Technology is a wonderful thing. It makes our lives easier and more convenient. A wealth of information is just a Google search away. Smartphone apps are totally personalized exactly how you like them. Merchants and service providers can give you what you want, based on your purchase history and your past behavior. And you can buy almost anything with the click of a button or the swipe of a piece of plastic. But all that convenience comes at a price — your privacy.
Radio-frequency identification (RFID) refers to systems that transmit certain identifying data wirelessly, using radio waves. That data might be the serial number of a piece of equipment. Or it might be your personal or financial information. It's stored on a so-called RFID tag, which is attached to or embedded in the object in question. In turn, a reader can retrieve the data from the tag using radio waves, so long as it is in close proximity to the tag. They don't need to touch, nor do they need line of sight. Different types of tags and readers are effective at varying distances.
We'll take a look at how RFID works, how it's used, what risks it poses, and countermeasures that you can take. And we'll take a look at various products you can utilize to help protect your privacy.
RFID is an immensely useful technology. There are many industrial and commercial applications for RFID, allowing companies to easily track and manage inventory, items, animals, and people. For example, manufacturers use RFID tags to track products through an assembly line. Distributors use them to effectively track inventory. Ranchers keep tabs on their cattle and sheep. Hospitals monitor inventory and workflow. Libraries replace bar codes with these tags. Even that access card you use to get into your office building or garage uses RFID.
There are many consumer applications as well. The device affixed to your windshield to let you zip through toll roads and bridges? The chip you had implanted in your Doberman, Fluffy? Your fancy new credit card that allows you to pay for those curly fries with the wave of a hand? That's all RFID technology. Many smartphones are incorporating RFID (referred to as near field communication or NFC for phones) to allow for wireless payment and data transmission. But did you know that your passport may have an RFID tag in it, containing your photograph as well as passport and personal data? Your driver's license might have an RFID chip too. With such personal and financial information encoded in those tags, this raises some very real security, privacy, and fraud concerns.
A tag generally consists of at least two parts — an integrated circuit, which is its brain, and an antenna for signal transmissions. There are three main types of RFID tags:
Active: Has an internal power source and may periodically transmit a signal. These are more expensive, but can operate at long ranges, function in difficult conditions, and even record additional data from sensors, such as temperature and humidity. Active tags are commonly seen in industrial and military applications.
Semi-Passive: Has a small battery that is activated when a reader is nearby and powers only the chip, not the antenna. While not as powerful as active tags, these are more sensitive than passive tags and can also perform active tasks such as logging sensor data.
Passive: Does not have any power source, relying on the signal from a reader to provide power. Passive tags are cheap to produce and very compact. They have more limited range, which can be considered a positive attribute from a security standpoint.
We are largely concerned with passive tags, such as those found on credit cards, passports, and driver's licenses.
Readers come in various shapes and sizes, and varying levels of strength. There are the typical point-of-sale terminals that you may have seen at your local fast food chain, intended to be used in close proximity and designed to be affordable and reliable for local businesses. But there are also high-powered readers that have greater range. Hacked and connected to a laptop or other custom circuitry, such a setup could potentially read your RFID tag from several feet away and you'd never know it.
RFID systems are designed to work on various frequency bands, depending on the application and industry standards. Financial institutions, passports, and NFC mobile devices generally adhere to ISO/IEC 14443 standards, stipulating high-frequency systems at 13.56 MHz. There are systems that utilize low frequency as well as ultra high-frequency bands, but those are rare to find in the consumer applications that we are concerned with.
Carrying and using cards or IDs with RFID tags presents a few potential risks:
Skimming: Someone uses a reader to surreptitiously retrieve data from your RFID tag without your knowledge. For example, a criminal might hack a high-powered reader, place it in a briefcase, and run it off battery power. Then by passing by various folks, such as women carrying purses, the reader might pick up data from RFID-enabled credit cards. Later, the criminal loads the data into a computer and uses a blank magstripe card to make a cloned counterfeit credit card.
Eavesdropping: Someone intercepts data that is being legitimately transmitted from your RFID tag to a reader with your consent. With specialized equipment, this sort of eavesdropping may be possible at greater distances than skimming, but location and timing are more constrained — since the criminal needs to be near an authorized reader being used for an actual legitimate transaction.
Tracking: Even legitimate use of RFID can leave a trail of data that you might not have thought about. For example, if you regularly use a wireless toll pass like an E-ZPass in your vehicle, have you considered all the information on your travels that it provides? Just two data points with position and time could be used to calculate your average speed, for example. New York state has rolled out a system in several areas that tracks the movement of cars with E-ZPass tags to estimate traffic patterns and travel times — they insist individual data is not stored or used for law enforcement purposes. Does that comfort you? And just imagine the implications for RFID tags that you carry on your person. Again, those are typically passive tags with limited range, but it's still frightening to consider.
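To make the tracking point concrete, here is an added example (not from the original article) showing how much a plain log of toll-tag reads gives away once it is grouped by tag. The tag IDs, mileposts, timestamps, and function names are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample reads: (tag_id, reader milepost in miles, ISO timestamp).
SAMPLE_READS = [
    ("TAG-A", 10.0, "2024-05-01T08:00:00"),
    ("TAG-B", 10.0, "2024-05-01T08:01:00"),
    ("TAG-A", 40.0, "2024-05-01T08:24:00"),
    ("TAG-B", 40.0, "2024-05-01T08:37:00"),
    ("TAG-A", 55.0, "2024-05-01T08:39:00"),
    ("TAG-C", 40.0, "2024-05-01T09:00:00"),  # one read: location and time only
]

def segments(reads):
    """Group reads by tag; return {tag: [(from_mile, to_mile, minutes, mph)]}."""
    by_tag = defaultdict(list)
    for tag, mile, ts in reads:
        by_tag[tag].append((datetime.fromisoformat(ts), mile))
    result = {}
    for tag, points in by_tag.items():
        points.sort()  # chronological order per tag
        hops = []
        for (t0, m0), (t1, m1) in zip(points, points[1:]):
            seconds = (t1 - t0).total_seconds()
            if seconds <= 0:
                continue  # duplicate read: no speed can be derived
            mph = abs(m1 - m0) * 3600 / seconds
            hops.append((m0, m1, round(seconds / 60), round(mph, 1)))
        result[tag] = hops
    return result

def over_limit(reads, limit_mph):
    """Tags whose average speed on any hop exceeded limit_mph."""
    return sorted(tag for tag, hops in segments(reads).items()
                  if any(hop[3] > limit_mph for hop in hops))

if __name__ == "__main__":
    for tag, hops in segments(SAMPLE_READS).items():
        print(tag, hops)
    print("over 65 mph:", over_limit(SAMPLE_READS, 65))
```

A single read reveals only where a tag was and when, but two or more reads per tag yield a route, travel times, and average speeds, which is why it matters whether per-tag records are retained.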
If you're reading this magazine, it means that you're already thinking ahead. You have the desire and commitment to take care of yourself and your loved ones. You know that making carefully considered and educated decisions is the way to go — and sometimes that means making the choice to compromise on some conveniences.
For instance, you could avoid potential RFID risks with credit cards by simply obtaining or requesting cards that do not have RFID tags in the first place. How important is it, really, to be able to wave your card at the register to pay for your Slurpee? Keep in mind, though, that you are always subject to good old-fashioned crime. Everything in life is a tradeoff, and one benefit of credit cards with RFID tags is that you needn't actually hand over your card to a cashier — when you do, an unscrupulous individual might steal your info. Fortunately, more and more stores utilize customer-facing terminals that you can swipe yourself.
But you may not have any choice in the matter. If you have a U.S. passport issued after August 2007, it contains an RFID tag with some personal data. Your state (in particular border states) might issue driver's licenses with an RFID chip. So you might not be able to opt out. But there are a variety of products to help protect your privacy — most provide passive protection by shielding against transmissions, while one actively jams them.
You can even make some of your own. While a little less user-friendly than the products in this article, an Altoids tin or several layers of aluminum foil can actually provide protection. Yes, that's right — insert your own tin foil joke here.
As mentioned earlier, the RFID chips that we're worried about use high-frequency bands, making them sensitive to metal and thus able to be shielded by the linings in the various products featured here. Low-frequency bands are more difficult to shield, but fortunately credit cards and the like don't use them. As an experiment, we tested our access badges at the office, which utilize low-frequency tags — all of the products reduced the effective range of the reader, but only a couple actually blocked it (the Access Denied wallet and the Alumawallet). Breaking out the aluminum foil, we had to completely wrap the badge in at least three layers of foil to prevent it from being read.
Finally, you could simply inflict some damage on the RFID chip in question to disable it. You could make surgical cuts with an X-Acto knife or use a hammer to perhaps be more discreet. And it's free (though irreversible). You may have read about using a microwave oven to destroy RFID chips — be wary with this approach as it may scorch or burn the item. However, before you break out your hammer, please do keep in mind that tampering with government documents is illegal. How often do you really need to break out your passport anyway? Surely you have some aluminum foil in the kitchen right now…