
Disney and RFID bracelets.....

<<

hayabusa

Hero Member

Posts: 1661

Joined: Mon Jan 29, 2007 2:59 pm

Post Tue Jan 08, 2013 4:47 pm

Disney and RFID bracelets.....

Whose brilliant idea is it to put RFID bracelets on hundreds of thousands of 'visitors', linked to credit card info...  This can only get worse...  :-\

http://news.discovery.com/tech/disney-world-track-fantasy-130108.html#mkcpgn=rssnws1
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Wed Jan 09, 2013 10:28 am

Re: Disney and RFID bracelets.....

Even without the credit card info, I still don't like when companies gather info on my purchases and shopping habits.

But I guess we get monitored all the time now...
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

Grendel

Full Member

Posts: 246

Joined: Thu Aug 28, 2008 8:48 am

Location: Colorado Springs, CO

Post Wed Jan 09, 2013 10:59 am

Re: Disney and RFID bracelets.....

WANT!

But then again, I'm a HUGE Disneyworld nerd.

FTA: "My Disney Experience that will enable users of MyMagic+ to select three FastPasses for rides" - that's huge for anyone going there.

In short, this would definitely suck me in and give up my CC info / shopping preferences / etc. Shame on me, but a big enough carrot and people will do anything (including me, it seems).  :-[
- Thomas Wilhelm, MSCS MSM
ISSMP CISSP SCSECA SCNA IEM

Web Site:
  • http://HackingDojo.com
Author:
  • Professional Penetration Testing
  • Ninja Hacking
  • Penetration Tester's Open Source Toolkit
  • Metasploit Toolkit for Penetration Testing
  • Netcat Power Tools
<<

hayabusa

Hero Member

Posts: 1661

Joined: Mon Jan 29, 2007 2:59 pm

Post Wed Jan 09, 2013 2:45 pm

Re: Disney and RFID bracelets.....

Yeah...  I can see the 'draw', but I also foresee HUGE issues, liability, and headache in their future...
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Wed Jan 09, 2013 4:06 pm

Re: Disney and RFID bracelets.....

I agree with Hayabusa, how hard will it be to clone and rewrite on something else? Wear one of those running ID holders like the one here.

Not like you have to leave the park. If done right, a Crym could charge lots of crap to someone, and it'll be harder to dispute with the company. Small enough charges don't have to show ID. And think if that Crym was someone working at the park, in that Mickey costume. Ask little Billy how long they're there for, making small talk, and suddenly know how long he has to use that family's account.

I think that this shows that Disney is out of touch slightly. They only think of this from the privacy side. Didn't see anything talking about the fraud side.
OSWP, Sec+
<<

ziggy_567

Sr. Member

Posts: 378

Joined: Tue Dec 30, 2008 1:53 pm

Post Wed Jan 09, 2013 4:30 pm

Re: Disney and RFID bracelets.....

I don't have any further information about how Disney plans to implement this, but fraud within the parks would be very easy to detect. They're using RFID to track visitors. Each RFID chip will be uniquely identifiable, so they would be able to detect you pulling Fast Passes at the Magic Kingdom while simultaneously shopping at Downtown Disney.

The question is, will they implement fraud detection in the system? If the fraud becomes rampant enough that they're losing money, they will.
--
Ziggy


eCPPT - GSEC - GCIH - GWAPT - GCUX - RHCE - SCSecA - Security+ - Network+
<<

hayabusa

Hero Member

Posts: 1661

Joined: Mon Jan 29, 2007 2:59 pm

Post Wed Jan 09, 2013 7:33 pm

Re: Disney and RFID bracelets.....

Agreed that, if done right, they'll hopefully at least minimize their exposure.  For instance, a user in line for a ride with a 'quick pass' from their bracelet VERY likely isn't in a store half-way across the park, at the same moment.  Still, with the sheer number of the bracelets that could potentially be in use, daily, it's a guarantee that someone WILL exploit things, somehow.  

Perhaps a required passphrase if in the stores, etc, to go with the bracelets, so that, at least then, there's MUCH less chance of excess abuse / spending.  At least that way, they'd really need to both 'drive by' scan the RFID AND shoulder surf, to get the passphrase.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Wed Jan 09, 2013 9:49 pm

Re: Disney and RFID bracelets.....

I think it would depend on how they set the system up to begin with. The biggest thing I can think of, one family all using the same card. So that could mean that some are in one area, some in another buying at the same time. Think Dad and son on the rides, mom and daughter shopping.

So, how much information do they need to actually make the sale? How much do they read? And what parts could be re-written?

If I knew more about rewriting the stuff, I'd love to get my hands on a couple just to see.
OSWP, Sec+
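
Added example, not part of any post in this thread and not Disney's implementation: the simultaneous-use check described in the posts above, run over constructed tap events. State is keyed per band ID rather than per account, so a family sharing one card in different areas does not trigger it; the zone names, event format and 20-minute travel time are assumptions.

```python
from datetime import datetime, timedelta

# Assumed minimum travel time between zones, in minutes (constructed value).
MIN_TRAVEL_MIN = {frozenset({"magic_kingdom", "downtown_disney"}): 20}

# Constructed sample tap events: (timestamp, band_id, account, zone, action).
EVENTS = [
    ("2013-01-09 10:00", "band-A1", "acct-1", "magic_kingdom", "fastpass"),
    # Family member on the same account but a different band: not suspicious.
    ("2013-01-09 10:02", "band-A2", "acct-1", "downtown_disney", "purchase"),
    # Same band ID across the property 5 minutes later: likely a cloned ID.
    ("2013-01-09 10:05", "band-A1", "acct-1", "downtown_disney", "purchase"),
    # 55 minutes later the band is back: plausible travel, no alert.
    ("2013-01-09 11:00", "band-A1", "acct-1", "magic_kingdom", "fastpass"),
    ("2013-01-09 11:10", "band-B7", "acct-2", "magic_kingdom", "purchase"),
]


def find_impossible_travel(events, min_travel=MIN_TRAVEL_MIN, default_min=0):
    """Return alerts where one band ID shows up in two zones faster than a
    guest could move between them. Zone pairs missing from min_travel use
    default_min (0 means such pairs never alert)."""
    last_seen = {}  # band_id -> (time, zone) of the previous tap
    alerts = []
    # "YYYY-MM-DD HH:MM" strings sort chronologically, so a plain sort works.
    for ts, band, account, zone, action in sorted(events):
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        prev = last_seen.get(band)
        if prev is not None and prev[1] != zone:
            pair = frozenset({prev[1], zone})
            needed = timedelta(minutes=min_travel.get(pair, default_min))
            gap = when - prev[0]
            if gap < needed:
                alerts.append({
                    "band": band, "account": account, "action": action,
                    "from": prev[1], "to": zone,
                    "gap_min": int(gap.total_seconds() // 60),
                })
        last_seen[band] = (when, zone)
    return alerts


if __name__ == "__main__":
    for alert in find_impossible_travel(EVENTS):
        print(alert)
```
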
<<

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Thu Jan 10, 2013 9:30 am

Re: Disney and RFID bracelets.....

We don't know how they will implement this system. It would be nice to get more details on their implementation.

Suppose they do something like this:
1) Only adults can have credit card info on their bracelets
2) 2 factor authentication: You need the bracelet and a 5-digit PIN (for example)
3) There is a fraud detection mechanism in place
4) Once your holiday at Disney is over, the bracelet doesn't work anymore (so you couldn't buy anything with it at Disney Marketplace for example)
5) You can only allow a max of $500 per day (to limit the damages)
6) You are still protected by the credit card company insurance

We also have to keep in mind that the bracelet will only have an ID with it. So a potential thief couldn't use this information outside Disney's walls.

I believe that all these combined wouldn't be too bad. And don't forget, there are still pickpockets that can easily steal your wallet while you wait in line...

What do you guys think?
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Thu Jan 10, 2013 3:36 pm

Re: Disney and RFID bracelets.....

I'm still wondering if you could just overwrite the CC info and go from there. All your other data matches, but charging to someone else's card.

As for the pickpockets, those are still around. Like anything else, you have to worry about the hotel staff, card skimmers, child abductors, etc. I just think that Disney is looking at weakening their security posture by chasing something easy to use.

Personally, and this is just my opinion, I don't think the Magic Kingdom bracelets will last long.
OSWP, Sec+
<<

Grendel

Full Member

Posts: 246

Joined: Thu Aug 28, 2008 8:48 am

Location: Colorado Springs, CO

Post Thu Jan 10, 2013 7:34 pm

Re: Disney and RFID bracelets.....

H1t M0nk3y wrote: We also have to keep in mind that the bracelet will only have an ID with it. So a potential thief couldn't use this information outside Disney's walls.


All the relevant information will indeed be in the system, not on the RFID. Yes, you can replicate the RFID signal, but unless it interacts with Disney's computers, the RFID info will be useless. It does look like they stamp a first name on the actual bracelet, but no last name.

There is also a PIN required for purchases over $50, and if you don't want the RFID associated with a CC, you don't have to have them include it (similar with the room keys for those staying in a Disney resort). In fact, you don't have to have any information on it - in which case you just use it for fastpass+.
- Thomas Wilhelm, MSCS MSM
ISSMP CISSP SCSECA SCNA IEM

Web Site:
  • http://HackingDojo.com
Author:
  • Professional Penetration Testing
  • Ninja Hacking
  • Penetration Tester's Open Source Toolkit
  • Metasploit Toolkit for Penetration Testing
  • Netcat Power Tools
<<

hayabusa

Hero Member

Posts: 1661

Joined: Mon Jan 29, 2007 2:59 pm

Post Thu Jan 10, 2013 10:30 pm

Re: Disney and RFID bracelets.....

That sounds much more thought out.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
