
RFID’s Guilty Secret

Ever lost a hotel room card? Did you find it unsettling just how quickly it was replaced? And for no fee? Have you ever wondered how it works?

In your average hotel key card is a chip that contains nothing more than a tiny little radio wave processor and a small amount of data storage – around 1KB. Nothing else. Not even a battery. But when it comes into contact with a reader (on your hotel room door), the chip pulls just the amount of power it needs to spring to life, telling the door to unlock. This is basic Radio Frequency Identification technology (RFID) and it’s been around for a long time. And although it’s certainly evolved – some cards are more secure than others – RFID fundamentally remains unchanged since it first came into use in 1983.

Pocket-sized, convenient and everywhere

Its most well-known use is as the “magic white card” of office security passes and hotel room keys, but the technology is used to track and identify everything from library books to bus passes, casino chips to care home residents. It can fit into all sorts of formats, such as wristbands or keyrings. When connected to a source of money, RFID is perfect for metro cards or payment wristbands at festivals and amusement parks. In hospitals, it can keep vulnerable patients safe and secure or give peace of mind that newborns are precisely where they should be. Even Apple Pay uses a clever mobile version of RFID for contactless payments, which lets you switch it on and off as you use it.

The problem is that ubiquity is reassuring. Surely if everyone is using it, then it must be completely OK? Well, yes. And no. There are actually many types of RFID, all with different levels of security, so the type used really comes down to one decision: how much risk is OK? And like most things, this is where humans can make good or bad choices.

So, let’s go back to that duplicate hotel room card…

Not all RFID cards are the same, but it’s likely that in a hotel, as in most offices, the card will be the most cost-effective type on the market – old technology and just a few pence each – which is why they are readily replaced free of charge. The tiny amount of data storage on your room card may just hold a small crypto key that the door lock has been told to recognise. The staff use an RFID writer to apply this information to the new card and use lock management software to track check-ins and check-outs or deactivate old and mislaid cards. The hardware required to read and write hotel cards is fast and uncomplicated – this is where your slightly unsettled feeling comes from.

Writing these cards is easy. Copying them is easy too

The hacker at the bar

Cloning an RFID card can take from seconds to under a minute. The kit can be bought online for around €150 and easily hidden in a bag. As soon as the reader comes within 20cm of a card, depending on the type, its operator has everything they need to make a copy of it, gain access to your room and even bill to it. If duplicating a card is as simple as a fraudster standing next to you at the bar, why do we use them?

More often than not, RFID cards give access to buildings and the systems within them.

They’re useful. But they need a back-up plan

It’s a simple fact that the original RFID systems in buildings are restrictively expensive to update or replace. Which means that older technology RFID cards are more commonplace in offices, hospitals and even schools than they probably should be – not just to access the buildings but, more often than not, the systems within them. They give access to printers and let you pay for your lunch. But if you work at a bank or in a government department and your access card is cloned, the chances are the person responsible isn’t after your lunch money. So, responsible organisations that use RFID need a clear understanding of the level of risk that their particular card brings and may also build in secondary and tertiary security measures. This could be anything from multi-factor authentication to a full-blown security detail. Sadly, the level of vulnerability is often only understood after the worst has happened, but getting the right type of RFID card in place – if you can – is the first line of defence.

But… if you have nothing or very little to lose, RFID is still a great piece of tech

It’s used for all sorts of helpful and fun stuff. It can be embedded in marathon runners’ bibs to track their race time or, if your pet goes wandering, an implanted ‘chip’ with your contact information can reunite you. If your game is bad enough that lost golf balls are costing you a fortune, you can even buy trackable RFID versions. So far no-one has come up with a better, cheaper and more efficient solution to tracking and identifying – if anything, you can expect to see even more uses for RFID as time goes on, especially now it can be combined with sensors and integrated into the Internet of Things. Even worries around credit and debit card cloning are largely unfounded, as at present copying of a new, more secure card is restrictively expensive. But, as with previous iterations, that could quickly change. And that’s the guilty secret no-one likes to talk about: the first manufacturers of RFID cards claimed that they were impossible to duplicate… and we believed them. The truth is that tech moves fast, and first impressions aren’t everything – so, while one little white card may look much the same as another, it’s what’s inside that counts.

Written by Quentyn Taylor
