brian_chee
Contributing Editor

I object to RFID payment schemes without positive acknowledgment!

analysis
Feb 1, 2008 · 3 mins

I just got my replacement American Express Blue for Business credit card and to my dismay I found that Amex has given up on smart card tech and has instead led us down the primrose path with their “ExpressPay” RFID based technology. With MasterCard touting their “Tap and GO” payment system (also RFID) and now Amex, did these folks read about the problems that the US Gov is having with RFIDs in passports? (Technologists object to U.S. RFID passports – Jul. 13, 2006)

Here’s my bitch…there is a VERY good reason why high security facilities demand that you have positive acknowledgment of a card swipe for entry. It’s just too easy for someone to lose a card or have it stolen. Now with an RFID, someone with just a bit of kit can walk through a crowd (occasionally brushing up against folks) and harvest RFID information. Heck, even if the information is encrypted, it can still be gathered for bulk decryption later. (See how well the DVD encryption worked!) So for proximity entry cards, you not only swipe/wave your card, but you must also punch in a challenge code (PIN). This way a stolen card can’t be used to get access to our nation’s secrets. Heck, many new keypads even use OLEDs under the keys to change the positions of the numbers so that someone can’t just dust the keypad.
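To make the point above concrete, here is an added example (my own illustration, not anything from Amex, MasterCard or the facilities described): a card that emits a fixed identifier is accepted from whoever replays the sniffed bytes, while a challenge-response whose key is derived from both the card secret and the cardholder’s PIN only works when the cardholder is present and acknowledges the transaction. All identifiers, the card key and the PIN are constructed sample values, and the function names are my own.

```python
import hashlib
import hmac
import os

# Constructed sample values for the demonstration; not a real account, key or PIN.
CARD_ID = b"ACCT-0000-1111-2222-3333"   # what a static card would emit to any reader
CARD_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c" * 2)  # 32-byte card secret
PIN = "4921"

def static_emission(card_id: bytes) -> bytes:
    """A card with no positive acknowledgment answers every reader the same way."""
    return card_id

def issuer_accepts_static(emission: bytes, enrolled_ids: set) -> bool:
    """Issuer check for a static card: whoever holds the bytes is 'the cardholder'."""
    return emission in enrolled_ids

def pin_bound_key(card_key: bytes, pin: str) -> bytes:
    """Derive the transaction key from the card secret AND the PIN, so a card (or a
    sniffed copy of its secret) is worthless without the cardholder's entry."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), card_key, 50_000)

def enroll(card_key: bytes, pin: str) -> bytes:
    """Issuer-side enrollment keeps only the derived verification key, never the PIN."""
    return pin_bound_key(card_key, pin)

def card_response(card_key: bytes, pin_entered: str, nonce: bytes) -> bytes:
    """Card/terminal side: answer a fresh issuer challenge with a PIN-bound MAC."""
    return hmac.new(pin_bound_key(card_key, pin_entered), nonce, hashlib.sha256).digest()

def issuer_verifies(verification_key: bytes, nonce: bytes, response: bytes) -> bool:
    """Issuer side: recompute the MAC over the challenge it issued and compare."""
    expected = hmac.new(verification_key, nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)

def demo() -> dict:
    """Compare a sniffed-and-replayed static read with a PIN-bound challenge-response."""
    captured = static_emission(CARD_ID)                    # one brush-past read
    vkey = enroll(CARD_KEY, PIN)
    n1, n2 = os.urandom(16), os.urandom(16)                # two independent challenges
    captured_response = card_response(CARD_KEY, PIN, n1)   # one sniffed exchange
    return {
        "static_replay_accepted": issuer_accepts_static(captured, {CARD_ID}),
        "replayed_response_accepted": issuer_verifies(vkey, n2, captured_response),
        "wrong_pin_accepted": issuer_verifies(vkey, n2, card_response(CARD_KEY, "0000", n2)),
        "cardholder_accepted": issuer_verifies(vkey, n2, card_response(CARD_KEY, PIN, n2)),
    }
```

Only the last entry of `demo()` comes back true for the challenge-response scheme: a captured answer is bound to a challenge that is never reused, and a guessed PIN derives the wrong key.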

So I’ve written a real letter to the American Express folks asking them to get their head examined; but in the meantime I’ve taken a hammer to my new card (sniff) to destroy the RFID chip. Just as a bit of history, in the very early days of eCommerce, American Express lured me into becoming a Blue member by being one of the first to put into place verbiage in their user agreement saying that they will protect me from Internet fraud if I signed up. hint hint hint… Hey Amex! Do the same thing for the RFID and maybe I’ll just quietly request a new card and stop destroying your investment. Better yet, make the person scan a finger or type in a PIN code.

Oh yeah, I’m far from the first to raise my hackles on this subject…check out this for a rant on using the RFID to track what products you might be looking at in a store…very Big Brother if you ask me…

Lastly, to my congressional representatives…please make sure that if you choose RFID for a national ID, it requires my explicit acknowledgment of the intrusion. Or better yet, if you want a way to ensure that the ID isn’t fake, why don’t you talk to Gavin Jancke at Microsoft Research? His 2D color bar code can’t be read unless you take it out of your wallet, and can contain enough information that you can embed an RSA signature in it. Don’t you think this might be a more acceptable plan to folks who would like to maintain a bit of privacy?