You may have heard about how researchers at the University of Massachusetts tested contactless Visa, MasterCard, and American Express cards by skimming sensitive data from wallets and purses with a homemade device put together from off-the-shelf parts.
Published last year and picked up by The New York Times and other media outlets, the study gave ammunition to groups like Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN) that have voiced concern about the security of RFID. (CASPIAN’s proposed RFID labeling legislation is available at www.spychips.com/right-to-know-bill.html.)
Executives of the credit-card companies responded to the study by saying that the contactless cards in circulation use a higher security standard than the cards that were tested. They also said that their cards transmit an encrypted number that can only be unlocked with a corresponding encryption key.
As the controversy underscores the importance of security in RFID design, vendors are taking different approaches to address vulnerabilities.
EncryptaKey has beta tested a portable USB thumb drive that couples a biometric fingerprint scanner with RFID and Bluetooth. The technology moves the exchange of sensitive data to the EncryptaKey portal, a highly secure data-exchange environment that can be used for point-of-sale as well as online transactions.
Certicom Corp. has launched Certicom Security for RFID Product Authentication, which prevents counterfeiting in the supply chain. Certicom is collaborating with Texas Instruments on using elliptic curve cryptography to add item-level RFID tag security to TI’s family of ISO 15693 RFID tags.
TetraGate, developed by epcSolutions, targets advanced checkpoint security. The system couples Fulcrum Biometrics’ facial recognition with RFID to verify the identity of an ID badge holder.
SkyeTek stresses that a key advantage of its embedded RFID readers is the integration of full security libraries, which bring in security features from traditional IT systems, such as built-in hashing algorithms. SkyeTek uses open standards, including AES 128- and 256-bit encryption, to secure its RFID transactions.
In announcing its 631 near-field-communication (NFC) phone, Nokia points out that the phone allows an extra layer of security: the handset can be set to release payment information only when the user expressly authorizes the transaction with a password, unlike a card or tag that can be used by whoever has it.
Other NFC phones and devices, such as those from LG, are integrating AuthenTec’s FingerLoc and EntrePad biometric readers, which incorporate TruePrint fingerprint recognition.