Tuesday, December 22, 2009

RFID Readers May Become Ubiquitous

During December’s RFID Security Alliance call, there was an open discussion on the effects of RFID readers becoming ubiquitous. This frank and useful discussion posed the following questions:

What will happen when RFID Readers become embedded in common everyday devices that a non-expert can use?

One example of RFID readers becoming embedded in a common device is the Smart Phone that many of us own today. Such speculation is not baseless and while limited to the rumor mill at this point, it seems likely that some consumer devices will start to incorporate such reader technologies in the near future. How do we know this?

On the speculative side, the rumor mills are filled with suggestions that the next generation Apple iPhone may include such technology:

http://www.appleinsider.com/articles/09/11/05/report_apple_testing_rfid_swipe_support_in_iphone_prototypes.html

http://www.tuaw.com/2009/04/15/iphone-rfid-prototype-is-very-cool/

On the more fact-based side, we know that NXP Semiconductors and others are developing combo chips that combine Cell Phone and RFID technology into single devices. While this does not mean a product will certainly be on the market with this functionality, it seems a high probability.

How might such multi-function devices be used?

There could be many uses. Speculating a little, one rationale would be to incorporate such RFID reading capability with bar code and other sensors to allow a device to read a product ID (and other information). This would then be used to locate information about the product (through the internet via the cell phone connection), possibly including price at varying local stores as well as a combination of other on-line retailers. Why? To enable a purchase from a different location than the one where you scanned the item. Motivation for purchasing elsewhere includes price, offering a value added purchase, offering related products and their improved availability or other factors (service, support, etc.). The goal would be to take a small service fee for the pleasure.

Another possible usage is to turn the iPhone into a “digital wallet” with RFID.
http://www.9to5mac.com/node/11939

What will happen when RFID Readers are available to such users?

Phones are regularly hacked (e.g. “Jailbreaking” iPhone) or increasingly targeted for unscrupulous activities (e.g. identity theft etc). It will be no different with RFID reader enabled devices and the system and tags in question. One member suggested that applications that have value will be the first ones hacked and then hackers will pick on applications that will be fun to break or for bragging rights.


The RFID Security Alliance is looking carefully at such concerns and has decided to pull together a “Best Practices” white paper to address these concerns. Any solution must address the full spectrum of threats, RF security, physical tag security, reader security etc.

Contributed by Neil Mitchell, RFIDSA Vice Chair

Wednesday, December 9, 2009

The RFIDSA's View of the RFID Marketplace

At last week’s RFID Security Alliance meeting we had open discussions about the effects of RFID readers becoming ubiquitous and the state of the RFID marketplace.

AIM Global’s RFID Connections recently spoke with Reik Read, senior analyst for Robert W. Baird & Co., about RFID and the economy. They posted this podcast at the same time the RFIDSA was meeting and it was interesting to see that there are strong overlaps between the thoughts of our members and a leading analyst. You can read/listen to Reik’s interview here: http://www.aimglobal.org/members/news/templates/template.aspx?articleid=3613&zoneid=42.

Here are the highlights from the RFID Security Alliance marketplace discussion:
• Up to 6 months ago, RFID projects were on hold but they are now starting to pick back up.
• There is a shift from exploring RFID to problem solving, i.e. automating to reduce costs, errors and staff.
• The RFID technology is now ready for prime time and the costs of tags and readers are coming down. New products are being developed that will make implementations better: i.e. readers with higher sensitivity, multi-directional tags and more security functions.
• As the role of the U.S. Food and Drug Administration changes and becomes a fully empowered agency, they will be looking at food traceability so RFID will grow.
• Ultra Wide Band is getting more traction around sensitive equipment like in hospitals.
• Several members are seeing more overseas (rather than US) activities, especially for asset tracking.

Of course, our members continue to think that security is a significant issue related to RFID. I was glad to see Reik Read highlighted it as an important issue too.

What are your thoughts about the current RFID marketplace? We invite you to add your comments.

Contributed by Joanne Kelleher, SecureRF Corporation
RFIDSA Marketing Committee

Friday, December 4, 2009

Call for Papers: The Workshop on RFID Security 2010

Here is a call for papers.
The Workshop on RFID Security 2010 (http://www.projectice.eu/rfidsec10/index.html) is the sixth edition of a series of workshops held in Graz, Malaga, Budapest and Leuven. In 2010 it will take place in Istanbul, Turkey.

