"There's a reason you don't wear your Social Security number across your T-shirt," Albrecht says, "and beaming out your new, national RFID number in a 30-foot radius would be far worse."

There are no federal laws against the surreptitious skimming of Americans' RFID numbers, so it won't be long before people seek to profit from this, says Bruce Schneier, an author and chief security officer at BT, the British telecommunications operator.

Data brokers that compile computer dossiers on millions of individuals from public records, credit applications and other sources "will certainly maintain databases of RFID numbers and associated people," he says. "They'd do a disservice to their stockholders if they didn't."

Or put simply, everyone knows that this is scary beyond reason and we need to do something now BEFORE it's a problem.

Here is some more information from the source article:

In its October 2005 Federal Register notice, the State Department reassured Americans that the e-passport's chip — the ISO 14443 tag — would emit radio waves only within a 4-inch radius, making it tougher to hack.

Technologists in Israel and England, however, soon found otherwise. In May 2006, at the University of Tel Aviv, researchers cobbled together $110 worth of parts from hobbyists kits and directly skimmed an encrypted tag from several feet away. At the University of Cambridge, a student showed that a transmission between an e-passport and a legitimate reader could be intercepted from 160 feet.

The article also mentions a video that shows the results of his experiment. I was able to find it HERE.

Apparently, someone had enough money to spread around to get a law passed in California forcing dog owners to have their pets chipped. Though no one's sure why, at least one pet has died due the procedure. The sad part is that the owner was against the chipping, but was faced with fines and jail time if she didn't. Here's the full write-up from the Spychips newsletter:

===================================================

For Immediate Release
February 3, 2009

Dog Bleeds to Death After "Routine" Microchip Implant Procedure
Grieving owner calls for an end to mandatory microchipping in Los
Angeles

A fluffy bundle of life, love, and enthusiasm named Charlie Brown was
laid to rest last week, the victim of a microchip implant gone horribly
wrong. The long-haired, purebred Chihuahua bled to death in the arms of
his distraught owners, Lori and Ed Ginsberg of Agua Dulce, California,
just hours after undergoing the controversial chipping procedure.

"I wasn't in favor of getting Charlie chipped, but it was the law," said
Lori Ginsberg, citing a Los Angeles county ordinance that requires all
dog owners to chip their dogs once they reach four months of age. Dog
owners who refuse to comply face a $250 fine for the first offense and
up to six months in jail for continued non-compliance. "This technology
is supposedly so great until it's your animal that dies," she said. "I
can't believe Charlie is gone. I'm just beside myself."

Dr. Reid Loken, the board certified veterinarian who performed the
chipping, confirmed on Friday that Charlie died from blood loss
associated with the microchip. He cited "an extreme amount of bleeding"
from the "little hole in the skin where the [microchip implant] needle
went in" as the cause of death. He said he was both saddened and puzzled
by Charlie's death.

"I just don't know what happened to him. We put the chip in the back in
the shoulder blades, the standard place where we put them, and there
really aren't any major blood vessels in that area," he said. "I don't
think it went in too deep; it was a pretty routine chipping."

Dr. Loken suspected the needle may have nicked the muscle around the
scapula, causing blood to ooze from the muscle. However, his efforts to
stem the bleeding with pressure bandages were unsuccessful. The bleeding
could not be attributed to a congenital clotting problem, he said, since
Charlie had undergone a neutering and tooth extraction without incident
just weeks before.

Charlie's owners were devastated by the loss. "Charlie loved to play and
cuddle. He brought so much joy and life to our home," said Lori. "We
loved him and took such good care of him. He meant everything to us."

The Ginsbergs were quick to absolve Dr. Loken of responsibility for
Charlie's death. "He's a great vet and this was not his fault. The real
blame is with the people who forced us to implant our dog against our
better judgment," they said.

The Ginsbergs plan to petition the Los Angeles County Board of
Supervisors to repeal the mandatory chipping law, and have sought the
help of prominent consumer privacy advocate Dr. Katherine Albrecht.
Albrecht is a Harvard-trained researcher who has authored a definitive
academic paper citing literature that links microchips with cancer in
dogs as well as laboratory animals. She has also authored an exhaustive,
47-page FAQ on microchip implants.

