It stops them taking your password without your knowledge. If you know they know, you can do something about it, like changing your password. Plus, it’s a lot harder to capture and interrogate someone than just waving a sensor near their backpocket.
Sorry, I meant passport not password. The idea is that you can beat me and take my passport. Let's say you carefully extract the printed photo from it and insert your photo. Perfect plan? You'd be right if it didn't have an RFID. Now when you go to the border they scan the passport and the picture that comes up from the RFID data doesn't match the picture in the passport.
The idea is that these things have always been incredibly insecure and poorly designed. The worldwide passport system is a mess. These are the first baby steps into securing it, and as usual, sadly, the neo-luddites and "perfect security or none at all" crowd are controlling the discourse. Perfect is the enemy of good.
There’s an xkcd for everything.
Not on YouTube, but online nonetheless…
Go here, select “View Interactive Webcast” under “Jamie Hyneman & Adam Savage” (Under Friday) wait for it to load and scroll out to about 28:10.
Any exploration of security problems with RFID is waaaay beyond the scope of Mythbusters. How exciting television is it going to be watching a hacker work? Okay, for most people, then?
When I worked on an electronic currency project back in the '90s, one of the most fundamental gripes from consumers was that it wasn't contactless; you had to insert your card into the reader before you could conduct the transaction. IIRC, even AMEX's smartcard product died a quick and ugly death. Similarly, one major transit system we talked to wasn't interested because of the lack of contactless operation. (Ironically, that same system has a mag-stripe based monthly pass, now.)
I’ve worked on several RFID projects since then, but in those cases the RFIDs were simply inventory management or product identification systems, not related to a person’s identity in any way. And, I agree with Sage Rat that anyone who puts anything other than a key to a database on an RFID is professionally challenged, and probably shouldn’t be trusted with developing anything more complex than basic HTML pages.
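An added example (not code from anyone in this thread) showing how a border reader would catch the swapped-printed-photo trick under both designs people have described: the chip carrying the holder's data under an issuer signature, as a few posts up, and the chip carrying nothing but an opaque key into a back-end database, as this post argues for. Everything is constructed: ISSUER_KEY and the HMAC are a stand-in for the issuing authority's real signature scheme, the record fields and the photo bytes are made up, and no real ePassport data format is modelled.

```python
"""Constructed demo: two ways a reader can detect a passport whose printed
photo was replaced. Not any real ePassport format; stand-in crypto only."""
import hashlib
import hmac
import secrets

# Assumption: an issuer-side secret standing in for the issuing authority's
# signing key. Real systems use public-key signatures, not a shared HMAC key.
ISSUER_KEY = b"constructed-demo-issuer-key"


def photo_digest(photo: bytes) -> str:
    """Digest of the photo bytes; stands in for the face comparison at the desk."""
    return hashlib.sha256(photo).hexdigest()


def issuer_mac(*fields: str) -> str:
    """Issuer 'signature' over the chip's fields (HMAC as a stand-in)."""
    return hmac.new(ISSUER_KEY, "|".join(fields).encode(), hashlib.sha256).hexdigest()


# --- Model A: the chip itself carries the holder's data, authenticated ---
def issue_chip_with_data(name: str, photo: bytes) -> dict:
    """Chip payload: holder data plus an issuer MAC binding the fields together."""
    digest = photo_digest(photo)
    return {"name": name, "photo_hash": digest, "mac": issuer_mac(name, digest)}


def verify_chip_with_data(chip: dict, printed_photo: bytes) -> str:
    # First check the chip data has not been rewritten, then compare it to the page.
    expected = issuer_mac(chip["name"], chip["photo_hash"])
    if not hmac.compare_digest(expected, chip["mac"]):
        return "chip data altered"
    if photo_digest(printed_photo) != chip["photo_hash"]:
        return "photo mismatch"
    return "ok"


# --- Model B: the chip carries only an opaque key; all data stays server-side ---
def issue_chip_with_key(db: dict, name: str, photo: bytes) -> str:
    """Only a random identifier is written to the chip; nothing personal is on it."""
    tag_id = secrets.token_hex(8)
    db[tag_id] = {"name": name, "photo_hash": photo_digest(photo)}
    return tag_id


def verify_chip_with_key(db: dict, tag_id: str, printed_photo: bytes) -> str:
    record = db.get(tag_id)
    if record is None:
        return "unknown key"
    if photo_digest(printed_photo) != record["photo_hash"]:
        return "photo mismatch"
    return "ok"


def demo() -> dict:
    """Run the genuine and tampered cases through both models; returns outcomes."""
    genuine = b"constructed-photo-of-legitimate-holder"  # constructed sample input
    swapped = b"constructed-photo-pasted-in-by-someone-else"  # constructed sample input
    results = {}

    chip = issue_chip_with_data("A. Holder", genuine)
    results["A genuine"] = verify_chip_with_data(chip, genuine)
    results["A swapped photo"] = verify_chip_with_data(chip, swapped)
    # Chip hash rewritten to match the new photo, but the issuer MAC no longer fits.
    rewritten = dict(chip, photo_hash=photo_digest(swapped))
    results["A rewritten chip"] = verify_chip_with_data(rewritten, swapped)

    db = {}
    tag_id = issue_chip_with_key(db, "A. Holder", genuine)
    results["B genuine"] = verify_chip_with_key(db, tag_id, genuine)
    results["B swapped photo"] = verify_chip_with_key(db, tag_id, swapped)
    results["B unknown key"] = verify_chip_with_key(db, "0000000000000000", swapped)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:18} -> {outcome}")
```

Model B is the design the post above prefers: a reader that skims the chip learns only a meaningless identifier, and a pasted-in photo still fails because the comparison happens against the server's record rather than against anything the chip says about itself.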
Great link, thanks. Confirms what many have been talking about upthread.
One little thing to notice, Adam is dismissive of security through obscurity but of course RSA, Inc. is in fact well known for having several such systems such as RC4 (which thankfully is obscure no more).
I think a Mythbusters episode on RFID security is quite doable. They could show how to read a card from 30 feet away without the holder knowing. Get some cheap gear off the Net to clone a card. Etc.