Wednesday, October 25, 2006

Sniffing Through Your Wallet with RFID

We should all be glad that Superman was a nice guy. I mean, with his X-ray vision, his personal jet-powered cape, not to mention his lady-killing looks when he didn't have his glasses on, he would have made a formidable criminal. Well, some nice guys in the Department of Computer Science at the University of Massachusetts Amherst have shown us that it doesn't take X-ray vision to read your name and credit-card number off some new types of credit cards that incorporate something called "RFID."

First, full disclosure (I've always wanted to say that): I taught at the University of Massachusetts Amherst for fifteen years before moving south, though not in Computer Science. And even before that, my supervising professor in graduate school and I patented a system that could have been used for RFID, although nobody but the patent lawyers ever made a nickel off the patent, which has now expired.

What is RFID? It stands for "radio frequency identification," and it includes a variety of techniques to track inventories, monitor conditions remotely, and even read credit cards. The common thread in all these things is an RFID chip that goes onto the object in question: a box of Wheaties, a credit card, or even a person's body. You can think of this technology as on beyond bar codes—those little symbols that the checkout person scans at the grocery store. Using the proper RFID equipment, you can receive information about where the object is, its inventory number, and so on, all without contacting the object. So in a warehouse, for instance, every time a pallet full of computers goes out the door, an RFID transponder can count them and record each computer's serial number, and the guy driving the forklift doesn't even have to slow down. You just have to be within radio range, which can vary from inches to several feet. Which is how the clever guys at UMass Amherst did their trick.

According to the New York Times, Professor Kevin Fu asked a graduate student to take a sealed envelope bearing a new credit card and just tap it against a transponder box they had designed. In a few minutes, Professor Fu's name, the credit card number, and even the expiration date appeared on a screen. All without even opening the envelope.

The Times reporter dutifully made the rounds of credit-card firms such as American Express and J. P. Morgan Chase to describe Prof. Fu's magic trick. Visa's Brian Triplett said it was an "interesting technical exercise," but wasn't concerned that it would lead to widespread credit-card fraud. It should be noted that it wasn't Mr. Triplett's credit card number that showed up on the screen.

As with many other technologies that develop out of the public eye for years or decades before emerging into visibility, RFID has been around a lot longer than you might think. Back in World War II, a primitive form of RFID was used with aircraft to "identify friend or foe" (IFF). The equipment was far too bulky or expensive back then to be considered for consumer products, but advances in electronics have given us RFID chips cheap enough to throw away with the empty box of Wheaties. Some experts believe RFID will largely replace bar codes as the inventory technology of the future. And that's not all.

Attaching an RFID tag to one's person would lead to all sorts of situations, not all of which are pleasant. Strangely enough, one of the more popular paranoid delusions in recent years, but not so recent that RFID was developed to do it yet, was that the FBI or some equally secretive outfit had implanted a chip in the patient's body, and the chip was spying on their whereabouts and even their thoughts. I actually had dealings with such an individual when I was back at UMass, and it wasn't a pretty picture. It's not every day that billions of dollars are spent with the unintended byproduct of bringing some nut case's delusion into the realm of reality, but it happens. RFID is a long way from reading peoples' thoughts yet, but even that notion doesn't sound as goofy as it used to, what with PET scans and other noninvasive brain-monitoring techniques.

For now, RFID will begin to show up only in places like grocery stores, automated tollbooth tags such as New York State's "EZPass," and some credit cards. I don't think we need to worry about Prof. Fu's trick falling into the hands of some evil computer scientist, because it's fairly easy to foil. And fortunately, the laws about credit-card fraud in this country are written so that the consumer is liable only for the first $50 of loss, and the credit-card issuer is left holding the rest of the bag. So if Visa and company start losing substantial amounts of money to people who cobble together a duplicate of Prof. Fu's remote card reader, the firms will take the straightforward steps needed to fix that particular problem.

All the same, we need to think about how RFID could be abused, before some clever thief or saboteur does, and take reasonable precautions. And it's going to be a long while before yours truly consents to having any chips embedded in his person. But then, I was born old-fashioned.

Sources: The New York Times story appeared online on Oct. 23, 2006 at I have recently received a copy of RFID Strategic Implementation and ROI: A Practical Roadmap to Success by Charles Poirer and Duncan Mccollum, which has a good nontechnical discussion of RFID's history and how it works.

No comments:

Post a Comment