Software // Information Management
Commentary
10/19/2004
09:12 PM
Commentary
Commentary
Commentary
Connect Directly
RSS
E-Mail
50%
50%

SmartAdvice: Write IT Plan For Nonprofit That Incorporates Values

Measure the value of IT to a nonprofit in a plan with definable standards, The Advisory Council says. Also, plan around security concerns when implementing RFID; and protect confidential HR information the same way as other company data.

Question B: What security issues do we need to consider in using RFID?

Our advice: Most engineers, especially those involved in the design of cutting-edge technology, fail to appreciate that malicious hackers and high-tech criminals are the largest group of early adopters on the face of the planet. Their goals as early adopters are clear and well understood--find the flaws and exploit them when legitimate users roll out the technology. Somehow this message, one that reverberates throughout the global hacker community, never seems to be heard by the engineering community. Typical engineers, it appears, are incapable of thinking like crooks when analyzing the potential ways their designs and products may be maliciously manipulated. As a result, users are constantly challenged to make the best of a bad situation when it comes to implementing emerging technology in a secure manner, a problem which could have easily been mitigated in the early stages of the design process, had it been considered. Radio-frequency identification is no exception.

RFID Pointers
Over the next decade RFID will change our world with respect to asset management, inventory tracking, retail point-of-sale, and access control. In the long run, the impact will be positive. In the short term, there will be some serious bumps in the road. If you're considering investing in this technology, here are some key points you need to consider:

Related Links

Metro Opens "Store of the Future"

RFID PC Handheld Reader

RFDump



There are two types of RFID tags when it comes to cost: cheap and expensive. As you would imagine, the cheap tags have the majority of security flaws, while the expensive tags, those that support point-to-point encryption (ISO 14443 / DESFire) and a PKI key exchange, are the ones less likely to be maliciously manipulated.

Unfortunately, cheap tags rule the day in today's deployments, hence the problem at hand--a problem that pivots on four critical issues: First, RFID tag content, content that might include an electronic product code (EPC) or price, can be modified in the field. Second, cheap tags can be read and modified by hand-held devices such as a PDA equipped with a $220 compact-flash RFID read/write plug-in. Third, the hacker community already has embraced and is distributing free software with this capability. Fourth, the entire RFID use process is open to exploitation. Combine these factors and you have a crime waiting to happen.

Crimes Waiting To Happen
The most obvious crime is a new form of shoplifting, where the EPC codes are changed to indicate a lower-price item, and then paid for at an automated self-service checkout. Another, less-obvious problem, that requires no modification to the tag, is one where your competitor surreptitiously scans your merchandize to catalog what's on your shelves. On a similar tangent, rumors within law enforcement have reported that hijackers of cargo trucks are already using RFID readers to help determine which shipping pallets are worth stealing. Another is a form of denial of service, where EPC tag data is changed to random data, forcing a time-consuming manual inventory to correct the problem. But most serious is the opportunity for a criminal to get close to a person and use a hidden RFID reader to capture the content of the person's access-control badge. Minor effort is required to duplicate the content given the tools that exist, providing the criminal with the ability to circumvent physical access controls if the RFID badge is the only requirement for authorized access.

As mentioned previously, RFID has enormous future potential, but those implementing this technology need to realize that the hackers and criminals of the world see the same potential in the short term, only from a different perspective.

-- Bill Spernow

Previous
2 of 3
Next
Comment  | 
Print  | 
More Insights
The Agile Archive
The Agile Archive
When it comes to managing data, donít look at backup and archiving systems as burdens and cost centers. A well-designed archive can enhance data protection and restores, ease search and e-discovery efforts, and save money by intelligently moving data from expensive primary storage systems.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest - August 20, 2014
CIOs need people who know the ins and outs of cloud software stacks and security, and, most of all, can break through cultural resistance.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.