Consolidate all RFID cards
January 19, 2014 2:30 PM Subscribe
I hate having all these keys, credit cards, library cards, etc, etc. What's the best way currently to consolidate them? What technology is in the near future?
This is for a course project to produce a new product. The project is not really focused on technology but I would like it to still be technologically accurate and feasible. I tried background researching all this, and there's just so much info, I worry I'm overlooking things, or the things I'm thinking are already out there (this is not my area of expertise).
I'm thinking a system like any of the following:
1. Instead of each distributor giving you a new card, they only give you the RFID tag that you consolidate onto a larger device, kinda like a sticker. Then you tap your single card, which activates whatever relevant tag it needs. Would the various tags interfere with each other? This would make it really easy to adopt and not many changes need to be made.
2. Is there some reprogrammable device that you can just add new information to the chip every time you need it. I'm imagining having a chip to access my apartment, but then my work can just add new information to the chip to give me access to the work building, instead of giving me another entry device. If there is a security breach, the apartment or work can easily reprogram my chip. I already have such a device for my apartment, but is it realistic to have every ID I have be consolidated onto one chip?
3. People are moving towards having NFC technology in smartphones. Does this make all the above irrelevant?
Any information, search words for more information, or ideas are welcome. I'm trying to figure out a system that's easy to adopt for the consumer, and worthwhile for the company. Is this area already so saturated and that it's not a worthwhile project?
This is for a course project to produce a new product. The project is not really focused on technology but I would like it to still be technologically accurate and feasible. I tried background researching all this, and there's just so much info, I worry I'm overlooking things, or the things I'm thinking are already out there (this is not my area of expertise).
I'm thinking a system like any of the following:
1. Instead of each distributor giving you a new card, they only give you the RFID tag that you consolidate onto a larger device, kinda like a sticker. Then you tap your single card, which activates whatever relevant tag it needs. Would the various tags interfere with each other? This would make it really easy to adopt and not many changes need to be made.
2. Is there some reprogrammable device that you can just add new information to the chip every time you need it. I'm imagining having a chip to access my apartment, but then my work can just add new information to the chip to give me access to the work building, instead of giving me another entry device. If there is a security breach, the apartment or work can easily reprogram my chip. I already have such a device for my apartment, but is it realistic to have every ID I have be consolidated onto one chip?
3. People are moving towards having NFC technology in smartphones. Does this make all the above irrelevant?
Any information, search words for more information, or ideas are welcome. I'm trying to figure out a system that's easy to adopt for the consumer, and worthwhile for the company. Is this area already so saturated and that it's not a worthwhile project?
Response by poster: That's actually a pretty cool hack. I'm thinking beyond barcodes though, because something I'm also trying to overcome is needing to find the exact thing I need, and aligning it to the reader (as is the case with bar codes and physical keys).
Basically, I just want my tapping keyfob to hold all my entry, ID, and credit card info, and be able to add more when needed. I want to be able to have it work even if I'm not too careful about alignment, and through another material (ie plastic cover, or leather wallet)
Thoughts on overcoming security breaches and having my one device stolen are also welcome.
posted by lacedcoffee at 2:39 PM on January 19, 2014
Basically, I just want my tapping keyfob to hold all my entry, ID, and credit card info, and be able to add more when needed. I want to be able to have it work even if I'm not too careful about alignment, and through another material (ie plastic cover, or leather wallet)
Thoughts on overcoming security breaches and having my one device stolen are also welcome.
posted by lacedcoffee at 2:39 PM on January 19, 2014
Coin is the hot new kid on the block.
From the FAQ:
Q. What is a Coin?
A. Coin is a connected device that can hold and behave like the cards you already carry. Coin works with your debit cards, credit cards, gift cards, loyalty cards and membership cards. Instead of carrying several cards you carry one Coin. Multiple accounts and information all in one place.
Q. How do I get my cards onto a Coin?
A. Our mobile app will allow you to add, manage and sync the cards that you choose to store on your Coin. The process of adding card information to the mobile app is very simple and is done by taking a picture or two and swiping your Coin through a small device we provide you with.
posted by barnone at 2:45 PM on January 19, 2014 [1 favorite]
From the FAQ:
Q. What is a Coin?
A. Coin is a connected device that can hold and behave like the cards you already carry. Coin works with your debit cards, credit cards, gift cards, loyalty cards and membership cards. Instead of carrying several cards you carry one Coin. Multiple accounts and information all in one place.