The workshop focuses on approaches to solve security and data-protection issues in advanced contactless technologies like RFID. It stresses implementation aspects imposed by resource constraints.

 
Topics of the conference include but are not limited to:
  • New applications for secure RFID systems
  • Data protection and privacy-enhancing techniques for RFID
  • Cryptographic protocols for RFID
      • Authentication protocols
      • Key update mechanisms
      • Scalability issues
  • Integration of secure RFID systems
      • Middleware and security
      • Public-key Infrastructures
      • Case studies
  • Resource-efficient implementation of cryptography
      • Small-footprint hardware
      • Low-power architectures
  • Attacks on RFID systems
  • RFID security hardware e.g. RFID with PUF, RFID Trojans, .

Important Dates:
  •  April 20, 2010 Submission Deadline
  •  May 20, 2010 Notification
  •  June 1, 2010 Final Version
  •  June 8 - 10, 2010 RFIDSec Workshop

  
More details about how to submit a paper are at http://www.projectice.eu/rfidsec10/CfP/index.html.

 
Someone from SecureRF attended this event a few years ago and found it was a mix of researchers, academics and businesses.

  
Joanne C. Kelleher
RFID Security Alliance Marketing Committee

 


 

Wednesday, November 18, 2009

Speaking Opportunity in Singapore

Hello RFIDSA members,
I received an email today that the Pharmas & Biotech Supply Chain Asia 2010 conference has an open call for speakers. This conference is being held on March 17-18, 2010 in Singapore. http://www.terrapinn.com/2010/pharmascm/index.stm

The invitation said:
"Pharmas & Biotech Supply Chain Asia 2010 will address:
- Import & export regulatory compliance
- Clinical Supply Chain
- Cold chain management and supply
- Achieving Drug Safety across the entire supply chain
- Protecting Inbound Supply Chain Through Stringent Suppliers Qualification
- Managing your logistics and distribution in Asian context
- Strategising the right demand forecasting strategy to ensure speed to market and product availability
- The essential data management technologies to drive supply chain visibility and security
- Manufacturers-Suppliers-Vendors Relationship Management: Collaborating with various supply chain stakeholders to increase supply chain visibility and integration
- Establishing good supply chain practice in challenging market - India And China
- Packaging and labelling strategies to ensure regulatory compliance and product safety

We are now looking for industry leaders to share their expertise, experience and strategies on the above mentioned topics. Do you have an interesting case study to share? Interested to speak at the event?

Contact Stella Teo at +65 6322 2737 or email stella.teo@terrapinn.com to discuss your speaking opportunity at Pharma & Biotech Supply Chain Asia now!"


I don't know anything else about this event and it sounds like a "sponsored" speaking opportunity (i.e. you have to pay), but I thought I would pass it along in case anyone was interested.

Joanne Kelleher
SecureRF Corporation
RFID Security Alliance Marketing Committee

Tuesday, October 27, 2009

Australia takes the application of electronic travel documents to the next level

Since their initial rollout, RFID-enabled electronic passports have seen wide-spread adoption in the US, Europe and other countries. It is also nothing new that biometric and other data can be read off the chip by unauthorized third parties and, in some cases, also be forged.

[http://www.timesonline.co.uk/tol/news/uk/crime/article4467098.ece]

But so far, the International Civil Aviation Organization (ICAO) has always insisted that despite any potential security concerns there would never be any fully automated immigration process and that the manual inspection by the immigration officer would serve as last line of defense that cannot be easily fooled.

Now the Australian government has introduced just that: After conducting a multi-year trial, the so-called “SmartGate” system is being deployed at major Australian airports. SmartGate is a fully automated immigration procedure, involving having your passport scanned at a self-service terminal and then using an automatic immigration gate employing face recognition technology to match a live picture taken on the spot against the photo stored inside your passport.

[http://www.customs.gov.au/site/page.cfm?u=5831]

If you think about it, what’s happening in Australia is just the next logical step. After all, the purpose of introducing electronic documents is, besides added security, to automate and streamline otherwise manual processes to save both time and money. But it also highlights once again the design flaws that had security experts around the world raise concerns ever since the introduction of the electronic passport.

At this point the SmartGate system is open to citizens of Australia and New Zealand aged 18 and over only, but over time the system is expected to open up to citizens of other nations as well.

Boris Wolf
VP of Business Development and Co-Founder
NeoCatena Networks, Inc.


