RFID Privacy Problems! Why don’t companies do reasonable security?

I wonder if you have ever heard about RFID. It is a technology in which data can be transferred wirelessly from a tag or a transponder, allowing passive or active identification of a device.

The number of possible implementations of the technology is HUGE, from inventory control, facilitating tracking and logistics, to automatic tellers in supermarkets and even wireless credit card transactions. IBM is investing in the technology and even put some commercials on TV about it.

While this type of solution can severely reduce costs for companies that deal with logistics, we must be careful when using it at a personal level. A lot of privacy issues arise. For example, an eavesdropper can identify you remotely by scanning your RFID tag. The scenario I am imagining is something like the one pictured in the film Minority Report, when Tom Cruise is targeted by a series of personalized commercials after iris scanners identify him while he passes through a shopping mall. With RFID, this can be done by reading your credit card information.

Some might say that the information can be encrypted; more than that, it WILL BE encrypted, even to avoid fraud. The bad news is that the first generation of RFID credit cards is out, and the encryption, despite what the banks say, seems not to be there.

A group of scientists has been studying the topic and founded the RFID Consortium for Security and Privacy (RFID CUSP), which aims “to make RFID safe for consumers by conducting open research and educating the next generation work force that will develop, deploy and maintain secure RFID infrastructures”. The fact is that these guys conducted a series of tests on RFID credit cards and the result was not good. An interesting video came out showing the tests they conducted.

While the video can’t be conclusive, the technical reports on their webpage show that we are far away from a reasonable level of security in financial RFID implementations. If we think about the selection of SDA cards over DDA cards in the Chip and PIN technology I mentioned in a previous article, it seems obvious that again the security is available for the technology (the crypto is there, as is the computing power for the devices to work), but no one wants to invest the money to have a product that protects the customer. It is not about a cost x benefit calculation but a matter of completely ignoring the risk. I congratulate the guys at the RFID CUSP for their work, and let’s hope that initiatives like that pressure the manufacturers and companies that want to implement the technology to have a decent level of security in their systems.

Keep an eye on that technology… 😉