Albrecht cites other adverse reactions stemming from microchips in the
past. In one case, a struggling kitten died instantly when a microchip
was accidentally injected into its brain stem. In another, a cat was
paralyzed when an implant entered its spinal column. The implants have
been widely reported to migrate within animals' bodies, and can cause
abscesses and infection. In at least two documented cases, dogs have
developed cancerous tumors surrounding or adjacent to microchip
implants.

"Tragedies like what happened to Charlie Brown are probably more common
than we like to think," said Albrecht. "But it takes courageous people
like the Ginsbergs to come forward and talk about it."

Albrecht and the Ginsbergs are calling for a repeal of all mandatory
animal chipping laws nationwide, and for the creation of a national
registry to document adverse reactions from the chipping procedure.

"It's horrible to live in a country where your choices are being take
away and you don't get to make decisions about your family and your life
anymore," said Lori Ginsberg. "Politicians should not take away my right
to do what I thought was best for my pet."

For The Media:
Lori and Ed Ginsberg have agreed to speak to the media to help raise
awareness of the dangers of pet chipping. They can be contacted at:
CharlieBrownMemorial@yahoo.com

Pictures of adorable Charlie Brown are available for press and blogging
use at:
http://www.katherinealbrecht.com/images/stories/charlie%20brown%
20003.jpg
http://www.katherinealbrecht.com/images/stories/charlie%20brown%
20004.jpg
http://www.katherinealbrecht.com/images/stories/charlie%20brown%20for%
20first%20christmas%20003.jpg
http://www.katherinealbrecht.com/images/stories/charlie%20brown%20for%
20first%20christmas%20005.jpg

Dr. Katherine Albrecht can be contacted at kma@spychips.com or (877)
287-5854, ext 1.
Her microchip implant FAQ and cancer study can be found online at
www.antichips.com
Further information about Dr. Albrecht can be found at
www.katherinealbrecht.com

Information on the Los Angeles Country chipping ordinance can be found
at:
http://www.laanimalservices.com/PDF/medical/lacounty_ordinance.pdf

Live Radio Interview Today
The Ginsbergs will be joining Dr. Katherine Albrecht on her live,
syndicated radio program today to discuss microchip implants and
Charlie's tragic death. The segment will air from 4:00-6:00 PM Eastern
time on "The Dr. Katherine Albrecht Show." The show broadcasts daily on
the Genesis Communications Network, and can be heard live at:
http://gcnlive.com/Listen_Live.html (Click "Stream 2")

The Ginsberg interview will be archived as a downloadable MP3 file on
Dr. Albrecht's website at:
http://www.katherinealbrecht.com (Click "archives")

# # #

=====================================================================
ABOUT CASPIAN

CASPIAN (Consumers Against Supermarket Privacy Invasion and Numbering) is a grass-roots consumer group fighting retail surveillance schemes since 1999 and irresponsible RFID use since 2002. With thousands of members in all 50 U.S. states and over 30 countries worldwide, CASPIAN seeks to educate consumers about marketing strategies that invade their
privacy and encourage privacy-conscious shopping habits across the retail spectrum.

http://www.spychips.com/
http://www.antichips.com/
http://www.nocards.org/

You're welcome to duplicate and distribute this message to others who
may find it of interest.

=====================================================================

To subscribe or unsubscribe to the Caspian-newsletter-l mailing list, click
the following link or copy and paste it into your browser:
http://mailman.nocards.org/mailman/listinfo/caspian-newsletter-l

If you have difficulty with the web-based interface, you may also
subscribe or unsubscribe via email by writing to:
admin@nocards.org

=====================================================================

Using inexpensive off-the-shelf components, an information security expert has built a mobile platform that can clone large numbers of the unique electronic identifiers used in US passport cards and next generation drivers licenses.

The $250 proof-of-concept device – which researcher Chris Paget built in his spare time – operates out of his vehicle and contains everything needed to sniff and then clone RFID, or radio frequency identification, tags. During a recent 20-minute drive in downtown San Francisco, it successfully copied the RFID tags of two passport cards without the knowledge of their owners.

So he cheaply proved that you can not only clone RFID passports, but you can do it secretly, at great distance, while moving.

Wouldn't it be nice if they thought about the security risks BEFORE putting a wireless chip in the passports?

