Biometrics and Implanted RFID Chips

Today Computerworld published an article about an office complex that is implanting RFID chips in employees’ hands to facilitate access.  While this was done on a voluntary basis, I find the idea troublesome on several levels.  The two biggest problems are this is a rather permanent body alteration, and that access to the complex is granted to those who are in possession of the RFID chip.

Within the US, the business environment is much too dynamic for such a permanent body altering solution.  Businesses move office spaces pretty frequently, and long term employment has become the exception, rather than the rule.  Will the business or office complex pay to have RFID chips removed when the business changes offices or an employee leaves?  What if the employee doesn’t want to have their hand cut open to remove the chip?  Who exactly is the owner of the RFID chip once it is implanted?  If a person’s hand is infected or damaged in the implantation or removal process, who is liable? These are just a few of the troubling questions that appear to have no easy answers.

The scariest issue is that to gain access to the office complex, one must be in possession of a hand with an RFID chip implanted in it.  Think on that one for a minute.  Here’s a hint, it doesn’t have to be one of your hands.  To gain access to the office complex is a simple three step process.  1.  Watch the office complex and identify an employee with an implanted RFID chip. 2. Kidnap said employee.  3.  Remove the appropriate hand.  Technical skill is not necessary, just the willingness to remove someone’s hand.  Physically removing body parts is the Achilles heal of all biometric security schemes.  Fingerprint readers are bypassed with garden shears.  Hatchets  bypass RFID readers looking for hands with implanted chips.  It is a gruesome idea, but a very simple attack to perform.

There are three traditional forms of identification; something I know, something I have, and something I am.  All three forms have one failure in common, they can all be taken.

Office complex implants RFID chips in employees’ hands