Protect your RFID ski pass.

The Ski Pass Defender protects your RFID ski pass from being scanned, read or skimmed, until you want to get on the lift.

New ski passes and lift tickets contain tiny two way radios called RFID chips. RFID Readers can access your personal information and track your movements.

  • Protect your personal information
  • Prevent card readers from tracking you
  • Patented easy to use Squeeze to Read Technology
 

“No Privacy Concerns”…Seriously?

The mantra of some legal and marketing departments in industries using RFID and storing guest/customer data is “No Privacy Concerns”. They are hoping to ease the fear of consumers, and allow for easy adoption of the program. However, is this the reality? Facebook is a weak link of privacy in a corporate strategy. The company cannot be directly blamed for this, but the customer definitely has risk.

As a company attempts to gather more data, regardless of how benign it seems, there is a greater risk that someone will want to get that information. And if there is direct financial gain tied to it, there is even more risk.

Anytime data is stored, there should be privacy concerns


My thought is that ANYTIME a company holds or gathers information there IS a privacy concern. Regarding a company’s stance on privacy, one of my students stated they should say, “Recognizing privacy is important, we have worked hard to address those concerns by building a range of consumer options into our RFID and Social Media program to give you full control of your personal information.”

The sooner companies accept the fact that privacy and security of information is at least a two-party job, the sooner we shall be working from the proper premise. Even top financial companies have regular breaches of security. Take the Heartland Payment Systems data breach (Mastercard and Visa), for example: Heartland disclosed Jan 20, 2009 that intruders cracked the system it uses to process 100 million card transactions per month from 175,000 merchants. I would imagine that was a VERY secure system.

Until these threats are acknowledged and talked about, there are things we can do. I will offer you a non-RFID premise of which to be aware. When using FACEBOOK, do not friend anyone who isn’t really a friend or verified acquaintance. This is not just for a ski area; this scenario can easily be targeted at any business which has a strong local following. Here is an example of what can happen.

Here is a scenario relevant to a skier or rider:

A crime ring in the Denver or Salt Lake City area opens a few dozen Facebook accounts and begins “friending” all of the people who like a business, ski resort, sports team, etc.

Companies want to be "liked" on Facebook


Chances are that a good majority of people are from a nearby metro area. A well established resort may have 50,000 people on Facebook who “Like” the company. The potential new friend (crime ring) writes a nice introduction “Great to have a fellow skier/rider of ‘Snowy Peaks Resort'”.  Let’s say 25% of those people accept the new “friend”. So we have 12,500 people who have friended this crime ring.

Next, the ring is looking for people who are planning a family ski/ride trip “this weekend”. The ring can do some weekly “research” to find who is going to the mountains, and due to crappy Facebook security I can figure out where the person lives. There are easy free options to gather this data, although a ring can pay $200 a year for access to programs which can do it more quickly and accurately.

The crime ring also has a few thieves on “staff”. On Saturday morning, the skier/rider posts “heading up to the mountains now!” or “just arrived at ‘Snowy Peaks’”. Now the burglary begins, with a guarantee that nobody is home.

Privacy, what privacy? ID thieves are a creative sort. Although the resort did not infringe on any of its privacy policies, this has set a target on guests of “Snowy Peaks”.

I have a significant problem with allowing companies to collect ongoing data from me, especially if they do not recognize these as threats to their guests.

I sent this scenario including actual ways to harvest information to several major ski resorts in Colorado. I am hopeful they will respond with a joint effort of privacy. If there are resorts or businesses which would like to know more, I would be happy to send them a few of these scenarios.

Two potential solutions:

1) The resort can post reminders for people to not accept friends they do not know. Reinforce the message: privacy is a joint effort between the business and the individual.

2) If the resort uses an application, they can create and promote delayed sending of messages to Facebook or Twitter. The most conservative settings will be preset, but ongoing management can be set by the guest: immediate, 4 hrs, 8 hrs, 24 hrs, etc.

Option 2 may create uncertainty in the mind of the thieves, as front range or close proximity skiers/riders often day trip.

Privacy knowledge is powerful. If resorts continue to take the arrogant attitude that there are “No privacy issues” then they are part of the problem.

UPDATE: Fox News just released information that US Governmental Agencies have been “Cyber-friending” people on Facebook and other social media sites.

The Ski Pass Defender is designed to offer the individual the ability to protect access to their RFID stored information. Privacy and security are a joint effort. And Ski Pass Defender costs less than a shared tank of gas.

Jonathan Lawson has been an expert in the field of Identity Theft Risk Management since 2005.  Mr. Lawson has held dozens of education seminars for minors, adults, and seniors regarding identity theft and risk mitigation.

With regard to RFID in ski passes, the ski industry has been looking at the convenience for the guests and the ability to collect clean data from them. There are two main types of RFID chips being used in the ski industry: 13.56 MHz (HF) and 900 MHz (UHF) chips. The HF (High Frequency) chip can be used at close range (<1 meter) as a lift ticket or “stored-value” card, while the 900 MHz chip can be used for longer-range uses (tracking, mass reading in interrogation zones).

