The Consequences of Convenience

By Mary Catherine O'Connor

RFID payment devices might mean we'll spend less time in lines, but will they strengthen or weaken our privacy protections? That remains to be seen.


The holiday season is about reuniting with family. It’s about the joy of giving. And it’s about the drudgery of waiting in line—at the airport, the post office, the mall and everywhere else you go.

Right now, companies are inserting RFID inlays into credit cards, key fobs and cell phones to speed transactions. Meanwhile, merchants are adding RFID interrogators to their point-of-sale systems and accepting RFID payments, hoping to trim those lines by getting more consumers in and out of their stores more quickly. Many privacy advocates and technologists worry that convenience could come at the cost of our privacy if—or, as some say, when—a nefarious party were to find a way to use an RFID interrogator (reader) to snatch others’ names and payment information, such as credit card or bank account numbers.

In mid-December, about 45 California state legislative staffers gathered at an event held in Sacramento to learn about emerging technologies—mainly RFID and biometrics—and their potential effect on privacy and identity theft (as well as laws to protect that privacy). Roxanne Gould, senior vice president of California public and legislative affairs for the American Electronics Association (AeA), spoke in favor of the use of RFID and biometric technologies in credit cards. She said companies are deploying these technologies to make consumers safer, because they can authenticate the consumer or have safeguards that prevent payment devices from being counterfeited.

These authentication and anticounterfeiting features exist, and will be effective until someone finds ways around them. However, I don’t completely agree that they make consumers’ privacy more secure, or that safety is the reason RFID and biometric technologies are being deployed. The bigger motivation, from the point of view of the credit card associations, banks and merchants, is increasing throughput—more transactions, completed more quickly. Or, to use a term that looks better in marketing materials, increased “consumer convenience.”

The organizations that have developed RFID payment devices are using long-standing and robust cryptography to protect the account information on the RFID tags. And the ISO air-interface protocol the devices follow require that a tag be within about 10 centimeters (4 inches) from the reader. These protections make RFID payments a very tough nut to crack—for counterfeiters, and also for those seeking to steal RF data from the devices. Nothing, however, is impossible.

The traditional magnetic stripe credit card can be counterfeited, and someday RFID credit cards will likely face the same problem. Ditto for RFID-enabled passports. Of course, what sets old-school credit cards and passports apart from their RFID-enabled analogs is the very thing that has so many people creeped out: RF communication. And the discovery of a weakness in the encryption of data in Texas Instruments tags used for Mobil’s Speedpass payment device proves that data is secure only until someone figures out how to hack into it.

It has also become apparent that exploiting a weakness within encryption algorithms is not the only way to compromise an RFID payment device. More than one researcher has discovered a means of essentially fooling an RFID interrogator into thinking an RFID-enabled credit card (or, perhaps, a building access card, or some other type of payment device, such as a Speedpass key fob) is within the required read range, when in actuality, the tag is up to 150 feet away. This type of attack is called a relay, and it involves placing two devices between a tag and an interrogator.

One device, a ghost or proxy, is placed within the read range of a legitimate interrogator deployed in a store. The ghost relays the interrogator’s signal to a second device, a leech or mole, held within 4 inches of the credit card’s RFID tag. The leech then picks up the tag’s responding signal and relays it to the interrogator by means of the ghost. The decryption of the data takes place in an interrogator linked to the POS system, as it would if the tag was being held up to the reader. In other words, this kind of attack compromises an RFID system without actually breaking the encryption.

“With a relay attack, the protocol [between the card and interrogator] is still taking place. All that’s changing is the perception of the distance of the tag from the reader,” says Ari Juels, manager of applied research at RSA Laboratories. “There are questions around how easy or difficult it would be to launch [a relay attack] on an RFID system in the real world. Once RFID savvy becomes more pervasive, hackers will be able to create the devices needed for the relay systems, but how sophisticated they’ll be able to make them is still to be seen.”

To be successful, Juels says, a relay attack would also likely require the cooperation of an employee to okay the transaction in the point-of-sale system since the person supposedly purchasing the item would not be able to present an RFID-enabled credit card to the interrogator. For this reason, using the relay attack with an RFID-enabled vending machine would be easier.

Should my mailbox be graced with an RFID-enabled credit card one of these days, I probably would not reject it. Still, I would keep a closer eye on my bill every month, and I might just wrap it in tin foil so that it couldn’t be skimmed (read surreptitiously) while inside my wallet. Would this kill all the convenience? I don’t think so. It’s still easier than using the mag stripe, which sometimes just won’t read.

If relay attacks were to become a real problem, or if hackers found a way to reverse-engineer the security protocols used to protect my account information encoded to my RFID credit card, I’d probably stop using it. But right now, I believe we have more cause for concern about database security systems that are supposed to protect personal information, such as credit card account numbers or Social Security numbers, held by credit card companies. Concerns over skimming personal data from an RFID tag without the carrier’s knowledge exist mostly in theory at present, but identity theft via more traditional routes—such as through database security breaches, or just from riffling through someone’s garbage cans—happens all the time.

As RFID, biometrics and other information-based technologies become incorporated into such every-day items as credit cards and passports, there will be more ways in which our privacy could be compromised. Because of this, we as consumers and citizens should be aware of how our personal information is shared and protected. It’s important for retailers, banks, governments and any other entities using RFID technology to disclose exactly how and why they’re using the technology.

For companies using EPC technology to track goods, EPCglobal has published a list of guidelines that users of EPC technology should follow to ensure consumers are aware of where and how the technology is being used. There’s already a large and growing public awareness about the use of RFID technology in consumer products, and merchants who fail to disclose the use of RFID will likely be called out for it—in fact, they might even suffer significant blows through lost patronage.

The good news—just as with transactions made with via magnetic stripe, consumers who make payments via RFID or biometrics are not held financially responsible for purchases they have not made. Whether RFID and biometrics will make payments more or less secure, however…only time will tell.

Mary Catherine O’Connor is the associate editor of RFID Journal. If you would like to comment on this article, click on the link below.