09 The Criminal Abuseof Radio Frequency Identification Devi

09 The Criminal Abuseof Radio Frequency Identification Devi

The Criminal Abuse of Radio Frequency Identification Device Technology

Peter Klerks Principal lecturer, Police Academy of the Netherlands

The upcoming Radio Frequency Identification Device (RFID) technology will revolutionize production and operations management throughout the world. Replacing traditional bar code product identification, miniature RFID chips enable much more efficient stock-keeping in stores, warehouses and transport. Automatic scanning of products enables faultless cashier operations without human interference. RFID technology also finds its way to identity documents, credit cards and paper money. The tags are already used to track livestock, to pay for gas, and to pay tolls, as well as to check out books at libraries. One RFID vendor received government approval to offer RFID chips that can be implanted in humans to store medical information to be read in case of an emergency. Market prognoses predict many billions of RFID chips to be sold annually by 2010. Soon, we will all be surrounded (and quite possibly even injected) with hundreds of RFID chips, many containing more or less sensitive personal data.

RFID will also become an effective tool in criminal investigations. An RFID chip could be used to identify the original purchaser of an item found at a crime scene. The technology could also be used to identify individuals in a crowd, and it will be useful in deterring shoplifting and other theft. While evidence from an RFID sensor would be hard to refute, malfunctions can happen in any technology.

The technology

RFID systems are based on radio waves. Each tag is equipped with a passive tiny radio transmitter. When it receives a special radio signal from a reader, the tag responds by sending its own unique serial number through the air over a distance of several meters. Other, battery-powered tags are active transmitters themselves, allowing distances of hundreds of meters between tags and readers. RFID tags can be minuscule in size: chips of only 0.05 m have already been demonstrated, although currently a 4 m antenna is still required for functional use. Tag readers are connected to computer databases, managed by powerful data mining technologies.

The risks

The risks involved in implementing RFID technology on a wide scale have been recognized, understood and predicted by ICT experts and security analysts for several years. The Police Academy of the Netherlands first noticed RFID relevance to law enforcement and the risks it entails in a report contributing to the National Threat Assessment on organized crime in April 2007 (Klerks & Kop, 2007). The Criminal Intelligence Service Canada brought out a classified early warning assessment in June 2007 (CISC 2007). Police experts on the Police Futurists International online forum have discussed RFID (w.policefuturists.org), and the U.S. GAO issued a report on the technology’s implications (GAO 2005). U.S. state and federal legislators have taken initiatives to stimulate industry self-regulation and introduce restrictions (Adler 2005).

Generally, privacy concerns regarding adoption of RFID technology include (among others):

• The unauthorized reading of RFID tags. • The security of personal information contained on RFID tags to prevent the unauthorized use or dissemination of such information. • The ability of third parties to profile individuals by their possessions containing RFID tags.

• The use of RFID technology to provide covert tracking or surveillance of individuals (Adler 2005).

Most RFID tags can be easily counterfeited. It's easy to scan the bar code and lift the data from them. The technology is therefore likely to enable the creation of new crimes by thieves, blackmailers and stalkers. There are also other serious privacy concerns, as voiced by NGO’s including the American Civil Liberties Union, the Electronic Frontier Foundation, The World Privacy Forum and a dozen other organizations (Garfinkel, 2004). These organizations ask for a voluntary moratorium on RFID technology in consumer goods, because the use of RFID could in their eyes enable an omnipresent police surveillance state, and it could make identity theft even easier than it has already become.

RFID is a potentially dangerous technology because RFID chips can be embedded into products and clothing and covertly read without the bearer’s knowledge. A small tag embedded into the heel of a shoe or the inseam of a leather jacket for inventory control could be activated every time the customer entered or left the store where the item was bought; that tag could also be read by any other business or government agency that has installed a compatible reader. Since every RFID chip has a unique serial number, stores could track each customer's comings and goings. Similar readers could also register the RFID tags currently contained in car keys. Privacy watchdogs therefore demand an absolute ban on hidden tags and covert readers. Tags should be ‘killed’ when products are sold to consumers, and RFID technology should never be used to secretly unmask the identity of people who wish to remain anonymous.

Consumer watchdogs are not the only ones voicing concerns. IT companies such as the cryptography producer RSA, have already shown evidence of just how vulnerable this technology is (Germain 2005). One of RSA's big worries lies in the ease with which the personal data contained in RFID tags can be acquired. Researchers from RSA Laboratories and Johns Hopkins University recently scanned the information on RFID chips in car keys and on ExxonMobil SpeedPass tags. They were able to collect enough information to crack the encryption codes on the tags. The researchers discovered the security flaws while studying the Texas Instruments Registration and Identification System, according to news reports. The low-power radiofrequency security system they cracked is used worldwide. The Texas Instruments system is only one of a number of RFID systems on the market. Those with criminal intentions with the same knowledge of how to breach RFID tag security layers could steal the cars or buy free gas. RSA sees examples such as this as a sign that the backers of the RFID industry are being short-sighted by trying to roll out more uses for RFID devices before their security and privacy issues are addressed.

Although certain cryptographic security measures are applied in e.g., RFID chips held in passports, RFID technology could still be promoting instead of preventing identity theft. Canadian law enforcement has recently issued in-house warnings that criminals can be expected to attempt and succeed in hacking databases containing RFID data and abusing information thus gained to commit financial crimes (CISC 2007).


Adler, Kenneth A. 2005 “RFID & Privacy Issues: A Snapshot of Proposed Laws.” RFID Product News 2005 No.9(w.rfidproductnews.com/issues/2005.09/feature/08.php)

CISC 2007 “The Use of Radio Frequency Identification Devices for Criminal Purposes.”. Sentinel Strategic Early Warning Assessment (4)2, June 2007. Restricted/Protected ‘A’

GAO 2005 INFORMATON SECURITY: Radio Frequency Identification Technology in the Federal Government. Washington, DC: Government Accountability Office, May 2005. (w.gao.gov/new.items/d05551.pdf)

Garfinkel, Simson L. 2004 “The Trouble with RFID”. The Nation February 3, 2004. (w.thenation.com/doc/20040216/garfinkel)

Germain, Jack M. 2005 “RFID Technology Faced with Privacy Considerations.” E-Commerce Times July 1, 2005. (w.ecommercetimes.com/story/44406.html?welcome=1211469589) Klerks, Peter en Nicolien Kop 2007 Maatschappelijke trends en criminaliteitsrelevante factoren. Een overzicht ten behoeve van het Nationaal dreigingsbeeld criminaliteit met een georganiseerd karakter 2008 – 2012. Apeldoorn: Politieacademie, Lectoraat Criminaliteitsbeheersing & Recherchekunde