May 08, 2007

RFID Gazette - Tues May 08, 2007

Yet More Anti-RFID Envelope Makers
National Envelope Corporation is the latest company to go after the potentially lucrative anti-RFID envelope and wallet market with their Smart Card Guard products. The envelopes can be used to protect contactless credit cards, ID cards, and e-passports. [via Contactless News]

A Smart RFID Mirror
Paxar is currently showing off its smart mirror at a show in Miami, Florida. The mirror, typically to be used in retail clothing stores, gives customers information about a tagged item of clothing. [via RFID Update]

Free RFID Discovery Service
Afilias is offering a service to companies that want to share RFID EPC data over the Internet. What information is to be shared can be configured on a per-subscriber basis. Afilias calls the service ESDS (Extensible Supply-Chain Discovery Services) and hopes it'll become an industry standard. [via RFID Journal]

May 07, 2007

About NFC Cell Phones and the New Digital Wallets

What happens when you lose one? Can the finder/thief use it to make purchases? Supposedly there are safeguards, but since you can just "tap" your phone at, say, a cashless vending machine, I don't see how that'd stop a thief. I've yet to come across any articles that explain this.

Most people guard their cell phones closely, so it won't be a big issue. Not yet. But since ABI Research predicted back in 2004 that 50% of phones would have NFC by 2009, it'll become a growing issue. It happens; phones get misplaced or stolen. And if phones become our wallets, isn't that more incentive for some people to steal them? That is, if it's easy to use any stored credits. And will it be easy for a thief to determine what your recent purchases were?

I'm assuming you can have your phone disabled if it gets "misplaced", though you'd have to find a phone elsewhere to make the call. (To whom, exactly? I've not seen any indication that payment credits on NFC phones are handled by credit card issuers or some other organization.)

There's a similar problem for contactless credit cards, since a signature is not required for transactions under $25 for most cards. Sure, these can be easily cancelled, and the transactions removed from a card carrier's credit statement, so the point is moot. But as for a lost NFC phone, I'm guessing that knowledge of what happens is only available to those who have one.

May 04, 2007

NIST Highlights RFID Security Risks

The NIST (National Institute of Standards and Technology) recently released a 150+ page PDF report that details some of the security risks of using RFID in a supply chain. Said Robert C. Cresanti, Under Secretary of Commerce for Technology:

RFID tags, commonly referred to as smart tags, have the ability to improve logistics, profoundly change cost structures for business, and improve the current levels of safety and authenticity of the international pharmaceutical supply chain and many other industries. This important report lays the foundation for addressing potential RFID security risks so that a thoughtful enterprise can launch a smart tag program with confidence.

The report also suggests ways to get around the security risks. Download from "NIST issues guidelines for ensuring RFID security". [via Extreme RFID]

April 30, 2007

16 Barriers to RFID Ubiquity

RFID is arguably a very efficient technology, made for multiple purposes, useful for private and public sectors. The benefits of RFID are far too numerous to mention in a single article, as the potential applications are seemingly endless. Many in the industry and elsewhere feel that the technology will become ubiquitous and replace older technologies because of its efficiencies and extra functionality. The problem is, it is also a very controversial technology for many reasons, which are thus a barrier to widespread adoption of RFID.

April 23, 2007

Steal Data From RFID Passports With $20 In Equipment

[Commentary] Apparently, all you need to skim data from a certain type of RFID chip used in e-passports and credit cards is $20 worth of equipment available on eBay and the know-how. Except that security researcher Chris Paget isn't allowed to say how the flaw works, due to a claim by a chip maker that he'd be infringing on various rights. They stopped Paget from talking at the Black Hat conference in February, and they're still trying to do so now.

Very interesting way of trying to defeat detractors, but instead of helping, those who feel consumers should be aware of such security flaws will probably mistrust the manufacturer now. (I unfortunately do not know who this is - see below.) Alienating more people is not what the RFID industry needs; it's about awareness. It might be time to get new lawyers and PR people.

[UPDATE: I mistakenly indicated that IOActive is the chipmaker in the above article. Correction made, and my sincere apologies for the error.]

March 30, 2007

Can RFID Implants Be Subverted?

[editorial] In a series of proto-cyberpunk short stories and novellas that I wrote in 2002, set in an alternate, near-future Earth country called the United States of North America (Canada and the US), a roving, microchipped band of digital rebels escape from a USNA government that is essentially a dictatorship pretending to be patriotic. Paper is outlawed, thinking for yourself is highly frowned upon, and everyone is being microchipped "for their safety." (By which I mean RFID chips, though I never refer to RFID.)

These rebels have "underground" meeting places where chips are either removed or disabled, and from where their "subversive" activities are planned. These are the true patriots for freedom and justice, but they are looked upon as hackers and criminals, particularly because they disable the RFID microchips. From their perspective, they do this because they feel the chips are a threat to their privacy and general well-being, and that control of the chips can be subverted by malicious parties - counter to this fictional government's claim that the chips are safe.

Well, truth may be stranger than fiction. According to a security researcher in the UK, Adam Laurie, implanted RFID chips can be hacked by malicious parties and thus controlled. Laurie cracked codes for an RFID ID card, a livestock chip, and a chip that a volunteer from the audience had previously had implanted.

