Friday, December 7, 2012

Is The BulletTrain SAFE Wallet RFID Safe? Separating The Fact From The Fiction



Is The BulletTrain SAFE Wallet RFID Safe?
Separating The Fact From The Fiction

Several people have asked me if the BulletTrain SAFE Wallet is RFID safe? This is a fairly complex issue, that is clearly a coin with two sides. I have invested a great deal of time doing research on the issue, and I have concluded that RFID theft is likely an urban myth, perpetuated by people who wish to benefit from driving consumers by their fear, so they can sell them RFID safe wallets.

Basically, RFID identity theft is like Bigfoot or the Lock Ness Monster. Many people have heard about it, but nobody has ever actually seen it.

I am completely open-minded, and if you have information that refutes this conclusion, by all means post a comment on this post.



Background

First a little background. RFID is the acronym for Radio Frequency Identification. RFID is a technology that embeds a super-small microchip in to a small vehicle like a credit card that can be read with an RFID Reader. Credit Cards with RFID can typically only be read from within 4 inches or less from an RFID reader

RFID chips can be embedded in many different types of objects, ranging from pre-paid public transit cards, to clothing. RFID chips are sometimes referred to as and RFID transponder, because the chip typically has read/write memory and an antenna.

There are two types of RFID chips, or tags. The first is known as active RFID because it has its own power source, and they typically can be read from greater ranges. The second type which are passive tags lack any power. A passive RFID tag is temporarily activated by Radio Frequency generated by RFID readers. A typical example of this would be a credit card sized device used to open doors by swiping it past an RFID reader.

RFID tags are also used today as an alternative to bar code readers since RFID tags don't require and unobstructed line-of-sight between the reader and the tag. This helps in supply chain management in places like a store, where readers can easily keep track of inventory on store shelves, instead of having humans have to manually scan barcodes. 

RFID tags are used today keeping track of all kinds of things, including injectable ID chips for tracking wildlife, and keeping inventory for livestock.



NFC-The New Kid In Town

The newest form of RFID that everbody is talking about is called Near Field Communication which is commonly referred to in its abbreviated acronym form as NFC. NFC is based upon a set of standards for smartphones and other devices which uses two-way radio communication between devices, which is typically achieved by bumping or touching them together, or positioning them in close proximity, which is typically less than an inch.

NFC is based upon a standard protocol that defines data exchange formats, and is based upon RFID standards including ISO/IEC 14443 and FeliCa. The NFC Forum which governs NFC protocols today has more than 150 members and was founded in 2004 by Nokia, Philips and Sony. NFC typically operates within a distance of 4 inches or less, and typically requires little power to operate.

NFC differs from traditional RFID systems because it allows two-way communication between endpoints. RFID systems like contactless smart cards only allowed one way communication.

NFC embedded devices are being used today in contactless mobile payment systems in place of credit cards and electronic tickets. Google Wallet is a good example of this technology which allows people to store credit card and loyalty card info virtually, and they use NFC enabled terminals that also accept credit cards. I took the photo of one of these terminals recently, which I saw in Walgreens in San Francisco.



Apple has not yet adopted and does not support NFC. NFC is becoming increasingly popular throughout Europe, India and Japan.

NFC can ride piggyback and work in conjunction with Wi-Fi and Bluetooth protocols, which allows some smartphones to transfer data and music to each other. Essentially, the transaction begins with an NFC handshake, then gets switch to pier-to-pier Bluetooth or Wi-Fi. NFC is also being used with one tap to setup a handshake between two NFC-enabled devices to facilitate paring Bluetooth speakers or headsets, as well as pairing a smartphone with a TV, so the phone can broadcast its screen to the TV. NFC can even be used in multiplayer gaming on smartphones. NFC is an ideal solution because it avoids the confusion, complexity and typical hassles that come with pairing devices.

NFC supports encryption, so it is typically safer than old-fashioned RFID, which is what began this controversy this article addresses.



Controversy

RFID technology is controversial due to the fact that people believe RFID chips can easily be cloned or used for other nefarious purposes. 

