This article can also be found in the Premium Editorial Download "Information Security magazine: Keep today's threats close and tomorrow's closer."
Many retailers and long-time RFID backers, including Wal-Mart and Best Buy, did not respond to interview requests. Several of Wal-Mart's leading suppliers, including Unilever and Kimberly-Clark, also declined to be interviewed. That may be because some companies have actually come to see EPC Gen 2 tags as security devices. The drug manufacturer Pfizer, for example, is using EPC Gen 2 as an anti-counterfeiting tool by placing RFID tags on bottles of Viagra.
The EPC Gen 2 tags themselves are easy to clone and scan surreptitiously, however, says RSA's Juels.
Sanjay Sarma, who co-founded the Auto-ID Center with Ashton, believes that people have unrealistic expectations about how secure RFID will ever be. The demo hacks of credit cards and other smart card and near field communication (NFC) systems show that companies are fooling themselves into thinking that RFID tags can act as mini-computers capable of high levels of network security.
"When people see [RFID credit cards] capable of being able to pass more data back and forth with a reader," says Sarma, "people start to salivate. But it will never be the same as a PC."
And unlike the smart card and NFC specifications, EPC was never designed to be more than a way for tags to wirelessly emit a unique numerical code to identify an item.
"EPC has never held such illusions," said Sarma, who is also chief scientist at RFID software company OATSystems, whose customers include P&G, GlaxoSmithKline and Kimberly-Clark.
This was first published in January 2007