Friday, October 2, 2009

Message from the incoming Chairperson

As the incoming chair of the RFID Security Alliance I want to thank all of those individuals who have contributed to the success of the Security Alliance. The Alliance represents perhaps the most knowledgeable group of individuals in the RFID community who have voluntarily come together to share ideas and start a long process of providing security improvements to our technical community and to the public at large.

Given ehealth mandates, the pharma industry’s concerns over counterfeit drugs, and the food industry’s focus on tracking and tracing the perishable supply chain, RFID and RFID security issues will be more in the forefront of corporate thinking than before. The Alliance will be scheduling presentations and enlisting members to present topics that will be focused on industry wide issues during the fourth quarter 2009.

In addition, we are starting a membership drive to ask for contributions to cover the legal costs to convert the organization to a non-profit status. This status will enable the organization to qualify for federal, state and local grants for RFID security issues and research. So if you can contribute, send an email to our Secretary/Treasurer Anna Haight (a@qlmconsulting.com). In all cases your energy and expertise are greatly appreciated.



Michael McCartney
Chairperson
RFID Security Alliance

Tuesday, August 4, 2009

Feds at DefCon Alarmed After RFIDs Scanned | Threat Level | Wired.com

http://www.wired.com/threatlevel/2009/08/fed-rfid/


____________
D. Mike Ahmadi
P: (925) 413-4365
E: MikeAhmadi@mikeahmadi.com

Sent from my phone, so please forgive spelling and punctuation errors.

Friday, July 17, 2009

Reporters: Unsure of the RFID Security Facts? Contact the RFIDSA.

Contributed by Joanne C. Kelleher

Earlier this week one of my co-workers sent me a link with the comment “No surprise, but this kind of guy really irritates me.” The article, Chips in official IDs raise privacy fears, by AP National Writer Todd Lewan, appeared in several places including http://news.yahoo.com/s/ap/20090711/ap_on_bi_ge/us_chipping_america_iv. It also triggered follow up articles such as Robin Harris’ blog post on ZDnet entitled RFID passports: a tragedy waiting to happen.

I was planning to post about how much of the content was old news or technically incorrect. For example, Harris mixed up Pass Cards and Passports, which use different RFID protocols and have different security features. But Mark Roberti, editor of RFID Journal, beat me to it so I am going to refer you to his postings: AP Hack Strikes Again and Another Blogger Confuses the RFID Issue.

If any reporters wish to write about RFID security issues in the future, please contact the RFID Security Alliance and we can refer you to people who can accurately talk about the topic.

Tuesday, May 12, 2009

RFID Privacy and Data Protection Principles

Contributed by Joanne C. Kelleher

The Commission of The European Communities issued a recommendation today “on the implementation of privacy and data protection principles in applications supported by radio-frequency identification.”

Their “recommendation provides guidance to Member States on the design and operation of RFID applications in a lawful, ethical and socially and politically acceptable way, respecting the right to privacy and ensuring protection of personal data.”

Here is a summary of the recommendations:
  • Develop a framework for privacy and data protection impact assessments
  • Identify those applications that might raise information security threats then develop new schemes, or apply existing schemes, in order to demonstrate that an appropriate level of information security and protection of privacy is established in relation to the assessed risks.
  • Develop and publish a concise, accurate and easy to understand information policy for each RFID application and inform individuals of the presence of RFID readers for the application.
  • Inform individuals of the presence of RFID tags that are placed on or embedded in products in the retail trade, determine whether tags placed on or embedded in products sold to consumers through retailers by others represent a likely threat to privacy or the protection of personal data and deactivate or remove at the point of sale tags used in their application.
  • Take appropriate measures to inform and raise awareness among public authorities and companies of the potential benefits and risks associated with the use of RFID technology, especially information security and privacy aspects.
  • Stimulate and support the introduction of the ‘security and privacy by design’ principle at an early stage in the development of RFID applications.

These first two recommendations sound awfully familiar to those involved in the RFID Security Alliance. Performing risk assessments, which should cover both data protection and privacy issues, and then implementing the appropriate level of security and protection is a recommendation that we have been making since the RFIDSA’s formation. We also support designing privacy and security into the application at the beginning of the technology development process, not shoehorning it in at the end (like with DVDs).

