score: 1
  
  You gotta do it, or they'll still be able to figure out who you are based on the prints. Don't skimp, remove the whole finger.
  
  --
  You see? You see? Your stupid minds! Stupid! Stupid!
12. Re:Portable RFID chip Killer by Muad'Dave · 2010-08-20 05:13 · Score: 1
  
  It is worth selling your nickels and pennies - or at least melting down pre-1982 (and some 1982) pennies and all recent nickels. Unfortunately the government figured this out and made it illegal.
  I got a 1964 silver quarter in change the other day - it's worth $3.32 today.
  BTW, you can tell a 95% copper penny from a 97.5% zinc one by carefully listening to the sound it makes after being dropped onto a hard surface. The 95% copper one 'rings out', whereas the zinc one goes 'thud'.
  
  --
  Tiller's Rule: Never use a word in written form that you've only heard and never read. You will end up looking foolish.
Re:Great Idea by TrisexualPuppy · 2010-08-19 08:08 · Score: 1

Ju jitsu? I'm gonna learn Ju jitsu.
It's never happened before is a stupid argument. by SecurityGuy · 2010-08-19 08:13 · Score: 1

By the same logic, cancel your life insurance because you've never died before.
Cheat on your taxes because you've never been audited before.
Never use contraception before because you've never impregnated anyone before. Oh, sorry, this is Slashdot. Forget that one.
Give up on getting a girlfriend because you've never had one before. There, that's better.
Every single threat that is real and accepted today was at one point just a theoretical vulnerability. I still remember how we used to laugh at people who thought you could get a computer virus through email, then Microsoft brought us automatic execution of stuff in email, and voila, you could. Brute forcing DES was impractical once. Now it's not. Spamming people's fax machines was once never done. Now I get a couple a week.
Sometimes new technology hasn't been exploited not because it's invulnerable, but merely because it's new.
If someone raises this sort of argument, their either being willfully deceptive, or they're woefully naive.
Yes. by peacefinder · 2010-08-19 08:17 · Score: 1

I recall a demonstration of an RFID card-cloning device from several years ago, where as a proof-of-concept the builder of the clonig device covertly cloned an authorized RFID security card and opened a secured door with it. It was a controlled penetration test against an aware target, but it clearly worked. It was widely publicized. (I'm not sure if this is the same tester - I think so - but there are full build instructions for a cloner available here: http://cq.cx/proxmark3.pl )
It's very difficult to imagine that this attack has never been duplicated as part of a hostile act after so long. It's easy to imagine that such an attack would not be reported, however, because such an attack could actually be very difficult to detect without an independent system monitoring physical access (e.g. cameras) and without evidence of some security breach to spur an investigation into access and camera logs. A strictly information-gathering penetration could be accomplished with hardly a trace.
Just because an exploit hasn't been seen in the wild yet doesn't mean it's not out there.

--
With reasonable men I will reason; with humane men I will plead; but to tyrants I will give no quarter. -- William Lloyd
People can use guns to shoot people by bonkeydcow · 2010-08-19 08:18 · Score: 1

Oh really? Has anyone ever seen someone has shot someone with a gun? Well yes. Just because it hasn't happened yet, (if it hasn't) it will happen. Go wave your credit card at the gas pump, while the guy on the other side of the pump grabs your rfid signal and uses it to pay for his gas too.
Re:What about short distance? by gorzek · 2010-08-19 08:31 · Score: 1

Consider the cost involved in a) deploying enough tracking hardware to be meaningful, b) implementing the infrastructure to carry the data, and c) putting enough storage behind it to hold records indefinitely, and it is not hard to conclude that this is a rather impractical, expensive endeavor with very little potential payoff.
Collecting data is a big part of the problem. The US government already collects vastly more data than it can effectively analyze. You basically have two possible approaches: targeted surveillance, which is much cheaper, easier, and reliable; or blind collection backed by advanced data mining, the latter of which is still in its infancy.

