Language Selection

English French German Italian Portuguese Spanish

GAO study of RFID technology, policy seen flawed

Filed under
Security

A recently released Government Accountability Office study of radio frequency identity device security is flawed because it omits discussion of technologies and federal policies in the arena, according to smart-card industry executives.

GAO defended the report, saying it relied on information provided by other federal agencies and did not delve deep into individual RFID programs that the agencies are implementing.

The GAO report, titled Information Security: Radio Frequency Identification Technology in the Federal Government, discusses privacy and security aspects of RFID tags used for inventory control as well as contactless smart cards used to make personnel credentials. GAO issued the report May 27.

The report cites several privacy and security issues that RFID units can pose, such as "tracking an individual's movements, profiling an individual's habits, tastes or predilections and allowing for secondary uses of information." According to GAO, "While measures to mitigate these issues are under discussion, they remain largely prospective."

But as Patrick Hearn, business development director for Oburthur Card Systems of Chantilly, Va., stated, federal law, regulations and policies mandate many privacy and security protections for the use of smart cards in federal credentialing programs.

"The security measures-encryption and authentication-listed [by GAO as 'prospective'] all exist today and are incorporated into programs such as the State Department's e-passport program," Hearn wrote in an e-mail comment on the GAO report.

Hearn also cited the existence of the Federal Information Processing Standard 140-2, which applies to contactless smart cards issued to federal employees and contractors, as well as privacy and security rules mandated in the Federal Identity Management Handbook.

Hearn noted that the standards that apply to federal use of contactless smart cards mandate compliance with the Privacy Act of 1974, the e-Government Act of 2002, Office of Management and Budget memorandums relevant to the topic and National Institute of Standards and Technology standards for smart-card security and privacy.

Full Article.

More in Tux Machines

today's howtos

Oracle Desperate

Leftovers: OSS and Sharing

Security Leftovers

  • Friday's security updates
  • Judge Says The FBI Can Keep Its Hacking Tool Secret, But Not The Evidence Obtained With It
    Michaud hasn't had the case against him dismissed, but the government will now have to rely on evidence it didn't gain access to by using its illegal search. And there can't be much of that, considering the FBI had no idea who Michaud was or where he resided until after the malware-that-isn't-malware had stripped away Tor's protections and revealed his IP address. The FBI really can't blame anyone but itself for this outcome. Judge Bryan may have agreed that the FBI had good reason to keep its technique secret, but there was nothing preventing the FBI from voluntarily turning over details on its hacking tool to Michaud. But it chose not to, despite his lawyer's assurance it would maintain as much of the FBI's secrecy as possible while still defending his client. Judge Bryan found the FBI's ex parte arguments persuasive and declared the agency could keep the info out of Michaud's hands. But doing so meant the judicial playing field was no longer level, as he acknowledged in his written ruling. Fortunately, the court has decided it's not going to allow the government to have its secrecy cake and eat it, too. If it wants to deploy exploits with minimal judicial oversight, then it has to realize it can't successfully counter suppression requests with vows of silence.
  • Researcher Pockets $30,000 in Chrome Bounties
    Having cashed in earlier in May to the tune of $15,500, Mlynski pocketed another $30,000 courtesy of Google’s bug bounty program after four high-severity vulnerabilities were patched in the Chrome browser, each worth $7,500 to the white-hat hacker.