In the early days of RFID, it was not nearly as secure as it is today. RFID as a term first appeared in 1983 in a patent issued to Charles Walton. In 1995 RFID was first described in a wallet paying patent. 

In 2004, Nokia, Philips and Sondy established the Near Field Communication (NFC) Forum, and in 2006 Nokia was the first to offer an NFC enabled phone. It was not until 2009, that the NFC Forum published Peer-to-Peer communications that could piggyback on Wi-Fi and BlueTooth.




RFID Safe Wallets

There are merchants who sell "RFID" blocking wallets, meaning the chips cannot be read because there is a metal substrate inside the wallet that supposedly blocks the chip from transmitting or being read. The most common substrate used in these RFID blocking wallets is aluminum.

There are videos on the web that warn that a person with an RFID scanner can rub up against you, and instantly scan your card and get your credit card number, expiration date and 3 number security code. But is this a real threat?

I did a lot of investigating into this subject and was not able to find any evidence that it exists today in 2013. I have yet to meet a person who has their identity compromised with or by this supposed technology.

The reason this is significant, is when I designed the BulletTrain SAFE Wallet, I thought it would be a benefit to be able to swipe your BulletTrain SAFE Wallet with an RFID card in it, without having to open and remove your RFID card. Specific examples of the benefit of this would be with being able to swipe a public transportation card, like a Clipper Card, in San Francisco. Plus, there is something James Bond cool-like about just swiping your BulletTrain SAFE Wallet and gaining entry through a door.




So are RFID cards safe? According to Consumer Reports, as of 2011 the number of contactless RFID cards in circulation in the U.S. is only 3.5% of the total debit and credit cards in use, and thus they do not represent a significant target to lure criminals, particularly since traditional magnetic strip cards are so much more easily counterfeited. In other words, it is approximately 30 times more likely somebody will record the magnetic stripe on your card and clone it, than try to scan your RFID card.

Consumer Reports said in 2011: "The Smart Card Alliance, an industry group, maintains that contactless card technology deployed by American Express, Discover, MasterCard, and Visa is secure and that there have been no reports of consumers being victimized. American Express says its contactless cards do not reveal the card account number, and that was the case in the demonstration we observed."

Consumer Reports continues: "Shields or wallets marketed as RFID-blocking devices can make it more difficult for someone with an electronic reader to read your cards, but they don’t entirely block transmission of card data. When Recursion’s security experts tested 10 types of shields and wallets currently being sold to protect contactless cards, they found that none blocked the signal completely, and there was dramatic variability even among samples of the same brand. Using a different approach, Recursion’s experts created a credit-card-sized jamming device for the wallet that prevents cards from responding to any reader."

"Our reporter offered her own homemade shield constructed of duct tape and lined with aluminium foil. It provided better protection than eight of the 10 commercial products, including a stainless-steel “RFID blocking” wallet selling online for about $60."


Consumer Reports concludes" "Bottom line. Until contactless-card security is improved or better protective devices are widely available, consumers can ask for cards that are not RFID-enabled, a request that at least some major card issuers say they will honor."


So the real question is whether or not the Smart Card Alliance is telling the truth when they say there have been no reports of consumers being victimized? I see no reason why they would lie. If it was a serious issue, the credit card companies would not issue RFID or NFC cards. 

From the research I have conducted, it seems like an urban myth, like Bigfoot or The Lochness Monster. Everybody talks about them and is familiar with them, but like the tooth ferry, they don't exist. 

Ironically, the whole RFID Protection Scam Notion is a scam itself for unethical companies to take advantage of consumer fear to sell them something they don't need–kind of like offering people clear plastic vinyl to protect and cover their furniture. In other words its like having to hire a bodyguard to protect you from your bodyguard. It just doesn't make any real sense (pun intended ;-).

As I suggested earlier, if you have information that refutes this, please leave a comment.

7 comments:

If You Enjoy The BulletBlog by JAKEe Be Certain To Check Out Jake's Other Blogs: