Disney’s RFID "Magic Band" arrives on the FCC

[danlb_2000]

Ok, I tried to stay out of this debate but since I am LE and work the cyber crimes side of things, I have to say I don't really like this idea. Since they let people bring computers into the park or you can get a full blown Windows OS on a tablet and Apple having a tablet coming out soon, what is going to stop people from cloning your RFID and going spending crazy in the park? I mean with a laptop and a little hacking knowledge, I mean very little, RFID isn't hard to clone. I know y'all say your info is stored in database in another computer that the RFID is telling it to access but if I clone your RFID and you have your credit card attach, they could go crazy shopping in the parks. I guess I am just being paranoid. Yes, I think they would be easy to ID and possibly catch with all the cameras in the park but it is still a pain in the rear end.

It's kind of like having all the info on your room key hanging out of your pocket with it unencrypted. Because it doesn't sound like it will have enough power for any type of super encryption. Also, yes it has your name on it, but how many times have you been asked to for your ID when you swiped your room key. Me personally once in many many uses.

The question is would skimming the numbers that allow you to make purchases with the wristband really be a worthwhile venture for a thief, especially since you can only use this to make purchases in the parks? I can't really see thieves spending the money for the equipment needed to do this, then paying to get into the parks, just to fraudulently by park merchandise. Also, you would have to to have a way of programming this information back into another one of these bracelets to be able to get away with using it in a store.

 

[DisneyJoe]

Ok, I tried to stay out of this debate but since I am LE and work the cyber crimes side of things, I have to say I don't really like this idea. Since they let people bring computers into the park or you can get a full blown Windows OS on a tablet and Apple having a tablet coming out soon, what is going to stop people from cloning your RFID and going spending crazy in the park? I mean with a laptop and a little hacking knowledge, I mean very little, RFID isn't hard to clone. I know y'all say your info is stored in database in another computer that the RFID is telling it to access but if I clone your RFID and you have your credit card attach, they could go crazy shopping in the parks. I guess I am just being paranoid. Yes, I think they would be easy to ID and possibly catch with all the cameras in the park but it is still a pain in the rear end.

Let's say that you do clone the RFID info. Given that info, how do you access the Disney system? How do you log into it? Does that login info come along with the RFID info, or, is there something else in the bracelet that aids in that system access that is not sent along with the RFID info that you can clone? If there is a challenge/response from the Disney system, how do you reply to that?

Couldn't the system be disabled if it detects multiple logins from the same RFID info? i.e. detecting the clone and use of duplicate ID's?

Also, safeguards are in place for Disney resort guests who tie credit cards to their KTTW cards - $500 for value resorts, $1000 for moderate resorts, $1500 for deluxe and deluxe villas.

 

[SJFPKT]

The question is would skimming the numbers that allow you to make purchases with the wristband really be a worthwhile venture for a thief, especially since you can only use this to make purchases in the parks? I can't really see thieves spending the money for the equipment needed to do this, then paying to get into the parks, just to fraudulently by park merchandise. Also, you would have to to have a way of programming this information back into another one of these bracelets to be able to get away with using it in a store.

Ahh, all you would have to spend would be about 25-30 dollars to be able to do it. Have you seen how much Disney Park stuff goes for on E-Bay. What if I bought tickets at World of Disney and sold those on E-Bay, that could be quite profitable, cause you know the average Joe is going to buy them and then be severely disappointed when they get there and found out they have been deactivated because they were purchased fraudulently. I have seen all sorts of scams and really what this would be equivalent to is stealing your room key but now all I would have to do is stand in a busy line, say soarin and let the computer and reader in my backpack do the work.

 

[stlbobby]

Ok, I tried to stay out of this debate but since I am LE and work the cyber crimes side of things, I have to say I don't really like this idea. Since they let people bring computers into the park or you can get a full blown Windows OS on a tablet and Apple having a tablet coming out soon, what is going to stop people from cloning your RFID and going spending crazy in the park? I mean with a laptop and a little hacking knowledge, I mean very little, RFID isn't hard to clone. I know y'all say your info is stored in database in another computer that the RFID is telling it to access but if I clone your RFID and you have your credit card attach, they could go crazy shopping in the parks. I guess I am just being paranoid. Yes, I think they would be easy to ID and possibly catch with all the cameras in the park but it is still a pain in the rear end.

It's kind of like having all the info on your room key hanging out of your pocket with it unencrypted. Because it doesn't sound like it will have enough power for any type of super encryption. Also, yes it has your name on it, but how many times have you been asked to for your ID when you swiped your room key. Me personally once in many many uses.

Is it possible that the cashiers will have a picture of the proper guest pop-up for identification purposes? That's how my gym ID works. I don't really know, but that would solve a bunch of issues right there.

