strategic TechNotes
Michael Castelluccio  Technology Editor

 

 

A Cost Analysis of Stealing Your Identity

Yes You Can

The idea back in 2004 was to get a machine-readable chip on your passport that could broadcast your basic information to a reader at the customs or airport station. The chip would include information like your name, date of birth, digital photo, etc., with the possible addition in the future of information like visas. The Bush administration chose RFID (Radio Frequency Identification) chips over the strong objections of security experts like Bruce Schneier. The author of Applied Cryptography, Schneier pointed out that if the chip could be read from a distance by the authority in the booth, it could be read by others. He suggested the contact chip as a safer alternative.

In July 2006, RFID security researcher Melanie Rieback of Vrije Universiteit Amsterdam demonstrated a handheld device built by her team that “performs RFID tag spoofing and selective RFID tag jamming.” The device was battery-powered and fit into a shirt pocket.

Wind ahead to the DefCon annual hacker conference in Las Vegas in August 2009, and there the bits hit the fan. A group of hackers set up a security-awareness project and equipped several members with RFID-capturing equipment in backpacks and at a table that all attendees passed on their way in. The mobile sniffers wandered about the conference floor, and as their equipment found RFID tags, they read the information and automatically took a digital photo of the person who had the tag on them. Federal agents attend DefCon each year to keep an eye on what’s happening in the subterranean world of hackerdom, and a number attend as “hackers,” not agents. When the project’s team leaders announced that they had been collecting this data from company and agency ID cards with chips, the government officials asked them to destroy all data that had been captured. The data was destroyed, but a clear message had been delivered.

Is It a Cost-Effective Crime?

So RFID chips are vulnerable, but would it be worth the effort to create, or buy, the equipment to gather this information, and how would you use it?

In the ACM article, “A Threat Analysis of RFID Passports,” the authors list six pieces of information that can be gleaned from the chips on a passport: your name, nationality, gender, date of birth, place of birth, and a digitized photo. They point out that banks in the U.S. won’t issue credit cards without your Social Security number, so there’s an additional step to use the stolen information to get false credit.

Luckily for the criminal, the Social Security Administration will accept any one of three different proofs of identity for a U.S. citizen to be issued a new Social Security card. You can provide the agency with your driver’s license, a nondriver identity card issued by the state in which you live, or you can present your passport. The thief would have to create a counterfeit passport, but he already has that information, including the photo.

But there are costs for this three-step process—passport to Social Security card to credit card. You need the hardware to intercept the signal broadcast by the RFID card. Because the information that you will intercept is encrypted, you will need a program and some time to do the decryption. And finally, and most expensive, you will have to get the materials to recreate a physical passport—preferably, an authentic blank passport.

The basic equipment includes a receiver (small enough to conceal), a way to boost the signal and filter out background noise, and a computer to store and process (decrypt) the signals stolen. Unfortunately for the public, ACM explains “the antenna, mixer, and filter can be homemade with cheap materials or purchased as a set online. Some websites contain schematics, lists of materials, and steps on how to build your own RFID reader the size of a matchbox. These RFID ‘sniffers’ can then be plugged into a laptop via a USB port.” The total cost of the entire rig is estimated by ACM at around $1,000. Although expensive, the authors explain, “These are all fixed costs, and the perpetrator would presumably amortize these by using the hardware to execute numerous attacks over a period of time.” Or he can hook up with a larger syndicate, which might provide his equipment at a reduced or even loaner rate.

A different estimate comes from Brian Markus, CEO of Aries Security and one of the project leaders who sent out the RFID scanners at DefCon, who claims that “For $30 to $50, the common, average person can put [a portable RFID-reading kit] together.”

So for anywhere from $30 to $1,000, you can go to the airport, stand in line behind your victim and pick up the transmission of his passport info. Now the next problem—it’s encrypted. The encryption isn’t real strong. According to ACM, “An analysis published by the International Association of Cryptologic Research indicates that the entropy of the resulting key is on the order of 52 bits, which, while something of a challenge, is not impossible to crack.”

The cost for this stage is measured in time. The software for cracking the encryption is available free as open source on the Internet, and you would only be losing the time it took your computer to do a brute-force search to accomplish this step.

The last step is the most expensive. You now have to create a realistic-looking, and working (RFID transmissive), passport. The authors point out that “Jerome van Beek of the University of Amsterdam managed to forge a passport RFID chip for $120,” but this might not be necessary because a U.S. passport is still valid if it doesn’t have a chip or if the chip is malfunctioning. Maybe you could use a dummy or date the passport back to a valid, pre-chip date.

The real expense is the blank passport on which you will be printing your stolen information. The authors assume this will be substantial. “In 2008, for example,” they write, “3,000 blank U.K. passports were stolen, and officials valued each one at approximately $3,000.” This could be the wall, before which the identity thief decides to just restrict himself to stealing authentic passports and skipping all the electronics and hassle.

Balancing profits against cost, the ACM analysts consider that “In the U.S., the mean fraud amount per victim for identity theft-related crimes in 2008 was $4,849. The potential revenue from the passport identity theft example, however, could be conceivably higher because of the relative ease with which a passport can be used to open new accounts and prove identity, in comparison with the most common current forms of fraud using stolen credit cards, checks, or mail.” But you still have to balance that against a possible cost of $3,000 for the passport blank and maybe $1,000 for the hardware. Add to that the cost of being caught, and it might be something you’d rather leave to the international digital syndicates. ACM thinks the risk of being caught is relatively high because of “the physical proximity required to eavesdrop on the RFID communication,” the “prevalence of security officers within airports,” and the fact that you might have to purchase a flight ticket to get to areas where these cards are being read.

The article concludes that you’re more likely to have your pocket picked the old-fashioned way at an airport rather than have your RFID card read secretly by that suspicious character in line behind you.

Nevertheless, the Association for Computing Machinery does have several suggestions for improving RFID security concerning passports. The government should up the encryption standard by adding a 128-bit secret password or phrase, unique to your passport chip, to the key derivation algorithm. And the authorities should install an enclosure around the area where these chips are read, a Faraday cage that blocks others in line from receiving the transmissions. Or maybe they should do what was suggested six years ago—transition over to contact chips.
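
The arithmetic behind the 52-bit figure quoted earlier and the 128-bit secret recommended above, as an added example that is not from the ACM article or this column. The key-derivation function is a simplified stand-in, not the passport standard's algorithm, and the guess rate, the 128-bit key length, and the sample field string are assumptions.

```python
import hashlib
import hmac
import secrets

INPUT_BITS = 52            # key entropy quoted in the article
CHIP_SECRET_BITS = 128     # per-chip secret the article recommends adding
KEY_BITS = 128             # ASSUMPTION: length of the derived key
GUESSES_PER_SECOND = 1e9   # ASSUMPTION: offline guessing rate


def derive_key(fields: str, chip_secret: bytes = b"") -> bytes:
    """Stand-in KDF (not the passport standard's algorithm).

    Without a chip secret the key depends only on guessable fields, so its
    strength is the fields' entropy. With one, it is an HMAC under the secret.
    """
    data = fields.encode()
    if chip_secret:
        digest = hmac.new(chip_secret, data, hashlib.sha256).digest()
    else:
        digest = hashlib.sha256(data).digest()
    return digest[: KEY_BITS // 8]


def effective_bits(input_bits: int, secret_bits: int = 0) -> int:
    """Search cost is capped by the smaller of input entropy and key length."""
    return min(input_bits + secret_bits, KEY_BITS)


def expected_search_days(bits: int, rate: float = GUESSES_PER_SECOND) -> float:
    """An exhaustive search covers half the space on average."""
    return 2 ** (bits - 1) / rate / 86_400


def compare() -> dict:
    weak = effective_bits(INPUT_BITS)
    hardened = effective_bits(INPUT_BITS, CHIP_SECRET_BITS)
    return {
        "weak_bits": weak, "weak_days": expected_search_days(weak),
        "hardened_bits": hardened, "hardened_days": expected_search_days(hardened),
    }


if __name__ == "__main__":
    fields = "CONSTRUCTED-SAMPLE-FIELDS"   # constructed, not real passport data
    secret = secrets.token_bytes(CHIP_SECRET_BITS // 8)
    print(derive_key(fields).hex(), derive_key(fields, secret).hex())
    for name, value in compare().items():
        print(f"{name}: {value:.3g}")
```

At the assumed rate the 52-bit case averages about 26 days of searching, while the hardened case is limited only by the key length.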

Michael Castelluccio
