From: Sancho Panza on
December 8th, 2009
RFID passport identity theft made simple
Posted by Robin Harris @ 11:20 pm
<http://blogs.zdnet.com/storage/?cat=5>, Public policy
<http://blogs.zdnet.com/storage/?cat=8>, Security
<http://blogs.zdnet.com/storage/?cat=7>

You're confident your RFID passport is safe in its signal-blocking wallet as
you pass through immigration. What you don't know is that the man behind you
is recording the data sent by your passport's RFID chip as it is
scanned.Your name, nationality, gender, birthday, birthplace and a nicely
digitized photo is in his hands. With that info he can photoshop up a
passport, get a copy of your Social Security card and with that get credit
cards and bank accounts in your name.

*Rewarding individual enterprise*
Thanks to bureaucratic confidence in RFID technology this is a real threat.
An article in the Communications of the Association for Computing Machinery
<http://cacm.acm.org/magazines/2009/12/52836-a-threat-analysis-of-rfid-passports/fulltext>
goes into the details:

For successful data retrieval the perpetrator's antenna must catch
two different interactions: the forward channel, which is the signal
being sent from the RFID reader to the RFID token; and the backward
channel, which is the data being sent back from the RFID token to
the RFID reader. . . .

. . . the perpetrator would need only an antenna and an amplifier to
boost the signal capture, a radio-frequency mixer and filter, and a
computer to store the data. The amplifier itself would not even need
to be that powerful, since it would need to boost the signal over
only a short distance of three to five meters. . . . These RFID
"sniffers" can then be plugged into a laptop via a USB port.

*They've got your data, now what?*
The weak 52-bit key encryption is easily broken. Then just counterfeit the
passport, get a social security card and start shopping!

As the article notes, forging a passport can be expensive. It might be
easier just to steal it.

*The Storage Bits take*
The RFIDiocy keeps getting worse. The Feds were pwnd at DefCon
<http://blogs.zdnet.com/storage/?p=565> earlier this year.

But these are just the risks we know about today. What new technologies will
appear in the next 15 years to make both eavesdropping and forgery easier?

The RFID passport is a technological sitting duck for bad guys of all
kinds - criminals and terrorists - courtesy of the US State Department. As I
noted in previous post:

The time to end this nonsense is now. There are perfectly usable
non-RF storage technologies - like 3D barcodes - that can safely
store data in hard to crack, hard to hack formats.

We can do better. And we must.

Robin HarrisRobin Harris has been messing with computers for over 30 years
and selling and marketing data storage for over 20 in companies large and
small. See his full profile <http://blogs.zdnet.com/bio.php#harris> and
disclosure <http://blogs.zdnet.com/storage/?page_id=154> of his industry
affiliations.
http://blogs.zdnet.com/storage/?p=713&tag=nl.e550




From: William Black on
Sancho Panza wrote:

> You're confident your RFID passport is safe in its signal-blocking
> wallet as you pass through immigration. What you don't know is that the
> man behind you is recording the data sent by your passport's RFID chip
> as it is scanned.Your name, nationality, gender, birthday, birthplace
> and a nicely digitized photo is in his hands. With that info he can
> photoshop up a passport, get a copy of your Social Security card and
> with that get credit cards and bank accounts in your name.
>
Any evidence that anyone has done this yet?

I don't mean someone has done something clever in a lab, I mean a
criminal stealing an identity via a passport at an airport.


--
William Black

"Any number under six"

The answer given by Englishman Richard Peeke when asked by the Duke of
Medina Sidonia how many Spanish sword and buckler men he could beat
single handed with a quarterstaff.
From: tim.... on

"Sancho Panza" <otterpower(a)xhotmail.com> wrote in message
news:4b205286$0$22549$607ed4bc(a)cv.net...
> December 8th, 2009
> RFID passport identity theft made simple
> Posted by Robin Harris @ 11:20 pm
> <http://blogs.zdnet.com/storage/?cat=5>, Public policy
> <http://blogs.zdnet.com/storage/?cat=8>, Security
> <http://blogs.zdnet.com/storage/?cat=7>
>
> You're confident your RFID passport is safe in its signal-blocking wallet
> as you pass through immigration. What you don't know is that the man
> behind you is recording the data sent by your passport's RFID chip as it
> is scanned.

And why should I worry about this? The only things that are broadcast are
the things that can be obtained by reading the passport,

I really don't see why anybody sees this as a problem.

Scare mongering for the sake of it

tim


From: Sancho Panza on

"tim...." <tims_new_home(a)yahoo.co.uk> wrote in message
news:7ocv9kF3q6nkoU1(a)mid.individual.net...
>
> "Sancho Panza" <otterpower(a)xhotmail.com> wrote in message
> news:4b205286$0$22549$607ed4bc(a)cv.net...
>> December 8th, 2009
>> RFID passport identity theft made simple
>> Posted by Robin Harris @ 11:20 pm
>> <http://blogs.zdnet.com/storage/?cat=5>, Public policy
>> <http://blogs.zdnet.com/storage/?cat=8>, Security
>> <http://blogs.zdnet.com/storage/?cat=7>
>>
>> You're confident your RFID passport is safe in its signal-blocking wallet
>> as you pass through immigration. What you don't know is that the man
>> behind you is recording the data sent by your passport's RFID chip as it
>> is scanned.
>
> And why should I worry about this? The only things that are broadcast are
> the things that can be obtained by reading the passport,
>
> I really don't see why anybody sees this as a problem.
>
> Scare mongering for the sake of it

A lot more people are victims of ID theft.


From: tim.... on

"Sancho Panza" <otterpower(a)xhotmail.com> wrote in message
news:4b22af4d$0$22537$607ed4bc(a)cv.net...
>
> "tim...." <tims_new_home(a)yahoo.co.uk> wrote in message
> news:7ocv9kF3q6nkoU1(a)mid.individual.net...
>>
>> "Sancho Panza" <otterpower(a)xhotmail.com> wrote in message
>> news:4b205286$0$22549$607ed4bc(a)cv.net...
>>> December 8th, 2009
>>> RFID passport identity theft made simple
>>> Posted by Robin Harris @ 11:20 pm
>>> <http://blogs.zdnet.com/storage/?cat=5>, Public policy
>>> <http://blogs.zdnet.com/storage/?cat=8>, Security
>>> <http://blogs.zdnet.com/storage/?cat=7>
>>>
>>> You're confident your RFID passport is safe in its signal-blocking
>>> wallet as you pass through immigration. What you don't know is that the
>>> man behind you is recording the data sent by your passport's RFID chip
>>> as it is scanned.
>>
>> And why should I worry about this? The only things that are broadcast
>> are the things that can be obtained by reading the passport,
>>
>> I really don't see why anybody sees this as a problem.
>>
>> Scare mongering for the sake of it
>
> A lot more people are victims of ID theft.

and just how useful is knowing someone's name and date of birth, if you
don't know their address?

tim


>
>