RFID Braclets possible security risk

[ewokrights]

So I am by no means an expert in anything even close to "hacking," but I have heard that RFID chips are very easy to exploit and use to gather information. Again, I have no experience doing this, I am only aware of what I have read and been told. That being said, from the last Micechat Podcast, RFID seems like it will be a major component of the NextGen system, with the biggest ability of the whole system being able to but your credit card on the "My Magic" wristband or card. Again, I have no actual knowledge of how the system will work (if RFID will be used to transmit credit card data or if another interface would be used), but I am interested to hear from someone who does have a background using this technology.

Am I completely off base here, or is there any truth to my thoughts? I certainly don't want to begin a witchunt here accusing Disney of leaving sensitive information out in the open, especially since they haven't done anything of the sort yet lol.

[BradleyC]

So I am by no means an expert in anything even close to "hacking," but I have heard that RFID chips are very easy to exploit and use to gather information. Again, I have no experience doing this, I am only aware of what I have read and been told. That being said, from the last Micechat Podcast, RFID seems like it will be a major component of the NextGen system, with the biggest ability of the whole system being able to but your credit card on the "My Magic" wristband or card. Again, I have no actual knowledge of how the system will work (if RFID will be used to transmit credit card data or if another interface would be used), but I am interested to hear from someone who does have a background using this technology.

Am I completely off base here, or is there any truth to my thoughts? I certainly don't want to begin a witchunt here accusing Disney of leaving sensitive information out in the open, especially since they haven't done anything of the sort yet lol.

I understand you concerns, but Disney is more than likely aware of all the vulnerabilities of RFID, most likely though the chip will just store an encrypted authorization code, and that code is then connected to disney's internal system which would have your credit card on file and all details and such. I can assure you that all private information would be store on an internal disney server or a 3rd party security firm and not on the RFID CHIP sensor itself. Disney can do this as the "My Magic" credit card checkout would be a feature on Disney properties only, and not normal stores.

Additionally Disney has been attaching guests photos to tickets now with iPhones that have scanners attached, when they enter the turnstiles. I can guarantee they will continue todo this, so when that RFID sensor is used it will show a picture of the person attached to that ticket. Also the RFID feature is currently only set to be used with regular tickets, and not Annual Passholders, so the chance of someone steeling your RFID info within the 5 or 7 days your at the park is pretty slim.

[brianpinsky]

I think that Disney will have a way to prevent people to take their braclets home and hacking into the network. Possibly (I have no knowledge of how is works, this is my guess) it might work by just as a emploee badge does where just has a number on it and it lets u in by the badge number and athoritization code. Disney will have an onsite database (hint all the new wires) that will store all this info. There will be nothing on the band itself. Also there will be two data bases one for WDW and one for DL.

[sgtfox]

Bingo. They've indicated that guest info and details, including your credit card info, will be stored locally on their servers, not on the RFID bracelet. The RFID bracelet will simply be a guest ID# that they then use to identify you as the person in their system.

Now, technically, someone could read and spoof that ID#, thereby allowing them to make purchases, etc in the same manner that you could. But of course, that would only work during the time your ID is active, such as during your vacation. They couldn't actually get your credit card number or anything.

[Poisonedapples]

I am sure that Disney has thought about all the concerns you mentioned OP. I am sure that they would do a firewall and close it off to prevent hacking etc,in fact i am sure that if they thought it was such a threat they would not even be considering it. But what do i know!

[biggsworth]

I forget which thread it was but this was covered already. Basically the way corporations secure customer data has to follow what is called PCI compliance. This is the field I work in for my company. All the awesome stories you see on the news don't really make people feel good about security. What everyone should know is that the programs in place stop way more than the local news would ever care to talk about. There will be a number of protocals in place that NONE of us will know about to protect your data.

[DrFink]

From what I understand the super personal stuff, like credit card information, is an optional feature for the bracelets. That is one plus.

[Poisonedapples]

So what biggsworth just said : i am not worried about my info being hacked. I'm just not worried!

