RFID passport identity theft made simple

Put your RFID passport in a signal-blocking wallet. But once it is pulled out and read, it broadcasts your private data for any RFID sniffer to record. And then?
Written by Robin Harris, Contributor

You're confident your RFID passport is safe in its signal-blocking wallet as you pass through immigration. What you don't know is that the man behind you is recording the data sent by your passport's RFID chip as it is scanned.

Your name, nationality, gender, birthday, birthplace and a nicely digitized photo are in his hands. With that info he can photoshop up a passport, get a copy of your Social Security card and with that get credit cards and bank accounts in your name.

Rewarding individual enterprise

Thanks to bureaucratic confidence in RFID technology this is a real threat. An article in the Communications of the Association for Computing Machinery goes into the details:

For successful data retrieval the perpetrator's antenna must catch two different interactions: the forward channel, which is the signal being sent from the RFID reader to the RFID token; and the backward channel, which is the data being sent back from the RFID token to the RFID reader. . . .

. . . the perpetrator would need only an antenna and an amplifier to boost the signal capture, a radio-frequency mixer and filter, and a computer to store the data. The amplifier itself would not even need to be that powerful, since it would need to boost the signal over only a short distance of three to five meters. . . . These RFID "sniffers" can then be plugged into a laptop via a USB port.

They've got your data, now what?

The weak 52-bit key encryption is easily broken. Then just counterfeit the passport, get a Social Security card and start shopping!

As the article notes, forging a passport can be expensive. It might be easier just to steal it.

The Storage Bits take

The RFIDiocy keeps getting worse. The Feds were pwnd at DefCon earlier this year.

But these are just the risks we know about today. What new technologies will appear in the next 15 years to make both eavesdropping and forgery easier?

The RFID passport is a technological sitting duck for bad guys of all kinds - criminals and terrorists - courtesy of the US State Department.

As I noted in a previous post:

The time to end this nonsense is now. There are perfectly usable non-RF storage technologies - like 3D barcodes - that can safely store data in hard to crack, hard to hack formats.

We can do better. And we must.

Comments welcome, of course.