Q. How do I get my cards onto a Coin?
A. Our mobile app will allow you to add, manage and sync the cards that you choose to store on your Coin. The process of adding card information to the mobile app is very simple and is done by taking a picture or two and swiping your Coin through a small device we provide you with.
posted by barnone at 2:45 PM on January 19, 2014 [1 favorite]
You might want to read about Coin. It is magnetic-strip-based, not RFID. But the FAQs detail a lot of the security features, such as the card deactivating if separated from your phone for a defined period of time.
posted by payoto at 2:47 PM on January 19, 2014
posted by payoto at 2:47 PM on January 19, 2014
Response by poster: That's such a nifty device, I might even consider it for myself. Something I dislike about magnetic strips though is that I'm constantly trying to figure out which way to swipe it, a usability issue I want to overcome, so I'm thinking no magnetic strip (I also see that many credit card companies are adopting technologies beyond magnetic strips, so I'm wondering if that's on it's way out). I also want this to work for those smart card accessed things and keys especially.
posted by lacedcoffee at 2:55 PM on January 19, 2014
posted by lacedcoffee at 2:55 PM on January 19, 2014
A magnetic strip encodes one piece of information that doesn't change. Some - but not all - RFID cards don't just send out one static piece of information but are dynamic and intelligent in their responses to other devices.
With things like payment systems, if the device were to give out all the data it holds it would be giving out all the information that someone would need to impersonate you, like skimming a credit card. Instead a card in a payment system should be able to handle the negotiations of the current transaction without giving away balances, account numbers, or encryption keys.
Under these circumstances, it would be hard or even impossible to create a third-party device that could glean all the information from some RFID or NFC devices, and this is by design. For cards that have these kinds of smarts, you'd have to work with the manufacturer to design a mechanism by which the information can be transferred from card to card.
There are probably RFID implementations that are not this advanced, but the security conscious part of me is really hoping that this is the exception and not the norm.
posted by tkolstee at 5:04 PM on January 19, 2014
With things like payment systems, if the device were to give out all the data it holds it would be giving out all the information that someone would need to impersonate you, like skimming a credit card. Instead a card in a payment system should be able to handle the negotiations of the current transaction without giving away balances, account numbers, or encryption keys.
Under these circumstances, it would be hard or even impossible to create a third-party device that could glean all the information from some RFID or NFC devices, and this is by design. For cards that have these kinds of smarts, you'd have to work with the manufacturer to design a mechanism by which the information can be transferred from card to card.
There are probably RFID implementations that are not this advanced, but the security conscious part of me is really hoping that this is the exception and not the norm.
posted by tkolstee at 5:04 PM on January 19, 2014
This is one of those problem spaces where the difficult part is not the technology, the difficult part is being compatible with all the existing technologies that already cover the same space.
It's all well and good to say you're "thinking beyond barcodes", or that you don't like magnetic stripes -- but the whole issue is that most of the things people already use depend on those or on other pre-existing technologies (such as mechanical tumblers).
Part of creating a new product is making sure it can be fits into the world that exists before your product is introduced. Because if it doesn't, nobody will use your new product.
It's pretty easy to invent a new protocol that will do what you describe; there are dozens of different ways to do it -- but that does the opposite of achieving your goal of consolidating the existing keys, credit cards, library cards, etc.; it just adds yet another different kind.
“I have seen your commits in the great repository,” said the master, drawing a long knife which she placed at his throat. “Where once there had been a hundred styles, there now are a hundred and one.”
posted by ook at 5:24 PM on January 19, 2014
It's all well and good to say you're "thinking beyond barcodes", or that you don't like magnetic stripes -- but the whole issue is that most of the things people already use depend on those or on other pre-existing technologies (such as mechanical tumblers).
Part of creating a new product is making sure it can be fits into the world that exists before your product is introduced. Because if it doesn't, nobody will use your new product.
It's pretty easy to invent a new protocol that will do what you describe; there are dozens of different ways to do it -- but that does the opposite of achieving your goal of consolidating the existing keys, credit cards, library cards, etc.; it just adds yet another different kind.
