Warned about during April 2007
Retailers, manufacturers, hospitals, federal agencies and other organizations planning to use radio frequency identification (RFID) technology to improve their operations should also systematically evaluate the possible security and privacy risks and use best practices to mitigate them, according to a report issued today by the National Institute of Standards and Technology (NIST). Guidelines for Securing Radio Frequency Identification (RFID) Systems (Special Publication 800-98), 154 pages. Available on-line here (PDF).
Source: ITP
Cybercrime is on the rise, and what’s more the criminals are fast moving to non-PC devices and unsecured parts of the network. In the second issue of the Global Threat Report, McAfee researchers state that while the crimes themselves are not likely to change much, the mechanisms used to carry out such attacks will evolve to use other technologies.
“The security research being done today uncovers clues to the types of attacks that are likely to become commonplace tomorrow. And today’s infrequent attacks can easily turn into tomorrow’s epidemic,” states the report. The statement continues that some of the major threats coming our way, as digital offenders look beyond the PC, include mobile spam, spoofed VoIP phishing and the infiltration of RFID technology.
McAfee predicts that the growing smartphone market – which is expected to exceed US$250 billion by 2011 – is too lucrative for cyber thieves to ignore. Greater adoption of these devices, coupled with more users accessing personal and financial data on the phones, will lead to increased phishing attacks, spyware and identity theft. Mobile spam also has the potential to explode as spam and Trojan authors develop mobile malware. The report maintains that mobile network operators must adopt risk management measures to stay on top of these developments—not only to prevent costly disruptions but also to enable their environments for new, more secure services.
VoIP – the revenues of which will touch US$20 billion in 2009 according to Infonetics Research – is another ripe messaging medium for spam. Spam over Internet Telephony (SPIT) is predicted to increase as VoIP allows spammers not only to place large volumes of calls, virtually for free, but also to forge them. Spoofed VoIP phishing attacks will likely be more successful than their e-mail counterparts, because anti-SPIT technology is far behind that of antispam. In addition to these social engineering attacks, the VoIP technology itself is vulnerable to eavesdropping, recording, and hijacking, which means that attackers can capture confidential information, such as account and PIN numbers as well as personal conversations.
Another emerging technology that poses a significant risk to privacy, as per McAfee’s research, is radio frequency identification (RFID). Current RFID technology is vulnerable to eavesdropping, recording, cloning, and forgery. RFID readers could contain vulnerabilities that would allow RFID chips to contain exploits to steal information from backend databases. As RFID becomes more widely adopted by corporations and countries for tracking and identifying people and assets, these elements could become prime ground for new-age intruders, adds McAfee’s report.
Source: CNet
At a Monday workshop here, privacy advocates said they were puzzled that come summertime, the U.S. Department of State, in consultation with the Department of Homeland Security, still hopes to begin issuing so-called “passport cards” embedded with radio frequency identification (RFID) chips whose data can be skimmed by readers up to at least 20 feet away.
The technology, which is similar to the passes read by highway tollbooths, is already being used in other U.S. immigration documents and programs, but that doesn’t make it any less troublesome, critics said at the first day of an identification workshop hosted by the Federal Trade Commission. The decision to use such chips in the new passes nonetheless “should be reconsidered,” said Neville Pattinson, a vice president with Gemalto North America, which makes microprocessor chips for so-called “smart cards” that are capable of more sophisticated privacy protections. Pattinson, who also serves on a committee that advises Homeland Security on data privacy and security issues, said the vast majority of some 4,000 public comments that have been submitted in relation to an ongoing rulemaking proceeding about the passes frowned upon the approach.
“Reckless” is the only way to describe the government’s inclination to use a form of RFID designed by the Massachusetts Institute of Technology and industry partners “to track items in warehouses,” said Ari Schwartz, deputy director of the Center for Democracy and Technology. “It was not created for tracking people, and now we’re using it in this way that is a potentially very big risk.”
The passport cards are billed as a response to widespread demand for a lower-cost passport alternative from people who live in border communities and, like all Americans, are expected to be required to begin showing passports at land and sea border crossings beginning next year. (Similar requirements for air travel took effect earlier this year.) The document would be valid for a 10-year period and would require the same application process as a normal passport, but it would physically resemble a credit card rather than a traditional book-format passport.
The idea behind the longer-range read zone for the cards is to let information be extracted from all of the cards in a particular vehicle at once and displayed on a border patrol officer’s computer screen before the cardholder’s vehicle reaches the checkpoint. The government says this will speed up the screening process. In their most recent draft rules issued in October (PDF), government officials said they’re leaning against using a chip that could be read from only a few inches away because it would require vehicles to slow down and hold out cards one at a time for scanning. It was unclear when the final rules would be released.
