Digitally enhanced passports present risk


Wednesday, April 11th, 2007

Software security firm warns RFID tags could open door to high-tech identity theft

Peter Wilson
Sun

New digitally enhanced passports might make your life easier, but they could also potentially place your personal data in the hands of cybercrooks or terrorists, according to a report issued today by international security firm McAfee Inc.

That’s because the passports — some of which are already being tested by the U.S. government — carry radio-frequency identification (RFID) tags that hold such information as the person’s name, place of origin, date of birth, photo, and digital fingerprint. They’re designed to be read on a screen by customs and immigration officials.

“You wave it in front of a scanner and it authenticates you,” said McAfee’s security research and communications manager David Marcus in an interview.

“But what if I set up a fake scanner and I query people as they’re walking by, and I’m scanning at hip level where most people keep their passports?” said Marcus.

That information could then either be used for identity theft, said the McAfee Global Threat report, or by terrorists who want to target citizens of specific countries for attack.

As well, added Marcus, the same kind of hidden scanning could be used on RFID-equipped credit cards, which allow users to pay for goods simply by waving them as they pass through a checkout point.

“Our concern is that people implement RFID in a secure manner,” said Marcus. “And most of the [RFID] stuff that we’ve looked at has been broken very easily.”

Marcus said that is because the data is largely not being encrypted, or there are other insecurities in the way it is captured.

Scammers will also be concentrating more on cellphones, said the report, because they are increasingly being used for financial transactions.

“Trends show us recently that malware writers, the bad guys, simply follow the money trail,” said Marcus. “So if you’re doing money transactions or you’re buying and selling through the cellphone, then basically they’re going to write the same kind of malware for the cellphone as they do for the PC.”

And, like the holders of RFID-enhanced passports, cellphone users who make mobile payments at vending machines or in stores could find their personal information being intercepted.

Scammers might strike at cellphone users another way, said the report, by planting malware in the phones that would send text messages to costly premium services.

As well, said the report, financial and other personal information could be gathered through the simple interception of text messages sent from cellphones.

Internet telephony services like Skype are becoming another area of concern, according to McAfee. “Skype you can use to do Internet phone calls, and you can use to call regular telephones, and you can use it for instant messaging and chat and file-sharing,” said Marcus. “So it’s very common to get lots and lots of pop-ups and lots of advertisements targeted at the Skype user. You end up getting a lot more directed advertising through that channel than you would if you were just making a phone call.”

© The Vancouver Sun 2007

 