--
Check out my world simulator thingy.
You are all too smart for your own good by CeruleanDragon · 2010-08-19 08:32 · Score: 1

Reading Slashdot comments on subjects like this reminds me of a moment in my ancient history that always sticks in my mind. My middle school (Junior High back then, 7th/8th grades) had a special program for students that showed exceptional skills. It was called Mentorship. It was basically designed to give us advanced classes while at the same time encouraging us to tutor others. Students from other classes could come to the Mentorship teachers and ask for a tutor and they in turn would get a volunteer from the Mentorship class to help.
After turning in a writing assignment where we had to create a crime/detective story the teacher was so proud of us that she said this (a little paraphrased, it was 25-odd years ago..)
"You are all so brilliant, every one of you got an A- or better on this paper. I see bright things in your futures. Some of the stories were so clever that I hope none of you ever grow up and get into a life of crime. Any one of you that did would be criminal masterminds and a scourge on this world. I'm sure none of you would do that, but it would be rather scary if you did."
Of course to me all I heard was, "You could be a great criminal genius, go for it!"
But reading through all of your comments makes me realize... there are many (note: I say many, not all) of you that, were you to put your minds to crime, would make the papers pretty quickly, and not in the "got caught doing..." way, I mean in the "is being sought by..." way.

--
ad astra per alia porci
1. Re:You are all too smart for your own good by CeruleanDragon · 2010-08-19 08:33 · Score: 1
  
  And as for those who say RFID hasn't been used for crime yet, wanna place bets that the first person to do it successfully will be an avid Slashdotter? :)
  
  --
  ad astra per alia porci
You could even detect American vs. other passports by tlambert · 2010-08-19 08:34 · Score: 1

You could even detect American vs. other passports

All you have to do is hook a RFID detector up to an explosive device in a populated tourist area. Once the RFID detector senses enough unique RFID passport codes within a certain timeframe, BOOM!
Chris demonstrated country-of-origin detection based on passport RFID values. The same thing works with military IDs.
-- Terry
Security through obscurity by Professr3 · 2010-08-19 08:51 · Score: 1

"The signals are too weak and the data is too obscure, according to Roberti." Hey, AT&T - what did we learn about security through obscurity? Sorry, I can't hear you over the tone coming out of my Cap'n Crunch whistle. Nobody will ever figure out that your long-distance tone is 2600Hz, it's unthinkable! If nobody thinks the system is broken, nobody will fix it. Meanwhile, the rest of technology will improve and adapt, until a significant segment of the criminal population will be able to easily read these weak signals and use them for nefarious purposes. It won't happen overnight, but people have a way of doggedly pursuing an answer until it's found, and it won't matter how obfuscated or "obscure" the data is.
Answer is YES by GameboyRMH · 2010-08-19 08:53 · Score: 4, Informative

RFID-enabled credit cards broadcast all the data on the front of the card in plaintext when energized. So I'd say the answer is YES.
http://www.youtube.com/watch?v=vmajlKJlT3U
Look how old that video is.

--
"When information is power, privacy is freedom" - Jah-Wren Ryel
It should work up to half a mile by thalakan · 2010-08-19 08:54 · Score: 1

Lockheed Martin recently put out a press release about their magnetic communications system (MCS), which works at distances of up to half a mile through solid rock:
http://www.popsci.com/technology/article/2010-08/lockheed-develops-magnetic-communication-mine-safety
Although the MCS probably uses large coils and low wavelengths on both sides to achieve that impressive distance, typical RFID cards have small coils. To make up for this, very strong digitally controlled magnetic fields could be used to couple to a coil from far away. For example, see this implementation of a static 0.7 tesla magnet:
http://www.technologyreview.com/biomedicine/25527/page1/
A strong enough, highly directional magnetic field and a sensitive enough detector could couple all the way to the theoretical maximum distance permitted by the RFID card's frequency. Like the MCS, that distance is one third the wavelength of 125 KHz (1.5 miles), or half a mile.

--
-- thalakan
Re:What about short distance? by Dan+Ost · 2010-08-19 08:56 · Score: 1

Those are usually more sophisticated that a simple RFID. They usually have an actual smart card in them that handles a cryptographic challenge/response from the reader. The challenge/response resists replay attacks, so a simple cloning won't work.

--

*sigh* back to work...
Re:What about short distance? by tophermeyer · 2010-08-19 09:04 · Score: 1

Or what about a retailer tracking people that pass through points of entry or near points of interest. I'm thinking of something like Best Buy keeping tabs on people that go into the store and play Guitar Hero for 15 minutes on the demo machine, then hitting them with a targeted advertisement.
RFID? by magnwa · 2010-08-19 09:12 · Score: 1

It's amusing that people whine about RFID, but go around wearing bluetooth headsets or running with Bluetooth sensors, while carrying cellphones, that operate on wifi radios where wifi points are available.
You were tracked long before RFID came out, and nothing bad has happened. :)
1. Re:RFID? by pentalive · 2010-08-19 11:01 · Score: 1
  
  Lots of things that can be misused and have not been (yet) are present now. But it seems that there is a mindset more and more in government and business that the populace must be tracked and cataloged "for their own good".
It's all about freqency and encryption by Caerdwyn · 2010-08-19 09:22 · Score: 1

