Security, RFID and
Consumers
RFID Security, Theory and Practice
mr. dr. Bart Schermer
RFID Platform Nederland
About me
• Secretary RFID Platform Nederland
• Privacy specialist at ECP.NL
• Partner at Considerati
• Assistant professor at the University of Leiden (faculty of law)
Board RFID Nederland
RFID Nederland
“Stimulating the uptake of RFID technology and ensuring its responsible use”
• Market initiative
• 50 participants
• www.rfidnederland.nl
• www.watisrfid.nl
Business drivers for RFID
Real-time insight into business processes increases:
• Efficiency
• Security
• Customer loyalty
Why are these similar?
Source: ADT Tyco
Opposing views...
RFID and the Public Opinion
RFID vulnerabilities
• Skimming / eavesdropping
• Weak crypto
• Tag reader authentication
Security risks
• Access to data on the chip (including possible keys)
• Access to associated databases
• Access to communication between tag and reader
• Attack vector for databases (e.g. viruses, SQL injection)
• Cloning (!!!!)
• Possibility to follow / track and trace people
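The "attack vector for databases" bullet above, as an added illustration that is not from the presentation: reader middleware that splices tag memory straight into an SQL query, beside the hardened form that checks the EPC shape first and binds the value as a parameter. The inventory table, the EPC values and the hostile tag content are constructed for this example.

```python
import re
import sqlite3

# Constructed sample back-end inventory keyed by the EPC the reader pulls off a tag.
# The EPC values are made up for this example; they do not come from any deployment.
SAMPLE_INVENTORY = [
    ("30340000000000000000000A", "pallet 1", "warehouse A"),
    ("30340000000000000000000B", "pallet 2", "warehouse B"),
]

# Shape check for an EPC-96 identifier: exactly 24 hexadecimal digits, nothing else.
EPC96_HEX = re.compile(r"\A[0-9A-Fa-f]{24}\Z")


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the inventory database behind the reader middleware."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (epc TEXT PRIMARY KEY, name TEXT, location TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?, ?)", SAMPLE_INVENTORY)
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, tag_data: str) -> list:
    """Vulnerable form: tag memory is spliced into the SQL text.

    Whatever was written to the tag (by anyone with a writer in range) becomes
    part of the statement the back end executes.
    """
    sql = f"SELECT epc, name, location FROM items WHERE epc = '{tag_data}'"
    return conn.execute(sql).fetchall()


def is_well_formed_epc(tag_data: str) -> bool:
    """Treat tag memory as untrusted input: accept only the EPC-96 shape."""
    return EPC96_HEX.match(tag_data) is not None


def lookup_safe(conn: sqlite3.Connection, tag_data: str) -> list:
    """Hardened form: validate the shape, then bind the value as a parameter.

    The SQL text is fixed; tag content can only ever be compared as data.
    """
    if not is_well_formed_epc(tag_data):
        raise ValueError("tag data is not a well-formed EPC-96")
    return conn.execute(
        "SELECT epc, name, location FROM items WHERE epc = ?",
        (tag_data.upper(),),
    ).fetchall()


def handle_tag_read(conn: sqlite3.Connection, tag_data: str) -> tuple:
    """Middleware entry point: returns ('ok', rows) or ('rejected', []).

    A rejected read is worth logging and alerting on: a tag carrying non-EPC
    content in an EPC field is either corrupt or deliberately crafted.
    """
    try:
        return ("ok", lookup_safe(conn, tag_data))
    except ValueError:
        return ("rejected", [])


# Constructed hostile tag content: a tag whose memory holds an SQL fragment
# instead of an identifier.
HOSTILE_TAG_DATA = "' OR '1'='1"


if __name__ == "__main__":
    db = build_db()
    print("unsafe:", lookup_unsafe(db, HOSTILE_TAG_DATA))      # every row is returned
    print("safe:  ", handle_tag_read(db, HOSTILE_TAG_DATA))    # ('rejected', [])
    print("safe:  ", handle_tag_read(db, "30340000000000000000000a"))
```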
“Big Brother is watching you!”
Privacy risks
• Due to its invisible nature, RFID can be used to surreptitiously gather personal data.
• Companies can use this information to profile and classify customers
• Companies can use this information to follow and track consumers throughout their daily lives
• Companies can use invasive Minority Report style advertising
The role of privacy
• Information is power
• (Personal) data is used to profile and classify consumers
• Privacy is a means to maintain ‘economic equality’ between companies and consumers
• Consumers (should) have a say in the processing of their personal data
EU Privacy Law
• Data Protection Directive (95/46/EC)
• Telecom Privacy Directive (2002/58/EC)
EU Privacy Law
• Surreptitious gathering of personal data is a violation of the Data Protection Directive (95/46/EC).
• Using personal data for purposes other than those for which they were gathered is a violation of the Data Protection Directive.
• Surreptitiously monitoring and following people is a criminal offence (and where it is not, it should be).
• Targeted advertising without prior permission from consumers is a violation of the Data Protection Directive and the Telecom Privacy Directive (2002/58/EC).
Example I: OV chipkaart
• Mifare Classic (subscriptions etc.) / Mifare Ultralight (day tickets)
• Hack by Plötz & Nohl (reverse engineering -> skimming -> cloning)
• Hack Radboud I (Mifare Ultralight) (skimming -> cloning)
• Dutch Data Protection Authority warns GVB, NS
• Hack Radboud II (Mifare Classic) (cryptanalysis -> skimming -> cloning)
• Press coverage differs from the facts
• NXP (wrongfully) bashed for providing an insecure chip
• Security through obscurity worked for 13 years...
See also: https://ovchip.cs.ru.nl/Event_history
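The skimming -> cloning chain on the OV chipkaart slide, as an added illustration that is not from the presentation: a tag that only emits a static identifier can be reproduced from a single read, whereas a tag that answers a fresh reader challenge with a keyed MAC cannot be reproduced from an eavesdropped exchange. The protocol sketch, the HMAC-SHA256 choice, the 4-byte identifier and the key are constructed for this example and are not Mifare's protocol; as the Mifare Classic cryptanalysis shows, such a check is only as strong as the cipher behind it.

```python
import hashlib
import hmac
import secrets

UID_LEN = 4  # bytes of identifier at the front of a response (constructed convention)


class StaticIdTag:
    """Tag with no secret: answers every query with its fixed identifier."""

    def __init__(self, uid: bytes):
        self.uid = uid

    def respond(self, challenge: bytes) -> bytes:
        return self.uid  # the challenge is ignored; the answer never changes


class AuthTag:
    """Tag holding a per-tag secret key: answers a challenge with a keyed MAC."""

    def __init__(self, uid: bytes, key: bytes):
        self.uid = uid
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        mac = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return self.uid + mac


class ReplayTag:
    """Copy built only from an eavesdropped exchange: replays the recorded answer."""

    def __init__(self, recorded_response: bytes):
        self.recorded = recorded_response

    def respond(self, challenge: bytes) -> bytes:
        return self.recorded  # has no key, so it cannot compute a fresh answer


def reader_accepts_static(tag, known_uids: set) -> bool:
    """Reader that trusts whatever identifier the tag emits."""
    return tag.respond(b"") in known_uids


def reader_accepts_auth(tag, keys_by_uid: dict) -> bool:
    """Reader that issues a fresh random challenge and verifies the keyed answer."""
    challenge = secrets.token_bytes(16)  # new per session, so recorded answers are useless
    response = tag.respond(challenge)
    uid, mac = response[:UID_LEN], response[UID_LEN:]
    key = keys_by_uid.get(uid)
    if key is None:
        return False
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected)


def run_scenarios() -> dict:
    """Skim one exchange from each kind of tag, build a replay copy, present it to the reader."""
    uid = bytes.fromhex("04a1b2c3")                          # constructed identifier
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed per-tag key
    results = {}

    # Static identifier: reading the tag once is enough to reproduce it.
    genuine = StaticIdTag(uid)
    skimmed = genuine.respond(b"")
    results["static_genuine"] = reader_accepts_static(genuine, {uid})
    results["static_replay"] = reader_accepts_static(ReplayTag(skimmed), {uid})

    # Challenge-response: the eavesdropper records a complete exchange, but the
    # reader's next challenge differs, so the recorded MAC does not verify.
    genuine = AuthTag(uid, key)
    observed_challenge = secrets.token_bytes(16)
    skimmed = genuine.respond(observed_challenge)
    results["auth_genuine"] = reader_accepts_auth(genuine, {uid: key})
    results["auth_replay"] = reader_accepts_auth(ReplayTag(skimmed), {uid: key})
    return results


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```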
Example II: retail
Privacy or security?
Incident driven response...
• Consumer backlash (boycott) against technology
• Motion to cancel the OV chipkaart
• EU Recommendation on RFID & Privacy:
- Mandatory privacy impact assessment
- Opt-in for retail environment
Observations
• Emphasis on technology instead of application
• Security issues and privacy issues are often confused
• Business reality can differ from security reality
- security through obscurity may make sense for a business
- cost/risk analysis is leading, not 100% security
• Solutions are currently viewed as either/or (e.g. opt-in for retail)
• There is no integrated approach towards security and privacy
The right tool for the job
• 100% security is not always the optimal economic decision
• RFID should not be the only security measure
• Focus on the problem, not the technology
• Which tool is most effective?
Suggestions
• Clear(er) distinction between privacy and security
- strengthen overall system security
- create tools to enhance privacy (Privacy by design, PETs)
- create tools to effectuate legal safeguards (consumer in control)
• Security experts must educate businesses, consumers, policymakers and politicians (in English please)
• Security, business processes, and legal safeguards must strengthen each other
The way forward
Companies should:
• Use RFID in a responsible manner
• Provide benefits not only to themselves, but also to consumers
• Provide openness and transparency about the use of RFID
• Provide a truly free choice for consumers
Government should:
• Create tools for the protection of privacy (PETs, RFID guardians, logo system)
• Place the consumer in control
• Monitor possible shifts in the balance of power, and correct where necessary
Security experts and researchers should:
• Try to translate their work into plain, proper English (‘Jip and Janneke’ language)
• ...Keep up the good work
Bart Schermer
ECP.NL / RFID Platform Nederland
Overgoo 11
2260 AG Leidschendam
070-4190309
bart.schermer@ecp.nl
“RFID will have a greater impact on our society than the Internet has had”
-- Prof. Cor Molenaar, chairman of RFID Nederland
Questions?

A balanced perspective on RFID
