Washington State Passes RFID Anti-Skimming Law

There's some really good news about identity theft. The legislators in the State of Washington are keeping up with new technologies. During the last week of March 2008, ComputerWorld Magazine reported:

"Washington Gov. Chris Gregoire this week signed a bill making it a Class C felony to use radio frequency identification (RFID) technology to spy on someone. The bill was signed about a week after the Washington State Senate unanimously passed Bill 1031, which makes it a crime to intentionally scan people's IDs remotely without their knowledge and consent, for the purpose of fraud, identity theft or some other illegal purpose. The bill specifically cites RFID and facial recognition technology. Violators face a prison sentence of up to 10 years. In addition, if the illegally gathered data is used in a separate crime, up to 10 years could be added to whatever sentence violators receive for the second crime."

Why is HB 1031 important? First, according to the Seattle Times:

"The Senate took out an 'opt in' provision that would have made it illegal for any company or person to slip an RFID chip into objects such as loyalty cards or cellphones without consumer consent, said state Rep. Jeff Morris, D-Anacortes, the bill's sponsor. "This is a technology that the consumer is clearly unaware of unless it's pointed out to them," he said."

In other words, it is difficult to impossible for the average consumer to look at a credit card and tell if it is a standard card or an RFID card. When I've discussed RFID cards with most people, 99 out of 100 are  unaware of the RFID technology and its associated data security issues. Some type of legislation is sensible and appropriate. Plus, consumers need notification from card issuers.

Second, other federal legislation requires states to use RFID technology in identification cards. In Washington, HB 2729 governs the use of RFID in driver's licenses:

"As a state with many travelers who cross the border frequently, Washington has become a test bed for RFID. It's one of four states that have signed agreements with the U.S. Department of Homeland Security to use RFID technology in optional-enhanced driver's licenses that became available in January."

Third, most states do not have any laws about skimming for identity theft. So, criminals can steal identity data from RFID cards via skimming today with little risk. Fourth, there needs to be some type of coordination across countries because identity theft skimming poses risks for travelers.

If this situation is scary and unacceptable to you, I encourage you to write to your elected officials.

California Senate Votes For Anti-Skimming Bill (RFID)

The InformationWeek blog reported:

"The California State Senate voted to make it a crime to skim information stored on RFID tags. The Senate voted 36 to 3 to pass the bill, introduced by State Sen. Joe Simitian (D-Palo Alto). The bill, SB 31, goes to the California State Assembly."

The sentiment of the proposed law is nice, but I wonder how it will actually prevent skimming. The law makes it clear what the penalties are for skimmers who are caught, but as with most identity theft thieves seem to never get caught. Hence, the popularity of this crime.

Want to learn more about RFID and identity theft? Start here.

The New U.S. Passports (RFID)

In a prior post, I discussed the new RFID technology and its data security and privacy issues. There is an excellent Los Angeles Times article which questions just how secure the U.S. State Department's new RFID passports are. Here's how the new U.S. passports work:

"The chip on your passport stores your name, gender, birth date and place; your passport number, its issue and expiration dates; and a digital version of your ID photo. It broadcasts this data when its antenna is activated by signals from a government reader at a border crossing. The security of this broadcast is the crux of the debate. The State Department says the chip's range is about 4 inches and that it cannot be read when the passport book is fully closed. But with the right equipment, early critics said, people several feet away or more could secretly access the data and use it to identify Americans, track their movements and steal their personal information. The chip could also be copied or altered to make phony passports..."

To respond to the threat, the State Department modified its new passports:

• "To block radio signals, it put metallic material in the passport's front cover and spine.
• To thwart eavesdropping, it placed a cryptographic key on the printed data page that must be read by an optical scanner to unlock the chip's data. (Officials note Social Security number and address are not on the chip.)
• To prevent tracking, it installed a "randomized unique identification" system that presents a different ID to a reader each time the chip is accessed.
• To counter fraud, it installed a digital signature that flags chips that have been altered."

Are the new passports 100% safe? Nobody knows. I hope that these identity protection measures work. There's an awful lot at stake.