“I have seen your commits in the great repository,” said the master, drawing a long knife which she placed at his throat. “Where once there had been a hundred styles, there now are a hundred and one.”
posted by ook at 5:24 PM on January 19, 2014
You seem to be focusing on the consumer but not the companies. For a lot of companies they have signed agreements/leases for specific equipment, or set up systems that require magnetic stripes, or RFIDs, or chips so that changing it requires a systemic change that may be expensive and time-intensive to implement. They don't have the agility to respond to something new unless you absorb their cost of implementation and guarantee their security.
For example, I work in a library that uses RFID for books but still scans barcodes for the actual library cards because of concerns over privacy (and seeing all the problems we have had with RFID over the past eight years I would say those concerns are VERY warranted). Many companies/organizations also are expected to have stricter controls on privacy/distributing information through legislation and/or financial consequences (I'm thinking specifically of financial institutions where a security breach could cost them millions as well as destroy their credibility).
There is also the problem of not "pushing" info down to the chip. For example, I use an RFID chip card (PRESTO) to ride public transit. The machines in the actual buses only communicate once a day with the server (around 3am). So if I load my chip card online with an interact transfer/online banking it will take 24-48 hours for that information to get to the machines on the bus and thus to my card (not to mention the MANY problems people have had with payments disappearing).
For me though, he main concern would be that the one device has access to my front door, my workplace door, my bus pass, my debit cards etc without any security on it like a password. At least if I lose my work pass I only have to immediately deal with the one possible security breach and close it quickly. If I lost a multiple-use pass I would have to prioritise all the possible breaches, contact each organisation individually (taking fifteen minutes for each one at least). While I am cancelling my debit card/pay pass they are in my house rifling my drawers etc.
posted by saucysault at 5:26 PM on January 19, 2014
For example, I work in a library that uses RFID for books but still scans barcodes for the actual library cards because of concerns over privacy (and seeing all the problems we have had with RFID over the past eight years I would say those concerns are VERY warranted). Many companies/organizations also are expected to have stricter controls on privacy/distributing information through legislation and/or financial consequences (I'm thinking specifically of financial institutions where a security breach could cost them millions as well as destroy their credibility).
There is also the problem of not "pushing" info down to the chip. For example, I use an RFID chip card (PRESTO) to ride public transit. The machines in the actual buses only communicate once a day with the server (around 3am). So if I load my chip card online with an interact transfer/online banking it will take 24-48 hours for that information to get to the machines on the bus and thus to my card (not to mention the MANY problems people have had with payments disappearing).
For me though, he main concern would be that the one device has access to my front door, my workplace door, my bus pass, my debit cards etc without any security on it like a password. At least if I lose my work pass I only have to immediately deal with the one possible security breach and close it quickly. If I lost a multiple-use pass I would have to prioritise all the possible breaches, contact each organisation individually (taking fifteen minutes for each one at least). While I am cancelling my debit card/pay pass they are in my house rifling my drawers etc.
posted by saucysault at 5:26 PM on January 19, 2014
I've designed my own re-programmable RFID cards with the goal of having just one (125 KHz) RFID card. I wrote the IDs from various cards that I carry (different offices, etc), but the way the HID ProxCard readers work it is not possible to cycle through different codes. Once it has a two valid, identical reads in a row, it stops polling until the card is removed. With an external button I could have it select different codes, but that would have required removing the card from my wallet to select the right one.
With high frequency cards (13.56 MHz), some of the devices have collision detection and you could fake it out as if it were multiple cards. I haven't tried experimenting with this yet.
posted by autopilot at 5:27 PM on January 19, 2014 [2 favorites]
With high frequency cards (13.56 MHz), some of the devices have collision detection and you could fake it out as if it were multiple cards. I haven't tried experimenting with this yet.
posted by autopilot at 5:27 PM on January 19, 2014 [2 favorites]
Two useful details which I glommed from an account of one of Bunnie Huang's hacks:
Some RFID systems conflict with others if they are in close proximity (in his case, transit passes from different municipal systems -- they might be using some of the same backend tech, perhaps?)
Some RFID systems require penetration (similar to a magstrip swiper) while others just require proximity, which definitely poses some limitations to the form factor.
