My concern is about tag cloning. Although the ISO 15963:2009 standard strives to control the issuing of TIDs by assigning prefixes to chip vendors, there are a growing number of vendors, and obviously nobody can force them to comply with the requirements. So the remaining option for ensuring tag authenticity is to use the tag’s digital signature capability, as in EPCglobal’s Gen2v2 RFID standard. How secure is this?
It depends on your definition of “secure” and “trusted.” The TID is burned into the chip by the silicon wafer fabrication company and is un-changeable, but there is no central authority to ensure that all TIDs are unique. So a company could request tags with specific TIDs that could be used for counterfeiting other tags. I am not sure that any reputable fabrication company would do this, but it is possible.
—Mark Roberti, Founder and Editor, RFID Journal