Apple's patent for a RFiD reader in the iPhone


Resorts have been sold these benefits from the RFID vendors. It looks good on paper, but RFiD was designed as an open platform, rather than a secure platform.

As more information comes to light regarding RFiD, such as the ability for the iPhone and Android devices to be equipped with RFiD readers, will people tolerate it? My thought is yes, many will out of ignorance or indifference. The Ski Pass Defender is not made for them. It is designed for those who like the convenience of RFiD as a lift pass, but prefer to opt out and/or better protect their privacy.

You won’t have to ask, “Is that an iPhone, or are you just happy to read my RFID?”

Here is how easy skimming can be: the credit cards are enabled with 13.56 MHz chips; the UHF 900 MHz chips can be read from longer distances.

RFiD goes far beyond the Ski Industry

RFiD, Radio Frequency Identification. The technology in itself can be helpful, and there are many industries already using it. These industries and new ones will continue to promote it because from their point of view it is incredibly beneficial to their bottom line. And marketed correctly to the consumer it will be accepted readily. This technology is growing, and there are many potential uses for it. As chip pricing continues to drop and companies continue to create uses for the technology look for RFiD to proliferate.

Here is an RFID privacy advocate, Dr. Katherine Albrecht. This is part 1 of a 3-part video. She may seem alarmist at times; however, she understands this technology extremely well, and there is nobody better at seeing the consumer side of the industry. She is the unofficial watch-hawk of the industry. If you have limited time, start watching this video at 6:40.

When considering the rest of this article, one must remember that passive RFID technology doesn’t need to be hacked; it was designed to be completely open. Reading and cloning the pass information is all it takes.

Regarding some cloning and security concerns Wikipedia states (RFID, Safety Concerns), “Other cryptographic protocols attempt to achieve privacy against unauthorized readers, though these protocols are largely in the research stage. One major challenge in securing RFID tags is a shortage of computational resources within the tag. Standard cryptographic techniques require more resources than are available in most low cost RFID devices.”

Bruce Schneier speaks regarding the open source reading software at RF Dump.org:
“[Grunwald] is doing what RFID is supposed to do,” said security author and Counterpane Internet Security Inc. Chief Technology Officer Bruce Schneier. “This is serious. He didn’t hack anything. RFID technology originally was designed to be completely open; that’s its problem. He went to the spec, read it and followed it. If you query the chip, you will get this info. If there were security countermeasures on the chip that were thwarted, then we could talk about hacking.” Source: Computerworld USA 2004

I will give you an RFID scenario that will seem very beneficial. And indeed in itself it could be.
All the products that you purchase have an RFiD chip placed in the package. And you have a kitchen with shelving and a refrigerator which have RFiD readers built in.

Getting ready to create a grocery list? You use your Kroger/Safeway/Grocery Store Tablet PC app. You simply push a button, and it inventories what you have and generates a shopping list for you. You print it out and take it to the grocery store, and the application prints your discount coupons to take to the store. Or perhaps you make an adjustment to your order push “SEND” and your order is whisked to the grocery store with all applicable discounts. When you arrive, your groceries are packaged and ready for you. You don’t even need your Credit card, because it is already linked to your iPad application. You just say thank you, and off you go. You love it.  Technology at its finest.

I could write several chapters on marketing strategies based off this relatively simple application of RFiD. Topics would include consumer adoption, consumer incentives, tiered shopper pricing, incentive pricing, impulse purchasing, preferred product placement, etc. Grocery store margins are extremely thin; stores make much of their money by selling grocery aisle “real estate” rather than by simply selling the products. And the large grocery stores also sell your buying data to third-party “partners” from purchases that you make on your “value/discount card”.

The “Marketing” Office – Parody – This is fictional, entirely fictional. In no way possible could this conversation really have taken place. Really, seriously, there is no way, really…..

Third-party partners don’t necessarily have to fall within the same industry; in fact, many times they do not. For example, an insurance company (health, life, auto) would want to know if you bought a case of cigarettes, beer or liquor every 3 days, or if you participate in what some would call “risky” activities, such as skiing double-black diamond or terrain park runs all day long.

When a person truly understands the scope of the way data can be shared and interpreted I ask, “Can you see how the puzzle of your habits and lifestyle can be put together?” Companies say they are just looking to stratify you into a group, and there is no desire for them to identify you personally. However, the data allows them to if they wish. Your name, email, and social security number are just cells on a spreadsheet.

Ski and Ride free and untracked!


The industries employing RFiD have incredible financial backing, and financial incentive to have you adopt the technology.

They control a much larger media machine than any individual opponent. Yet as an individual we do have the right (for now) to determine how we share our information. When I ski or ride I prefer to do it UNTRACKED, and leave an anonymous reminder of where I have been.