The Hacker's Choice, a non-commercial group of computer security experts, has released a video showing a cloned passport being approved by a security scanner at a Dutch airport. When the reader scans the passport it is revealed to belong to one Elvis Aaron Presley, complete with picture.

RFID is not ready. Every country that has tried to use it for identification has failed and miserable.

(H/T to Slashdot for the link)

When will people ever learn?

The optional license will include a picture and radio frequency identification tag that can be scanned to verify a person's identity. The tag will not contain any personal information – only an assigned number, authorities said.

How reassuring. So they won't be able to take my data from it, but they'll be able to clone it and frame me or just use the unique ID to track me remotely. But they're going to be passing out sleeves that prevent it from being read remotely without your authorization. So if you don't find it bulky and actaully use it, you'll be partially protected until it's time to pull it out to be read or if someone gets a few seconds alone with your wallet to pull it out and clone it.

(H/T to Slashdot for the link)

The website includes very loose information about what makes this chip so "uncloneable", but I highly doubt that it's true. An RFID chip is read by radio waves and as long as you can make a chip, computer, or anything else that transmits replicate the signal that the original chip did, you can clone it.

If they mean that you can't make one of these chips copy the data from another of these chips, I can see that as being possible, but what difference does that make in the end if I can use a different brand chip to open your secure door or travel the world in your name?

Katherine Albrecht has written has written an article for Scientific American that everyone should read. For those who don't already know her, she's the leader of CASPIAN and one of the world's foremost experts on RFID privacy issues.

Here is a mini summary of some of the major points:

• Companies intend to replace barcodes with RFID
• Unlike barcodes which identify a product type (i.e. a can of soda), RFID will identify an INDIVIDUAL product (i.e. can of coke #48377625376)
• RFID tags can be read secretly from long distances (30 or more feet).
• RFID tags in licenses have minimal security (and even passports that have more security have been hacked already many times)
• IBM filed a patent that was granted in 2006 for a system of scanners at “shopping malls, airports, train stations, bus stations, elevators, trains, airplanes, restrooms, sports arenas, libraries, theaters, [and] mu­­se­­ums?? to track the movements of people by their RFID tags
• Alton Towers (an English amusement park) issues RFID wristbands to visitors and tracks their movements through the park. While they use it to create a keepsake "where you went" map for their customers, they prove that the system works in practice

RFID misuse has been one of my top issues for a long time and it's important that everyone realize the danger they pose and support preemptive legislation to prevent RFID privacy invasion.

This is hardly surprising. The wireless toll systems use RFID and there isn't an RFID system yet that hasn't been hacked that I know of. Anyway, by cloning anyone's transponder, you can pass through the tolls while the other sucker pays the bill. Also useful for committing crimes in someone else's name.

(H/T to Slashdot for the link)

So much for "Fakeproof". Of course, anyone who knows about RFID and the way they work could see this coming.

A great report has just been released by Consumers Against Supermarket Privacy Invasion and Numbering - CASPIAN. It's 47 pages of frequently asked questions along with detailed, well researched responses to each.

From their press release:

The report reveals how news outlets like Time Magazine, Business Week, and the RFID Journal were used as unwitting pawns in a VeriChip scheme to spread misinformation about the cancer studies. Since research linking the product to cancer first surfaced last year, each of these publications has repeated misstatements from VeriChip company executives, in many cases printing the inaccurate statements verbatim and unchallenged.

Good thing non-profit companies are watching or else this sort of skulduggery would go unnoticed.

This should be interesting. If China didn't take some serious precautions when implementing RFID for their tickets, we should be hearing any day now about people who remotely cloned someone else's ticket and got into the game denying access to the others.

Or, since passport information is stored on the ticket as well, someone with a scanner can find anyone from a given country should they wish to target someone based on their nationality. Let's see what happens.

(H/T to Slashdot for the link)

Lovely.

Customers in shopping centres are having their every move tracked by a new type of surveillance that listens in on the whisperings of their mobile phones.

The main point here is that business are highly interested in knowing everything they possibly can about you. The more then know, the more they can manipulate.

Just wait until everything we're carrying has an RFID chip in it. That will make their jobs so much easier.