These are quite apart from the more standard concerns about privacy, etc., but it definitely seems like you would need a LOT of buyin and standards-definition from the various stakeholders. In this case, of course, the end consumer seems likely not to be a stakeholder (again).
posted by ivan ivanych samovar at 7:07 PM on January 19, 2014
Some RFID systems conflict with others if they are in close proximity (in his case, transit passes from different municipal systems -- they might be using some of the same backend tech, perhaps?)
Some RFID systems require penetration (similar to a magstrip swiper) while others just require proximity, which definitely poses some limitations to the form factor.
These are quite apart from the more standard concerns about privacy, etc., but it definitely seems like you would need a LOT of buyin and standards-definition from the various stakeholders. In this case, of course, the end consumer seems likely not to be a stakeholder (again).
posted by ivan ivanych samovar at 7:07 PM on January 19, 2014
Response by poster: Thanks all for the input, these are definitely factors I need to think about. My focus is on the end-user (because that is my area of study), but of course, various stakeholders need to be taken into account to make something feasible. Any other thoughts are welcome and appreciated.
My thought on magnetic strips is that so many companies are now offers those tapping cards that they are going to be the future. It's certainly possible I am wrong. Also, as far as security breaches, I'm thinking of offering a service similar to Coin, mentioned above, about it deactivating if not in close proximity to something else (ie phone).
Note this is not something I plan to build, just a thought experiment we are doing, but I want to make sure to address the concerns and have it technologically feasible.
In the very simple case, what stops us from just extracting the RFID from the smart cards we have, and taping them to one card (with the caveat we are super dextrous and don't damage the chip in the process)?
posted by lacedcoffee at 8:37 PM on January 19, 2014
My thought on magnetic strips is that so many companies are now offers those tapping cards that they are going to be the future. It's certainly possible I am wrong. Also, as far as security breaches, I'm thinking of offering a service similar to Coin, mentioned above, about it deactivating if not in close proximity to something else (ie phone).
Note this is not something I plan to build, just a thought experiment we are doing, but I want to make sure to address the concerns and have it technologically feasible.
In the very simple case, what stops us from just extracting the RFID from the smart cards we have, and taping them to one card (with the caveat we are super dextrous and don't damage the chip in the process)?
posted by lacedcoffee at 8:37 PM on January 19, 2014
In the very simple case, what stops us from just extracting the RFID from the smart cards we have, and taping them to one card (with the caveat we are super dextrous and don't damage the chip in the process)?
The fact that they'll be close enough together that reading a single chip will be next to impossible.
posted by kindall at 9:22 PM on January 19, 2014
The fact that they'll be close enough together that reading a single chip will be next to impossible.
posted by kindall at 9:22 PM on January 19, 2014
You might find Drop-Kicker's two posts on Coin, and the comments on them, interesting.
Also, I would be wary of assuming RFID is the future of credit cards. Two reasons:
Firstly, and anecdotally: although I do have a contactless credit card I very rarely encounter readers that have the matching logo; and even more rarely actually use them. I would not under-estimate the lag time in upgrading the huge existing infrastructure that relies on magstripe. (And note also that the "disruptive" Square technology so much adopted by new small businesses is... still magstripe.)
Secondly, I suspect that the huge Target breach, and I suspect a whole bunch of related breaches yet to be revealed, might be a tipping point towards demand for more secure credit card technology. That probably means less RFID, given scare stories about how sniffable it is; and more EMV aka Chip-and-PIN.
posted by We had a deal, Kyle at 9:45 PM on January 19, 2014
Also, I would be wary of assuming RFID is the future of credit cards. Two reasons:
Firstly, and anecdotally: although I do have a contactless credit card I very rarely encounter readers that have the matching logo; and even more rarely actually use them. I would not under-estimate the lag time in upgrading the huge existing infrastructure that relies on magstripe. (And note also that the "disruptive" Square technology so much adopted by new small businesses is... still magstripe.)
Secondly, I suspect that the huge Target breach, and I suspect a whole bunch of related breaches yet to be revealed, might be a tipping point towards demand for more secure credit card technology. That probably means less RFID, given scare stories about how sniffable it is; and more EMV aka Chip-and-PIN.
posted by We had a deal, Kyle at 9:45 PM on January 19, 2014
This thread is closed to new comments.
posted by yclipse at 2:33 PM on January 19, 2014