What drives adoption ?

I recently read the fascinating document produced by University Of Virginia student Karsten Nohl titled "Mifare Security". In this document, Karsten describes some of the issue with the Mifare RFID Security tag, and how Karsten was able to break the security. This has now raised much concern in the city of Boston, which is using such technology for their CharlieCards subway passes, as was pointed out in this article in CSO Online, as well as other articles scattered across the web.

The question I want to ask is what drives an organization, such as Boston's subway system, to adopt RFID technology for their system? Is it convenience? Does it look cool? Do they feel it will save them time and money? Does Mifare have a fantastic sales team? Do they want a more secure system? In other words, what was the ultimate OBJECTIVE of implementing an RFID solution? I am going to make the assumption that the objective was to save money (and saving time is exactly the same as saving money), and I want to know if whoever made the decision to implement the Mifare system created a Threat Model before deciding to build the infrastructure. A good model would address the question "What would it take to break the encryption of the Mifare chip?", which turns out to be about $1000. I would suspect somebody at Mifare knew this, in light of the findings of Nohl, which highlight the inherent weakness of the crypto used in the chips. If this is indeed the case, was Mifare (or whoever sold the Mifare system) forthcoming with this information? Did Mifare prepare their own Threat Model?

What is important to understand is that 100% security is simply not possible, and that is not what the objective should focus on. The objective should be focused on what level of security is required for the specific application. The Mifare technology used in the CharlieCard is perhaps more than adequate for access control in a closed environment (such as inside an office building), where it would be unlikely that someone would bother spending $1000 to crack tags so they can gain access to the executive dining room. Motivations, however, can be quite high when you can recharge subway passes and make several dollars each time you resell one of them to thousands upon thousands of users on the black market. What is even more interesting is the relatively low risk associated with the office building crack (if it happened). There is very little motivation for a cracker to attempt to "market" his crack of office access control passes to the "masses" yearning to enter a controlled area of corporate headquarters, where it is likely an intruder would be discovered anyway, due to the closed nature of the environment.

It all comes down to why you want to adopt the solution, and what risks adoption brings with it. Taking this approach is the first step.