Beware of eavesdroppers with RFID Technology

If you are thinking of implementing radio frequency identification (RFID) technology within your organisation and have yet to think about the security implications, you could be treading on dangerous ground.

Issuing this warning was John O'Leary, director of education at CSI.

He pointed out that RFID involves the access of information wirelessly, and thus should be subjected to the same concerns associated with other types of wireless technologies.

This is even more crucial as the usage of RFID technology extends into more areas such as air ticketing, toll collection, physical access control, electronic article surveillance, animal identification, and even waste disposal, he said.

"RFID chips, in the billions, will generate mountains of information. How do we protect the information? What do we share with trading partners? And what do we do with all the RFID chips we generate?" he asked rhetorically.

Business rules will be needed to manage and direct the flood of information, he added. RFID technology is also liable to malfunction or subject to misuse, so organisations have to prepare to handle such problems should they arise.

For instance, people with malicious intent could use immobilisers to disrupt delivery fleets, causing damage to the organisation.

However, O'Leary felt that privacy is one of the greatest sources of concern when using RFID technology. Privacy has to do with "protecting the information that's collected and stored on a RFID tag", as the fact that it is transmitted in an "open beam mode" to receivers makes it subject to interception, he said.

Encrypting the data transmitted could be one of the ways to prevent outsiders from accessing the information. If the information is not sensitive, then there is nothing to worry about, he said.

However, if "it's specific information that differentiates you, or something that the disclosure of which could be a problem for you, then you should protect, preferably with encryption," O'Leary said.

One would have to balance the cost of encryption, infrastructure, and operation against the value of the information that is being protected as well.

If there is information to be protected, who then should be in charge?

"The business manager responsible for the application for which RFID is being implemented must be involved in the discussion of protecting RFID data and its metadata. Likewise, the information security manager must be involved in selecting the methods to secure what the business manager deems necessary to secure," said O'Leary.

Users should be aware that as one goes into the technology and uses it more and more, he or she becomes dependent on not only the technology's availability, but also its integrity, he said.

Users definitely have to start thinking about security as well, if RFID implementation is on the cards, as organisations could have to bear the consequences of regulatory and legal infringements if they fail to adequately protect information.

"You don't want to be made a business case study of how to do it wrong," O'Leary quipped.