A balanced perspective on RFID
1. Security, RFID and Consumers
RFID Security, Theory and Practice
mr. dr. Bart Schermer
RFID Platform Nederland

2. About me
• Secretary RFID Platform Nederland
• Privacy specialist at ECP.NL
• Partner at Considerati
• Assistant professor at the University of Leiden (faculty of law)

3. Board RFID Nederland

4. RFID Nederland
“Stimulating the uptake of RFID technology and ensuring its responsible use”
• Market initiative
• 50 participants
• www.rfidnederland.nl
• www.watisrfid.nl

5. Business drivers for RFID
Realtime insight into business processes increases:
• Efficiency
• Security
• Customer loyalty

6. Why are these similar?
Source: ADT Tyco

7. Opposing views...

8. RFID and the Public Opinion

9. RFID vulnerabilities
• Skimming / eavesdropping
• Weak crypto
• Tag reader authentication

10. Security risks
• Access to data on the chip (including possible keys)
• Access to associated databases
• Access to communication between tag and reader
• Attack vector for databases (e.g. viruses, SQL injection)
• Cloning (!!!!)
• Possibility to follow / track and trace people

11. “Big Brother is watching you!”

12. Privacy risks
• Due to its invisible nature RFID can be used to surreptitiously gather personal data.
• Companies can use this information to profile and classify customers
• Companies can use this information to follow and track consumers throughout their daily lives
• Companies can use invasive Minority Report style advertising

13. The role of privacy
• Information is power
• (Personal) data is used to profile and classify consumers
• Privacy is a means to maintain ‘economic equality’ between companies and consumers
• Consumers (should) have a say in the processing of their personal data

14. EU Privacy Law
• Data Protection Directive (95/46/EC)
• Telecom Privacy Directive (2002/58/EC)

15. EU Privacy Law
• Surreptitious gathering of personal data is a violation of the Data Protection Directive (95/46/EC).
• Using personal data for other purposes than those for which they have been gathered is a violation of the Data Protection Directive.
• Surreptitiously monitoring and following people is a criminal offence (and where it is not, it should be).
• Targeted advertising without prior permission from consumers is a violation of the Data Protection Directive and the Telecom Privacy Directive (2002/58/EC).

16. Example I: OV chipkaart
• Mifare Classic (subscriptions etc.) / Mifare Ultralight (day tickets)
• Hack Plotz & Nohl (reverse engineering -> skimming -> cloning)
• Hack Radboud I (Mifare Ultralight) (skimming -> cloning)
• Dutch Data Protection Authority warns GVB, NS
• Hack Radboud II (Mifare Classic) (cryptanalysis -> skimming -> cloning)
• Press coverage differs from the facts
• NXP (wrongfully) bashed for providing an insecure chip
• Security through obscurity worked for 13 years...
See also: https://ovchip.cs.ru.nl/Event_history

17. Example II: retail

18. Privacy or security?

19. Incident driven response...
• Consumer backlash (boycott) against technology
• Motion to cancel the OV chipkaart
• EU Recommendation on RFID & Privacy:
  - Mandatory privacy impact assessment
  - Opt-in for retail environment

20. Observations
• Emphasis on technology instead of application
• Security issues and privacy issues are often confused
• Business reality can differ from security reality
  - security through obscurity may make sense for a business
  - cost/risk analysis is leading, not 100% security
• Solutions are currently viewed as either/or (e.g. opt-in for retail)
• There is no integrated approach towards security and privacy

21. The right tool for the job
• 100% security is not always the most optimal economic decision
• RFID should not be the only security measure
• Focus on the problem, not the technology
• What tool is most effective?

22. Suggestions
• Clear(er) distinction between privacy and security
  - strengthen overall system security
  - create tools to enhance privacy (privacy by design, PETs)
  - create tools to effectuate legal safeguards (consumer in control)
• Security experts must educate businesses, consumers, policymakers and politicians (in English please)
• Security, business processes, and legal safeguards must strengthen each other
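One way to act on slides 10, 16, 21 and 22 together: once a Mifare card has been skimmed and cloned, the tag itself can no longer be trusted, but the back-end still can check whether a card's check-ins are physically possible. The following is an added example, not code from the slides, from the OV chipkaart operators or from NXP; the station codes, minimum travel times, card UIDs and log lines are all constructed for illustration.

```python
"""Back-end detection of cloned transit cards via impossible-travel checks.
Added example (not from the slides). All stations, times and UIDs are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: minimum feasible travel time in minutes between station pairs.
# A card checking in at both ends faster than this is being used in two places.
MIN_TRAVEL_MIN = {
    frozenset({"AMS", "RTD"}): 35,
    frozenset({"AMS", "UTR"}): 25,
    frozenset({"RTD", "UTR"}): 35,
}
SAME_STATION_REUSE_MIN = 1  # two check-ins at one station within a minute is also suspicious


def parse_log(lines):
    """Parse constructed 'ISO-timestamp,card_uid,station,event' lines, sorted by time."""
    events = []
    for line in lines:
        ts, uid, station, event = line.strip().split(",")
        events.append((datetime.fromisoformat(ts), uid, station, event))
    return sorted(events)


def find_impossible_travel(events):
    """Return {uid: [(prev_ts, prev_station, ts, station), ...]} for infeasible check-in pairs.
    Unknown station pairs get a floor of 0 minutes and are therefore never flagged."""
    last_seen = {}
    alerts = defaultdict(list)
    for ts, uid, station, event in events:
        if event != "checkin":
            continue
        if uid in last_seen:
            prev_ts, prev_station = last_seen[uid]
            gap_min = (ts - prev_ts) / timedelta(minutes=1)
            if prev_station == station:
                floor = SAME_STATION_REUSE_MIN
            else:
                floor = MIN_TRAVEL_MIN.get(frozenset({prev_station, station}), 0)
            if gap_min < floor:
                alerts[uid].append((prev_ts, prev_station, ts, station))
        last_seen[uid] = (ts, station)
    return dict(alerts)


# Constructed sample log: card 04AABBCC checks in at AMS and 10 minutes later at RTD,
# below the 35-minute floor, so a second copy of the card is likely in circulation.
SAMPLE_LOG = [
    "2008-03-01T08:00:00,04AABBCC,AMS,checkin",
    "2008-03-01T08:10:00,04AABBCC,RTD,checkin",
    "2008-03-01T08:05:00,04DDEEFF,AMS,checkin",
    "2008-03-01T08:50:00,04DDEEFF,RTD,checkin",
]

if __name__ == "__main__":
    for uid, hits in find_impossible_travel(parse_log(SAMPLE_LOG)).items():
        for t1, s1, t2, s2 in hits:
            print(f"{uid}: {s1} at {t1:%H:%M} then {s2} at {t2:%H:%M} (infeasible)")
```

The check only needs the back-end log, so it works regardless of which chip generation is in the card; a flagged UID can then be blocked or sent for manual review.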
23. The way forward
Companies should:
• Use RFID in a responsible manner
• Provide benefits not only to themselves, but also to consumers
• Provide openness and transparency about the use of RFID
• Provide a truly free choice for consumers
Government should:
• Create tools for the protection of privacy (PETs, RFID guardians, logo system)
• Place the consumer in control
• Monitor possible shifts in the balance of power, and correct where necessary
Security experts and researchers should:
• Try to translate their work into proper English (e.g. Jip and Janneke)
• ...Keep up the good work

24. Bart Schermer
ECP.NL / RFID Platform Nederland
Overgoo 11
2260 AG Leidschendam
070-4190309
bart.schermer@ecp.nl
“RFID will have a greater impact on our society than the Internet has had” -- Prof. Cor Molenaar, chairman of RFID Nederland
Questions?