First cloned passports, then bombs, and now ATM fraud: Security problems should plague RFID's future
First, it took hackers barely two weeks to clone the new RFID-based passports. Wrote Wired of the situation:
Grunwald says it took him only two weeks to figure out how to clone the passport chip. Most of that time he spent reading the standards for e-passports that are posted on a website for the International Civil Aviation Organization, a United Nations body that developed the standard. He tested the attack on a new European Union German passport, but the method would work on any country's e-passport, since all of them will be adhering to the same ICAO standard.
Said Bruce Schneier of the RFID "e-Passports:"
....I am opposed to RFID chips. My fear is surreptitious access: someone could read the chip and learn your identity without your knowledge or consent.....
And then what? Well, let's say you're a terrorist targeting Americans with improvised explosives. Writes fellow ZDNet blogger George Ou:
At Black Hat 2006, Flexilis inc. demonstrated that improper shielding in the proposed American RFID passports might be used by terrorists to set off bombs that may target citizens of particular nations. To demonstrate this, Flexilis produced a video showing what happens to an improperly shielded RFID-enabled passport versus a properly shielded RFID passport.
George has a link to the video. RFID's bad security week doesn't end there. Again, Bruce Schneier writes:
This is interesting. Seems that a group of Sri Lankan credit card thieves collected the data off a bunch of UK RFID-protected credit cards.....They couldn't clone the RFID chip, so they took the information off the magnetic stripe and made non-RFID cards. These cards wouldn't work in the UK, of course, so the criminals flew down to India where the ATMs only verify the magnetic stripe.
Back to Schneier's post on e-Passports:
Sure, the State Department is implementing security measures to prevent that. But as we all know, these measures won't be perfect. And a passport has a ten-year lifetime. It's sheer folly to believe the passport security won't be hacked in that time. This hack took only two weeks!.....
The best way to solve a security problem is not to have it at all. If there's an RFID chip on your passport, or any of your identity cards, you have to worry about securing it. If there's no RFID chip, then the security problem is solved.
e-Passports appear to be fait accompli. It's doubtful that the international community will back down from this manifest destiny any time soon (governments somehow like to stay the course, even after the courses they're on are proven to lead to bigger problems). Perhaps now is a good time for all those fancy-schmancy wallet makers to accessorize our passports with fashionable sheilding. That of course says nothing for what happens when you take it out.