Is my RFID paranoia warranted?

vote-for17vote-against
vote-for6vote-against

Your paranoia is indeed warranted. Here's the website of a friend of mine (Major Malfunction, aka Adam Laurie).

http://www.rfidiot.org/

Don't even get me started. I went out of my way to get my passport done and over before they switched to the new implanted ones. I have plenty of friends who've put them in the microwave. Yes, it hurts the RFID. Yes, you can still use the passport as a passport.

I'll try and check for which sleeve my friends recommend for your stuff.

vote-for2vote-against

@catbertthegreat: Here's my very most favorite bit from last year's Defcon:

http://www.wired.com/threatlevel/2009/08/fed-rfid/

http://seclists.org/bugtraq/2009/Aug/112

[Edit] Which credit card? Don't tell me the bank (google sees all, for one). I just mean, is it Visa, MC, Amex, or Discover?

vote-for3vote-against

What's this RFID? Is it that gold chippy thing that was on my student ID from 8 years ago?

vote-for3vote-against

@shrdlu: I remember the Wired article when they posted it. Also, the website you posted to me in the first post linked me to ID Stronghold, which I found to have the best price. A deal shall soon appear...

vote-for2vote-against

@catbertthegreat: Oh oh oh. ID Stronghold is an excellent choice. Adam Laurie is a fun guy. You'd like him.

vote-for2vote-against

@sgoman5674: Gold chippy thing? Not if it was visible, no. Here's a really BAD YouTube on some fun.

http://www.youtube.com/watch?v=ca5GklXlppY

Not the presentation itself, but the video is sketchy is all. Adam Laurie is the one talking.

[Edit] Warning. This video is LONG. It appears to be the full presentation that Adam Laurie did at Defcon. It's informative, but go get a beer or something if you mean to sit all the way through it.

vote-for2vote-against

@shrdlu: It's late. I'll watch it at work tomorrow.

vote-for2vote-against

Long as we're chatting, my favorite Adam Laurie moment ever was when some guy at Shmoocon was showing how he had an RFID implanted in the back of his hand so that only he could log into his laptop. Adam cloned it, and used the clone to authenticate. Then he offered to reprogram the chip that was in the guy's hand. Lucky for the guy, he was just joking.

Oh, lord. Is just everything on line now? Here's the video for you.

http://video.google.com/videoplay?docid=-1866201665047516046#

I don't know when Beetle quits talking in this, but it's really worth watching, so stick with it.

vote-for6vote-against

@shrdlu: Nice videos, thanks for those.

Okay, posted the sleeves as deals.
Passport Sleeve:
http://deals.woot.com/deals/details/39201721-de3f-4245-b696-4467acb5308f/protect-your-identity-secure-sleeve-for-passports-rfid-blocking-sleeves#0

Credit Card Sleeve:
http://deals.woot.com/deals/details/904acd77-c62a-491f-8154-b4c82de8927a/protect-your-identity-secure-sleeves-for-id-payment-cards-rfid-blocking-s

It should be noted that when rfidiot.org tested these sleeves they found they blocked the ability to read the RFID chips in credit cards and passports, but not certain other cards that transmit on a slightly higher frequency.

vote-for1vote-against

@catbertthegreat: So, you didn't answer my question, about which card.

Visa, MC, Amex, or Discover? Don't tell me the bank. Bad juju for you to say that here.

vote-for2vote-against

@catbertthegreat: Good. Amex would be better (but I don't think they have RFID cards either). I have sent that kind of card back, and insisted on one without it. That's just me. Crazy.

vote-for1vote-against

The passport I'd be concerned about, the credit card, who cares?

If someone were to skim/clone your credit card number what's the worst that can happen? You get some fraudulent charges on your account, you report them as fraudulent, get a new card and go on with your life. Credit card fraud is really not a big deal.

If someone were to clone your passport, then you've got real problems. I would shield or disable that thing as soon as I got it.

vote-for3vote-against

@ruadog well i had some fraudulent charges on my card which i disputed and then when i tried to buy a house it showed the dispute on my credit report so i had to write a letter explaining what happened before i could get credit. so it isn't just la-dee-dah, someone stole my info, nothing is different, it can still cause annoyance and headaches. (what if they put the chip in check cards? what if you don't check your account constantly (i do) and they take the money, and you have to wait for it to get put back, or you get overdraft fees?)

vote-for2vote-against

@shrdlu: The one on Youtube is the same thing as the one you posted on google videos.

vote-for2vote-against

@sgoman5674: Sorry about the link being a dupe (although the Google one is much less choppy). I thought it was a link to Major cloning the chip in the guy's hand. I'll have to go looking for that one, because the look on the guy's face when Adam offers to reprogram his implanted chip is, well, priceless. Truly.

vote-for1vote-against

I work with RFID every day and while the application for supply chain management, warehousing, retail, etc. is useful, the notion of our financial/personal information being potentially exposed is a bit concerning. I don't see why any legitimate organization would utilize a credit card number as the ID for the tag; the tag ID should be separate and reference a database for the credit card info. This way, if someone were to intercept the tag ID, the credit card number would be safely stored in the database and a tag ID would be the only thing compromised. Same goes for personal information (SSN, etc.) on passport IDs.

vote-for2vote-against

@curseofagony: Please read the information on rfidiot.org (I suspect that it might be eye opening).

vote-for1vote-against

@shrdlu: thanks, I did before I posted my original statement and it doesn't really change my opinion or view.. by and large the application of RFID occurs in retail and logistics.. go ahead and scan/clone my container tags, big whoop.. useless data unless you have access to our container management suite, random numbers/characters otherwise. When implemented properly, it's a useful tool for automating certain tasks (verifying passports could be one of those tasks). When not implemented properly, people who can take advantage, will.. same as anyone who sets up a home network without securing it. I suspect tag and reader technology will advance over the next few years to a point where our concerns will be addressed.

vote-for1vote-against

@curseofagony: Oh, I see what you're talking about now. Sure, if you are using this for inventory tracking, then it's just fine and dandy, and a decent use of it. I have friends with LARGE datacenters, and they use it for equipment (it's a lot easier to deal with on large racks of computers than some crazy sticker you need a magnifying glass just to read).