I also found several of the Commission’s reasons behind these recommendations (the “whereas” clauses in the beginning of the document) to be right on target:

6.) Because of its potential to be both ubiquitous and practically invisible, particular attention to privacy and data protection issues is required in the deployment of RFID. Consequently, privacy and information security features should be built into RFID applications before their widespread use (principle of ‘security and privacy-by-design’).

13.) RFID application operators should take all reasonable steps to ensure that data does not relate to an identified or identifiable natural person through any means likely to be used by either the RFID application operator or any other person, unless such data is processed in compliance with the applicable principles and legal rules on data protection.

19.) An assessment of the privacy and data protection impacts carried out by the operator prior to the implementation of an RFID application will provide the information required for appropriate protective measures. Such measures will need to be monitored and reviewed throughout the lifetime of the RFID application.

22.) RFID applications with implications for the general public, such as electronic ticketing in public transport, require appropriate protective measures. RFID applications that affect individuals by processing, for example, biometric identification data or health related data, are especially critical with regard to information security and privacy and therefore require specific attention.

26.) Research and development on low-cost privacy-enhancing technologies and information security technologies is essential at Community level to promote a wider take-up of these technologies under acceptable conditions.

A full copy of the document, issued May 12, 2009, is at http://ec.europa.eu/information_society/policy/rfid/documents/recommendationonrfid2009.pdf. Also check out their RFID page at http://ec.europa.eu/information_society/policy/rfid/index_en.htm.

Thursday, April 16, 2009

Welcome to a New Security Alliance

Contributed by Joanne C. Kelleher

A new organization, the Cloud Security Alliance, is being launched next week at the RSA Conference. They plan to provide security advice to companies adopting cloud computing products.

SearchSecurity.com has an opinion piece about the challenges the new Cloud Security Alliance (CSA) will face and the RFIDSA gets a mention. The CSA is tackling 15 "Domains of Concern" and several of these items overlap with issues we face with RFID.

-------------------------------------------------------------
Cloud computing group to face challenges ahead
By Eric Ogren at SearchSecurity.com
15 Apr 2009

-snip-
"This is not the first, nor will it be the last, security alliance that was formed to get ahead of security issues that may stunt the growth of enticing new technologies. A search on "security alliances" will quickly uncover similar organizations including the Internet Security Alliance, Voice over IP Security Alliance, Document Security Alliance and Radio Frequency Identification (RFID) Security Alliance. Security practitioners are well-schooled in talking about potential security pitfalls in new technologies and in making best practices recommendations."
-snip-
Read the full piece at http://searchsecurity.techtarget.com/news/column/0,294698,sid14_gci1353872,00.html#

Saturday, April 4, 2009

Thank God For Academic Interest

I recently had the opportunity to present to a joint meeting of the American Society For Quality (ASQ) and The Institute For Supply Chain Management (ISM) on the subject of ePedigree. The title of my presentation was "ePedigree: Security As A Quality Objective" and I was joined by Bikash Chaterjee of Pharmatech Associates.

One of the attendees was Dr. Richard Dawe, an associate professor from Golden Gate University in San Francisco. He teaches about global supply chains, and he was very intrigued by my presentation. He essentially found it quite interesting that in all the discussions about ePedigree, security issues rarely get any mention.

One of Dr. Dawe's MBA students asked me to assist her with a project she is working on centered on ePedigree. I spent some time explaining the enormous security challenges with implementing ePedigree in general, and also about security challenges in the RFID "portion" of ePedigree.

What I find absolutely fascinating about discussions at this particular level (meaning the academic level) is that I find myself feeling very warmly embraced by the teachers and students. This is because I bring them information they cannot easily find through any of the organizations that claim to specialize in providing answers about ePedigree.

As I mentioned in a previous posting, organizations (like SupplyScape) are working very hard to convince companies (like pharmaceutical companies) to get "ePedigree Ready", and raising the spectre of security obviously throws a huge monkey wrench into the works. It essentially amounts to a cover up of the issues, because many of these ePedigree implementation organizations are well aware of the security issues. For those that are not aware of the issues, ignoring opportunities to become more aware is perhaps an even bigger crime.

When I explain a mere handful of the security challenges and risks associated with insecure ePedigree and RFID implementations, I consistently get the classic "eyes wide and mouth open" response from the audience, who are shocked to learn this new information. What is even better is when I show them documented evidence of what I am discussing.

I hope more academics become involved and spread the word.

Friday, April 3, 2009

Help Present a Balanced View of RFID Security

Bert Moore, Editor of AIM Global’s RFID Connections, discusses RFID security and privacy in his April 1, 2009 column titled RFID: Legislative Action.

