

Why chips in passports and ID cards are a stupid idea - bensummers
http://www.economist.com/sciencetechnology/displaystory.cfm?story_id=14066895

======
mdasen
So, maybe it's just me, but I don't see why RFID is such a great thing for
secure applications. Like, it's an awesome technology for a retail store to do
inventory with. I mean, they can just pass a scanner near a bunch of products
and figure out what they've got. Heck, each individual product can give a
different ID which is even better than the simple barcodes that we use today.

However, why would one use RFID when you _don't_ want the reading to be easy?
There are plenty of technologies that require physical contact to transmit
information (like mag strips or smart chips). If they want the passports to
have to be inserted into a machine, they might as well use one of those
technologies.

I'm all for RFID in its place. It's great for my subway pass so that I don't
have to take it out of my wallet. Same for highway tolls where I don't have to
stop. But neither of those are instances where I completely care about
security. Sure, I don't want anyone cloning my subway pass, but it also isn't
a window into my identity like my passport is and so I can choose convenience
a bit over security there. Oh, a good example would be something like site
passwords. Sure, I don't want anyone getting into my HN account, but it's not
quite the same as someone getting into my bank account and, as such, I don't
need quite as complex a password for it.

I'm not saying that I like the idea of chips in passports, but if you're going
to put one in, why RFID? Why on earth didn't they choose something that
requires physical contact to be read? I mean, the article focuses on the RFID
problems (that it can be read without you knowing it since it doesn't require
physical contact) and doesn't explain how on earth RFID became the choice.
While one might not want to have a chip on their passport, at least a chip
that needed physical access to read would put the holder (mostly^) in control
of who got access to that information.

^I say mostly because there are always pick pockets and such that could swipe
it without your knowledge, but that's a much lower risk than someone walking
around with an RFID skimmer - it requires the person to physically remove it
from your person, put it in a reader, and return it to you without you or
anyone else noticing; not impossible, but a great deal less trivial.

~~~
eru
RFID is not even that much of a hit in retail, either. Some say, "yet". But
widespread use of RFID in retail was "just around the corner" for several
years, now.

As long as the technology is not cheap enough to (profitably!) slap an RFID
chip on every 25 cent cup of yoghurt, it won't be ready for retail.

(At least that's the picture in Germany. But thanks to Aldi, Lidl and a few
others --- most of our groceries don't even accept credit cards, because their
razor-thin margins make them unable to swallow the fee. Debit card processing
--- which is mostly free for the shop --- is nearly universal however. (Except
for Restaurants; most accept only cash.))

~~~
seldo
Wow, Germany sounds like a horrible place to go shopping.

~~~
mustpax
Debit cards aren't half bad. You have to use your PIN to spend money, makes a
thief maxing out your CC harder.

In most parts of Europe, you also don't have to pay %15-20 on top of every
meal at a restaurant out of obligation. Tips really are only tips, you leave
one based on the service you receive.

For the life of me, I really can't get over the fact that you _have_ to leave
a 15% tip by default in the US (unless there was something blatantly wrong
with your meal, of course). I mean, I'm not a dick, I still do it, I just
can't get accustomed to it.

~~~
cookiecaper
You don't _have_ to leave a tip. People don't appreciate it, and if you get
not-bad service you should tip adequately, but the tip is a mechanism designed
to encourage servers to meet your needs as well as possible, and not neglect
their patrons. I think they work well, generally. In most places, a tip is not
mandatory (I have heard of some establishments banning frequent non-tippers),
though you generally leave one anyway to gauge the server's performance. i.e.,
bad performance gets 5-10%, normal 10-20%, awesome 20%+.

~~~
joeyo
You say that you don't have to tip and then advocate tipping 5-10% for bad
performance in the same paragraph? Of course there is no legal obligation to
tip, since if there was it couldn't be called a tip-- it would just be
itemized billing. But the fact that in the US wait staff can be legally paid
less than the minimum wage (before tips) provides an ethical argument for
tipping, if not a legal one.

------
jrockway
I don't really understand why governments are so obsessive about associating a
photograph and a name. I can change my name whenever I want, for no reason at
all. I can show up at the DMV with trivially-forged documents and get an ID
card saying I am whoever I want to be. I can show up in a random country and
easily overstay my visa. I can be a nice person one day, and the next day kill
3,000 people.

So I don't really see what all this scrutiny about identity documents is
about. Identity is something that constantly changes, and doesn't really mean
anything.

------
sketerpot
To make the chips harder to clone, try including a physically unclonable
function as part of the authentication:

<http://en.wikipedia.org/wiki/Physically_Unclonable_Function>

~~~
jrockway
Too expensive. Remember, the chips don't do anything useful, they are there so
the government can look like it is somehow stopping terrorism with amazing
high-tech gadgets.

The 9/11 hijackers had valid passports and visas.

~~~
ars
True about the uselessness of the chips.

But adding a PUF is not expensive. For example the last option listed on the
wikipedia link: a random magnetic strip costs fractions of a penny.

------
Bjoern
1.) Sometimes new technology does not improve your situation but the opposite.
e.g. RFID Passports open new attack vectors. There is no technology which is
totally secure.

2.) RFID is not the problem, you can easily put a mesh inside the cover of the
passport to prevent reading of the chip.

3.) Hammer time^Wthem.
<http://www.wired.com/wired/archive/15.01/start.html?pg=9> or tinfoil it.

4.) Subway cards with RFID are scary. In the UK the police uses the "named"
cards to track peoples movement.

------
onreact-com
The real reason to introduce them is tightened control not "speed" or
something.

