RFID Bracelets possible security risk


  • [Chat] RFID Bracelets possible security risk

    So I am by no means an expert in anything even close to "hacking," but I have heard that RFID chips are very easy to exploit and use to gather information. Again, I have no experience doing this, I am only aware of what I have read and been told. That being said, from the last Micechat Podcast, RFID seems like it will be a major component of the NextGen system, with the biggest ability of the whole system being able to put your credit card on the "My Magic" wristband or card. Again, I have no actual knowledge of how the system will work (if RFID will be used to transmit credit card data or if another interface would be used), but I am interested to hear from someone who does have a background using this technology.

    Am I completely off base here, or is there any truth to my thoughts? I certainly don't want to begin a witch hunt here accusing Disney of leaving sensitive information out in the open, especially since they haven't done anything of the sort yet lol.

    "Your cadaverous pallor betrays an aura of foreboding. Perhaps you sense a disquieting metamorphosis occurring? Is this room actually stretching, or is it your imagination"

  • #2
    Re: RFID Bracelets possible security risk

    Originally posted by ewokrights
    So I am by no means an expert in anything even close to "hacking," but I have heard that RFID chips are very easy to exploit and use to gather information. Again, I have no experience doing this, I am only aware of what I have read and been told. That being said, from the last Micechat Podcast, RFID seems like it will be a major component of the NextGen system, with the biggest ability of the whole system being able to put your credit card on the "My Magic" wristband or card. Again, I have no actual knowledge of how the system will work (if RFID will be used to transmit credit card data or if another interface would be used), but I am interested to hear from someone who does have a background using this technology.

    Am I completely off base here, or is there any truth to my thoughts? I certainly don't want to begin a witch hunt here accusing Disney of leaving sensitive information out in the open, especially since they haven't done anything of the sort yet lol.

    I understand your concerns, but Disney is more than likely aware of all the vulnerabilities of RFID. Most likely, though, the chip will just store an encrypted authorization code, and that code is then connected to Disney's internal system, which would have your credit card on file and all details and such. I can assure you that all private information would be stored on an internal Disney server or a 3rd party security firm and not on the RFID CHIP sensor itself. Disney can do this as the "My Magic" credit card checkout would be a feature on Disney properties only, and not normal stores.

    Additionally, Disney has been attaching guests' photos to tickets now with iPhones that have scanners attached, when they enter the turnstiles. I can guarantee they will continue to do this, so when that RFID sensor is used it will show a picture of the person attached to that ticket. Also, the RFID feature is currently only set to be used with regular tickets, and not Annual Passholders, so the chance of someone stealing your RFID info within the 5 or 7 days you're at the park is pretty slim.
    Last edited by BradleyC; 01-24-2013, 11:04 AM.


    • #3
      Re: RFID Bracelets possible security risk

      I think that Disney will have a way to prevent people from taking their bracelets home and hacking into the network. Possibly (I have no knowledge of how it works, this is my guess) it might work just as an employee badge does, where it just has a number on it and it lets you in by the badge number and authorization code. Disney will have an onsite database (hint: all the new wires) that will store all this info. There will be nothing on the band itself. Also there will be two databases, one for WDW and one for DL.
      Check out my work on openstreetmap.org
      http://www.openstreetmap.org/?lat=33...om=17&layers=M


      • #4
        Re: RFID Bracelets possible security risk

        Bingo. They've indicated that guest info and details, including your credit card info, will be stored locally on their servers, not on the RFID bracelet. The RFID bracelet will simply be a guest ID# that they then use to identify you as the person in their system.

        Now, technically, someone could read and spoof that ID#, thereby allowing them to make purchases, etc in the same manner that you could. But of course, that would only work during the time your ID is active, such as during your vacation. They couldn't actually get your credit card number or anything.


        • #5
          Re: RFID Bracelets possible security risk

          I am sure that Disney has thought about all the concerns you mentioned, OP. I am sure that they would do a firewall and close it off to prevent hacking etc. In fact, I am sure that if they thought it was such a threat they would not even be considering it. But what do I know!


          • #6
            Re: RFID Bracelets possible security risk

            I forget which thread it was but this was covered already. Basically the way corporations secure customer data has to follow what is called PCI compliance. This is the field I work in for my company. All the awesome stories you see on the news don't really make people feel good about security. What everyone should know is that the programs in place stop way more than the local news would ever care to talk about. There will be a number of protocols in place that NONE of us will know about to protect your data.
            These are some of my favorite TRs I have posted

            DL 55th BDAY trip report
            My company had a special night at the park
            WdW trip report with WWoHP
            NYE 2011 trip report
            Mice Chat 7th anniversary
            Leap year 24 hour report
            New DCA trip report
            NYE 2012
            HKDL trip report


            • #7
              Re: RFID Bracelets possible security risk

              From what I understand the super personal stuff, like credit card information, is an optional feature for the bracelets. That is one plus.
              Merrily on our way to nowhere at all.

              • #8
                Re: RFID Bracelets possible security risk

                So, what biggsworth just said: I am not worried about my info being hacked. I'm just not worried!


                • #9
                  Re: RFID Bracelets possible security risk

                  Originally posted by biggsworth
                  I forget which thread it was but this was covered already. Basically the way corporations secure customer data has to follow what is called PCI compliance. This is the field I work in for my company.
                  Originally posted by sgtfox
                  Bingo. They've indicated that guest info and details, including your credit card info, will be stored locally on their servers, not on the RFID bracelet. The RFID bracelet will simply be a guest ID# that they then use to identify you as the person in their system.
                  Those are two very good points. I figured that video was more than a few years old, therefore security has come a long way since then. If no information other than a Guest ID# or some other ID form is stored on the bracelet, then someone with an RFID reader wouldn't be able to get much. I know one reason the parks probably won't ever implement guest accessible Wi-Fi is because of the huge risk to guests. It is so easy to sit on an open network and gather personal information passively. I never check bank statements or even purchase things online when on an open network.
                  "Your cadaverous pallor betrays an aura of foreboding. Perhaps you sense a disquieting metamorphosis occurring? Is this room actually stretching, or is it your imagination"


                  • #10
                    Re: RFID Bracelets possible security risk

                    Originally posted by sgtfox
                    Now, technically, someone could read and spoof that ID#, thereby allowing them to make purchases, etc in the same manner that you could. But of course, that would only work during the time your ID is active, such as during your vacation. They couldn't actually get your credit card number or anything.
                    This is where having guests' photos attached to the NextGen accounts will pay off big time. Even the whole fastpass itinerary idea appears to be set up to deter spoofers from being able to run around the park using a fake band to abuse the fastpass system.
                    Many Bothans died to bring you these fastpasses.


                    • #11
                      Re: RFID Bracelets possible security risk

                      Originally posted by ewokrights
                      Those are two very good points. I figured that video was more than a few years old, therefore security has come a long way since then. If no information other than a Guest ID# or some other ID form is stored on the bracelet, then someone with an RFID reader wouldn't be able to get much. I know one reason the parks probably won't ever implement guest accessible Wi-Fi is because of the huge risk to guests. It is so easy to sit on an open network and gather personal information passively. I never check bank statements or even purchase things online when on an open network.
                      Without getting too technical and giving away my company secrets for wireless transactions, here is how it works. You buy something wirelessly on, let's say, your phone. That info is then encrypted and transmitted over the network, which is also encrypted, to a payment server which is also encrypted and locked down behind firewalls. From there the bank is contacted through a government regulated line and the transaction happens. This happens behind a firewall and is also, you guessed it, encrypted on both ends too. We have multiple companies that encrypt and protect our data so that we have redundancy; in case one was to fail, the other is still in place. There is a lot more to it but hopefully you get the idea.

                      • #12
                        Re: RFID Bracelets possible security risk

                        I doubt with all the safety features they are installing in the park now, they would install an electronic system that isn't safe for people's data and then open themselves to liability by encouraging people to link sensitive information to those electronic systems.
                        "Greetings, Starfighter! You have been recruited by the Star League to defend the Frontier against Xur and the Ko-Dan Armada."


                        • #13
                          Re: RFID Bracelets possible security risk

                          I was wondering if it is similar to the Disney Cruise line's room keys, that also double as your credit card for any shopping needs on the ship?
                          Little and broken, but still good.


                          • #14
                            Re: RFID Bracelets possible security risk

                            As an extra layer of security, if you do decide to link your credit card to your MyMagic+ wristband/card (which is optional), you will have to use a user-generated verification PIN on all purchases over $50.

                            Comment
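
The design described in posts #4 and #14 above (the band carries only an ID, the server holds the card, purchases over $50 need a PIN), sketched as an added example that is not from any poster or from Disney. The account fields, the band ID format and the function names are hypothetical.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import date
from typing import Optional

PIN_THRESHOLD_CENTS = 5000  # the $50 threshold mentioned in post #14

@dataclass
class GuestAccount:  # hypothetical server-side record; none of this is on the band
    active_from: date
    active_to: date
    card_ref: Optional[str]  # opaque reference to the card on file, None if not linked
    pin_salt: bytes
    pin_hash: bytes

def hash_pin(pin: str, salt: bytes) -> bytes:
    # Store a salted, slow hash of the PIN, never the PIN itself.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

def make_account(start: date, end: date, card_ref: Optional[str], pin: str) -> GuestAccount:
    salt = secrets.token_bytes(16)
    return GuestAccount(start, end, card_ref, salt, hash_pin(pin, salt))

def authorize(accounts, band_id, amount_cents, today, pin=None) -> str:
    acct = accounts.get(band_id)
    if acct is None:
        return "deny: unknown band"
    if not (acct.active_from <= today <= acct.active_to):
        return "deny: band not active"
    if acct.card_ref is None:
        return "deny: no card linked"
    if amount_cents > PIN_THRESHOLD_CENTS:
        supplied = hash_pin(pin or "", acct.pin_salt)
        if pin is None or not hmac.compare_digest(supplied, acct.pin_hash):
            return "deny: PIN required"
    return "approve"

# Constructed sample data: one guest staying 20-26 January 2013.
ACCOUNTS = {"BAND-0001": make_account(date(2013, 1, 20), date(2013, 1, 26),
                                      "card-ref-placeholder", "4821")}

if __name__ == "__main__":
    day = date(2013, 1, 24)
    print(authorize(ACCOUNTS, "BAND-0001", 1200, day))          # small purchase
    print(authorize(ACCOUNTS, "BAND-0001", 7500, day))          # over $50, no PIN
    print(authorize(ACCOUNTS, "BAND-0001", 7500, day, "4821"))  # over $50, PIN given
    print(authorize(ACCOUNTS, "BAND-0001", 1200, date(2013, 2, 1)))  # after the stay
```

In this sketch a copied band ID still passes the small-purchase path during the stay, which is why the PIN threshold and the photo check mentioned in the thread matter as additional controls.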


                            • #15
                              Re: RFID Bracelets possible security risk

                              Originally posted by ewokrights
                              So I am by no means an expert in anything even close to "hacking," but I have heard that RFID chips are very easy to exploit and use to gather information....

                              ...Am I completely off base here, or is there any truth to my thoughts?
                              Notwithstanding the Disney fans who are unquestioningly embracing this Disney marketing initiative, there are indeed a number of legitimate concerns about the privacy and security of Disney's RFID system.

                              Some quotes from a letter to Bob Iger by Massachusetts Congressman Edward J. Markey:

                              "...The [RFID bracelet] plan raises a number of important questions about how the personal privacy of Disney's 30-million guests each year will be protected, particularly when it comes to kids and teenagers."

                              "...Widespread use of MagicBand bracelets by park guests could dramatically increase the personal data that Disney can collect about its guests."

                              "...As a Co-Chairman of the Congressional Bi-partisan Privacy Caucus, I am deeply concerned that Disney's proposal could potentially have a harmful impact on our children."


                              The concerns of the Congressman are well founded. Given the rise in corporate database theft, RFID password hacking and identity theft that is being reported with ever-increasing frequency, plus Disney's notoriety for doing things on the cheap and their chronically dysfunctional inter-division communication (e.g. the Monorail upgrade debacle), Disney's theme park division is the last company I'd trust with personal data.
                              Last edited by Mr Wiggins; 01-25-2013, 06:55 AM.
                              "With the acquisition of Marvel and now of Lucasfilm,
                              Disney may have finally found the grail. You don't need
                              imagination or art. All you need is a brand."

                              - Neil Gabler
