Bruce Schneier has been a very vocal opponent of the move to put RFID tags, or at least ones without security, on passports. For instance, there is this blog post, and this article. Passports are, of course, interesting, particularly when you have to use them as much as I do. Most countries now seem to be moving to RFID-enabled passports. However, recently, credit card companies have started putting RFID tags on their cards, and that is making me wonder.
Several years ago, when I was living in Boston, Exxon started something they called the “Fast Pay” system. The premise was that you had a little piece of molded aluminum on your keychain that contained an RFID tag, and when you pulled into the gas station you just waved the tag in front of the gas pump, at which point you could pump your gas and quickly get back to sitting in traffic waiting to go through the toll booth.
It was probably only a matter of time, but American Express has now started putting RFID tags on some of their credit cards, and it probably will not be long before other credit card companies follow suit. The readers are starting to show up in various places, like McDonald's, which makes sense, because if you eat at McDonald's a lot (and I do; I like their food) then the act of pulling your credit card out of your wallet is just way too much exercise. 🙂
The interesting thing here is that there is virtually no security information available on how RFID tags on credit cards work. When I talked to some near-normal people (they are friends and relatives of mine, so they probably are not entirely normal; at least not when it comes to security), they figured this was an interesting idea. My first concern, by contrast, was what stops someone from reading the data off the RFID tag and duplicating it. Estimates on how far away you can be and still read a passive RFID tag range from 10 meters to 25 meters, so unless there is something on these tags to stop unauthorized systems from reading them, they are probably readily accessible from quite some distance.
That being said, it is hard to believe that the credit card companies had not thought about this first. I’d just feel a lot better about the whole idea if there were more detail on the security of the system than a claim that they use a “unique cryptogram.”
Of course, if you do not like these RFID tags, 15 seconds or so in the microwave oven will take care of them. You may want to use the microwave oven at work though…