Re: RFID Flap Silences Security Researchers

["Robert Green" <ROBERT_GREEN1963@xxxxxxxxx>]

"Bill Kearney" <wkearney-99@hot-mail-com> wrote in message
news:HcudnWtGwvzQYmTYnZ2dnUVZ_hGdnZ2d@xxxxxxxxxxxxxxxx
> > RFID devices used in more public places
> > might be easier to compromise, given the
> > right hardware and know-how.  But those
> > used for single-family residential access
> > control should be relatively safe from this
> > sort of compromise.
>
> What's troubling about RFID entry systems is the reduction in physical
> effort necessary to compromise a wide range of facilities.

The "Pay Pass" has been around for a while - now it's down to credit card
size.  It  doesn't even have to be swiped through a reader, just passed near
it.  The problem with these sorts of systems is that it's probably pretty
easy for some dweeb to put a second reader, hidden nearby, that also scans
the card and captures the information.

There would be little chance of snatching hundreds of RFID codes from
passers-by out of thin air with known technologies, AFAIK.  But I also know
hackers are ingenious - as evidenced by hardware like cantennas - and it may
be quite possible to build a longer-than-normal range device that would
allow you to set up a covert reader near a "funnel point" like a subway
turnstile where 1,000's of people pass with the wallets and pocketbooks at
very much the same height and distance.

You might not even need s super reader if you could locate your hijacking
reader quite near a legitimate one.  I can also easily see a hacker
designing a very small, easy to conceal device that would record every RFID
that was used in the reader that had been tapped.   This is a well-known
criminal technique.  I read sometime back that some gang of criminals had
figured out how to add a vampire tap to a plain old POTS credit card
authorization machine that provided them with the card data from every card
that was swiped through the reader in the restaurants they targeted.

Hackers are ingenious.  I remember people making 1,000's of long distance
phone calls for free way back when with the:

http://www.jetcityorange.com/CapnCrunchWhistle/


Maybe we'll all need some sort of pro-active technology to carry with us:

http://www.mindfully.org/Technology/2006/RFID-Master-Card10apr06.htm  says:

<<A German group called FoeBud, which describes itself as a civil-rights
group for the digital age, is featuring an array of RFID-busting products in
the organization's online store. Items include "deactivator nippers," which
look remarkably like a common hole-punch, priced at about $7. The most
popular item in the store has been a copper bracelet with a red light that
blinks when it is near an RFID scanner, says Rena Tangens, FoeBud's founder.
The store claims to have sold about a thousand bracelets so far at about
$18. "People think this is a cool gadget," Ms. Tangens says.>>

There's also some interesting information about "blocking tags" here that
"spam" readers that try to scan your wallet without the proper
authentication:

http://www.rsa.com/rsalabs/node.asp?id=2060

More interesting to me was:

<<Some techies in Germany figured out how to make a Zapper by modifying a
disposable camera. When you hit the switch, instead of taking a picture, it
emits a burst of electromagnetic energy that fries any nearby electronics.
They have posted an extensive description of their project on the Internet.
Several technology experts contacted say it should work, but the developers
did not respond to emails requesting comment.>>

I recall reading that Wal-Mart wants to be able to track shoppers' movements
throughout the store, and then use a computer system to compare it to sales.
That would give them data on which sales displays were more effective than
others and other information about people's shopping habits.  Those narrow
anti-shoplifting detectors they use now are probably close enough to be able
to extract RFID data from the wallets of customers entering and leaving the
store.

Look at how determined on-line vendors are to track people's every
move through cookies, 0 bit GIF's and the like.  Brick and mortar vendors
are equally as obsessed with having that same sort of data on their
customers.  Eventually, all Americans will have an RFID chip inserted right
after birth.  It will be just like the Social Security number which was
legislated never to be a national ID but became one anyway.  Try getting a
new doctor to even say hello to you without an SSN and a photo ID today.

Eventually, without your RFID implant you won't be allowed to board a plane,
get medical treatment or perhaps even make a credit purchase.  It won't be a
government mandate.  It will occur just the way credit and debit cards have
taken over.  Try to book a hotel or rent a car without a credit card.  Big
Business will make it so uncomfortable for the non-implants that they'll
have to give up or live like monks in caves.

--
Bobby G.