Patty Cogswell, acting associate director for Homeland Security’s Screening Coordination Office, downplayed the privacy risks. She said the government intends to issue the cards in a sleeve that would block data from being read off the chip. Beyond that, the data that would be read from an exposed card would only be a single number “that doesn’t mean anything. It’s not a number that can be generated from anything specific; it’s truly a random number issued by our system,” Cogswell said. CDT’s Schwartz said he wasn’t consoled by the fact that the number would be randomly generated because it would ultimately be tied to an individual and used as an identifier. “The only positive thing that could possibly be said about the pass cards is that it is a voluntary system,” he said.
Source: SF Gate
The California Department of Motor Vehicles could not issue driver’s licenses that used radio waves to transmit motorists’ personal information if legislation approved Monday by the state Senate becomes law. The bill would prohibit the DMV from using radio frequency identification technology, commonly known as RFID, in driver’s licenses or identification cards before Jan. 1, 2011.
Sen. Joe Simitian, D-Palo Alto, called his legislation a “look before you leap approach” that would give officials time to ensure that any technology adopted by the DMV would not violate privacy rights. Simitian has introduced several bills over the last few years to control use of RFIDs, saying the information contained in them could be used for improper purposes, including by stalkers and identity thieves. “Do we really want to be in the situation where the state will require more than 20 million Californians to carry government identification documents that broadcast their personal information without their knowledge or consent?” Simitian asked. “Most of the people I talk to tell me absolutely not.” Mike Marando, a spokesman for the DMV, said the department had no plans to use RFID technology. But Simitian said federal law requires states to develop driver’s licenses with some form of “common machine-readable technology.”
“That might or might not include this (RFID) technology,” he said. “We’re trying to send the clear message that until we address privacy and security concerns, this is an inappropriate technology. Right now, there’s no limit on what information could be there and no requirements that information be protected, even on the most basic level.” He said the state could meet the federal identification requirements for driver’s licenses by using bar codes or magnetic strips on the licenses. A 31-6 vote sent the bill to the Assembly.
Source: The Register
Science minister Malcolm Wicks suggested that such tagging technology, which is already used to track convicted criminals on early release from prison, could also help a family caring for an elderly relative. He told the BBC: “This is about dignity and independence in old age,” and said that far from making someone a prisoner in their own home, such a device could give a dementia sufferer the “freedom to roam around their communities”. Wicks said that permission from the individual concerned should be sought before using such a device.
Kate Jopling of Help the Aged told the BBC: “Although when we first hear this it smacks of ‘Big Brother’, we shouldn’t dismiss the possibility of some new technologies to help us in providing better care for people with dementia”. Tagging was introduced by the UK Home Office in 1999 as part of its home detention curfew scheme, which came about in an attempt to help reduce prison overcrowding. Such a surveillance device, which is attached to a person’s ankle, uses radio frequency identification (RFID) technology. The tag communicates with a base station that is hooked up to a telephone line. If the person wanders out of range it sets off an alert.
But other technology options could also be considered, including GPS tracking. “Let’s use satellites and satellite technology to tackle some real important social issues that worry many families,” said Wicks. Symptoms of dementia, for which there is no cure, can often include memory loss and confusion, making the sufferer more vulnerable to wandering off. According to the Alzheimer’s Society, there are currently 700,000 sufferers of dementia in the UK of which the majority are elderly people.
Source: Daily Californian
Huddling around a computer, a group of students stared as several numbers appeared on the screen after someone flashed their Cal 1 Card in front of a radio frequency identification scanner. “It’s like a stalker’s dream,” said art practice doctoral candidate Joe McKay, who was at the table.
The table display, which also included informational literature, was part of an effort by the American Civil Liberties Union and a handful of graduate students from the Boalt Hall School of Law and the School of Information to raise awareness about radio frequency identification technology and how its different applications raise concerns about potential privacy violations. Radio frequency identification uses radio waves to identify people or objects that contain radio frequency identification tags, according to the RFID Journal Web site. The tags contain numbers or information that may be used for tracking and identification.
Students in charge of the table in front of Kroeber Fountain yesterday said they feel a need for public discussion about the issue. “People are setting up for these things and not realizing the potential problems that can come out of it,” said Boalt Hall doctoral candidate Alison Watkins, an ACLU intern who helped organize the display. The technology is currently used in Cal 1 Cards to unlock doors in buildings across campus, said Reggie Nance, manager of the Cal 1 Card office. Nance said the technology is not used as a tracking device, but was implemented to secure the campus by controlling access to facilities. Watkins said consumers often choose convenience in exchange for giving up their privacy, and students are the most susceptible to any potential problems with the technology because they use it most often.
Some, like art professor Greg Niemeyer, said the tags can be useful if those who use them are informed. Nance said that although the Cal 1 Card office does not use the term “RFID,” students are told their cards provide access to facilities on campus. Wallets, passport holders and card holders that protect cards from radio frequency identification scans are being sold by the group to fundraise money for a fellowship that will assist law students in summer internships, said Boalt Hall doctoral candidate Larisa Mann.
