Information technology experts warn that lingering security issues are making Radio Frequency Identification, or RFID, another uncontrolled tool for identity theft. RFID is an old inventory control technology that is quietly being deployed throughout business and industry to track everything from pets to people and products. This technology is helping optimize inventory and business systems and is making consumers’ lives more convenient.
Recent advances in RFID technologies have created new opportunities for cost reductions and productivity improvements. However, they have also amplified warnings that the use of RFID in consumer channels now poses increased risks of personally identifiable information being used for tracking and surveillance purposes.
Adopters of RFID must look for a balance of security, privacy, trust, value and convenience, according to some developers of this technology. That goal, however, is not yet being reached.
Lessons to Be Learned
“Lessons have to be learned from the experiences of early adopters. Right now the complexity of the technology is a big issue,” Rebecca J. Whitener, director of EDS Privacy Services, told CRM Buyer.
That message is being echoed by Ari Juels, principal research scientist for RSA Security Laboratories.
“We need to apply the lessons learned from the current flaws in Internet security that are causing the identity theft problems,” Juels said, “so we don’t repeat them as RFID is deployed.”
Juels is not warning idly that the security sky could soon be falling when he talks about current RFID technology. He and his RSA Security Lab scientists have already shown evidence of just how vulnerable this technology is.
One of RSA’s big worries lies in the ease with which the personal data contained in RFID tags can be acquired. Researchers from RSA Laboratories and Johns Hopkins University recently scanned the information on RFID chips in car keys and on ExxonMobil SpeedPass tags. They were able to collect enough information to crack the encryption codes on the tags.
The researchers discovered the security flaws while studying the Texas Instruments Registration and Identification System, according to news reports. The low-power radio-frequency security system they cracked is used worldwide. The Texas Instruments system is only one of a number of RFID systems on the market.
Criminals with the same knowledge of how to breach RFID tag security layers could steal the cars or obtain free gas. RSA sees examples such as this as a sign that the backers of the RFID industry are being short-sighted by trying to roll out more uses for RFID devices before their security and privacy issues are addressed.
According to RSA Security researchers based in Bedford, Mass., the industry has a terrific opportunity to build this technology securely from the start. What is needed, they said, is the adoption of basic controls so no one’s privacy is breached.
Consumer Attitude Counts
One way to do this is to require an RFID reading device to prove its identity and legitimacy to an RFID tag before the tag will give up its data. The tags could be set to give up data only to certain types of readers.
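The reader-to-tag authentication described above, as an added example (not from the article or from any vendor's protocol): a simulated tag issues a fresh challenge and releases its data only when an allowed reader type answers with a valid keyed MAC. HMAC-SHA256, the pre-shared per-type keys, the sample values and all class and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def mac(key, reader_type, nonce):
    # Bind the response to both the reader type and this session's nonce.
    return hmac.new(key, reader_type.encode() + b"|" + nonce, hashlib.sha256).digest()

class Tag:
    """Simulated tag: releases data only to an authenticated, allowed reader type."""
    def __init__(self, data, reader_keys, allowed_types):
        self._data = data
        self._keys = reader_keys        # reader type -> pre-shared key (assumed provisioning)
        self._allowed = set(allowed_types)
        self._nonce = None

    def challenge(self):
        # Fresh random nonce per attempt, so a recorded response cannot be replayed.
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def read(self, reader_type, response):
        nonce, self._nonce = self._nonce, None   # each challenge is single-use
        key = self._keys.get(reader_type)
        if nonce is None or key is None or reader_type not in self._allowed:
            return None
        if not hmac.compare_digest(mac(key, reader_type, nonce), response):
            return None
        return self._data

class Reader:
    def __init__(self, reader_type, key):
        self.reader_type, self._key = reader_type, key
    def respond(self, nonce):
        return mac(self._key, self.reader_type, nonce)

def attempt_read(tag, reader):
    return tag.read(reader.reader_type, reader.respond(tag.challenge()))

def demo():
    keys = {"pos": b"constructed-pos-key", "warehouse": b"constructed-wh-key"}  # constructed
    tag = Tag(b"item-0001", keys, allowed_types={"pos"})
    pos = Reader("pos", keys["pos"])
    captured = pos.respond(tag.challenge())   # valid answer to an old challenge
    tag.challenge()                           # tag has since moved to a new nonce
    return {"replay": tag.read("pos", captured),
            "legit": attempt_read(tag, pos),
            "wrong_key": attempt_read(tag, Reader("pos", b"guess")),
            "disallowed": attempt_read(tag, Reader("warehouse", keys["warehouse"]))}
```

Only the `legit` attempt returns the tag data; the replayed response, the wrong key and the correctly keyed but disallowed reader type all get nothing back.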
A study conducted in late 2003 shows that consumers were not aware of what Radio Frequency Identification means and how it already exists in equipment they use. However, once consumers became educated about its existence, they supported its use, provided their personal data was not at risk.
The Netherlands technology consulting firm Capgemini worked with SmartRevenue, a Ridgefield, Conn.-based research firm, to survey consumers’ awareness of and support for current and future RFID technology. The study found that RFID adopters will have to develop ways of understanding what consumers think about RFID. This can help ensure that companies are in a position to leverage the technology’s full potential and gain return on their investment, the report noted.
That conclusion is important as the industry prepares to integrate RFID devices to track merchandise and consumers within retail environments.
“The two opposing views of convenience and security involving RFID come together with the consumer. Those lingering security problems can be solved over the next few years,” said Ard Jan Vethman, RFID leader of Global Sector Manufacturing for Capgemini, from his office in The Netherlands.
He agreed that the survey unveiled some consumer concerns over safety issues. However, he said that consumers would put pressure on retailers to prevent abuses with their personal information once merchandise tags with RFID chips left the stores.
Vethman said that his company always urges its industry clients to be very clear about how they use RFID and what consumer information is involved.
“The industry itself needs to be proactive now about these issues. More secure technology is coming into use,” Vethman said.
RFID Security Primer
Different aspects of RFID technology are used in various devices. Because there is a spectrum of hardware in use, consumers can easily become confused by the terminology. An RFID tag used to track personal data on credit cards or passports, for instance, is different from RFID chips used in car keys and gasoline passkeys.
For instance, wireless bar codes form the low end of the spectrum. These devices are typically found in merchandise tracking tags in warehousing operations. They do not contain data encryption but will not be introduced into retail use for a few years.
“That makes them less of an immediate threat as long as merchants disable the RFID tags at the point of sale,” RSA’s Juels said.
Wireless smartcards and smart bar codes form the high end of the RFID spectrum. Such devices can provide data encryption for stronger security.
“These devices can pose tracking risks,” Juels said. “We have to think about safety first. We can’t brush aside security concerns.”
As an example of the potential risks involved with such high-end RFID devices, consider how smart bar codes are used now in the pharmaceutical industry to track products during the manufacturing and shipping processes, Juels suggested.
“These tags can be easily counterfeited. It’s easy to scan the bar code and lift the data from them,” he said.
Tougher Passport Security
Perhaps one of the most sensitive uses of RFID technology will be its deployment in identification cards such as passports and driver’s licenses. Governments in Europe and the U.S. are working together to adopt secure standards with smartcards, according to Eli Basson, vice president of products for SuperCom. His company manufactures proximity smartcards and fingerprint readers.
“Electronic ID cards are an entirely different ball game,” Basson told CRM Buyer.
RFID devices used for secure passports will use three levels of security, he said.
The first level is the physical ability of the card reader to see a shielded security code on the RFID chip. The second level uses encryption logic algorithms placed on the RFID chip in the passport smartcard. The security key code is stored on the first two lines of the chip and will signal it to turn off its shielding. This makes the password accessible only to specific card readers.
The third security level rests in a unique RFID chip number assigned to the personal identification card. This chip number is encrypted so that even if someone could break through the first two security layers, he or she would not be able to decode the encrypted chip to access the personal information it contains.
Education Is Key
Industry watchers see RFID technology developments as a gradual adoption process. They view consumer education as an essential step in gaining a balance among productivity, convenience and security.
“RFID adoption will not be quite an uphill battle. But we will continue to see hesitation as a changeover occurs from legacy methods to these new innovations,” said Whitener of EDS.
“If the consumer is going to see the practical uses for RFID, the first big issue is educating the consumer. The guiding principle for eliminating privacy concerns will be to give the consumers options,” she said. “Merchants will have to be accountable for the terms of their security and privacy statements.”