Credit.com, Wherever you stand, we stand by you.®

Zap! We Know Everything About You

RFID chips are making warehouses run smoothly. Could they also be used to track us?

It’s not every day that a scientist makes a discovery before the experiment has even begun. But when Thomas Heydt-Benjamin tried to test the security of a new breed of “smart” credit cards, that’s exactly what happened. Heydt-Benjamin, a third-year doctoral student in computer science at the University of Massachusetts, Amherst, aimed a simple radio transmitter at one of the cards. The transmitter was hooked to a computer, which Heydt-Benjamin planned to use to test the sophistication of code that encrypted sensitive information stored on a tiny computer chip embedded in the credit card.

He was hoping for some sport, a chance to do a little code-breaking. “What can I say?” Heydt-Benjamin says. “I’m a geek.”

But something unexpected happened. Before Heydt-Benjamin even sat down at his desk, the cardholder’s full name, card number and the card’s expiration date — everything needed to make a purchase — popped right up on the computer screen. There was no code to break, no encryption to test.

The other computer scientists and cryptologists in the lab reached for their wallets. They whipped out their credit cards and held them in front of the radio transmitter. Their names and card numbers immediately flashed onto the screen.

“We were all very surprised,” Heydt-Benjamin says. “We thought the experiment would be to break the encryption. But then we found there was no code to break at all.”

Researchers at the university began testing different methods of stealing information from the cards. Heydt-Benjamin built a radio transmitter and computer, about the size of a few stacked books, using parts he ordered from the Internet for $100. He stuffed the equipment into a cloth briefcase and boarded an elevator with a colleague. By aiming the transmitter at the other man’s back pocket, Heydt-Benjamin stole the man’s name, credit card number and expiration date before they even reached the lobby.

Using better equipment, Heydt-Benjamin says he could make a transmitter and computer the size of a pack of gum for $50. “I am mystified by the credit card companies’ decision to roll out these cards,” he says. “For the most basic information on the card, there’s no security at all.”

Heydt-Benjamin’s findings touched off a media firestorm and a publicity nightmare for credit card companies. In the past two years, Visa, Mastercard and American Express have distributed millions of credit cards with Radio Frequency Identification (RFID) tags. Each tag is a tiny computer chip, about the size of the period at the end of this sentence. The chip is a miniature memory database, the main job of which is to store information.

RFID tags have no internal battery – they’re powered only when activated by a beam of AM radio waves. A simple radio transmitter, as complicated as a crystal radio set but operating at a higher frequency, is attached to a simple computer, which receives and translates the chip’s data.

Credit card companies tout RFID-enabled cards as a convenient tool to help speed customers through checkout lines. By flashing a credit card in front of a reader, without having the card come into physical contact with a machine or forcing the customer to sign a receipt, paying with “smart” credit cards is 63 percent faster than fumbling with cash, says Rosa Alfonso, a spokeswoman for American Express. “I love it,” she says. “Now, I get frustrated when I’m in a store and they don’t have ExpressPay. It’s so much faster. And if I want a receipt I can totally get it.”

Computer experts and consumer advocates worry that Heydt-Benjamin’s experiments prove what they’ve long suspected — that RFID technology will be used to steal our privacy, defraud consumers, and possibly worse. “Major retailers have made detailed plans about how to track people using their wallets,” says Liz McIntyre, a former bank examiner for the Federal Reserve and author of the book “Spychips,” about RFID technology. “It’s happening right now.”

“If I wanted to kill you, I would sit across the street with a radio transmitter and read your credit card when you entered and exited your house,” says Jim Harper, director of information policy studies at the conservative CATO Institute. “And then I’d set up an IED [Improvised Explosive Device] to recognize you and explode when you enter your office.”

This new technology has many different possible uses, some that haven’t even been discovered yet. RFID tags already are widely used in the warehousing and supply chain industries. The federal government is implanting RFID chips in all U.S. passports, and soon all 50 states are required to start using them in all drivers’ licenses. RFID chips encased in glass are being implanted in pets to help identify them when they run away. And the technology exists to insert chips into human skin as a kind of high-tech diabetic bracelet to alert doctors about medical conditions or drug allergies.

“Right now we’re in the early stages of development and deployment of this technology,” says Jeff Oddo, spokesman for GS1 US, the nonprofit group that developed the retail barcode system and is now working to create an international protocol for how to use RFID. “I’m sure there are uses for this technology that nobody’s even thought of yet.”

