Risk
2/9/2009
11:40 AM
Dark Reading
Dark Reading
Products and Releases
Connect Directly
RSS
E-Mail
50%
50%

Sleeve Protects IDs From 'War Cloning'

Identity Stronghold's solution shown to be effective in preventing communications with RFID or contactless smart cards contained within the sleeve

There are numerous recent news reports about passport card cloning or "war cloning". The reports describe how a security researcher mounted an RFID reader and antenna in his car and drove around San Francisco capturing via radio waves the ID codes of several people's passport cards and enhanced drivers licenses. This is definitely a security and privacy issue. What many do not know is that federal and state officials were aware of this possibility. This very privacy issue is why the US State Department and state motor vehicle departments send out a Secure Sleeve' with every passport card or enhanced drivers license shipped. The enclosed instructions urge card holders to keep their passport cards in the protective privacy sleeve when not in use. This not only protects the sensitive electronics in the cards but blocks distance reading of any data contained on the RFID chip inside the cards.

The Secure Sleeve has been certified by the U.S. Government as an electromagnetically opaque sleeve and shown in testing by multiple, independent organizations to be effective in preventing communications with RFID or contactless smart cards contained within the sleeve. Based on these test results and the experience of having millions of Secure Sleeves in the market, Identity Stronghold believes the cards reportedly cloned by the researcher were not in the Secure Sleeve provided with the card. Had the cards been contained within the sleeve, they would not have been detected during the experiment.

Contactless and RFID technologies are being productively used in passports, credit cards, passport cards, government identification cards, company identification cards, enhanced drivers licenses, student identification cards, transit cards, TWIC cards and a growing list of other applications. However, this experiment is the latest in a list of events that demonstrate how the information stored within a card may be compromised if not protected with the appropriate layers of digital and physical security. The U.S. Government and many State Governments have taken a lead role in specifying the use of the Secure Sleeve or Secure Badgeholder as a physical security measure to complement the digital security measures incorporated into the cards. Other issuers of contactless and RFID enabled credit, payment, and identification cards such as banks, commercial security integrators, businesses, and international governments are beginning to follow the U.S. Government's proactive lead by providing their customers and citizens with protective sleeves as well. Further, many security-savvy consumers have taken the step of buying their own Secure Sleeves online at www.idstronghold.com.

The reported cloning of the passport cards should be viewed as a reminder that each entity involved in development, issuance, and use of such cards must take the proper steps to secure the information held within the card.

About Identity Stronghold Identity Stronghold (www.IDstronghold.com), based in Sarasota, Florida, is the leading supplier of physical security products for RFID and contactless smart cards. The Company's Secure Sleeve and Secure Badgeholder product lines combine innovative design and advanced materials to deliver the highest levels of form, function, and security.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Must Reads - September 25, 2014
Dark Reading's new Must Reads is a compendium of our best recent coverage of identity and access management. Learn about access control in the age of HTML5, how to improve authentication, why Active Directory is dead, and more.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-5485
Published: 2014-09-30
registerConfiglet.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via unspecified vectors, related to the admin interface.

CVE-2012-5486
Published: 2014-09-30
ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.

CVE-2012-5487
Published: 2014-09-30
The sandbox whitelisting function (allowmodule.py) in Plone before 4.2.3 and 4.3 before beta 1 allows remote authenticated users with certain privileges to bypass the Python sandbox restriction and execute arbitrary Python code via vectors related to importing.

CVE-2012-5488
Published: 2014-09-30
python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via a crafted URL, related to createObject.

CVE-2012-5489
Published: 2014-09-30
The App.Undo.UndoSupport.get_request_var_or_attr function in Zope before 2.12.21 and 3.13.x before 2.13.11, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote authenticated users to gain access to restricted attributes via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
In our next Dark Reading Radio broadcast, we’ll take a close look at some of the latest research and practices in application security.