Satisified With RFID Skimming Protection (Product Review)

A couple weeks ago, I purchased online the Armadillo Dollar "skimming" shield product. I ordered two shields and both arrived in separate business-size envelopes within a larger U.S.P.S. Express Mail package. Each envelope included a shield and instructions. That makes it easy to give the second shield as a gift.

I opened one envelope and read the instructions, which were clear and simple. The instructions said that you could place the Armadillo Dollar product in your wallet to protect multiple RFID cards, often referred to as "smart cards" or contact-less credit cards. I folded one Armadillo Dollar product in half, placed two contact-less smart cards inside, and then placed the bundle in my pants pocket. I don't want to open my wallet every time I need to use one of my RFID cards. I planned to test Armadillo Dollar the next day on the way to work.

One the way to work the next morning, I pulled the Armadillo Dollar and my RFID cards out of my pocket and waived them near an RFID reader at a Boston MBTA station entrance. Nothing happened: the turnstile did not open. The RFID reader was unable to penetrate the Armadillo Dollar shield. Great! Then, I removed my MBTA Charlie Card by itself and waved it by the station's reader. The turnstile opened as usual.

At work, I repeated this process at the the downtown-Boston office where I work. Employees use RFID badges to access both the building elevators and individual company offices. As expected, the RFID reader was unable to penetrate the Armadillo Dollar shield. I then removed my employee badge by itself and waved it the RFID reader. The turnstile opened as expected.

While this isn't a scientific test, it is good enough for me. The product works as advertised... RFID readers couldn't penetrate the Armadillo Dollar shield. Wisteria House fulfilled my product order as requested, and applied the product discount as promised. I am satisfied since I now have some identity protection for my RFID cards. When I receive my new RFID U.S. Passport, I'll repeat this test with the Armadillo Dollar shield.

Want to learn more? This video provides some background about RFID or smart cards and "skimming"... how an identity thieve can clone a smart card:

Want to learn more? Read this New York Times article about no-swipe credit cards, or this C/Net Review about contact-less credit cards. You can also visit the Smart Card Alliance, armadillodollar.com, or the National Envelope web sites.

[Author's note: you can rely on I've Been Mugged for independent product reviews. The I've Been Mugged blog is wholly independent, and is not affiliated with any identity theft or identity protection products. Nor do we accept any advertising or payments from manufacturers of identity theft products or services.]

New Wireless Identity Protection Product: Armadillo Dollar

Many of us already have Radio Frequency Identification (RFID) cards in our wallets or purses. You have an RFID card if it's a card that you wave near (about 2 inches) a wall- or table-mounted reader. RFID cards are supposedly easier to use because the RFID card and the RFID reader don't have to physically touch. They just have to be close enough -- a few inches -- for the reader to access the information stored on the RFID card. Some credit cards, debit cards, and store charge cards are RFID cards.

I have two RFID cards. One is the security badge to enter the office building and my employer's offices. The second is my Charlie Card to ride Boston's MBTA mass-transit system. When I worked in London in 2004, my Tube pass was an RFID card.

While I realize that RFID is here to stay, I am not wildly excited about the technology because it's security gaps are well known, and are dependent upon the issuer properly encrypting the sensitive personal data stored on each RFID card. Identity thieves can use a portable RFID reader to collect personal data from unsuspecting RFID cardholders: a process called a "skimming." The thieves can then create, use, and sell duplicate, bogus RFID cards. And, it's almost impossible for the average user to know when an identity thief has used a skimmer to steal your personal data from an RFID card.

With this in mind, I was curious to read this TrustedID blog post:

"Armadillo Dollar, a new product created by Wisteria House Products, offers protection against this new wireless identity theft and RFID monitoring. Users place the product in their wallet, and it blocks the transmission of sensitive private information from RFID (Radio Frequency Identification) enabled debit/credit cards or employee badges. The user can move around undetected by RFID readers, and wireless identity thieves."

If you want to learn more about the RFID technology, read the RFID Journal, the RFID blog, or visit armadillodollar.com. I haven't yet tried the Armadillo Dollar product, so I can't speak to how effective it is. If any I've Been Mugged readers already use the product, please share your experiences.