A forklift revolution

Though the term “RFID” is just now becoming better known to the general public, the supply chain industry has been excited about it for almost a decade. Essentially, RFID chips are intended to do the same things as the UPC bar code, which has been in common use nationwide for 30 years: to help manufacturers, transportation companies, warehouses and retail chains ensure that goods leaving the factory actually make it to consumers.

The problem at hand is enormous. Billions of dollars worth of goods are either stolen or spoiled before being sold every year, says the Cato Institute’s Jim Harper. Most grocery stores have 15 percent of their advertised items out of stock at any given time. “That’s frustrating to consumers and it’s frustrating to the store,” says Pat Walsh, director of industry relations for the Food Marketing Institute, the trade group for major grocery chains.

But barcodes have natural limitations. One barcode applies to each type of product — all iPod minis, for example, share the same code. The barcode, thus, helps aggregate total shipments. If a truck supposedly carrying 1,000 iPods arrives at a store with only 950, the store knows instantly that there’s a problem. But other than searching the warehouse and praying to find a pile of exactly 50 iPods, there’s no way to find those same units.

By using RFID chips, however, the store can track each individual unit, not just the whole truckload. In this system, each iPod has its own RFID chip with its own unique number. If 50 units come up missing, the company can work to find those exact iPods.

Only high-value or easily stolen consumer goods — things like flat-screen TVs, iPods and razor blades — have RFID tags at this point, Jeff Oddo says. That’s because tags cost 25 to 50 cents each, and cheaper items don’t warrant the added expense. But as the technology improves and the per-tag cost decreases, industry watchers believe that more and more products will be individually marked. (Some companies are working to develop tags that can be sprayed onto clothing like spray paint, Oddo says.)

“We believe that RFID can help us better track product and provide greater consumer value,” Walsh says.

But as radio tags are placed on more and more consumer goods, what happens when the product to which they are attached is finally bought? Technology exists to de-activate the tags, but it is still in its prototype phase and too bulky to be integrated into already-cluttered checkout aisles, Oddo says.

So for the time being, millions of RFID tags are flowing out into the world, ready to be switched on by any passing radio transmitter.

Those tags could be used by corporations or thieves to track our movements, consumer advocates warn. Say for instance that a consumer buys a pair of shoes from Wal-Mart with RFID chips implanted in the soles. Wal-Mart could install RFID readers under the floor near its doorways. When they see the shoes walk back into the store the following week, a computer system could link those shoes to the customer’s entire shopping history as it appears through credit cards or customer loyalty cards. More scanners placed throughout the store could monitor the customer’s movement. Does she always go to the grocery section first? Does she comparison-shop? If she bought diapers on her last shopping trip, maybe a coupon machine in the baby aisle could display discounts on formula bottles just as she walks by.

This may sound far-fetched, but major corporations are already trying to find ways to do it. In researching her book, McIntyre discovered that IBM has filed a patent application for a computer system called “Identification And Tracking of Persons Using RFID Tagged Items.”

“Big companies like Wal-Mart and Target are talking about using it not just to track their inventory but to track people,” McIntyre says. “RFID waves can travel right through solid objects. They can travel right through your clothing without your knowledge or consent. It’s like having somebody shadow you through your entire shopping trip.”

Retail industry experts agree that the new technology could be used in this way. “Sure, if there are readers in the store, they would be able to read where all those various items are,” Walsh says. “I think there are legitimate concerns about that.”

But such a day is a long way off, partly because the tags are not yet widely distributed on consumer items, and partly because retailers haven’t figured out how best to use them yet.

“I would agree that the vision long-term is that RFID tags would be present on individual consumer items,” says Walsh. “But we’re still having the debate over the best way to use RFID as we learn more about what this technology can and cannot do.”

Some, including Oddo, believe that retailers will refrain from using RFID to track individuals because it could damage the trust between consumers and stores. Others think that even if retailers keep RFID tags intact after the item is sold, the actual risk to consumers is quite low.

“Some people, like Liz McIntyre, say, ‘Oh my God! They can put RFID between the plies of paper in a dog food bag!’” says the Cato Institute’s Harper. “Well, think about that. You buy a bag of dog food, you fill ‘Fifi’s’ bowl for a few weeks, and then you throw the bag in the garbage. Why would anybody track you down? Why would anyone care?”

