Updated 8/8 to clarify a point about the nature of chips in credit cards.
A funny thing happened on the way to RFID chips, long about 2009. All of a sudden, everybody stopped writing about them.
Tech journals slowed their coverage. The mainstream media dropped the whole subject. And out here on the fringes, people quit writing new works predicting the disasters spychips would bring upon us.
Now, that’s not to say that either RFID chips or the subject went away completely. On the contrary, there were articles and discussions on other topics that heavily involved RFID tech. For instance, just within the last couple years, chips* became ubiquitous in credit and debit cards. Stores had to invest in new types of readers. Liability shifted from the bank to the merchant for fraudulent purchases made with non-chip technology. It was pretty big business with lots of articles written about it, especially in the financial press. But computer chips were just the facilitator of something else. The talk was less about the chips than about whether or not the new methods would prevent ID theft or simply make it possible in a different, perhaps more dangerous way. And whether they imposed an unfair cost or obligation on merchants and so on.
We’ve got RFID chips in our passports and our pets. Inventory control systems run on them in warehouses everywhere. RFID bracelets act as payment devices in theme parks and festivals. And there’s still a bit of both ominous and rah-rah talk about the role the chips will play in making sure we take our medicine. Not to mention talk of OMG requiring chips in firearms. On and on. They are, as predicted, increasingly present in our world.
But the fuss over the chips themselves? It died away as thoroughly as gossip about last year’s celebrity breakup.
The fear of RFID chips being used in our clothing, our possessions, our vehicles, and our bodies for the express purpose of tracking us everywhere? Who thinks about it any more?
—–
I hadn’t. Not for a long time, until a blog-foundation donor asked me to follow up on the topic.
I put it on my to-do list.
But even before I got a chance to crank up the privacy-respecting StartPage search engine to research recent developments, I knew why we weren’t hearing about RFID-enabled omni-tracking. And I’ll bet you do, too.
The reason is:

Eeevil corporations and governments don’t need to sneak chips under our skin or into our food packages or our clothing because we’ve all (or nearly all) gone out and bought and paid for our very own universal tracking devices because we find them convenient. And cool. And fun.
And they do even more for Big and Little Brother than any sneaky old spychip ever could.
At the donor’s request, I was going to write a piece on this. But once I finally got a chance to crank up StartPage, at the very top of the search results I found exactly the article I would have written, though mine might have been more Attitudinal and this one’s stronger on the informational:
“How the fall of RFID chips explains our current surveillance state” by Gillian Branstetter. Published less than three months ago.
Everything she writes about what these developments imply about mass acceptance of the surveillance society — nearly everything — is the sad, damnable, spot-on truth. There’s about one paragraph I disagree with. I’ll leave you to read, ponder, and speculate for yourselves and I’ll try to join in on comments later.
—–
ADDED: In comments, Laird correctly notes that the chips in our credit cards are EMV chips. EMV stands for Europay, Mastercard, and Visa. These chips are not the true RFID chips we spent all that time dreading. Some chipped cards are capable of near-field communications (NFC) — which are indeed radio-frequency communications, but effective only at extremely short distances. Here’s more information.
But really, you’d best just read the comments below by some of the guys more in the know. Fact is, I picked a poor example when I mentioned the chipped cards and by doing that I ended up distracting from the main point of the article. Mea culpa.

My cell phone company tried to get me to buy a new, updated phone a few months ago. The pitch was _almost_ successful till I remembered the chip was in the next version up. (I’ve even taken texting off – my fingers can’t move as fast as my mouth can). Also, I no longer have a credit card even for backup because they’ve all been updated with chips. I ignored the update offer and let my non-chipped card go out of date.
In referencing the “mark of the beast”, I’m not sure if Albrecht is believing this herself or citing what can happen, as technology substitutes the modern chip for the mark of the beast.
Thank you for the great post/update on RFID and the link to the recent article on the subject.
I refuse to buy a ‘smart phone’, ‘smart TV’, use Google, use Facebook or anything like that and privacy/tracking are the reasons but as you and the article author point out most people now carry around their ‘chip’ with them VOLUNTARILY. I have spoken with friends and colleagues about the many negatives of ‘smart phones’ (and Google and Facebook!) but, of course, they are quite happy with the conveniences of being tracked and it is ME who is the weirdo because I am against the lack of privacy, tracking, etc. Gosh, simply suggesting that they not use Google but instead one of the several privacy-oriented search sites available sets them off, too! 🙂
But after 25 or so years of talking to people on the lack of privacy in our modern world I am used to being the weirdo! 😉
Thank you again, Claire, and the new blog is great!
Well, I have a DumbPhone and don’t Facebook, but the sneaks keep sneaking. I read your recent blog featuring the Maxpedition Jumbo Versipack, and now every page I load carries an ad for, you guessed it, a Maxpedition Jumbo Versipack.
Don’t worry, I’m not clicking. If I get convinced I know which is the right path to Amazon.
And it won’t last much longer. Last night (Okay, early this morning) I searched for illustrations of “stacked bob” women’s hair styles. (One of my fiction characters has one.) So that’s what I’ll be seeing until they catch another signal from me.
Which is my strategy: Throw so much conflicting information against their wall that whatever sticks will be baffling instead of incriminating.
Which (seriously) is their Achilles heel. The FedGov is collecting orders of magnitude more information than they can process in any meaningful way.
“Liability shifted from the bank to the merchant for fraudulent purchases made with non-chip technology.”
It’s important to note, and you did Claire, but less directly, that chip cards are NOT more secure for people. They are more secure for institutions. Single factor authentication is still, single factor, be it chip or mag strip.
Multi-factor (I’ll leave it at dual factor) is far more secure and, absent stupid (or torture), is “theoretically” unbeatable. Dual factor is based on both something you have and something you know. Dipping a card and you’re on your way is NOT more secure, for an individual, than swiping.
My mind is on DoD applications of this principle but I ought to note that careful observation and subsequent theft can yield a usable ATM (or pinned credit) card. No security remains unbeatable.
And the control grid tightens as its creators absolve themselves of responsibility.
One thing that article didn’t mention: Smartphones are vulnerable to being cracked. The latest? ‘Quadrooter’ security flaws said to affect over 900 million Android devices. What makes this even worse is that the phone manufacturers discontinue OS updates for older phones. In this particular case, “An attacker would have to trick a user into installing a malicious app, which wouldn’t require any special permissions.” But from what I’ve read, such a “trick” isn’t all that difficult, if someone can embed the crack into a game, or other little amusement app. We’ve read about infected apps in the Google Play store, though I guess Google has been working on filtering. How successful that’s been, I don’t know.
The main reason no one talks about RFID chips is that they are a technology and technologies themselves do not matter.
There was some news to be made by the fact that RFID chips are good at being implanted, but even that fabricated outrage panic bullshit ran its course.
Whether you are tracked via RFID, some other NFC system, gait analysis, face recognition, card payments, money withdrawals, active BlueTooth, requested or involuntarily-sent GPS data, cellphone telemetry, some device ID, the browser profile, tracking cookies, your IP address or one of the myriad of web services you use does not matter – every one of these is just one additional source of information.
The art lies in reconstructing one identity from a bunch of sources. Which is something we have become very good at in the last decade, which is why staying off of Facebook (or one of the other big data agglomerators) or avoiding one technology does not matter much. Even adding misleading data (“chaff”) does not matter much to a good reconstruction as long as it is added by hand or only in one source.
It looks like things are almost a complete step beyond face recognition now. http://motherboard.vice.com/read/faceless-recognition-system-can-identify-you-even-when-you-hide-your-face Everything’s just changing faster and faster, I guess.
FWIW, the chips in the new credit cards are EMV chips, not RFID chips. They do communicate with the chip readers, but not via RFID; they use a different technology called Near Field Communication which only works within very short distances (measured in centimeters).
Also, I don’t agree that the new chips are not “more secure for people”. They are more secure, period, because they create a unique transaction code every time they are used, as opposed to the old magnetic strips which contain static data that can be easily duplicated. The chips cannot be easily duplicated, which cuts down significantly on counterfeiting and other forms of fraud.
The consumer was not responsible for fraud losses either under the old mag strip system, and that remains true under the new chip system. The new rules merely reallocate fraud losses between merchants and credit card companies; from the consumer’s perspective it’s neither better nor worse. But while there is no direct consumer benefit from the change, cutting down on fraud losses will ultimately lead to better consumer prices. (And of course there will be less inconvenience and annoyance to consumers if the frequency of card counterfeiting drops.) It really is a better system, and it has nothing to do with tracking your movements. Of course, the ability to track your purchases remains, but that is no different than under the old system and has nothing to do with the chips.
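A simplified model of the difference the comment above describes between a per-transaction code and static stripe data, as an added example that is not part of the original post or its comments. HMAC-SHA256 stands in here for the card's real cryptogram algorithm, and the class names, key and stripe data are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample values, not real card data.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
STRIPE_DATA = b"CONSTRUCTED-TRACK-DATA-0001"


class ChipCard:
    """Card side: holds a secret key and a counter that never goes backwards."""

    def __init__(self, key):
        self._key = key
        self._counter = 0

    def sign(self, amount_cents, terminal_nonce):
        # Each use binds a fresh counter, the amount and the terminal's nonce.
        self._counter += 1
        msg = struct.pack(">IQ", self._counter, amount_cents) + terminal_nonce
        tag = hmac.new(self._key, msg, hashlib.sha256).digest()
        return {"counter": self._counter, "amount": amount_cents,
                "nonce": terminal_nonce, "tag": tag}


class Issuer:
    """Issuer side: shares the card key and remembers the last counter seen."""

    def __init__(self, key, stripe_data):
        self._key = key
        self._stripe = stripe_data
        self._last_counter = 0

    def approve_chip(self, txn):
        msg = struct.pack(">IQ", txn["counter"], txn["amount"]) + txn["nonce"]
        expected = hmac.new(self._key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, txn["tag"]):
            return False          # altered fields or wrong key
        if txn["counter"] <= self._last_counter:
            return False          # same code presented again
        self._last_counter = txn["counter"]
        return True

    def approve_stripe(self, presented):
        # Static data: a copy is indistinguishable from the original.
        return hmac.compare_digest(presented, self._stripe)


def demo():
    card = ChipCard(CARD_KEY)
    issuer = Issuer(CARD_KEY, STRIPE_DATA)
    txn = card.sign(1999, os.urandom(8))
    first = issuer.approve_chip(txn)
    resubmitted = issuer.approve_chip(dict(txn))      # recorded message sent again
    altered = dict(card.sign(500, os.urandom(8)), amount=50000)
    tampered = issuer.approve_chip(altered)           # amount changed after signing
    stripe_first = issuer.approve_stripe(STRIPE_DATA)
    stripe_copy = issuer.approve_stripe(bytes(STRIPE_DATA))
    return first, resubmitted, tampered, stripe_first, stripe_copy


if __name__ == "__main__":
    print(demo())
```

The issuer accepts the first chip transaction, rejects the resubmitted and altered ones, and accepts the stripe data both times because nothing in it changes between uses.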
Laird — You are right about the chips (for the most part, that is)! I’ll need to clarify next time I’m online.
Alas, my computer battery is dying and except for the days I can plug in at the library, I have only minutes at a time to do all my research, linking, etc. Getting that fixed soon.
OTOH, indeed the liability transfer is as you said, but IMHO it remains to be seen whether there’s any benefit to the consumer at all. Signs do point in the direction of successfully foiling a lot of fraud, but jury’s still out.
Turns out the whole business of EMV vs RFID vs NFC remains confusing and RFID may still come into it:
https://www.heartlandpaymentsystems.com/blog/2015/02/22/what-the-heck-is-this-computer-chip-doing-in-my-credit-card/
https://www.quora.com/Do-I-really-need-a-RFID-blocking-wallet-with-an-EMV-card
I think faceless recognition is reaching. They may want to believe they can recognize a “faceless” face or body, but it’s highly unlikely to be accurate for what or who they’re after.
Firstly, everybody has a twin somewhere. (I met mine in my own hometown when I was a teenager; no relation at all.) Secondly, there are only so many features around – it’s how they’re put together that makes the individual. If Billy the Kid was still on a wanted poster, the “experts” would be swearing they found him in Paris, France next year based on their “faceless” criteria. They see what they want to see, just like cops (or nosy neighbors) find suspicious activity in perfectly normal behavior. They will “recognize” a feature on their list because the feature is present in many people. But the technology will work no better than lie detector tests, and for the same reason: other variables can get in the way of accuracy in interpretation.
Chip cards are not RFIDs. There are RFIDs in some credit-card-like things such as gasoline pumps where you wave a card or keychain dongle to charge your gasco card account.
When people talk about chips on credit cards, they are referring to cards with a square, gold-colored contact patch visible over the chip. Those are technically called EMV cards, for Europay, MasterCard, and Visa who created the standard.
EMV cards are decidedly more secure than signatures. You don’t hand the card to the cashier/waitperson, eliminating an opportunity for them to copy the card details. All communications with the card issuer’s servers are encrypted with strong encryption, eliminating the ability of bad guys to tap into the magnetic stripe reader.
Yes, chip and sign is single factor, just as mag stripe swipe and sign. But in mag stripe all the information is in the clear. Just because they are both single factor does not make them equal in security.
It is trivial to make EMV chip cards 2-factor, and anyone who cares about security should do so. Most issuers will let you log in to the card account on the web and pick your PIN. A few insist on generating a PIN and mailing it to you.
In either case, chip and PIN is genuine 2-factor authentication, and much more secure.
The smart phones aren’t RFID chipped; as Claire notes, they have way more snooping capabilities than any RFID.
But using ApplePay or the various competing implementations adds yet another level of security. The card data is carried in the phone, securely encrypted. The user activates it either with a (hopefully) strong password or with a fingerprint. The merchant never sees the card or card number, eliminating yet another opportunity for fraud. Instead, they get a custom number generated by the payment app.
We’ve lost a lot of ground on privacy, but it’s not all bad news. Apple’s default encryption of all phone data is a good thing, and I use ApplePay whenever I can because of the security benefits.
These companies respond to customer demands, and more people are demanding increased privacy protections. There is hope.
Edited to add:
I see some of this has been addressed in later comments. I like the new comment edit feature! But I’ll let this one stand.
Laird and s — I also updated the article to reflect that the chips in credit cards, although they have minor RFID capabilities, are capable only of near-field communications and can’t be remotely read — as of now.
EMV and NFC are different. Neither is RFID.
The NFC cards have the symbol with 4 curves: see http://bit.ly/2aHq7Hy
RFID cards in people’s wallets are mostly used for IDs. You wave the card in front of the reader and if you are authorized, it opens the door/gate/lock.
A faraday shielded wallet or purse protects against RFID and NFC card remote reading.
The EMV cards have the square chip with gold contacts visible. There has to be power and comm signals touching those gold contacts or the chip won’t work. No way to hack it remotely; it needs power.
Well, I absolutely must bow to your superior expertise in this matter, s, and thank you for the correction. I know this is an area where you know more than I.
But I remain confused, because some sites talk about “EMV with NFC” and others talk about NFC simply using very short-range radio-frequency signals, and wouldn’t that be a form of RFID?
Sigh. Okay, I just edited the post’s footnote again: added a caveat to my caveat and a mea culpa to my mea culpa.
But …
https://www.heartlandpaymentsystems.com/blog/2015/02/22/what-the-heck-is-this-computer-chip-doing-in-my-credit-card/
And that’s from an outfit that makes payment systems.
Good points. I use cash except when it’s not possible.
I suspect that the author of the Heartland blog is not a techie. His description is confusing. The topic is confusing.
RFIDs come in 2 varieties: passive and active. Passive RFIDs have no power supply. When the passive RFID is exposed to the correct radio frequency it uses the radio waves to power itself, and responds with the data stored inside. Implantable chips in pets are passive RFIDs. Many keycards that unlock doors at hotels and office buildings are passive RFIDs.
Active RFIDs have a battery or other power supply. They can send much stronger signals, and are designed to be read from distances of 10s or even 100s of meters. E-Zpass electronic toll tags on cars are active RFIDs.
NFC is a spawn of RFID. There are both active and passive NFC devices, just as with RFIDs. Passive NFC devices are called tags. Active NFC are used in smartphones and the payment terminals you see in more places all the time.
NFC uses magnetic fields. While at the same frequency as some RFIDs, the devices have to be close enough for the magnetic field between them to form an air-core transformer. This limits the useful range to about 6 inches, perhaps 12.
NFC can be hacked; someone with a good directional antenna could reach NFC tags up to perhaps 30 feet away and trick them into giving up whatever data they have. This won’t (shouldn’t!) work on NFC in smartphones; those apps require establishing a secure channel with strong encryption, something a hacker should find extremely difficult to do. Man-in-the-middle attacks on smartphone NFC are theoretically possible, but I know of no examples “in the wild.”
The hacking potential and lack of security in most NFC tags is what convinced me to buy a shielded wallet. It works all too well. I used to wave my wallet with key card inside at hotel room locks to get in; now I have to take the card out of the wallet first.
The larger point, that the RFID threat didn’t materialize quite as predicted, is a valid one. I’m a privacy geek, but I capitulated about a year ago and now carry a smartphone, something far more dangerous than any RFID could ever be. I take precautions but don’t fool myself; I’ve sacrificed privacy for convenience and commerce. At least in some areas, like ApplePay, I’ve actually increased security a bit.
http://takimag.com/article/how_cvs_invaded_my_brain_joe_bob_briggs2/print#axzz4GtCMpEe8
Fred, that’s hilarious. I used to read Joe Bob Briggs … OMG, it must be decades ago when he was doing “drive-in movie reviews.” Didn’t even know he was still around.
World’s first implant-activated smart gun has arrived
https://www.rt.com/viral/355305-smart-gun-chip-embed/