  1. #1

    • New Member
    • Offline

    Join Date
    Nov 2012
    Location
    Ontario, CA
    Posts
    29

    RFID Bracelets possible security risk

    So I am by no means an expert in anything even close to "hacking," but I have heard that RFID chips are very easy to exploit and use to gather information. Again, I have no experience doing this, I am only aware of what I have read and been told. That being said, from the last Micechat Podcast, RFID seems like it will be a major component of the NextGen system, with the biggest ability of the whole system being able to put your credit card on the "My Magic" wristband or card. Again, I have no actual knowledge of how the system will work (if RFID will be used to transmit credit card data or if another interface would be used), but I am interested to hear from someone who does have a background using this technology.

    Am I completely off base here, or is there any truth to my thoughts? I certainly don't want to begin a witch hunt here accusing Disney of leaving sensitive information out in the open, especially since they haven't done anything of the sort yet lol.


  2. #2

    • SORCERER
    • Offline

    Join Date
    Aug 2012
    Location
    Anaheim
    Posts
    188

    Re: RFID Bracelets possible security risk

    Quote Originally Posted by ewokrights View Post
    So I am by no means an expert in anything even close to "hacking," but I have heard that RFID chips are very easy to exploit and use to gather information. Again, I have no experience doing this, I am only aware of what I have read and been told. That being said, from the last Micechat Podcast, RFID seems like it will be a major component of the NextGen system, with the biggest ability of the whole system being able to put your credit card on the "My Magic" wristband or card. Again, I have no actual knowledge of how the system will work (if RFID will be used to transmit credit card data or if another interface would be used), but I am interested to hear from someone who does have a background using this technology.

    Am I completely off base here, or is there any truth to my thoughts? I certainly don't want to begin a witch hunt here accusing Disney of leaving sensitive information out in the open, especially since they haven't done anything of the sort yet lol.

    I understand your concerns, but Disney is more than likely aware of all the vulnerabilities of RFID. Most likely, though, the chip will just store an encrypted authorization code, and that code is then connected to Disney's internal system, which would have your credit card on file and all details and such. I can assure you that all private information would be stored on an internal Disney server or a 3rd party security firm and not on the RFID CHIP sensor itself. Disney can do this as the "My Magic" credit card checkout would be a feature on Disney properties only, and not normal stores.

    Additionally, Disney has been attaching guests' photos to tickets now with iPhones that have scanners attached, when they enter the turnstiles. I can guarantee they will continue to do this, so when that RFID sensor is used it will show a picture of the person attached to that ticket. Also the RFID feature is currently only set to be used with regular tickets, and not Annual Passholders, so the chance of someone stealing your RFID info within the 5 or 7 days you're at the park is pretty slim.
    Last edited by BradleyC; 01-24-2013 at 11:04 AM.

  3. #3

    • Disneyland 20 year APH
    • Offline

    Join Date
    Sep 2012
    Location
    Brea, Ca
    Posts
    1,050

    Re: RFID Bracelets possible security risk

    I think that Disney will have a way to prevent people from taking their bracelets home and hacking into the network. Possibly (I have no knowledge of how it works, this is my guess) it might work just as an employee badge does, where it just has a number on it and it lets you in by the badge number and authorization code. Disney will have an onsite database (hint: all the new wires) that will store all this info. There will be nothing on the band itself. Also there will be two databases, one for WDW and one for DL.
    Check out my work on openstreetmap.org
    http://www.openstreetmap.org/?lat=33...om=17&layers=M

  4. #4

    • DL College Program 97/98
    • Offline

    Join Date
    Feb 2008
    Posts
    130

    Re: RFID Bracelets possible security risk

    Bingo. They've indicated that guest info and details, including your credit card info, will be stored locally on their servers, not on the RFID bracelet. The RFID bracelet will simply be a guest ID# that they then use to identify you as the person in their system.

    Now, technically, someone could read and spoof that ID#, thereby allowing them to make purchases, etc in the same manner that you could. But of course, that would only work during the time your ID is active, such as during your vacation. They couldn't actually get your credit card number or anything.

  5. #5

    • Sock Puppet
    • Offline

    Join Date
    Jan 2011
    Location
    orange county,ca
    Posts
    6,499

    Re: RFID Bracelets possible security risk

    I am sure that Disney has thought about all the concerns you mentioned, OP. I am sure that they would do a firewall and close it off to prevent hacking etc. In fact, I am sure that if they thought it was such a threat they would not even be considering it. But what do I know!

  6. #6

    • Minion
    • Offline

    Join Date
    Apr 2009
    Location
    SF Bay Area, California, United States
    Posts
    2,666

    Re: RFID Bracelets possible security risk

    I forget which thread it was but this was covered already. Basically the way corporations secure customer data has to follow what is called PCI compliance. This is the field I work in for my company. All the awesome stories you see on the news don't really make people feel good about security. What everyone should know is that the programs in place stop way more than the local news would ever care to talk about. There will be a number of protocols in place that NONE of us will know about to protect your data.

  7. #7

    • The doctor is in
    • Offline

    Join Date
    Aug 2012
    Location
    1,014 miles away
    Posts
    2,540

    Re: RFID Bracelets possible security risk

    From what I understand the super personal stuff, like credit card information, is an optional feature for the bracelets. That is one plus.
    Please... put Guardians of the Galaxy in Tomorrowland.

  8. #8

    • Sock Puppet
    • Offline

    Join Date
    Jan 2011
    Location
    orange county,ca
    Posts
    6,499

    Re: RFID Bracelets possible security risk

    So, what biggsworth just said: I am not worried about my info being hacked. I'm just not worried!

  9. #9

    • New Member
    • Offline

    Join Date
    Nov 2012
    Location
    Ontario, CA
    Posts
    29

    Re: RFID Bracelets possible security risk

    Quote Originally Posted by biggsworth View Post
    I forget which thread it was but this was covered already. Basically the way corporations secure customer data has to follow what is called PCI compliance. This is the field I work in for my company.
    Quote Originally Posted by sgtfox View Post
    Bingo. They've indicated that guest info and details, including your credit card info, will be stored locally on their servers, not on the RFID bracelet. The RFID bracelet will simply be a guest ID# that they then use to identify you as the person in their system.
    Those are two very good points. I figured that video was more than a few years old, therefore security has come a long way since then. If no information other than a Guest ID# or some other ID form is stored on the bracelet, then someone with an RFID reader wouldn't be able to get much. I know one reason the parks probably won't ever implement guest accessible Wi-Fi is because of the huge risk to guests. It is so easy to sit on an open network and gather personal information passively. I never check bank statements or even purchase things online when on an open network.

  10. #10

    • No Disassemble!
    • Offline

    Join Date
    Dec 2011
    Location
    San Diego
    Posts
    792

    Re: RFID Bracelets possible security risk

    Quote Originally Posted by sgtfox View Post
    Now, technically, someone could read and spoof that ID#, thereby allowing them to make purchases, etc in the same manner that you could. But of course, that would only work during the time your ID is active, such as during your vacation. They couldn't actually get your credit card number or anything.
    This is where having guests' photos attached to the NextGen accounts will pay off big time. Even the whole fastpass itinerary idea appears to be set up to deter spoofers from being able to run around the park using a fake band to abuse the fastpass system.
    Many Bothans died to bring you these fastpasses.

  11. #11

    • Minion
    • Offline

    Join Date
    Apr 2009
    Location
    SF Bay Area, California, United States
    Posts
    2,666

    Re: RFID Bracelets possible security risk

    Quote Originally Posted by ewokrights View Post
    Those are two very good points. I figured that video was more than a few years old, therefore security has come a long way since then. If no information other than a Guest ID# or some other ID form is stored on the bracelet, then someone with an RFID reader wouldn't be able to get much. I know one reason the parks probably won't ever implement guest accessible Wi-Fi is because of the huge risk to guests. It is so easy to sit on an open network and gather personal information passively. I never check bank statements or even purchase things online when on an open network.
    Without getting too technical and giving away my company secrets for wireless transactions, here is how it works. You buy something wirelessly on, let's say, your phone. That info is then encrypted and transmitted over the network, which is also encrypted, to a payment server which is also encrypted and locked down behind firewalls. From there the bank is contacted through a government regulated line and the transaction happens. This happens behind a firewall and is also, you guessed it, encrypted on both ends too. We have multiple companies that encrypt and protect our data so that we have redundancy; in case one was to fail, the other is still in place. There is a lot more to it but hopefully you get the idea.

  12. #12

    • -
    • Offline

    Join Date
    Aug 2009
    Location
    Uijeongbu
    Posts
    6,609

    Re: RFID Bracelets possible security risk

    I doubt with all the safety features they are installing in the park now, they would install an electronic system that isn't safe for people's data and then open themselves to liability by encouraging people to link sensitive information to those electronic systems.
    "You can cut me off from the civilized world. You can incarcerate me with two moronic cellmates. You can torture me with your thrice daily swill, but you cannot break the spirit of a Winchester. My voice shall be heard from this wilderness and I shall be delivered from this fetid and festering sewer."

  13. #13

    • Just drawn that way
    • Offline

    Join Date
    Jul 2012
    Location
    L'empire de la Mort
    Posts
    272

    Re: RFID Bracelets possible security risk

    I was wondering if it is similar to the Disney Cruise line's room keys, that also double as your credit card for any shopping needs on the ship?
    Little and broken, but still good.

  14. #14

    • Minion
    • Offline

    Join Date
    Nov 2009
    Location
    Los Angeles
    Posts
    1,184

    Re: RFID Bracelets possible security risk

    As an extra layer of security, if you do decide to link your credit card to your MyMagic+ wristband/card (which is optional), you will have to use a user-generated verification PIN on all purchases over $50.
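
Added example, not part of the thread and not Disney's code: a sketch of the backend check that posts #4 and #14 describe, where the band carries only an ID, the card stays server-side, the ID is honored only while active, and purchases over $50 need the PIN. All names, the band ID, the dates and the PIN are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date

PIN_THRESHOLD_CENTS = 50_00  # purchases over $50 require the PIN (post #14)

@dataclass
class GuestAccount:
    card_token: str    # reference to the card kept by the payment backend
    active_from: date  # first day the band ID is honored
    active_to: date    # last day the band ID is honored
    pin_salt: bytes
    pin_hash: bytes    # only a salted hash of the PIN is stored

def hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

# Constructed sample record: the band itself would hold only "band-7f3a".
_SALT = b"constructed-salt"
ACCOUNTS = {
    "band-7f3a": GuestAccount("tok_example", date(2013, 1, 24),
                              date(2013, 1, 28), _SALT,
                              hash_pin("4821", _SALT)),
}

def authorize(band_id, amount_cents, today, pin=None):
    """Decide a purchase from the band ID alone; no card data leaves the server."""
    acct = ACCOUNTS.get(band_id)
    if acct is None:
        return "DENY_UNKNOWN_BAND"
    # An ID read off a band is useless outside the guest's stay (post #4).
    if not acct.active_from <= today <= acct.active_to:
        return "DENY_INACTIVE"
    # Above the threshold the ID is not enough: the guest's PIN must match.
    if amount_cents > PIN_THRESHOLD_CENTS:
        supplied = hash_pin(pin, acct.pin_salt) if pin is not None else b""
        if not hmac.compare_digest(supplied, acct.pin_hash):
            return "DENY_PIN"
    return "APPROVE"
```

The residual exposure is the one post #4 names: within the active window, a purchase at or under the threshold is approved on the ID alone, which is why the photo check mentioned elsewhere in the thread matters.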

  15. #15

    • Senior Minion
    • Offline

    Join Date
    Jan 2005
    Posts
    8,890

    Re: RFID Bracelets possible security risk

    Quote Originally Posted by ewokrights View Post
    So I am by no means an expert in anything even close to "hacking," but I have heard that RFID chips are very easy to exploit and use to gather information....

    ...Am I completely off base here, or is there any truth to my thoughts?
    Notwithstanding the Disney fans who are unquestioningly embracing this Disney marketing initiative, there are indeed a number of legitimate concerns about the privacy and security of Disney's RFID system.

    Some quotes from a letter to Bob Iger by Massachusetts Congressman Edward J. Markey:

    "...The [RFID bracelet] plan raises a number of important questions about how the personal privacy of Disney's 30-million guests each year will be protected, particularly when it comes to kids and teenagers."

    "...Widespread use of MagicBand bracelets by park guests could dramatically increase the personal data that Disney can collect about its guests."

    "...As a Co-Chairman of the Congressional Bi-partisan Privacy Caucus, I am deeply concerned that Disney's proposal could potentially have a harmful impact on our children."

    The concerns of the Congressman are well founded. Given the rise in corporate database theft, RFID password hacking and identity theft that is being reported with ever-increasing frequency, plus Disney's notoriety for doing things on the cheap and their chronically dysfunctional inter-division communication (e.g. the Monorail upgrade debacle), Disney's theme park division is the last company I'd trust with personal data.
    Last edited by Mr Wiggins; 01-25-2013 at 06:55 AM.
    "With the acquisition of Marvel and now of Lucasfilm,
    Disney may have finally found the grail. You don't need
    imagination or art. All you need is a brand."

    - Neil Gabler