Lingering questions about credit card safety

The credit companies say they’re satisfied with the security of their new cards. “We did pilot tests on millions of transactions all over the country for years before the official roll-out,” says Alfonso (spokespeople for Visa and MasterCard did not return multiple calls for this story). “We’re confident that these cards are both convenient and secure.”

Still, of the 30 cards that Heydt-Benjamin has tested so far, not one has encrypted the card number or cardholder’s name. His experiments point out a variety of weaknesses. The most obvious: By buying some basic equipment, anyone can build a radio transmitter to read credit card information. Industry representatives say this is not a major concern, since cards must be within two to four centimeters of the in-store card readers to be scanned. “Trust me, sometimes I get really annoyed when I’m, like, two inches away from the thing and it still can’t read the card,” Alfonso says.

But just because the in-store readers are low-powered doesn’t mean that a transmitter built by an identity thief would be. “Some transmitters can read RFID chips from 50 feet away,” says David Molnar, an RFID researcher at University of California, Berkeley.

And scanning the card itself isn’t the only way to steal its information. Transmitters also can be rigged to eavesdrop on the communication between the credit card and the in-store scanner. “Either way you do it, it’s still really easy from a technical point of view,” Molnar says.

The other way to steal credit card information is the old-fashioned way, by breaking into the database that contains the RFID chip codes. This could happen through the computers of companies that process credit card transactions — a hacker accessed five million Visa and MasterCard accounts this way in 2003, for example, while in 2005 a breach at CardSystems International exposed 40 million cardholders to the risk of identity theft.

“Anytime you create a database, you create another target for people who want to steal information,” Molnar says.

The credit card companies respond that consumers don’t need to worry about fraud because they’re only held liable for $50 if their cards are stolen and used fraudulently. The companies have sophisticated computer systems constantly searching transaction records for anything that seems out of place. Also, most touchless RFID transactions are limited to a maximum of $25 each. Bigger transactions require a customer signature.

Nevertheless, McIntyre and co-author Katherine Albrecht, who are famous in the retail industry for their activism against RFID technology, have called on the credit card companies to recall all cards with RFID and replace them with traditional cards. So far, the companies have refused.

“We have sophisticated fraud monitoring techniques in place,” Alfonso says. “Bottom line, our technology works.”

Who will watch the government watching you?

One key finding of the 9/11 Commission report was that it was far too easy for the Sept. 11 hijackers to obtain documentation to enter the United States legally. Congress responded with three initiatives to make the process of obtaining legal identification more difficult. All three involve RFID technology.

First, Congress directed the State Department to implement biometric identifiers on passports. The intent was to speed up lines at customs checkpoints and thwart passport forgery. (Although information policy expert Jim Harper doubts whether forgery was ever much of a problem. After all, the Sept. 11 hijackers all entered the U.S. legally, he points out.)

The State Department began attempting to implement RFID technology, and the first generation of RFID chips tested by the department was a disaster during its trial run, Harper says, because researchers discovered how easy it was for unauthorized radio transmitters to steal information from them.

So a number of safety precautions were implemented. The chips were coded with stronger encryption, Harper says. Wire mesh was added to each passport pamphlet to repel radio waves, provided that the pamphlet is closed. And instead of scanning the chips from a distance, now each passport is physically inserted into a reading machine.

A State Department spokesman, who declined to be interviewed on the record for this story, says that the new passport chips are secure, and keep data much better protected than the chips used in credit cards.

But others wonder what the point of all this effort is. If there never was a widespread problem with passport forgery, then the only remaining advantage of RFID chips was speed. But even with the new chips, passports still must be swiped through a reader, which is just as slow as the old system. “They spent millions on this, and they’re no better off than they were before,” Harper says.

The State Department also is using RFID chips in its new “Passport Light” program. A Passport Light is designed to be used by Americans traveling to countries where a full passport isn’t required, including Canada, Mexico and Costa Rica. The cards resemble drivers’ licenses, with the cardholder’s name, address, photo and a separate Passport Light ID number. All this information is included in an RFID chip, which is intended to speed lines at border crossings.

