[extropy-chat] RFID smartcard passports and driver's licenses

Mike Lorrey mlorrey at yahoo.com
Thu Apr 7 23:31:28 UTC 2005

--- Dustin Wish with INDCO Networks <dwish at indco.net> wrote:

> I think we are a long way off for that anyway. There are no real
> standards set in place yet. It is at least a 20 year circle to TTM on
> these products to be mass used. You are also taking into account or
> assume that the financial databases (very closely guarded) will be
> opened to the government or hackers for use to screen. Most companies
> will not share information like that with the government. They don't
> really want them knowing how much business they are doing and to whom,
> because you can't trust the government to keep that info confidential.

The Gramm-Leach-Bliley Act indicates the government knows exactly what
information is out there. The recent hacking of the ChoicePoint
networks means that there are tens of millions of names on the loose in
the hackosphere.

As for RFID, all companies claiming RFID serial number name space have
to register a claim just as they have to for an IP address. There are
no two identical RFID numbers.

> Companies use demographics currently to help understand what their
> customers' needs are, but that is a far cry from big brother
> tracking everyone's movements nationwide. That is to assume that the
> government can develop and effectively use this technology which
> anyone who has dealt with big brother knows is full of bureaucracy
> BS and people that couldn't make it in the private sector. I don't
> know if I should be more scared of the technology or the
> unaccountable government employee using it.

The thing you are missing is that as RFID becomes ubiquitous, a hacker
doesn't need access to a database anymore to rip off your identity, it
is ALL sitting on your person in the form of chips ready to transmit
your personal information like Kitty Kelly playing a crack whore. 

Here is me, a hacker, walking by on a crowded street: BAM, I have your
driver's license/ID: I know your name, where you live, what vehicle
ratings you have (or don't have, which could indicate a criminal record
you want to keep private), your physical description, a photograph,
even your blood type. BAM: I have your passport chip, so I have your
SSN, a cross correlation with your residence address.
BAM: I can at the very least identify what credit cards you keep on
your person, your account numbers and possibly even your expiration
date. Since I already have your residential address I have a pretty
good idea of what your billing address is, and as I have your birth
date and SSN I have a good start on figuring out what your account PIN
numbers are.
BAM: I know what shoes you are wearing, what underwear you are wearing
(you ladies take note), your jacket, briefcase, and what stores you
have customer loyalty cards with.

I don't need to decrypt anything on the fly; if anything is encrypted,
I can have my home Beowulf cluster crunch on the numbers for several
weeks. BAM: I own you. I can submit what I know about you to Equifax
claiming you are applying for a job or an apartment. Now I have your
credit history. I can create fake ID that is as authentic as you are. I
can take out a mortgage in your name (have fun making the payments). I
can file a change of address/seasonal address form with the USPS, set
up a post office box in your name.

This is just ONE passerby. Walking down the street in New York, I can
rip off hundreds or thousands of people every hour. Now, you could
likely get the bank to write off the mortgage as fraud. So long as I
get the cash before that happens, I could rip off hundreds of people a
week for hundreds of thousands of dollars each.

Let's say you have a higher level of card in your pocket. Say, a Schwab
card that is secured by your stock portfolio. I only need to know you
have the card, maybe the card number. Then I call into Schwab, give the
number, and social-engineer the dumb call center worker into giving up
your password. I can now transfer stocks out of your account into
another account, then cash that account out. BAM, your whole life is
wiped out.

Are you getting that cold sinking feeling, yet?

Mike Lorrey
Vice-Chair, 2nd District, Libertarian Party of NH
"Necessity is the plea for every infringement of human freedom.
It is the argument of tyrants; it is the creed of slaves."
                                      -William Pitt (1759-1806) 
Blog: http://intlib.blogspot.com
