RFID: Passport to Insecurity

It's not the technology, it's lack of respect

While we're on the theme of governmental incompetence, I saw this piece on the fundamental insecurity of the passive RFID chips now being embedded in US (and a few other) passports. While I don't think most of us have much to worry about in terms of personal physical security while abroad (being kidnapped in the south of France by technologically-sophisticated terrorists? I don't think so...), such is, well, OK, possible. Rather, the problem here is the continuing and fundamental disregard and disrespect for the rights of individuals. That's a huge tragedy in and of itself that could lead to all kinds of lesser but still irritating (at best) outcomes, like ID theft.

As I've argued before, personal information should belong to the individual and should be released to a third party, any third party, only with explicit permission - meaning that the user should be required to take an action to cause the sensitive or otherwise protected information to be transmitted or otherwise communicated. This would render a chipped passport inert until such time as the holder explicitly authorizes the release of any stored data. So, at US Customs, you'd key in your PIN and voila, the data is communicated only at that time. Skimming, scanning, whatever wouldn't work. Too complex? I don't think so. How much is personal information security and integrity really worth?

There's an obvious and very similar problem with credit cards as well. In an effort to counter fraud, the issuers put a printed (not embossed) CVV/CV2/CSC2/etc. on the card. This adds another layer of authentication, sure, but it's useless in electronic transactions as once the recipient has the code it's now compromised and fraud is again a possibility. How about this: you give the merchant your card number and expiration date, and then the credit card issuer verifies CV2/whatever out of band, via a Web page, secure e-mail communication, whatever. Too much, again, trouble? OK, again, how much is personal information security and integrity really worth?

The answer in all of the above cases is: not much. And people complain about wireless being insecure? It ain't the channel that's the problem here.


Copyright © 2009 IDG Communications, Inc.