But critics see problems with this system, too. In some places, motorists will hold their Passport Light cards in the windshield of their cars as they approach the border so that agents can scan their identification 10 seconds before the vehicle arrives at the gate. But someone just across the border could eavesdrop on these signals and steal the information, possibly for later use in smuggling operations. “The transmitter would have to be pretty high-powered, but that’s not particularly difficult or expensive to do,” says Molnar.

In other places, travelers standing in a border control office will hold their cards aloft to be scanned before they reach the desk. This is meant to speed the system. But is there any way to assure that the traveler who scans his card is actually the next person in line? “This is a recipe for confusion,” Harper says. “They’re creating more problems for themselves than they actually solve.”

Finally, Congress passed the Real ID Act last year to create a nationally standardized identification card for all citizens and residents. “American citizens have the right to know who is in their country, that people are who they say they are, and that the name on the driver’s license is the real holder’s name, not some alias,” Congressman James Sensenbrenner, R-Wisc., said from the floor of the House of Representatives in May, 2005, just before the bill passed.

But many technology experts and consumer advocates worry that Real ID cards could make it easy for the government to track citizens’ movements. The problem is not in the traditional use of drivers’ licenses, which police officers and others check to make sure someone is who they say they are. It’s that each time a Real ID card is scanned to check someone’s identity, that scan will be stored indefinitely in a database that also records where that person was at exactly what time.

“It turns what traditionally has been an identification confirmation into a record keeping event,” Harper says. “That can be used by the government to track you. If they figure out the code, it could also be used by criminals.”

An enterprising government agency or private company could also install what techies call a “sorting door,” a doorway rigged with RFID transmitters. The transmitters, each set to a different frequency, could blast each person going through the door with radio waves. One would search for the person’s Real ID, another for credit cards, another for the RFID tag implanted in her sweater or jeans. The data could be instantly collated to create a massive file of information on each person, to be used for good or ill.

“You could read everything. You could really take someone’s life apart,” Molnar says. “The cost of readers is dropping. That could be very easily done.”

Small actions now = Big compromise later

Even the strongest critics of RFID as it is currently being implemented believe that the technology could become tremendously useful. Jim Harper, whose worst fears include the possibility of RFID chips being used as bomb triggers to execute people, says the technology is best used in moderation, largely by supply chain businesses looking to track goods. “A lot of privacy advocates are rich white folks who don’t care if they can save money,” Wilson says. “But to most people, saving nickels and quarters is a big deal. RFID can help reduce loss and spoilage, which over time will save retailers billions of dollars, which they can pass onto consumers.”

And the researcher who sparked the recent panic over RFID chips worries that consumer advocates might sink the technology entirely by overstating the risks. “I’m actually very excited about RFID technology,” Heydt-Benjamin says. “When you buy a sweater with an RFID chip, you would like to know that your movements are not being tracked. But if you’re using good security techniques, there shouldn’t be any problem.”

But for those concerned about possible misuse of RFID, the time to get involved in the fight is now. GS1 US and its international partner, EPC Global, are in the middle of writing the protocols for how these chips should be used. And large corporations like Wal-Mart are stepping gingerly into the RFID field, says Pat Walsh, because they don’t want customers to worry about being spied upon. Industry representatives and technology experts say that a small group of concerned consumers could have an outsized impact on retail policy for decades to come.

“When your margins are as thin as Wal-Mart’s, losing one percent of your customers because they’re concerned about RFID means the difference between losing money and making a profit,” Harper says. “If just a small number of consumers steps up and says, ‘You must do this, you may not do that,’ the big companies are going to do it.”

Things you can do:


  • Write a letter to the national retail stores where you shop, such as Wal-Mart, Target or K-Mart, and tell them that you don’t want active RFID chips coming home with you in the goods you buy. Send a copy of the letter to the people who are writing the RFID standards right now:
    GS1 US
    1009 Lenox Drive
    Suite 202
    Lawrenceville, New Jersey 08648
  • Try holding your credit card up to a bright light so you can see through the card. If you see a tiny dark dot connected to a wire that wraps around the edge of the card, send it back and request a new card without an RFID chip. Then write a letter to the company’s president, and maybe your Congressman, demanding stricter security on RFID cards.
  • Concerned that a product you’ve bought has an RFID chip embedded in it? Take it back to the store and demand an exchange. Or, try cutting it off. Or, try messing with the retailers by swapping your iPod with a friend.
