Is this something we should worry about?
Good question. Unfortunately, there is no simple answer.
In most cases, the information that a tag transmits to a reader is not encrypted, though some systems do support this. In general, RFID systems were designed with the idea that you would be reading tags on things within your own company, so there was little need for security. Over time, uses of RFID emerged that do require security. Tags are now used in passports, on vehicles and to authenticate high-value goods. For these applications, you need to be sure that the tags cannot be easily counterfeited. RFID is also used for payments, including Apple Pay, so you need to authenticate the device performing the payment and also ensure that the transmission cannot be intercepted as data travels from the tag to the reader.
The ISO 14443 air-interface protocol used in payment systems allows for encryption of the data being transmitted from the tag to the reader. NXP Semiconductors recently introduced its Ucode DNA RFID tag chip—a passive ultrahigh-frequency (UHF) chip based on the Electronic Product Code (EPC) protocol—which provides cryptographic authentication. By using a dynamic password that changes with each read event, and by requiring the verification of each password from a server, the Ucode DNA chip is designed to prevent eavesdropping and tag cloning (see NXP Releases IC for Secure Encrypted UHF Reads).
There are also third parties that offer encryption that can be added to RFID transponders, but it is important to use an industry-standard means of securing the software used in your RFID system, the database and other features. Security is not just about the data on the tags, but about the entire system.
—Mark Roberti, Founder and Editor, RFID Journal
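The dynamic-password idea described above (a value that changes with each read event and is verified by a server) can be sketched as a challenge-response exchange. This is an added example, not NXP's algorithm or code from the article; HMAC-SHA256, the class names, and the tag ID and key are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample values (hypothetical tag ID and per-tag secret key).
TAG_ID = "TAG-0001"
TAG_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


class Tag:
    def __init__(self, key):
        self._key = key  # secret stays on the chip; only MACs are sent

    def respond(self, challenge):
        # The "dynamic password": a MAC over the reader's fresh challenge.
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Server:
    def __init__(self, keys):
        self._keys = dict(keys)
        self._pending = {}  # tag_id -> outstanding challenge

    def new_challenge(self, tag_id):
        challenge = secrets.token_bytes(16)
        self._pending[tag_id] = challenge
        return challenge

    def verify(self, tag_id, response):
        # pop() makes each challenge single-use, so a response captured
        # over the air is useless for any later read event.
        challenge = self._pending.pop(tag_id, None)
        key = self._keys.get(tag_id)
        if challenge is None or key is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo():
    server = Server({TAG_ID: TAG_KEY})
    tag = Tag(TAG_KEY)
    genuine = tag.respond(server.new_challenge(TAG_ID))
    first_read = server.verify(TAG_ID, genuine)
    server.new_challenge(TAG_ID)                # next read event
    replayed = server.verify(TAG_ID, genuine)   # earlier response reused
    clone = Tag(secrets.token_bytes(16))        # same ID, but not the key
    cloned = server.verify(TAG_ID, clone.respond(server.new_challenge(TAG_ID)))
    return first_read, replayed, cloned
```

Only the genuine tag's first response verifies; the reused response and the tag without the key are both rejected, which is why a static tag ID alone is not enough for authentication.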