You can argue that these demonstrations are not sufficient to be concerned about RFID implants, but obviously I'm going to disagree. As a "proto-cyberpunk" writer, I make it a point to write fiction that considers worst case scenarios of the use of technology. Most of my proto-cyberpunk stories are strongly influenced by the work of science fiction author Philip K. Dick, long-deceased and the author of the novels that were turned into Blade Runner, Total Recall, Minority Report, and others. They are very dystopian, and not afraid to speculate on the "what might be" aspect of world politics (see The Man In The High Castle) and the misuse of technology.

I'm not saying that my stories equal Dick's, but they are definitely written in the same spirit. That said, I see RFID as both a blessing and a curse. I am of the staunch opinion that just because something sounds like a conspiracy theory does not make it false. RFID is unfortunately an ideal technology for both very good and very evil - quite possibly more so than any technology in history has ever been. In the wrong hands, it will be misused under the guise of self-preservation. And any proof of that possibility is something that we all need to take note of.

March 26, 2007

RFID + Security: Don't Mess With Las Vegas?

A glimpse of the TV show Las Vegas would suggest to you that security for casinos there is a high-tech, marvellous operation. Well, it just might be true. A surveillance tech company called Third Eye has a new RF-based security system, SATS (Security Alert Tracking System), based on a wristband biosensor (from SPO Medical) that monitors an employee's heart rate. If the rate suddenly increases, management is alerted by an RF signal from the wristband.

The premise is that if a casino employee's heart starts suddenly beating rapidly, they are likely under stress. This could be due to some emergency such as a robbery, or possibly because the employee is planning a theft.

RFID has some very important applications in health care, and this biosensor is no exception. But the idea that every casino employee would have to wear these wristbands, in case they just might be planning a theft, could turn into a Minority Report-like situation. The movie stars Tom Cruise and is based on the Philip K. Dick novel of the same name. The idea is that law enforcement officers can stop crimes before they start by arresting future perpetrators, based on technology that can read the latter's thoughts and determine that they will/may commit a crime.

The SPO Medical wristband in and of itself is not my issue but rather Third Eye's intended use of it by casino clients. It seems to move life into the realm of guilty until proven innocent. An odd thing for a company whose name is borrowed from a spiritual concept of the inward eye of self-enlightenment.

March 23, 2007

RFID: To Regulate Or Not To Regulate?

Lawmakers in the US and EU have been considering regulating the use of RFID in their respective districts. The European Union commissioner backed off, deciding to let the technology mature before imposing regulations.

In Washington state, RFID legislation didn't make the Floor. It sought to impose rules on how RFID would be deployed and used to collect personal data. In Wisconsin, a new bill was just passed that prohibits US currency and documents from being embedded with chips. Previously, the state passed legislation banning forced chip implants.

Implants in particular are going to be a hot law issue in the years to come. Companies like VeriChip have been trying to persuade anyone and everyone to implant, including soldiers and diabetics, and have used them on corpses during disaster recovery.

March 13, 2007

RFID Gazette - Tues Mar 13, 2007

Mobile Payments Initiative
Two organizations have launched a joint initiative for the financial services industry to enable mobile payments. They are looking at two types of payment. One would be for purchases via NFC and other contactless technology. The other would be transfer of funds between the accounts of two consumers. It should be noted that PayPal, the payments processor owned by eBay (who also own the Skype VoIP software company) already allows mobile payments through SMS text messaging.

Apple Into RFID?
Not quite. However, they have filed a patent for a wireless home networking system that uses an RFID reader. The system would assume that a variety of devices (laptop, PDA, iPod) would have an RFID tag and the network would automatically configure a network connection for it. [via RFID Update; they have a link to the patent.]

Very exciting application. I heard nothing about this until now. The drawback is that Apple technology has traditionally been very singular, with the company typically not licensing/authorizing clones. This sounds like a fascinating application, but it might only ever be used for Apple products.

If You Can't Beat 'em, Confuse 'em
So IOActive's researcher Chris Paget was told to put off his "clone RFID cards" talk at the Black Hat conference recently, based on the charge that the demonstration would violate HID Global's patents in card readers. Huh? Defeat "enemies" with confusion? I don't even know where to start with this one. The validity of this claim is questionable. Other RFID presentations did continue, however. Still, this is a bad precedent and stinks of bullying.

March 05, 2007

RFID Applications: Tiny Chips For Currency?

The tiny powder RFID chips that Hitachi recently debuted are small enough to be embedded in paper. Reading that in the York Dispatch, it triggered a thought: the US government (collectively) has long desired a way to track paper currency. Some or all American bills have had a thin strip of metal for at least a decade. (My apologies: I don't know which denominations.) But now they may have the means of embedding RFID chips into paper currency.

If you watch enough police dramas on TV like I do, you start thinking of all the times monitoring the literal flow of ransom money would have been helpful. Then there's the other side of the coin, so to speak: the Big Brother scenario, which RFID more than any other technology could support, especially if it becomes as ubiquitous as being in currency. And with RFID in powder form, the potential for abuse grows. Hopefully, that's not the case.