By Mary Catherine O'Connor
Jan. 2, 2006—The holiday season is about reuniting with family. It's about the joy of giving. And it's about the drudgery of waiting in line—at the airport, the post office, the mall and everywhere else you go.
Right now, companies are inserting RFID inlays into credit cards, key fobs and cell phones to speed transactions. Meanwhile, merchants are adding RFID interrogators to their point-of-sale systems and accepting RFID payments, hoping to trim those lines by getting more consumers in and out of their stores more quickly. Many privacy advocates and technologists worry that convenience could come at the cost of our privacy if—or, as some say, when—a nefarious party were to find a way to use an RFID interrogator (reader) to snatch others' names and payment information, such as credit card or bank account numbers.
In mid-December, about 45 California state legislative staffers gathered at an event held in Sacramento to learn about emerging technologies—mainly RFID and biometrics—and their potential effect on privacy and identity theft (as well as laws to protect that privacy). Roxanne Gould, senior vice president of California public and legislative affairs for the American Electronics Association (AeA), spoke in favor of the use of RFID and biometric technologies in credit cards. She said companies are deploying these technologies to make consumers safer, because they can authenticate the consumer or have safeguards that prevent payment devices from being counterfeited.
These authentication and anticounterfeiting features exist, and will be effective until someone finds ways around them. However, I don't completely agree that they make consumers' privacy more secure, or that safety is the reason RFID and biometric technologies are being deployed. The bigger motivation, from the point of view of the credit card associations, banks and merchants, is increasing throughput—more transactions, completed more quickly. Or, to use a term that looks better in marketing materials, increased "consumer convenience."
The organizations that have developed RFID payment devices are using long-standing and robust cryptography to protect the account information on the RFID tags. And the ISO air-interface protocol the devices follow requires that a tag be within about 10 centimeters (4 inches) of the reader. These protections make RFID payments a very tough nut to crack—for counterfeiters, and also for those seeking to steal RF data from the devices. Nothing, however, is impossible.
The traditional magnetic stripe credit card can be counterfeited, and someday RFID credit cards will likely face the same problem. Ditto for RFID-enabled passports. Of course, what sets old-school credit cards and passports apart from their RFID-enabled analogs is the very thing that has so many people creeped out: RF communication. And the discovery of a weakness in the encryption of data in Texas Instruments tags used for Mobil's Speedpass payment device proves that data is secure only until someone figures out how to hack into it.