« October 2006 | Main | December 2006 »

November 21, 2006

Jack in the Box Adopts RFID Payments Despite Warnings


Despite warnings about the insecurity of contactless RFID credit cards, Jack in the Box is pushing forward with an unprecedented plan to install RFID card readers in its fast food restaurants. By the end of December, all Jack locations should have the infrastructure in place, according to a report at RFID Product News.

The New York Times recently ran a story revealing that virtually every RFID credit card tested by security researchers, including Visa, Mastercard, and American Express, was vulnerable to unauthorized charges and put consumers at risk for identity theft. Information like the credit card number, card holder's name, and expiration date could be gleaned right through purses, backpacks or wallets without consumer knowledge or consent using a relatively inexpensive device made with over-the-counter hardware. CASPIAN demanded a recall of the spychipped credit cards, but credit card companies have not even notified consumers about the risks.

Of course, identity thieves aren't the only concern. Those who have read our book "Spychips" know that "authorized users" of RFID technology have been planning to siphon information from RFID-laced credit, debit, and "loyalty" cards to deliver up targeted advertising and perform in-depth marketing research. One day, Jack could hide RFID readers in its restaurant doorways, order counters, tables and other locations to grab information you would never offer up voluntarily.

Next time you want to eat fast food, consider passing by Jack in the Box for a more consumer-conscious restaurant--and be sure to tell Jack that you oppose the use of RFID reader devices in public places.

- Liz McIntyre

Posted by liz at 2:55 PM | Comments (1)

November 15, 2006

essex college banner.jpg

Many thanks to Essex County College in Newark, NJ, for having me share information about the RFID threat with faculty, students, and the community at large in two presentations on Monday! Special thanks to Essex County College’s Student Life & Activities, Legal Assistant Studies & Criminal Justice programs, Dr. Linda McDonald Carter, Dr. Patrice Davis, Patt Slade and Shirley Rice for making the events possible.

Thanks also to Bob Pickett, attorney and host of Kiss FM's top-rated talk shows "Open Line" and "Week in Review" for making a special introduction at the evening program.

This college is an amazing oasis in the city of Newark, and it's full of dedicated faculty, staff and students. The campus is immaculate and the facilities are outstanding. This school brings in incredible programs and nationally recognized speakers like human rights activist Enrique Morones, and National Action Network Founder & President Rev. Al Sharpton, as well as state and local lawmakers and educators. Attendance is free! Newark is so fortunate to have this resource and access to important forums.

It was a joy and pleasure. Thanks to everyone!

- Liz McIntyre

Posted by liz at 3:31 PM | Comments (0)

November 3, 2006

Passport insecurity


Just when you thought the RFID security situation couldn't get any worse, it turns out there is a serious vulnerability in the new spychipped US passports. (Surprise, surprise.) British security researcher Adam Laurie has found that the cryptography used in the RFID tags can be cracked by anyone who can get near your passport, provided they have your name, date of birth, and passport number. This info would allow them to unlock your passport chip and download your digital photo and other information from the passport.

Laurie has written a program that he explains can "exchange crypto keys with the passport and read and display the contents therein, including the facial image and the personal data printed in the passport." Anyone wanting to duplicate a passport would then have complete access to your digital passport photo along with your passport's cryptographic key.

How would a hacker get your name and passport number? It's not as hard as you might think. They could pick up a discarded boarding pass at the airport, log onto British Airways website (or any of a number of equally insecure data sites on the Internet), or work for a business like a bank or hotel that routinely requires and records such information. (Heck, nowadays you have to show a passport just to check into a hotel or exchange currency in Europe --- even to log onto a computer at an Internet cafe.)

Why would our government insist on spending money on insecure technology that puts travellers at risk? A CASPIAN press release we issued last year may help explain:

Heads of Federal Agencies encouraged to "advance the industry"

For more details about passport security, here are some useful links:

* Edward Hasbrouck, the Practical Nomad, explains how to tell if your passport contains a spychip.

* Security company Flexilis gives a vivid demonstration showing how the RFID shielding in passport covers fail to protect passport holders if the passport is open even 1/4", putting Americans at risk of physical harm. (And we now know, data skimming, as well.)

* Security expert Bruce Schneier discusses passports.

-Katherine Albrecht

Posted by Katherine Albrecht at 6:02 AM | Comments (1)

November 2, 2006

Checkpoint Systems lays off RFID staff


The RFID industry is hurting. Checkpoint Systems, Inc., the guys who want to hide RFID tags in the soles of people's shoes (see their website image above) and who put spychips in Calvin Klein and Abercrombie & Fitch clothing labels, has apparently had a hard time selling its RFID systems. The company has "scaled back its RFID efforts and laid off members of its RFID team" and "will no longer sell complete library inventory-management systems or RFID readers" after reporting a decline in 2nd quarter revenues over 2005.

Source: "Checkpoint Refocuses RFID Effort," RFID Journal, Oct 23, 2006

But don't rejoice just yet. A followup (damage control?) story three days later acknowledged that the company has ceased funding its team of five RFID experts and their R&D efforts, but says it is still "excited about RFID" and will continue to sell all of its current RFID products, including library inventory-management systems.

Disturbingly, the one part of the company's RFID program that will apparently continue to receive funding is the development of dual-purpose anti-theft tags coupled with RFID tags. If Checkpoint pulls this off, those ubiquitous little stickers on products that set off the alarm gates in stores will double as item-level RFID spychips with unique ID numbers. These can be linked in a database with shoppers' personal data, enabling the tags to silently transmit information about the product and the purchaser to readers anywhere in the envcironment for years after the sale. Pass through the gates on your way into the store, and your shoes could report their age, what you paid for them, and most importantly, your presence.

Checkpoint CEO George Off says, "When our customers are ready to go to RFID, they'll want those RFID systems to not only perform inventory tracking and other functions, they'll want the systems to perform security functions, too. They won't want to put two tags on one product." This is exactly the scenario we fear -- that RFID tags would be intentionally hidden in everything we own. It's our job as consumers to make sure Checkpoint's customers are never ready to adopt item-level RFID tagging.

- Katherine Albrecht

Posted by Katherine Albrecht at 7:40 AM | Comments (2)