The chief concern with RFID tags like this isn't that some passerby can trigger your RFID tag to cough up a number; that's possible but impractical. The risk is that someone can point a directional antenna at a point where the RFID tag is activated by its intended use at a predicable location, and passively collect the transaction. Examples: FastTrax, PayWave, RFID passports
PayWave uses a 13.56 MHz transceiver frequency. This is about a 25 meter wavelength, so a high-gain directional antenna would be pretty obvious (rule of thumb: antenna size is one quarter or one half the wavelength of the frequency in question). The antenna systems used in PayWave are extremely inefficient, but when the range is almost "touch", that's not a bug, it's a feature. Adjacent registers with PayWave won't be interfering with each other or reading each others' transactions. However, RFID systems that use the 900MHz band are another matter. 900MHz has a wavelength of about 33cm/13 inches. A high-gain directional antenna would be about six inches wide, and anywhere from six to twenty-four inches long, producing 12dBd or better of gain for the longer size. It's not hard to conceal something like that in a tree aimed at a 7-11, or in a radio-neutral briefcase in an airport aimed at the passport-checking station at the security point.
So yes, bad guys can easily see the transaction, depending upon the wavelength used. The security is in the encryption of the transaction (or lack thereof). If the RFID device just pukes it's ID when tickled, that's bad. If there is a challenge-and-response cycle, not quite as worrying as you'd need many transactions recorded for a single device to crack it, though with keyless car entry systems, that's already happened (see http://www.cosic.esat.kuleuven.be/keeloq/keeloq-rump.pdf ).
Like almost anything else, it's all about implementation. You can never assume the transport between two devices is absolutely secure, and RFID is most definitely not an exception; indeed, it's the poster-child.

--
Everybody gets what the majority deserves.
How did we go from nefarious purposes to tracking? by thegarbz · 2010-08-19 09:31 · Score: 1

I'm not worried about tracking at all. People who track others can go to great lengths, the government can go to great lengths. If not by some technological means (RFID toll tags, video matching licence plates from continuous speed cameras) then by physical means (spook tailing you on the street). All of this gets them where? To my house? That information they could find in the phone book. Maybe to my gay lover?

Then there's all the talk of marketing. Yeah so what? I'd much rather look at targeted ads from computer stores than the latest and greatest eye-liner from Loreal. Bring on this targetted marketing then maybe I just may take an interest in the ads. Heck I may even learn about a new product.

On the other hand keep RFID out of my passport, and my wallet. This is far more worrying than anything else. There's not a lot of people out there who wish to target and track one specific purpose for nefarious reasons. However as credit card skimming trends are showing, as soon as someone gets their hand on the ability to remotely skim credit card details (and remember this is how Paywave and Paypass work), you can bet your bottom dollar they'll be RFIDing as much as possible. The risk is even lower than with card skimming if they get it working.
The Guy At The Gun Show Said So by tunapez · 2010-08-19 09:55 · Score: 1

And, frankly, I believe him. My passport RFID carries more than just "obscure data", I would suspect. I've heard they're coming/(already here?) included in all ATM/Debit/Credit cards and, I assume, would carry more than obscure data. I don't care if it's being snooped by the guy standing next to me on the rail or a guy sitting on a bench across the store. If it's another weak link in an already jaded defense against ID theft, it should not be implemented in the first place.
I did not buy the RFID-blocking wallet, however. Was meaning to check out instructables one of these days but my tinfoil hat sometimes makes me forget.

--
Imagination drew in bold strokes, instantly serving hopes and fears, while knowledge advanced by slow increments...
The RFID in everything you buy at Wal*mart by pentalive · 2010-08-19 10:51 · Score: 3, Interesting

