Researcher: Misunderstandings surround RFID in use today
In particular, the general public doesn't get how RFID technology works within e-passports and credit cards, which could create unnecessary risk.
When asked how RFID worked, a group of novices responded to a recent academic survey with "witchcraft" and "magic."
In a talk Monday at the USENIX Usability, Psychology and Security Conference (UPSEC) 2008 in San Francisco, Andrew McDiarmid of the University of California, Berkeley, shed light on how ordinary people perceive RFID-enabled cards in their day-to-day lives. He said that while novices and intermediates were familiar with times when RFID-enabled smart cards such as work access cards or transit cards didn't work, they couldn't explain why. On the other hand, advanced users knew enough to keep their RFID-enhanced credit cards sheathed in a mini "Faraday cage" so the cards could not be read by others.
Speaking before a room of about 45 fellow researchers, McDiarmid reported on exploratory research conducted in 2007 with Jennifer King, also at U.C. Berkeley. Based on feedback from this initial sample group, the two hope to open the survey to a much larger audience of novice, intermediate, and advanced users during 2008. They will also narrow the focus to two specific RFID-enhanced items: e-passports and contact-less credit cards.
Perhaps most surprising among the data was the assumption of audio or visual feedback among all three groups. McDiarmid said that the use of contact-less credit cards is impersonal; often there is no confirmation of a transaction, such as you had when a clerk handed your card back at the end of the purchase. "Customers want feedback," he said.
Another misconception revealed by the survey is that cards can only be read by specific readers. That is not true, said McDiarmid. Thus, he wasn't too surprised that only two individuals in his survey group knew to sheath their contact-less credit cards.
In a paper released at the conference, McDiarmid and King expressed concern over how the government and commercial interests are assisting the typical end user with the new technology.
McDiarmid said on Monday that although the State Department provides a brochure describing the features of the ePassport, and companies like Visa offer videos describing the features of its PayWave contact-less credit cards, the general public still doesn't understand the basic concepts behind RFID, and therefore does not understand the inherent risks.