Source: Computerworld
As expected, North Dakota has become the second state in the U.S. to ban the forced implanting of radio frequency identification (RFID) chips in people. The two-sentence bill, passed by the state legislature, was signed into law by Gov. John Hoeven last Wednesday. Essentially, it forbids anyone from compelling someone else to have an RFID chip injected into their skin. The state follows in the steps of Wisconsin, which passed similar legislation last year.
“We need to strike a balance as we continue to develop this technology between what it can do and our civil liberties, our right to privacy,” Hoeven said in an interview. He emphasized that the law doesn’t prohibit voluntary chipping. Military personnel who want an RFID chip injected so they can be more easily tracked will still be allowed to get a chip. There are also potential uses for the technology in corrections or in monitoring animals, he noted. Marlin Schneider, the state legislator who sponsored the Wisconsin law, said he is glad to see an antichipping legislation trend. However, such statutes don’t go far enough to curb the ability of private sector retailers and manufacturers to “implant these things into everything we buy.”
Ultimately, with RFID tagging systems, corporations “will be able to monitor everything we buy, everywhere we go and, perhaps as these technologies develop, everything we say.” But Michael Shamos, a professor who specializes in security issues at Carnegie Mellon University in Pittsburgh, believes the law is too vague to do much good. For instance, it only addresses situations where a chip is injected, even though RFID tags can also be swallowed. And it doesn’t clearly define what a forced implant really is; someone could make chipping a requirement for a financial reward.
“Suppose I offer to pay you $10,000 if you have an RFID [chip] implanted?” he asked. “Is that ‘requiring’ if it’s totally voluntary on your part?” The idea behind the law isn’t bad, but “it looks hastily drawn and will have unpredictable consequences,” said Shamos.
Source: Berkeley Daily Planet
The use of radio frequency identification (RFID) technology at the Berkeley Public library has been a flashpoint since its inception more than two years ago, enraging some patrons, who say the identifiers allow “Big Brother” to track what people read and where they are if they’re carrying library books, and upsetting some library workers who say the system doesn’t work as it is supposed to and is devouring library funds better spent elsewhere.
At the March Board of Library Trustees’ meeting, Lisa Hesselgesser, Service Employees International Union 535 shop steward, presented a list of 24 concerns library workers have about the technology. The system “is not working at all on CDs,” Hesselgesser told the Daily Planet in an interview on Tuesday. “It’s a scandal—the donut tags [used on CD cases] are really expensive.” Checking out books with the RFID system is mixed, she said. “Sometimes the tags fail; sometimes the equipment fails.”
With the RFID system, a patron or a library staff member was supposed to be able to place a stack of books on the equipment and check the books out all at once. This would mean that a library worker would not have to pass one book at a time through the system all day long, thus reducing repetitive stress injuries to workers. Because the system does not consistently function properly, Hesselgesser said repetitive stress injuries are up, something of which Library Director Donna Corbeil says she is unaware.
Source: The Register
A group of Dutch researchers at Vrije Universiteit in Amsterdam, led by PhD student Melanie Rieback, is building RFID Guardian, a personal RFID firewall to allow individuals to monitor and control access to RFID tags.
Rieback presented the latest results of the project to build the prototype at last week’s Emerging Technology conference. The idea was inspired by a comment from Katherine Albrecht, Spychips author and long-time campaigner against loyalty cards and RFID tags. To wit: that she doesn’t want people to be able to read through her clothes what kind of bra she is wearing.
The project aims to create a platform that will handle all types of RFID chips and allows individuals to create their own personalised security policies and enforce them using features already built into the tags such as cryptography and kill commands along with newer ones such as automatic key management. When it’s finished, RFID Guardian is intended to be a portable, battery-operated device incorporating an RFID reader that will tell users when new RFID tags appear (for example, when you buy a tagged item), when they’re being read, and who owns them.
The prototype so far has focused on one subset of RFID, the 13.56 ISO 15693 tags that are typically used in credit card and smart card applications. More detail is available from the group’s paper here (PDF).
Source: WorldNetDaily
The state of Washington announced a pilot project to introduce a driver’s license “enhanced” with a radio frequency identification, or RFID, chip that would encode personal information and possibly serve as a passport-alternative if approved by the Department of Homeland Security.
Democratic Gov. Christine Gregoire signed a bill March 23 allowing Washington residents to apply for the $40 voluntary driver’s license beginning in January. Gregoire spokeswoman Kristin Jacobsen told WND in an e-mail the enhanced license is intended to be an alternative way of complying with the Western Hemisphere Travel Initiative mandated by the Intelligence Reform and Terrorism Prevention Act of 2004.