[ewokrights]

I forget which thread it was but this was covered already. Basically the way corporations secure customer data has to follow what is called PCI compliance. This is the field I work in for my company.

Bingo. They've indicated that guest info and details, including your credit card info, will be stored locally on their servers, not on the RFID bracelet. The RFID bracelet will simply be a guest ID# that they then use to identify you as the person in their system.

Those are two very good points. I figured that video was more than a few years old, therefore security has come a long way since then. If no information other than a Guest ID# or some other ID form is stored on the bracelet, then someone with a RFID reader wouldn't be able to get much. I know one reason the parks probably won't ever implement guest accessible Wi-Fi is because of the huge risk to guests. It is so easy to sit on an open network and gather personal information passively. I never check bank statements or even purchase things online when on an open network.

[G24T]

Now, technically, someone could read and spoof that ID#, thereby allowing them to make purchases, etc in the same manner that you could. But of course, that would only work during the time your ID is active, such as during your vacation. They couldn't actually get your credit card number or anything.

This is where having guest's photos attached to the NextGen accounts will pay off big time. Even the whole fastpass itinerary idea appears to be setup to deter spoofers from being able to run around the park using a fake band to abuse the fastpass system.

[biggsworth]

Those are two very good points. I figured that video was more than a few years old, therefore security has come a long way since then. If no information other than a Guest ID# or some other ID form is stored on the bracelet, then someone with a RFID reader wouldn't be able to get much. I know one reason the parks probably won't ever implement guest accessible Wi-Fi is because of the huge risk to guests. It is so easy to sit on an open network and gather personal information passively. I never check bank statements or even purchase things online when on an open network.

Without getting too technical and giving away my company secrets for wireless transactions here is how it works. You buy something wirelessly on lets say your phone. That info is then encrypted and transmitted over the network which is also encrypted to a payment server which is also encrypted and locked down behind firewalls. From there the bank is contacted through a goverenment regulated line and the trans action happens. This happens behind a firewall and is also you guessed it encrypted on both ends too. We have multiple companies that encrypt and protect our data so that we have redundancy in case one was to fail the other is still in place. There is a lot more to it but hopefully you get the idea.

[calsig31]

I doubt with all the safety features they are installing in the park now, they would install an electronic system that isn't safe for peoples data and then open themselves to liability by encouraging people to link sensitive information to those electronic systems.

[PetiteMortKvsh]

I was wondering if it is similar to the Disney Cruise line's room keys, that also double as your credit card for any shopping needs on the ship?

[F!an]

As an extra layer of security, if you do decide to link your credit card to your MyMagic+ wristband/card (which is optional), you will have to use a user-generated verification PIN on all purchases over $50.

[Mr Wiggins]

So I am by no means an expert in anything even close to "hacking," but I have heard that RFID chips are very easy to exploit and use to gather information....

...Am I completely off base here, or is there any truth to my thoughts?

Notwithstanding the Disney fans who are unquestioningly embracing this Disney marketing initiative, there are indeed a number of legitimate concerns about the privacy and security of Disney's RFID system.

Some quotes from a letter to Bob Iger by Massachusetts Congressman Edward J. Markey:

"...The [RFID bracelet] plan raises a number of important questions about how the personal privacy of Disney's 30-million guests each year will be protected, particularly when it comes to kids and teenagers."

"...Widespread use of MagicBand bracelets by park guests could dramatically increase the personal data that Disney can collect about its guests."

"...As a Co-Chairman of the Congressional Bi-partisan Privacy Caucus, I am deeply concerned that Disney's proposal could potentially have a harmful impact on our children."

The concerns of the Congressman are well founded. Given the rise in corporate database theft, RFID password hacking and identity theft that is being reported with ever-increasing frequency, plus Disney's notoriety for doing things on the cheap and their chronically dysfunctional inter-division communication (e.g. the Monorail upgrade debacle), Disney's theme park division is the last company I'd trust with personal data.