"At some recent legislative hearings on whether to limit, regulate or restrict RFID in some way, advocates of RFID finally began to get their views heard. Why? Because many of the advocates weren't companies manufacturing or selling RFID, they were companies and agencies actively using the technology. They were able to point out to state legislators how the technology was actively benefitting citizens of the state. And their real world experiences helped put to rest some of the more outlandish claims of some privacy advocates.

At the same time, there are new concerns that some companies and governmental agencies are implementing RFID technology without giving adequate attention to the need for security and, therefore, privacy. Concerns about covert reading of ID cards and similar items must be addressed because they highlight real or potential system vulnerabilities that expose not only individuals but the entire system to unnecessary risk.

It is up to those in the RFID community -- both vendors and end users -- to be heard in legislative hearings and community forums in order to present a balanced view of the technology and point to ways in which it can be implemented securely so that it can continue to provide benefits while protecting the integrity of the system and personal privacy."

The RFID Security Alliance invites vendors and end users interested in this issue to join our organization.

Bert also goes on to announce the availability of a new technical report from the International Organization of Standards (ISO) which was based on the work of AIM Global. Publication ISO/IEC TR24729-4, Information technology - Radio frequency identification for item management - Implementation guidelines - Part 4: Tag data security is available for purchase from the AIM Global website.

I was pleased to see that this report “offers sufficient guidance to enable users or developers to assess potential risks and determine appropriate techniques to mitigate these risks.” The RFID Security Alliance encourages users and implementers to complete a risk assessment of potential RFID systems.

Thursday, February 19, 2009

RFID Security & Privacy and Search Engine Results

Contributed by Joanne C. Kelleher

Marketers know that you can track social trends by looking at search engine results for select phrases. As the director of Marketing at SecureRF Corporation, I have been tracking various key words related to radio frequency identification (RFID) for a couple of years and after seeing Mark Roberti’s latest RFID Journal blog entry I did a little more research.

Mark Roberti’s RFID Opponent Joins Ixquick.com blog entry discusses how the RFID Journal website appears as the top link in Ixquick.com with a rating of eight stars. Ixquick, a meta-search engine that uses other search engines to produce its results, dubs itself "the world's most privacy-friendly search engine." The more times a site appears at the top of search results such as Google, MSN and Yahoo, the higher a rating the site receives in Ixquick. Mark found RFID Journal’s high rating ironic because “Katherine Albrecht, founder of Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN) and an outspoken opponent of radio frequency identification—and, from time to time, of RFID Journal for its advocacy of the technology—has been placed in charge of public relations at Ixquick.com.”

In testing the phrase RFID Security (no quotes) in Ixquick I found that the blog I usually contribute to (the RFID Security blog) was ranked #2 with six stars. The RFID Security Alliance homepage (RFIDSA.com) was ranked #3 with six stars. Of the other “38 unique top-ten pages selected from at least 49,599,904 matching results” there was a mix of sites I expected, like Wikipedia and other RFID security vendors or organizations, and a few disappointments, like a seven-year-old article and a discount barcode vendor. Overall, these top results were focused on solutions to RFID security issues.

In comparison, the top result in Ixquick for the phrase RFID privacy was the Spychips site, a project of Katherine Albrecht’s CASPIAN organization. Most of the other “20 unique top-ten pages selected from at least 53,299,284 matching results” also focused on the issues and problems related to consumer privacy in the usage of RFID rather than solutions.

This trend of RFID security: solutions and RFID privacy: issues continued in Google. The phrase RFID Security currently results in about 1,060,000 Google results, a dramatic increase from about 518,000 to 626,000 pages at various times in 2008. I was pleasantly surprised to see that there are now 21 sponsored links for this phrase, including RFIDSA members Verayo and Neocatena. Until recently there were only a few paid listings for solutions to RFID security issues. In comparison, the phrase RFID currently results in over 21 million hits with 389 sponsored links and RFID privacy currently results in over 2 million hits but only 1 to 4 sponsored links (one of which was from Amazon for a book by the same name).

As the RFID Security Alliance was founded as a resource to drive market education and discussion about security and privacy issues surrounding the use of RFID technologies, solutions and applications, we can have a role in changing these trends. If your organization is interested in addressing these issues, regardless of where your website currently appears in the search engines, we invite you to join the RFIDSA - www.rfidsa.com.