How Secure is your RFID Solution?

— April 01, 2008

One day not too long ago, I brought the supply chain to an end for a multi-billion dollar organization. I cut the RFID tag out of a pair of new jeans.

There was no label on the tag to identify it as an RFID tag. It was not in a readily noticeable location. But there it was, a piece of white fabric two inches square and attached to a seam. All it had printed on it was a dotted line and the words "Cut Here." But cut what?

As an information security and privacy professional, I understand the implications of RFID tags for individuals and organizational supply chains. But would a consumer unfamiliar with RFID tags really cut it off just because it says "Cut Here?" It would be comparable to the individual who picks up the phone because the caller ID says "Pick Up" even though it displays an unknown number. (Admit it, you've picked up at least one of these calls, it's human nature.)

If you're unfamiliar with RFID technology, or are not as familiar with it as you'd like to be, download a free copy of the National Institute of Standards and Technology (NIST) Special Publication 800-98, Guidelines for Securing Radio Frequency Identification (RFID) Systems (RFID-2007.pdf).

You will learn the components that make up an RFID-enabled supply chain and how to properly deploy RFID technology in your organization. You will also be provided with an introduction to how an organization's RFID use can affect the privacy of individual consumers.

RFID technology has many uses beyond supply chain management, including access control to facilities (or your car) and automated payment, among others. No matter the specific RFID implementation deployed, it is imperative to understand the security and privacy ramifications of the technology.

Does your company care if someone copies the data contained in an RFID tag and then uses the copied data to make fraudulent purchases? How about unauthorized individuals entering a secure facility with a copy of a legitimate access badge that belongs to an employee? The actual employee would never know her RFID tag data had been compromised. Data can be copied off an RFID tag without having physical ownership of the device. Would potential customers modify their purchases if they knew that they could be personally tracked by the RFID tag your company placed on a product?

Do not simply deploy an RFID solution based on marketing materials. Conduct your own due diligence and address security and privacy aspects of RFID use.

From a supply chain perspective, RFID tags may one day effectively "self-destruct" by rendering the data contained therein unusable. Until then, don't forget to "Cut Here."

Ben Halpert, CISSP, is an information security researcher and practitioner and writes monthly about security. Comments, questions and requests can be sent to him at; please include SECURITY in the subject line.