On the other hand, putting this same data in something like a credit card or passport is just begging for trouble (and watching the feds' faces as the stuff in their wallets started showing up on the screen at Defcon was TRULY wonderful). A technology that is useful and good in one place can provide for disaster when used elsewhere. BTDT.

[Edit] I see your statement about trusting the tech to catch up, and address privacy concerns. I'll be betting against you on this one (encryption on the tag is a no go, just for starters).

vote-for2vote-against

@andycool22 - I've had several fraudulent charges to my accounts and never had it show up on a credit report. At least for me, it really has been la-dee-dah every time. If you're not looking at your statement when it arrives each month then you get what you deserve.

As for the check card, that's why I call and lower the limits so no one can clear out the account.

vote-for1vote-against

I work for the State of Michigan in the Sec of State office, and our new Enhanced Licenses, which are required for travel to Canada, Mexico or the Caribbean without a passport, have RFID chips. The chips only transmit an alphanumeric string that, when entered into the Homeland Security database, pulls up the driver's photo and information. If anyone else were to access the transmission it would be useless to them.

vote-for1vote-against

@ruadog: If you are speaking of a debit card, you have ABSOLUTELY NO PROTECTIONS on this, other than what your bank pretends to give you. The laws on credit cards do not apply to the laws concerning your bank account. If that card is compromised, your account can be emptied, and continue to lose money (since you have overdraft protection, kindly given to you by that same bank), and this can go on for months. I've seen this happen.

Here's a brief summary (and it's recent):

http://www.creditnet.com/credit-news/credit-cards-may-offer-more-protection-than-debit-19545642.php

vote-for2vote-against

@shrdlu - You are correct. That is one reason I don't like debit cards and keep very low transaction limits on the one I do have.

Care to explain how it could go on for months? Once you get a statement and detect it, wouldn't canceling the card or getting a new account take care of that?

vote-for1vote-against

@ruadog: You asked how you could lose money for months...

While most banks will attempt to do the right thing, there is nothing legal to compel them to do so. Consider that you have overdraft. It is possible that, sooner or later, you can get much of the money back, but your credit will be ruined, you have the potential of bounced checks and other unpleasantness, and so on.

The worst documented cases (and no, sorry, I'm not going to post it here, considering that Google indexes anything on Deals in SECONDS) have been at major banks, and have involved losses extending into $30,000 in at least one case.

While I'm thinking about it, it's also a good reason not to write a check to a stranger. It's child's play to take those routing and account numbers, and run off new checks on a home printer, using the same bank stock as normal checks come on, but with completely different name, address and etc. Use your VISA/MC/AMEX instead.

vote-for3vote-against

@ruadog: Dang it. You changed your response while I was answering. Unless you CLOSE your bank account, this fraud can continue (not sure about how quickly getting a different debit card would help, but that should actually be fast, as you would expect). You are obviously more savvy than the average person when it comes to your money. Most are not. In addition, all those dings to your account before you notice something's gone wrong are still going to be a problem.

BTW, I like credit unions better than regular banks, and note that they are much more likely to work with you, and to be quicker to catch fraudulent activity.

vote-for3vote-against

@shrdlu: Did you see this article yet? I found it over at regular woot.com.

http://iphonetheif.blogspot.com/2010/01/iphone-theif-bust.html

It's pretty cool/funny/fascinating.

vote-for1vote-against

@sgoman5674: Interesting. Yeah, people just don't realize that stealing phones might backfire. When my daughter had a phone stolen, I had ALL the charges for calls made after it was stolen reversed to the people that were called. Oh, big surprise to them, I'm sure. I don't think that's an available feature to everyone, but I was still happy to do it. In addition, the phone was turned off within three hours of her telling me it was gone.

See, the iPhone guy should have had the phone disabled. Feh. What do I know? Besides, that was AT&T, not my particular favorite on customer service in any case.

Really very interesting though. Thanks for sharing it.

vote-for1vote-against

The passport I have no idea about, but you should not worry one bit about the credit card. For the RFIDs in credit cards to be read, the reader has to be damn near touching the card, so the idea of skimming your information from a distance is really not possible.

vote-for1vote-against

@jyanez: I beg to differ on your assumptions about credit cards. I've seen them read out of back pockets, through the wallet and jeans.

vote-for2vote-against

@jyanez: You should still be worried about credit card RFID. If an "old school" pickpocket can slip a wallet out of your pants without you realizing, then it would be trivial for a modern RFID thief to get a reader within the few inches they need to steal the data wirelessly. Never underestimate the creativity of a sufficiently motivated criminal.

vote-for1vote-against

@ruadog: I used to agree with you about the credit cards... who cares.. but a new show just did a 'sting' with RFID cards and how easy it is to 'steal' the info.

Did you know the RFID does not just have your card number and pin on it but your billing address and security information as well? When scanned the thief gets A LOT more off your card than just the number.....

I personally refuse to use RFID, I was unaware they are in the new passports as I am waiting for one in the mail as I type..... drats.