Though it has been proven time and again that unsecured RFID tags can be scanned with cheap, off-the-shelf technology, Wired reports on yet another instance of people being shocked when the data on their unsecured RFID-enabled cards is easily and secretly gathered.

Federal agents at the [DefCon hacker] conference got a scare on Friday when they were told they might have been caught in the sights of an RFID reader.

The reader, connected to a web camera, sniffed data from RFID-enabled ID cards and other documents carried by attendees in pockets and backpacks as they passed a table where the equipment was stationed in full view.

It was part of a security-awareness project set up by a group of security researchers and consultants to highlight privacy issues around RFID. When the reader caught an RFID chip in its sights — embedded in a company or government agency access card, for example — it grabbed data from the card, and the camera snapped the card holder’s picture.

There have been several instances where people have proved the ease of collecting data from RFID tags. Recently, Chris Paget published a video where the hacker shows how he was able to remotely scan, gather ID information, and clone “passport cards” and “enhanced driver’s licenses.”

In November, I wrote about academic researchers who detailed (pdf) security and privacy vulnerabilities in the federal government’s “passport cards” and “enhanced driver’s licenses,” which the federal government deploys in conjunction with some state motor vehicle departments.

Why is this secret data collection a problem? Wired gives one reason:

But an attacker wouldn’t need the name of a card holder to cause harm. In the case of employee access cards, a chip that contained only the employee’s card number could still be cloned to allow someone to impersonate the employee and gain access to his company or government office without knowing the employee’s name.

Learn more about RFID tags and tracking in an article in Scientific American magazine by Katherine Albrecht, How RFID Tags Could Be Used to Track Unsuspecting People.

This entry was posted on Wednesday, August 5th, 2009 and is filed under Anonymity, Identification, RFID, Security, Technology. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

Possibly related posts:

• Wired: Army Reveals Afghan Biometric ID Plan; Millions Scanned, Carded by May
• CBC (Canada): New credit cards pose security problem
• Federal Computer Week: DHS approves enhanced tribal ID cards