RFID in Mobile Commerce and Security Concerns
Chassica Braynen
April 25, 2007
Agenda
- Introduction
- Technology
- Uses of RFID in Mobile Commerce
- Security & Privacy Concerns
Introduction
- Radio Frequency Identification (RFID) is also known as Dedicated Short-Range Communication
- RFID is an automatic identification method that relies on remotely storing and/or retrieving data from small objects called RFID tags. These tags contain antennae to receive and respond to queries from an RFID reader.
- A typical RFID system consists of two main components: tags and readers.
- RFID devices are similar to barcodes
  - Bar codes are read or scanned using light: infrared, laser, or optical scanning.
  - RFID tags are read using RF energy (radio waves).
- Does not require physical contact or line of sight
- Used in various environmental conditions
- More beneficial than bar codes
Introduction
- Radio Frequency Identification (RFID) has existed for over 50 years
- Used in World War II on Allied aircraft to identify "friendly" planes
- Used in the 1960s and 70s to tag nuclear equipment
- Civilian uses began around the 1970s
  - Animal ID and temperature tracking
  - Railroad inventory tracking
- In the 1980s, became more prevalent worldwide
- Electronic toll collection began in the 1990s
- Present uses expanding
Technology
Basic RFID System [diagram: Computer or Database, Reader, Antenna, Tag (antenna w/ integrated circuit chip)]
Technology
3 types of RFID tag technologies:
- Active
  - Have an internal power source
  - Longer range, larger memory
  - Stores the most information
  - Read distance = several tens of meters
- Semi-passive
  - Similar to passive, except with small battery
- Passive
  - Have no internal power supply
  - Powered by radio frequency signal
  - Read distance = 10 mm to 1 meter
Technology
4 different types of tags in use (by radio frequency):
- Low frequency tags (125 or kHz)
- High frequency tags (13.56 MHz)
- UHF tags (868 to 956 MHz)
- Microwave tags (2.45 GHz)
Uses of RFID
Contactless Payment Systems
- ExxonMobil - "Speedpass"
- American Express - "ExpressPay"
- MasterCard - "PayPass"
- Hong Kong - "Octopus Card"
- MARTA - "Breeze Card"
Uses of RFID
- Electronic toll control
  - Georgia's Cruise Card
  - California's FasTrak
  - Illinois' I-Pass
- Food Services
  - FreedomPay
- Concert Entry
  - Tickets embedded with tags
  - Hitachi's RFID "mu-chip"
Uses of RFID
RFID-enabled mobile phones
- Japan Airlines' cell phone check-in
- Can be used as a payment system (still in beginning stages)
  - Restaurants
  - Gas stations
  - Convenience stores
- The way it works: "Patrons hold their phones up to terminals, causing the amount due to appear on the phone's screen. The customer will enter a secret code into the phone's keypad, authorizing the payment before holding the phone up to the reader a second time to confirm it."
Security Concerns
- Generation 1 RFID was not initially designed for security
- Some RFID tags are vulnerable to alteration, corruption and deletion of the data
- Wireless protocols can be jammed, creating a denial of service attack
- RFID data can be copied
  - On Jan 29th 2005, RSA Security and a group of students from Johns Hopkins University broke the proprietary encryption algorithm used by ExxonMobil's Speedpass. They were able to successfully copy a Speedpass and use the copied RFID tag to purchase gas.
- Companies are addressing security issues
Privacy risks
- Profiling
- Tracking
- Notification
- Tag "sniffing"
Solutions
- Lengthen passwords to 32 bits
- Make tag ID non-broadcasting
- 16-bit randomly generated keys, used to encrypt read, write and erase commands
- Authenticated RFID, 2-factor authentication
- Monitoring systems
- Education
- Some vendor systems are more secure than others
- Ensure that tag selection is in alignment with the company's security policy
- Be informed, understand risks
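Added example (not part of the original presentation): a small simulation of why a copied reply is enough against a tag that only sends a fixed ID, and why "Authenticated RFID" with a fresh challenge per read rejects the same copy. The class names, tag ID and key are constructed for illustration, and HMAC-SHA256 is an assumed stand-in for whatever cipher a real tag implements.

```python
import hashlib
import hmac
import secrets

# Constructed sample values; HMAC-SHA256 is an assumed stand-in for a tag's cipher.
TAG_ID = b"CONSTRUCTED-TAG-0001"
KEY = secrets.token_bytes(16)

class StaticTag:
    """Answers every query with the same ID, so one observed reply is a full copy."""
    def respond(self, challenge: bytes) -> bytes:
        return TAG_ID

class AuthenticatedTag:
    """Proves knowledge of a secret key without ever transmitting the key."""
    def __init__(self, key: bytes):
        self._key = key
    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, TAG_ID + challenge, hashlib.sha256).digest()

class Replay:
    """Models a copied tag: it can only repeat one previously recorded reply."""
    def __init__(self, recorded: bytes):
        self._recorded = recorded
    def respond(self, challenge: bytes) -> bytes:
        return self._recorded

def reader_accepts(tag, key=None) -> bool:
    """Reader check: a fresh random challenge per read, constant-time comparison."""
    challenge = secrets.token_bytes(16)
    reply = tag.respond(challenge)
    if key is None:  # legacy reader: trusts whatever ID is presented
        return hmac.compare_digest(reply, TAG_ID)
    expected = hmac.new(key, TAG_ID + challenge, hashlib.sha256).digest()
    return hmac.compare_digest(reply, expected)

def demo() -> dict:
    recorded_static = StaticTag().respond(b"")
    recorded_auth = AuthenticatedTag(KEY).respond(secrets.token_bytes(16))
    return {
        "static_genuine": reader_accepts(StaticTag()),
        "static_copy": reader_accepts(Replay(recorded_static)),
        "auth_genuine": reader_accepts(AuthenticatedTag(KEY), KEY),
        "auth_copy": reader_accepts(Replay(recorded_auth), KEY),
    }

if __name__ == "__main__":
    print(demo())
```

The protection holds only while the key stays secret and is long enough to resist guessing, which is the point of the key-length items on the slide above.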
This concludes my presentation.