(H/T to Slashdot for the link)

As part of a social experiment, attendees at a hacker conference in July will be issued badges with electronic tracking devices. Large displays will show in real-time where people go, with whom they associate, for how long and how often.

Hopefully after seeing how easy it is to tag and track someone with RFID, people will become more aware of what a dangerous technology this could be if we don't pass strong privacy regulations to prevent their misuse.

(H/T to Slashdot for the link)

Well flipping duh.

Most newly issued passports carry an embedded RFID containing digitally signed biometric information. Access to this chip is wireless, which introduces a security risk, the possibility that an attacker might be able to access data on a person’s passport without the owner knowing.

It's this reason that putting RFID in passports was such a stupid idea to begin with. Put wireless into any system that protects private information and watch the world come crashing down around you.

I'm not saying that it's impossible to secure a system using wireless, but it takes a whole hell of a lot more effort that was put into the passports system.

Anyway, now that someone has proven this is viable, those fears that someone can just scan a crowd and find the Americans to target have been entirely validated.

In what was a colossally stupid decision, the US put RFID chips in passports. Oh wait, this article is about the outsourcing! Right.

In what was another colossally stupid decision, the US is now outsourcing the production of RFID passports.

A university has hacked the encryption of an RFID chip maker who's contactless smartcard applications include fare collection, loyalty cards, and access control cards.

Washington state passed an anti-RFID law that's unfortunately far weaker than it should be.

The Washington legislation outlaws the use of RFID "spy technologies" to collect consumer information without the owner's consent. The only problem is, heavy corporate lobbying narrowed the scope of the law (before Governor Gregoire signed it) to cover only criminal acts such as fraud, identity theft, or "some other illegal purpose" (making it a Class C felony to do so). Collecting information from consumer RFID chips for marketing purposes in Washington—with or without the owner's consent or even knowledge—is still fair game.

Oh well. I suppose it's a start.

Caspian just released a paper documenting the research showing the causal link between RFID implants and cancer in lab animals. The reason they issued this report is because of the recent news press about the issue. They wrote and issued this report because "a lot of misinformation about the cancer research has circulated since [the original cancer research] was published". Damage control by Verichip perhaps?

In almost all cases, the malignant tumors, typically sarcomas, arose at the site of the implants and grew to surround and fully encase the devices.

That's not subtle is it? Neither is this:

Either VeriChip and the makers of HomeAgain actually don't understand the difference between a benign fibroma and a malignant fibrosarcoma," noted Dr. Albrecht, "or they're deliberately lying to the public. Either way, it's clear they can't be trusted. We hope our new report will set the record straight.

Check out the "Recent Industry Misstatements about Implant-Cancer Research" section near the bottom of the page for specific examples of lies/ignorance told by chip makers and CASPIAN's factual rebuttals.

Nothing like treating people like animals to be tagged and tracked. Of course, it's much easier to start by tracking kids because they don't have much choice in the matter and when they grow up, they'll be less resistant to the practice. Enter surveillance society…

But let's not get ahead of ourselves. They portray the tests as successful, but as Bruce Schneier points out, "So now it's easy to cut class; just ask someone to carry your shirt around the building while you're elsewhere."

Or how about, "it's easy to get someone you hate in trouble by wearing their uniform for a few minutes while vandalizing the teacher's lounge."

Or "We had no idea that constantly bombarding students with radio frequencies in closed spaces during their formative years would lead to these kinds of mutations! Mrs. Johnson, you can't honestly expect us to pay to have Timmy's third arm removed can you?"

I love how companies start implementing RFID without any thought to the consequences.

Because Walmart isn't addressing the privacy concerns with rfid, I can't help but cheer when I hear their efforts to get RFID into all their products has failed.

Wal-Mart's change of plan demonstrates the need for retailers and suppliers alike to tread carefully with RFID. As retailers such as Best Buy have observed, widespread adoption is still years, not months, away. At the same time, some of the greatest benefits may not be in applications first thought to be ripe for the technology, such as automating distribution centers. Instead, retailers are finding early gains closer to the sales floor, where they are using RFID to track consumer buying patterns and ensure products are on shelves in time for promotions.

It used to be that Walmart's market power was so high that they could force anything they wanted, but I guess that's starting to slip a little.

(H/T to Slashdot for the link)