Date: April 2, 2011
Time: 11:00 a.m. – 1:00 p.m. PDT, 2:00 p.m. – 4:00 p.m. EDT
Attendees: Albert Gareev, Alexander Lipski, Deb Amigun, Justin Byers, Lanessa Hunter, Linda Rehme, Michael Larsen, Phil Kirkham, Scott Seltzer, Shmuel Gershon, Timothy Western
In today’s session, we examined a news report that demonstrated the potential risk of new RFID technology built into some credit cards and other documents. While this technology is certainly convenient (just touching the card to a reader can complete a transaction), it also raises the potential for devices to be created that could steal the information housed in those cards. Such a device can be easily reproduced with a reader you can buy on eBay for $5, a netbook computer, and downloadable software.
Our mission was to explore the feature (RFID access) and the ways it is used. The discussion today also centered on defining the potential and actual risks, and how we could effectively mitigate those risks in our testing.
We determined what was considered appropriate and desired use, meaning use that benefits the customers, and what was considered unwanted use, such as the potential for the feature to be used for identity theft.
Several ideas were considered, including some suggestions in the original video piece (video link here). We tried to reverse engineer the technology to determine the steps in the process and which of those steps were more vulnerable to fraudulent use, and we discussed various test ideas. We also discussed ways to show the reality of the threat and, at the same time, test ideas and approaches that could mitigate the risk of a fraudulent user getting access to the data.
Full chat transcript can be viewed here.