the security flip-side

By Oz_Media ·
For a long time now, the borderline between being aware and secure with personal information vs being paranoid about security, has bobbled back and forth in these forums.

There are some who feel any security cameras, any scanning system and more recently RFID leads to their right to personal privacy being challenged. The argument is that if you have nothing to hide, who cares? The counter argument being, I have done nothing wrong, why are they watching ME?

The flip-side to that is if you AREN'T doing anything wrong, you now have a trail of when and where you were.

There are thousands of people who are improperly arrested and even incarcerated for something they haven't done, and yet circumstantial evidence leads to their arrest and criminal charges.

If you have done nothing wrong, wouldn't it be nice to be able to prove it when falsely accused? Your word can be validated in ways it never could before.

The RFID issue, steel wallets (lol) cracks me up. Another peer, whose claim to fame is security paranoia, seems to feel that I have drunk the RFID sales reps' Kool-Aid and now I am jaded and unaware of potential personal security risks.

Not true at all, no RFID sales team has EVER pitched me, I am not an end user and have only worked at the development and deployment stages, working to find ways to get RFID to actually READ what it is supposed to. There are a gazillion issues trying to get RFID tags to actually display data properly and yet people who write IT columns try to make it out to be this loose, easily stolen information. If the $60,000.00+ RFID systems are not able to read tags due to the simplest issues, then someone looking to steal such information could not easily do so, especially with some inexpensive, Radio Shack quality scanner. PLUS the information is encrypted to begin with, it doesn't just scan an area and spit out everyone's info aimlessly.

RFID is very young technology and has a long way to go before such data is that easy to capture, at which time the security measures will mature also, much to the endless headache of RFID implementers. This is also why it is not implemented as widely as many feel it is, in fact it has a long way to go before it is really effective beyond the asset and supply chain management capabilities it was designed for.

I worked for many months, with specialists brought in from Sweden, the USA, Germany etc. to get RFID systems to system implementation levels that would work for Airports, car rental agencies, laundry services, safety services etc. For every 20 systems designed, 19 fail miserably due to an inability to recover and read the data accurately.

But that's just one issue, the guy with the steel 'RFID proof' wallet is protecting data that is generally acquired far easier and far more randomly by a criminal if desired. That same guy probably punches in his pin number at the ATM or store POS terminal in clear view. Throws out garbage with far more information in it, would be easily conned over the phone etc.

So how secure, and smart are these security paranoid people really?

I find those most paranoid about security are also the most lax when it comes to the simplest ways to protect your identity and banking info. It seems to be more about being IT savvy/paranoid than actually aware of your day to day security.

So while most fear the unknown, and I can assure you VERY few people actually understand how RFID works, what it offers and how it is implemented, regardless of how many IT magazines you read, most people have little or nothing to worry about when it comes to such technology, in fact that trail can be a benefit if you haven't done anything wrong.

Just three years ago, there were hundreds of companies in the US selling RFID technology, and yet less than 6 people actually knowledgeable enough to implement it properly, make it work and provide solutions based RFID systems, the rest are just selling a trend and it usually gets dropped when it doesn't work.

This issue of people walking around scanning personal ID in public places is an absolute laugh, a complete joke. Certainly someone has been able to capture an RFID tag, however that information is generally useless and, more often than not, far easier to obtain through other means anyway.

So should we be all wary and careful about RFID systems that offer greater security to the carrier than before? No, we should be careful with the OBVIOUS ways we offer information each day.

I guarantee, if I called 50 people on TR, I could get more detailed, personal information from 10 of them with a simple phone call. Con artists have MUCH simpler ways of getting your money or identity (not that I am a con artist but having worked with public security for many years, I know many tricks of the trade, not via IT and far easier too).

On the flip-side, wouldn't that trail of info as you pass through an airport, drive through a car wash, use your credit card etc be a benefit to someone who hasn't done anything wrong?

Remember the guy accused wrongly and yet can't definitively prove his whereabouts?

Honestly officer I was there! I know there are no traces of my presence, I try and avoid such horrific, personal security breaches.

Oz

by santeewelding In reply to the security flip-side

You are a walking ID chip, yourself.

Once asked, what has you responding to official accusation in the first place?


Defending his baby?

by AnsuGisalas In reply to Oz

Sort of?

Considering:
Leaving a trail behind is good for nothing if it's as flaky as that.

On the other hand, technologies somehow develop, mature if you will... and the unwieldy becomes standard.

And getting a reading can be a question of just having enough scanners on the task.

And physical items carried by social entities will never be completely secure.

Summing up, I have no opinion on it either way.


I didn't say it was flaky

by Oz_Media In reply to Defending his baby?

I suggested it was overestimated. I've seen many companies spend money on RFID solutions that just didn't work because it was designed poorly.

Technologies do develop and mature, as does the adjoining security too, just like computers.

Enough scanners on the task? Right, we are talking about RFID, one scanner can't read it, NO scanners will read it. Also, are you suggesting some group of criminals will start patrolling airports with a dozen scanners, worth 2K a piece to get someone's name, address, birth date etc.?

"Physical items carried by social entities will never be secure." Exactly, regardless of whether it is an ancient bar code, magstrip, RFID etc. Makes no difference, the technology isn't the flaw, the carrier is.

As for it being my baby, I haven't developed RFID products in two years, doesn't pay me a penny, not my trade anymore, no vested interest. What gets me though is people blabbing away about how insecure and easily foiled such systems are, when it is a result of some knob writing a column in an IT mag, with little or no actual knowledge of RFID frequencies, types etc.

It's like me writing a column on the security flaws of Windows Servers. NOT A BLOODY CLUE, but I can come up with some uneducated guesses based on stuff I read online and have people follow my lead just because it's printed in their favorite IT mag.

I simply suggest the person making such claims actually goes out to Texas Instruments, Zebra, Symbol/Motorola, trains on the technology and applications, limitations, security etc. and investigates reality before spewing someone else's paranoid crap as if it is conclusive and accurate.


So...

by AnsuGisalas In reply to I didn't say it was flaky

How the heck does it work?
It's not flaky, but it's difficult to make it work...
When it fails to do as intended, how/why is that?
I ask because that doesn't sound like a familiar failure pattern.


The technology is fine

by Oz_Media In reply to So...

The implementation is often the flaw, people think RFID is for everyone and it simply isn't. MOST systems are dumped due to cost, other systems are dumped due to the implementers not choosing the best types of tags for the job. Many more are flawed due to the positioning of fixed readers. Others are an issue with errant interference. The power comes from the scanners, the tags are very sensitive and easily destroyed due to poor placement, water, metals, WiFi interference from the company's computer network etc.

In some applications it works but it takes a long time and the right people providing the solutions in order to make even test implementations work SORTA okay. It's not for everyone, in fact it's not for MOST businesses as bar coding is still cheaper and less prone to environmental issues.

The key here is that, while they TALK of active and semi active tags sending out signals up to 30', the reality is 99% of tags are passive, especially in ID where there's nowhere to place a battery for an active (expensive) tag. Passive tags must be read almost directly, within less than a foot and exposed to the scanner. ID INSIDE a wallet, even a pocket containing keys etc. is pretty hard to read accurately. In most cases you need to remove it and open it up facing a scanner for the read to register.

I think when standing in an airport check in, waving your ID past a tag reader, it would be pretty obvious if someone was standing right beside or behind you with a scanner in clear view.

Again there are FAR, FAR easier ways to collect personal information from people. Criminals are lazy and look for easy ways out, taking advantage of people's sloppiness with their information instead of going out of their way to gain it through thwarting new technology. It just doesn't fit the criminal/con man's mentality.


So, it's like a bar code....

by AnsuGisalas In reply to The technology is fine

Except that it's not as large and not as easy to copy?
Hm. Doesn't sound extremely dangerous.
For now at least.
Magstripes are no better at least, as the user is still the major weakness.


Exactly

by Oz_Media In reply to So, it's like a bar code. ...

In fact the only reason RFID got off the ground is because it offered faster access to the provided data than a bar code, and can store a little more data. Note that newer bar code technologies, such as PDF (2D bar codes) offer more info than before also.

Example of RFID benefit. Until now, a pallet of varied goods to be shipped had to have bar codes that were placed in position so that the shipper can scan each box individually. One box in the middle of a pallet, of a different type to others, meant that the pallet had to be manually broken down. The items could not feasibly be scanned on every movement, such as manufacturing, to shipper, to distributor, to reseller's store room, to the shelf. After that item was sold, the chain had to work backwards to get a new order placed. The manufacturer could not determine the needs of the distribution warehouse until data was compiled and given to purchasing and an order was manually placed, enter RFID.

A full RFID asset tracking system allows for much faster, much more accurate supply chain management. Tags are installed at the manufacturing point, a full pallet of mixed goods is simply driven by forklift right onto the truck, readers in the shipping dock instantly read ALL tags on the pallet as it passes the dock to the truck. That truck then arrives at the distributor, who also has RFID towers reading it as it enters the warehouse. As it leaves, again it is read as it enters the truck to the retailer, the retailer can use a handheld scanner to quickly receive the pallet into stock. That information is tracked and shared through a system that runs through the entire chain, allowing pinpoint identification or orders, shipping location etc. A manufacturer can easily tell that product A is running low at the warehouse and manufacture, fill an order and ship automatically without any manual scanning and inventory management required. Automated supply chain management, as seen in WalMart these days.

On tags, a few years ago RFID was not implemented by many, bar code labels cost a fraction of a penny each, RFID tags were more than 70 cents. Now cost has been refined and they have figured they'll have a tag costing less than 5 cents soon. For the supply chain savings, it justifies their use.

This system, much as ANY ID card, credit card etc. uses a passive tag. There is NO battery, it transmits NO information by itself. It's not just spitting out your card number and address as you walk down the road. The passive tag needs to be 'woken up' by a reader sending it a 'handshake' signal. The tag will then look to the reader and request a secure ID code, validating the reader requesting the tag info (much like SSID for a wireless network but a little more sophisticated). If the reader's security code is recognized by the tag, the tag then allows its data to be read, encrypted again, which the host system decodes and stores as needed.

A reader that would be able to shake hands, manage such encryption and collect this secured data costs a minimum of $1800.00 Canadian WHOLESALE. Retail is double that at least, without a charger, extra battery, mobile operating system etc.

Therefore this hysteria that people need to walk around with tinfoil wallets is simply hilarious. The makers of these wallets must be laughing all the way to the bank! They then tell some IT guy about the need for their wallets, he prints a scary article in a local PC mag, and advertises THEIR product to save people from the horror of stolen ID. People make cheap knockoff scanners, and test them on a modified tag to show they can see it. Those scanners would fail miserably in a real environment with quality, secured tags though.

I've heard it all before, the sky is falling, old hat stuff. End of, this is a phenomenal technology that, when implemented correctly, keeps production and shipping costs down while providing lower prices to end users.

The big game now is the automated supermarket. Shelves are tagged, the grocery store no longer needs people walking the aisles scanning stock levels, it's done automatically. In Europe they have designed a system to automatically scan your shopping cart as you simply walk out the store, no checkout. A predefined and authorized payment system just gives you a bill, you enter your pin code and you are paid for without taking a single item out of the cart to be checked through. They are having issues with aluminum cans, the LIQUID not the aluminum creates a tough read for a 5 cent tag still, high end tags are okay but not the affordable ones YET.

It's a great technology, with a long way to grow yet. I have an RFID tag on my windshield, as I drive through my favorite car wash, it reads my tag, the terminal welcomes me by name, offers me a discount and my upgraded wash service. Slick, 24 hours, discounts and bonus service without even winding down my driver's window or talking to anyone. I can stop in at 3AM and get the same benefits and service as I would when the attendant is there in the daytime, in fact faster.


Excellence, Oz

by santeewelding In reply to So, it's like a bar code. ...

It's what you should have done the first time around.

What you said comports with everything I have ever read, and continue to read, about the technology, and in your own words, without typo one.


ok then

by Jaqui In reply to the security flip-side

There are some who feel any security cameras, any scanning system and more recently RFID leads to their right to personal privacy being challenged. The argument is that if you have nothing to hide, who cares? The counter argument being, I have done nothing wrong, why are they watching ME?

Good point, it goes back to the belief that you have a right to privacy in public places, as unsane as that sounds. [ unsane, since insane should rightly mean extremely sane if the prefix in was to carry the same meaning as for inflammable ]


The flip-side to that is if you AREN'T doing anything wrong, you now have a trail of when and where you were.


webcams, smartphones, cctv cams, traffic cams all provide exactly the same trail.


There are thousands of people who are improperly arrested and even incarcerated for something they haven't done, and yet circumstantial evidence leads to their arrest and criminal charges.

If you have done nothing wrong, wouldn't it be nice to be able to prove it when falsely accused? Your word can be validated in ways it never could before.


webcams, smartphones, cctv cams, traffic cams all provide exactly the same trail and are not effective at proving your whereabouts, rfid chipped ID won't be any better.


The RFID issue, steel wallets (lol) cracks me up. Another peer, whose claim to fame is security paranoia, seems to feel that I have drunk the RFID sales reps' Kool-Aid and now I am jaded and unaware of potential personal security risks.


naw it's that aluminum foil helmet you wear man, I keep telling you that it amplified the radio frequencies reserved for the US government and will destroy your ability to make intelligent decisions.
[ reference: http://people.csail.mit.edu/rahimi/helmet/ ]


Not true at all, no RFID sales team has EVER pitched me, I am not an end user and have only worked at the development and deployment stages, working to find ways to get RFID to actually READ what it is supposed to. There are a gazillion issues trying to get RFID tags to actually display data properly and yet people who write IT columns try to make it out to be this loose, easily stolen information. If the $60,000.00+ RFID systems are not able to read tags due to the simplest issues, then someone looking to steal such information could not easily do so, especially with some inexpensive, Radio Shack quality scanner. PLUS the information is encrypted to begin with, it doesn't just scan an area and spit out everyone's info aimlessly.


ahh, the encrypted data chipped id, as opposed to the radio frequency beacon with a unique id [ RFID chips ] used for tracking shipments / vehicles. a completely different ball of wax there.


RFID is very young technology and has a long way to go before such data is that easy to capture, at which time the security measures will mature also, much to the endless headache of RFID implementers. This is also why it is not implemented as widely as many feel it is, in fact it has a long way to go before it is really effective beyond the asset and supply chain management capabilities it was designed for.


always is teething problems with new technology. the real issue is that many people would do what epass canada did and use unsanely unsecure technologies to "secure" the information. epass canada uses clientside java to secure access to your information with federal government agencies, like revenue Canada. This is literally equal to going on vacation and leaving the keys hanging in the front door.


I worked for many months, with specialists brought in from Sweden, the USA, Germany etc. to get RFID systems to system implementation levels that would work for Airports, car rental agencies, laundry services, safety services etc. For every 20 systems designed, 19 fail miserably due to an inability to recover and read the data accurately.


bad quality control then somewhere in the system. since most likely they are using some embedded java to encrypt it would likely be in the encryption tools


But that's just one issue, the guy with the steel 'RFID proof' wallet is protecting data that is generally acquired far easier and far more randomly by a criminal if desired. That same guy probably punches in his pin number at the ATM or store POS terminal in clear view. Throws out garbage with far more information in it, would be easily conned over the phone etc.


sssh! you and I know any real pro would be going through the garbage as a first step to performing identity theft. that is what private investigators do to get evidence.


So how secure, and smart are these security paranoid people really?

I find those most paranoid about security are also the most lax when it comes to the simplest ways to protect your identity and banking info. It seems to be more about being IT savvy/paranoid than actually aware of your day to day security.

but it's true of most people Oz, the paranoids don't really do anything to truly protect themselves.

So while most fear the unknown, and I can assure you VERY few people actually understand how RFID works, what it offers and how it is implemented, regardless of how many IT magazines you read, most people have little or nothing to worry about when it comes to such technology, in fact that trail can be a benefit if you haven't done anything wrong.

see my above comments about the cctv / traffic cams etc.


This issue of people walking around scanning personal ID in public places is an absolute laugh, a complete joke. Certainly someone has been able to capture an RFID tag, however that information is generally useless and, more often than not, far easier to obtain through other means anyway.


this issue is most likely a direct result of wardriving. after all if they can get online through an unsecured wireless access point, why can't someone steal information from a radio transmitted signal from their id?


Honestly officer I was there! I know there are no traces of my presence, I try and avoid such horrific, personal security breaches.


lmao


Well I won't go through all of this

by Oz_Media In reply to ok then

Just got back from Spanish Banks, tired now.

But you completely overlook my comments, several times, as illustrated by your replies "web cams, smart phones, CCTV cams, traffic cams all provide exactly the same trail."
That's exactly what I am getting at, not just RFID. The problem with security cams is that they record over a loop, unless you can get that film before it records over itself, you are SOL. My point was all these 'checkpoints' people fear, such as having a record of your credit card trail, having your ID scanned at an airport etc, are solid evidence of your whereabouts. Personal privacy doesn't even come into play. You are looking to enter a private place or to conduct business airplane, ATM etc. you are now using a PRIVATELY OPERATED service by choice, your personal privacy is not being hindered in any way shape or form.

It's not like they are selling it on Ebay or posting YouTube videos of you entering an airport.

As for RFID applications, a credit card instead of a shipping tag, the identification, tag and reader is identical.

The information is gathered the same way, RFID chips are actually rather limited in the data they can hold, they have storage capacity but much of that is used for encoding and encrypting, unless very high end, custom work that no Airport would invest in. There are also many laws about WHICH information can be coded to an RFID tag, with personal privacy and security in mind. There are about a dozen regulators on the RFID consortium and they operate across a lot of countries (as they would have to) to set global standards that abide by even the strictest privacy laws.

Quality control? Has nothing at all to do with it, it is due to the vast limitations and applications of RFID technology, it is simply useless in most applications as there is always some form of interference, the tag required otherwise would be far too expensive to be viable, etc. You have to remember, MOST of these systems use passive tags, they must be less than 12 cents each, which makes them VERY weak and hard to read accurately unless presented directly under a scanner, much as you would a bar code.

"why can't someone steal information from a radio transmitted signal from their id?"
Because tags used on 99.999% of applications, and 100% of ID tags are passive. They do not "transmit" ANYTHING. You generally would have to be within a foot of a passive tag to POSSIBLY get a read, if you have the right tag association (PIN) code.

IF you have a reader, AND it just happens to have the correct pin code to shake hands with a tag, read that data, figure out the encryption used and then decode that data, you could find out less than by just snatching a wallet, digging through someone's trash, making a 2 minute phone call to them. RFID isn't some errant signal being broadcast, it is passive. A reader sends out a code that is associated with the tag, if it sees a reader with the correct code (PIN) it verifies and shows up as available. It then shakes hands and allows its coded information to be read.

If you don't have the exact code in your scanner that the tag will identify with and shake hands with, your scanner is a 3K mobile computer. Some tags use a randomly generated code, each time it is scanned it changes the code, so picking up the passcode (somehow, one day) would not help you if it was tried later.
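
The difference between a fixed reader code and a code that changes on every scan, as described in the post above, shown as an added Python sketch that is not from the thread or from any RFID vendor. The class names, the HMAC-based response and the payload are assumptions chosen for illustration and do not model a specific tag standard.

```python
import hashlib
import hmac
import secrets

PAYLOAD = b"constructed-tag-payload"  # constructed sample data, not a real record


class StaticCodeTag:
    """Hypothetical tag that releases data to any reader presenting one fixed code."""

    def __init__(self, passcode: bytes, data: bytes):
        self._passcode = passcode
        self._data = data

    def read(self, presented: bytes):
        ok = hmac.compare_digest(presented, self._passcode)
        return self._data if ok else None


class ChallengeResponseTag:
    """Hypothetical tag that issues a fresh random challenge on every wake-up.

    The reader proves it holds the shared key by returning
    HMAC-SHA256(key, challenge); the key itself is never sent.
    """

    def __init__(self, key: bytes, data: bytes):
        self._key = key
        self._data = data
        self._challenge = None

    def wake(self) -> bytes:
        self._challenge = secrets.token_bytes(16)
        return self._challenge

    def read(self, response: bytes):
        # Each challenge is single-use: clear it before checking the answer.
        challenge, self._challenge = self._challenge, None
        if challenge is None:
            return None
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return self._data if hmac.compare_digest(response, expected) else None


def reader_response(key: bytes, challenge: bytes) -> bytes:
    """What an authorised reader computes for a given challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def demo() -> dict:
    # Fixed code: a value recorded from one legitimate scan works again later.
    static_tag = StaticCodeTag(b"1234", PAYLOAD)
    recorded_code = b"1234"
    static_replay = static_tag.read(recorded_code)

    # Changing code: the legitimate exchange succeeds once...
    key = secrets.token_bytes(32)
    tag = ChallengeResponseTag(key, PAYLOAD)
    recorded_response = reader_response(key, tag.wake())
    legit = tag.read(recorded_response)

    # ...but the recorded response is useless against the next challenge.
    tag.wake()
    cr_replay = tag.read(recorded_response)
    return {"static_replay": static_replay, "legit": legit, "cr_replay": cr_replay}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```
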
