craig mathias
Principal

RFID: Passport to Insecurity

Opinion
Jul 23, 20092 mins

It's not the technology, it's lack of respect

While we’re on the theme of governmental incompetence, I saw this piece on the fundamental insecurity of the passive RFID chips now being embedded in US (and a few other) passports. While I don’t think most of us have much to worry about in terms of personal physical security while abroad (being kidnapped in the south of France but technologically-sophisticated terrorists? I don’t think so…), such is, well, OK, possible. Rather, the problem here is the continuing and fundamental disregard and disrespect for the rights of individuals. That’s a huge tragedy in and of itself that could lead to all kinds of lesser but still irritating (at best) outcomes, like ID theft.

As I’ve argued before, personal information should belong to the individual and should be released to a third party, any third party, only with explicit permission – meaning that the user should be required to take an action to cause the sensitive or otherwise protected information to be transmitted or otherwise communicated. This would render a chipped passport inert until such time as the holder explicitly authorizes the release of any stored data. So, at US Customs, you’d key in your PIN and voila, the data is communicated only at that time. Skimming, scanning, whatever wouldn’t work. Too complex? I don’t think so. How much is personal information security and integrity really worth?

There’s an obvious and very similar problem with credit cards as well. In an effort to counter fraud, the issuers put a printed (not embossed) CVV/CV2/CSC2/etc. on the card. This adds another layer of authentication, sure, but it’s useless in electronic transactions as once the recipient has the code it’s now compromised and fraud is again a possibility. How about this: you give the merchant your card number and expiration date, and then the credit card issuer verifies CV2/whatever out of band, via a Web page, secure e-mail communication, whatever. Too much, again, trouble? OK, again, how much is personal information security and integrity really worth?

The answer in all of the above cases is: not much. And people complain about wireless being insecure? It ain’t the channel that’s the problem here.

craig mathias

Craig J. Mathias is a principal with Farpoint Group, an advisory firm specializing in wireless networking and mobile computing. Founded in 1991, Farpoint Group works with technology developers, manufacturers, carriers and operators, enterprises, and the financial community. Craig is an internationally-recognized industry and technology analyst, consultant, conference speaker, author, columnist, and blogger. He regularly writes for Network World, CIO.com, and TechTarget. Craig holds an Sc.B. degree in Computer Science from Brown University, and is a member of the Society of Sigma Xi and the IEEE.

More from this author