Contributed by Joanne C. Kelleher
A new paper from researchers at the University of California, Berkeley says that consumers have misunderstandings about how RFID works and the security issues related to the technology.
The report, Where’s The Beep?: Security, Privacy, and User Misunderstandings of RFID, issued by researchers Jennifer King and Andrew McDiarmid, focused on RFID-enabled passports, transit passes, and credit cards.
The researches issued a written survey about RFID. They then interviewed nine respondents who considered themselves to have a novice or intermediate understanding of RFID and also used these 3 types of RFID products. The report shows their initial findings. I was glad to see that researchers plan to survey more consumers because I don’t think that nine people are enough to get a good, representative sample.
All subjects were accustomed to visible or audible feedback upon their RFID-enabled devices being read, and indeed universally expected it. Most were not aware that reading was possible from distances greater than a few inches, nor that chips could be read without visual or audio feedback, or for that matter, without their consent or knowledge. This finding, coupled with the lack of understanding of RFID’s always-on broadcasting, is something we intend to explore in more depth in the next phase of our project. Recognizing these features is crucial to users taking steps to mitigate risk, particularly when physical shielding is required to block RF transmissions.
Where’s The Beep?: Security, Privacy, and User Misunderstandings of RFID
It is understandable that consumers would be confused about a technology that they can’t see, that has so many variations and is explained differently by different groups. The contactless credit card industry has gone to great lengths to explain that they utilize Smart Cards, not RFID. When looking at the AmEx site for another blog entry, I found that they don’t use the term RFID and do not get into specifics about the security features of their contactless cards.
I just hope that a survey based on just nine people isn’t used to influence legislative action against RFID.