Why isn't anyone worried about the Wal*mart RFID initiative?
Wal*mart says if a company wants to sell its product in Wal*mart it must have an RFID in it. It also seems that they do not intend to disable these RFIDs once you buy the product - one of the goals is to identify the specific item when you want to return it. (stopping the "My X broke but it's out of warranty so I'll buy a new one and return the old one" ploy).
I'll just use cash you say? If you bought anything with your credit card or with you ATM card each of those things is "pinned" to you. Things you get with cash get pinned to you by being associated with things you bought with plastic next time you walk through the door. You will be identified by the cloud of RFID devices one or two in each article of clothing you wear - in each item you carry. (each pinned to you)
Next time you walk into Wal*mart it's "Welcome Back Pentalive" need more jeans? t-Shirts? Since the data belongs to walmart, the next time you walk into another business that bought the database from WM they also will be "Welcome to McDonald's, Pentalive".
Hope you -never- go anywhere where you want to be anonymous (or at least never wear anything from WM.)
Yes we are in public and thus have no expectation of privacy. But is it Wal*mart's business if you have been shopping at Target recently? And if Wal*mart knows where you have been - all the Government has to do is ask nice and they know too. Remember the Government can setup RFID readers too. Then they don't have to ask. You walk through the metal detector at the airport, a loop of wire built right in can read all your RFIDs at the same time.
Arguments aside of "Well I will just microwave everything" does that really work or do you end up ruining that $100 pair of "Air Jordans" by melting parts? How about the RFID built into that nice laptop or netbook, or cell phone or iPad? Can't microwave those.
Also if Wal*mart demands RFIDS in everything, perhaps it will just be easier for companies to put RFIDS in any products that might be sold at Wal*mart or might be sold somewhere else? That nice new polo shirt you got at Target, no RFID there right? You sure? They also sell that kind of shirt at WM.
Iris scanning like Minority Report? Wear dark glasses, turn away from the sensor. RFID cloud? ? ? Wear your tinfoil spacesuit! I suppose it should be "I, for one, welcome my new location-tracking overlords."
Paranoid by bart416 · 2010-08-19 10:51 · Score: 1

If the government was interested in spying on your daily activities (and that's extremely unlikely if you're the type of person that goes "OH NOES RFID IS EVIL") they'd do it no matter what,they're not going to bother putting RFID trackers every 100 meters to track everybody's location. If you think so you might also want to break out the tinfoil hats. RFID has its applications and it shouldn't be used for transferring extremely sensitive data. Right now most of the arguments are at about the same level of saying a chip card is dangerous cause the data on the chip might not be encrypted and you could lose it and somebody might come along with a card reader. But really I love having to just sweep my wallet past the reader to get my student discount in the cafeteria instead of having to get the card out of my wallet and holding it 5 seconds in front of a bar code reader.
Re:Great Idea by tmosley · 2010-08-19 10:52 · Score: 1

So saying the "data is too obscure" is enough for you? I guess you have your social security number tattooed on your forehead. I mean, it's just an obscure number, right?

How the hell is that offtopic, anyways?
Re:Great Idea by rhook · 2010-08-19 10:54 · Score: 1

Those are the same thing.
London Oyster cards are RFID by citizenr · 2010-08-19 12:43 · Score: 1

Police has access to logs and used them in the past. Proof of RFID being used to spy on people right there.

--
Who logs in to gdm? Not I, said the duck.
Reasons for the RFID failures by Anonymous Coward · 2010-08-19 12:57 · Score: 2, Insightful

The boxes where chipped *and* barcoded, and there were scales on the collection lorry to weigh the box and automatically scan the rfid chip at the same time, thus collecting usage data.

Three years on it turns out that the one thing we were not expecting - the rfid chips not to be reliable - has proven a major issue.
Did you totally ignore the subject of the story and replies to it? Have you considered that maybe some people don't like your tracking (especially if they weren't informed of it and didn't explicitly agree to it) and have found ways to detect and incapacitate your RFIDs?
Re:You could even detect American vs. other passpo by myowntrueself · 2010-08-19 16:19 · Score: 1

Chris demonstrated country-of-origin detection based on passport RFID values. The same thing works with military IDs.
But could the detector be made discrete enough? Ie not require mains power, not require obvious antenna or other detection apparatus?
If so then... surely this is just fucking scary?
Or am I missing something here? Eg a bomb that goes off when theres enough US passport holders nearby. Or UK. Or whoever someone bears a grudge against.
People are going on with worries about identity theft or leakage of personal info via RFID tags and other people are going on about how thats just not a problem and not to worry. But if these things can be used to target specific groups with concealed bombs then takes it to a whole new level.

--
In the free world the media isn't government run; the government is media run.
HGTTG by ThatsNotPudding · 2010-08-20 00:03 · Score: 1

It's an RFID chip that allows me to just magically wave my card around in the air
"Just don't nod your head through this bit"
"And now, let us bow our heads..."
Security's worst nightmare by Aizenmyou · 2010-08-20 07:17 · Score: 1

"The signals are too weak and the data is too obscure" Security through obscurity Typical.
The mind boggles... by niftymitch · 2010-08-21 07:31 · Score: 1

I recently was sent out to purchase a feminine product. Does this mean that billboards will flash other feminine product ads at me. At least I only need to do this once a month.

--
Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.