RFID passport identity theft made simple

Summary: Put your RFID passport in a signal-blocking wallet. But when it is pulled out and read, it broadcasts your private data for any RFID sniffer to record. And then?

You're confident your RFID passport is safe in its signal-blocking wallet as you pass through immigration. What you don't know is that the man behind you is recording the data sent by your passport's RFID chip as it is scanned.

Your name, nationality, gender, birthday, birthplace and a nicely digitized photo are in his hands. With that info he can photoshop up a passport, get a copy of your Social Security card and with that get credit cards and bank accounts in your name.

Rewarding individual enterprise

Thanks to bureaucratic confidence in RFID technology this is a real threat. An article in the Communications of the Association for Computing Machinery goes into the details:

For successful data retrieval the perpetrator's antenna must catch two different interactions: the forward channel, which is the signal being sent from the RFID reader to the RFID token; and the backward channel, which is the data being sent back from the RFID token to the RFID reader. . . .

. . . the perpetrator would need only an antenna and an amplifier to boost the signal capture, a radio-frequency mixer and filter, and a computer to store the data. The amplifier itself would not even need to be that powerful, since it would need to boost the signal over only a short distance of three to five meters. . . . These RFID "sniffers" can then be plugged into a laptop via a USB port.

They've got your data, now what?

The weak 52-bit key encryption is easily broken. Then just counterfeit the passport, get a Social Security card and start shopping!

As the article notes, forging a passport can be expensive. It might be easier just to steal it.

The Storage Bits take

The RFIDiocy keeps getting worse. The Feds were pwnd at DefCon earlier this year.

But these are just the risks we know about today. What new technologies will appear in the next 15 years to make both eavesdropping and forgery easier?

The RFID passport is a technological sitting duck for bad guys of all kinds - criminals and terrorists - courtesy of the US State Department.

As I noted in a previous post:

The time to end this nonsense is now. There are perfectly usable non-RF storage technologies - like 3D barcodes - that can safely store data in hard to crack, hard to hack formats.

We can do better. And we must.

Comments welcome, of course.


About

Harris has been working with computers for over 35 years and selling and marketing data storage for over 30 in companies large and small. He introduced a couple of multi-billion dollar storage products (DLT, the first Fibre Channel array) to market, as well as many smaller ones. Earlier he spent 10 years marketing servers and networks.
