What is the purpose of RFID identification, and what access control problems and security risks are associated with it?
RFID stands for radio frequency identification. RFID tags emit radio signals and are usually embedded in things like credit cards, passports, merchandise, or even livestock. The tag resembles a smart card when embedded in a card and may carry the same data as a smart card, but smart cards need to be swiped by a reader and don't transmit radio signals.
RFID is a fantastic technology for businesses, particularly warehousing, retail and livestock. RFID tags can be attached to merchandise in a warehouse so that employees can automatically conduct inventories with handheld readers that send data to the company's servers or databases. Users don't have to go back to a terminal to enter data manually.
The fundamental security problem of RFID is the same as that of any wireless device. It transmits data out in the open where it can be easily sniffed, captured or stolen. Thus, an attacker doesn't even have to find a network or cable for attaching a sniffer. All he or she needs is a laptop with an antenna and a wireless hookup outside the place the device is transmitting, and he or she could obtain confidential customer information leading to financial loss or identity theft.
Security guru Bruce Schneier has long been a vocal critic of the recent move by the State Department to put RFID chips in U.S. passports. He has cited the feats of security researchers in the UK who were able to steal data with simple home-built readers with parts costing under $100.
Also, RFID chips can only hold a limited number of encryption keys, which makes them more vulnerable to cracking.
In answer to the question about access controls, RFID chips, like those in smart cards, come in two varieties: programmable and fixed. Programmable chips are at higher risk, since they can be manipulated for malicious purposes, whereas pre-programmed chips aren't as susceptible.
RFID technology is still developing and maturing. To be more secure, all radio signals need to be encrypted and shielded, so they can't be read without authorization. Chips also need to be designed to carry stronger encryption keys.
RFID technology isn't going away, as evidenced by the stringent requirements Wal-Mart Stores Inc. has put in place for its suppliers. But a thorough analysis of the IT security risks should always be conducted before any implementation.
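The difference between a tag that transmits a fixed value in the open and one whose transmissions are useless without a key can be checked in a few lines. This is an added example, not code from the original answer; HMAC-SHA256, the class names and the sample identifier are assumptions chosen for illustration, and a real tag would use whatever cryptography its chip supports.

```python
import hashlib
import hmac
import secrets

TAG_ID = b"PALLET-0001"  # constructed sample identifier


class FixedIdTag:
    """Answers every query with the same value, sent in the clear."""

    def respond(self, challenge: bytes) -> bytes:
        return TAG_ID  # the challenge is ignored


class KeyedTag:
    """Proves it holds a per-tag key without ever transmitting the key."""

    def __init__(self, key: bytes):
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge + TAG_ID, hashlib.sha256).digest()


class Reader:
    """Back-end check for one enrolled tag; key=None models a fixed-ID system."""

    def __init__(self, key=None):
        self._key = key

    def accepts(self, challenge: bytes, response: bytes) -> bool:
        if self._key is None:
            expected = TAG_ID
        else:
            expected = hmac.new(self._key, challenge + TAG_ID, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)


def audit(reader: Reader, tag) -> tuple:
    """Return (live exchange accepted, same bytes accepted on a later read)."""
    first = secrets.token_bytes(16)
    recorded = tag.respond(first)  # what anyone in radio range would observe
    later = secrets.token_bytes(16)  # fresh challenge for the next read
    return reader.accepts(first, recorded), reader.accepts(later, recorded)


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    print("fixed ID:", audit(Reader(), FixedIdTag()))        # (True, True)
    print("keyed   :", audit(Reader(key), KeyedTag(key)))    # (True, False)
```

A deployment review can ask the same question of a real system: if the bytes observed during one read are still accepted on the next read, the tag is effectively a fixed, open identifier.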