Customer Data and Wireless Payments: Does Convenience Trump Security?
Wireless payments sure are snappy. You can buy gas with the wave of a wand and buzz through a toll booth without opening a window. But this fast-and-easy way to transfer customer data can pose a threat to security. Any organization using the technology should harden its defenses before it's deployed.
Warning: Your personal data may be at risk. As RFID (radio frequency identification) devices work their way into consumers' everyday lives, the potential for data breaches grows rapidly.
RFID technology was once used primarily to track warehouse operations and perform inventory control. Now, this same technology is finding its way into smart keys -- keys that merely need to come close to a lock in order to unlock it. RFID transponders now speed travelers through toll booths and gas stations without requiring users to whip out credit cards or old-fashioned cash.
But while these modern-day marvels can be quickly and easily read by the devices the user intends to use them with, they can also be easily read by someone with nefarious intentions. Even worse, vendors are moving RFID short-distance transmissions into long-distance delivery via wireless networks and satellite relays. All of this happens over a patchwork of hardware and software that often defies PCI (payment card industry) compliance rules and best-practice network security.
"RFID can communicate lots of different data. RFID tags need a validation process. Users have to know what is acceptable and what the guidelines are. There is no one standard for this. Too many proprietary systems are in use," Steve Salvitti, senior vice president of enterprise mobility for InfoLogix, told CRM Buyer.
A new survey by the Computing Technology Industry Association (CompTIA) finds that use of radio frequency identification technology is on the rise in a variety of industries. Among the most popular applications are asset tracking, personal identification, supply chain, retail management and closed-loop manufacturing.
The worldwide survey of 155 IT companies found that 46 percent of their customers have implemented one or more RFID solutions, either as pilot projects or production deployments. This is an increase from a 2007 survey, when IT companies reported 34 percent of their customers had initiated RFID projects. Customers come from a cross section of industries, including services, government, finance, healthcare, retail, communications and manufacturing.
Among the RFID products and services IT companies say they are delivering to customers today are hardware installation and maintenance products, consulting and training services and software implementations. The survey, however, did not focus on security factors associated with the spreading use of RFID.
"RFID offers adopters of the technology a number of benefits, from improvements in manufacturing, inventory and distribution processes, to reduced costs for product theft, spoilage or obsolescence," said Todd Thibodeaux, president and chief executive officer, CompTIA. "It's incumbent on our industry, with help from organizations such as CompTIA, to help customers overcome any obstacles to RFID usage and help them benefit from the efficiencies RFID can deliver."
Because RFID is still relatively new in consumer and enterprise circles, two similar technologies are often lumped together. RFID and Near Field Communications (NFC) are not the same thing.
"In the market, RFID has come to refer to inventory tracking, where NFC is more specific to person transactions. A key difference between RFID and NFC protocols is the way in which the master/slave relationship is handled," Brian Kirk, vice president of business development for NetworkIP, told CRM Buyer.
With RFID, the master and slave roles -- which device gets to control which -- cannot be reversed, whereas with NFC, the roles of master and slave can be reversed. In fact, NFC provides for a peer-to-peer relationship, he explained.
The consumer solution typically called "RFID," then, is more likely to really be NFC. That transition will take place very soon, according to Kirk.
One common vehicle for deploying RFID and NFC technology today is the Smart Card. A considerable amount of education is needed for both consumers and retailers about security. Knowledge about how a consumer's identity and bank accounts will be secured will be imperative if these technologies are going to succeed, noted Kirk.
Different standards exist. For instance, ISO 14443 and ISO 15693 are the international standards for contactless smart cards operating at a radio frequency of 13.56 MHz. ISO 14443 has a range of 10 cm (4 inches) and is viewed as the more secure of the two standards.
The Near Field Communications protocol adheres to ISO 14443. ISO 15693 has a much wider range of transmission (1 to 1.5 meters) and is more likely to be used for tracking inventory in a warehouse, according to Kirk.
"Not only does NFC have a much shorter transmission range than RFID, inherently making it more secure than traditional RFID, but applications running over NFC technologies will more than likely encrypt the data that is being transmitted. So even if there is a 'sniffer' trying to pick up the transmission, it won't pick up anything of use because of the encryption," said Kirk.
Along the Way
Security with these devices is not a universal given. RFID is still getting under way in some circles, Mike Lang, executive vice president of sales and marketing for Numerex, told CRM Buyer. Its newest role is using satellite, cellular or WiFi for long-distance transmission of data taken in by local reading devices.
"Security is something you don't just have with a purchased product. You have to keep working on it every day. This area needs a certain level of education on what it is and how it works. In the wireless world, the big challenge is how the RFID device integrates with security measures," said Lang.
The distance RFID data travels is not as much of a concern as how that data gets to where it is going. The key factor is what happens when the information is transmitted, according to InfoLogix's Salvitti.
"There is no difference whether the use is short or long distance. What matters more are other factors that affect security," he said. "There are multiple points with the hardware and software that allow the possibility of a breach."
For instance, the actual device used and its firmware need to be PCI compliant, which many older devices still in wide use are not. Also, WiFi networks pose a risk. Once the data goes on the air, how secure is it? The data has to go to a SAP local environment. How secure is that?
"Some vendors say, 'I'm compliant today, so I am OK.' But that is not true," Salvitti said. Being compliant is a constant battle. Something that is secure today may not be secure in two months.
"RFID users need monitoring of the network. This didn't exist before. Hardware and software vendors all have their own offerings. The challenge is how to make it all work together. This is the crux of what is happening," he said.
This is a new technology, and the penalties for being non-compliant are high. So are the liabilities when breaches occur, he noted.
"RFID can be made secure if it is done right. But if users only engage certain pieces, it will only get partial security. It can be done. The question is how committed is the enterprise to doing it," Salvitti concluded.