 

[SJFPKT]

Let's say that you do clone the RFID info. Given that info, how do you access the Disney system? How do you log into it? Does that login info come along with the RFID info, or, is there something else in the bracelet that aids in that system access that is not sent along with the RFID info that you can clone? If there is a challenge/response from the Disney system, how do you reply to that?

Couldn't the system be disabled if it detects multiple logins from the same RFID info? i.e. detecting the clone and use of duplicate ID's?

Also, safeguards are in place for Disney resort guests who tie credit cards to their KTTW cards - $500 for value resorts, $1000 for moderate resorts, $1500 for deluxe and deluxe villas.

I honestly doubt there is a challenge to it. It probably works just like and proximity access card. I am not saying it will be done, but I am just saying it makes it easier. Like I said when you see all the stupid scams I have you get paranoid. Heck I won't even let a waitress walk off with a credit card

 

[stlbobby]

I am not at all opposed to this idea, but what I don't understand is so much worry about wearing the band for a trip. It seems pretty obvious to me that you get one band at the beginning of your trip and you will wear it until you go home. It won't be detectable to prevent transfer.Why is that such a big deal this already happens at other theme parks, hospitals, bars, and many other access control venues. Sometimes these have RFID sometimes not, but actually wearing a bracelet for admission is an old idea.

I'm sure there will be allowances for guests without arms and other medical issues, and I imagine there will be an alternate method of ticketing for those who object to wristbands, but I bet they make it so inconvenient that everyone will jump on the wristband bandwagon.

 

[DisneyJoe]

Couldn't the system be disabled if it detects multiple logins from the same RFID info? i.e. detecting the clone and use of duplicate ID's?

This is how I would implement security into the system. If I detected multiple logins from the same RFID device ID, I'd raise a warning flag in the system, maybe force a physical check of a driver's license etc before allowing a purchase.

 

[unkadug]

I honestly doubt there is a challenge to it. It probably works just like and proximity access card. I am not saying it will be done, but I am just saying it makes it easier. Like I said when you see all the stupid scams I have you get paranoid. Heck I won't even let a waitress walk off with a credit card

How many scams do you currently have?

 

[SJFPKT]

How many scams do you currently have?

Sorry trying to walk out the door. Left out the word "seen"

 

[G00fyDad]

Ok, I tried to stay out of this debate but since I am LE and work the cyber crimes side of things, I have to say I don't really like this idea. Since they let people bring computers into the park or you can get a full blown Windows OS on a tablet and Apple having a tablet coming out soon, what is going to stop people from cloning your RFID and going spending crazy in the park? I mean with a laptop and a little hacking knowledge, I mean very little, RFID isn't hard to clone. I know y'all say your info is stored in database in another computer that the RFID is telling it to access but if I clone your RFID and you have your credit card attach, they could go crazy shopping in the parks. I guess I am just being paranoid. Yes, I think they would be easy to ID and possibly catch with all the cameras in the park but it is still a pain in the rear end.

It's kind of like having all the info on your room key hanging out of your pocket with it unencrypted. Because it doesn't sound like it will have enough power for any type of super encryption. Also, yes it has your name on it, but how many times have you been asked to for your ID when you swiped your room key. Me personally once in many many uses.

You can do this with credit cards and debits cards as well. So why is there a big fuss about it being done with arm bands? Heck, your cards don't need to be hanging out in the open either. They can be several layers deep in a purse.

And I am sure that the arm band is going to be an opt in or out thing. You will probably still have the option to not use it.

 

[G00fyDad]

Actually, it is quite correctly spelt offence.

If your were to pay attention, Tam is a denizen of the United Kingdom. "English" is a language created there. Citizens of the United States of America [I won't call you "Americans" because that ignores the fact that the vast majority of the people in the Americas do not live in your country] have bastardized a perfectly good language and now apparently have the audacity to chastise those who created the language for using it correctly.

[/thread drift]

Standing corrected. And I was chastising (apparently wrongly) him only to irritate a thread agitator.

 

[SJFPKT]

You can do this with credit cards and debits cards as well. So why is there a big fuss about it being done with arm bands? Heck, your cards don't need to be hanging out in the open either. They can be several layers deep in a purse.

And I am sure that the arm band is going to be an opt in or out thing. You will probably still have the option to not use it.

I agree, but where else can you find that kind of information in such a concentrated place? Not everyone has one on their credit cards, I don't. Like I said I am just playing devils advocate, that and I am paranoid about such things.

 

[G00fyDad]

I agree, but where else can you find that kind of information in such a concentrated place? Not everyone has one on their credit cards, I don't. Like I said I am just playing devils advocate, that and I am paranoid about such things.

Oh I get it. I'm not arguing at all. But the incentive may not be as high to go to WDW to do this. But then again.... that many people in one concentrated area. I can see it. But, I'll still do this arm band thing anyway. I never put charging privileges on my KttW card anyway. So all they would be able to do is clone my band and get into my room, if they followed me.

 

[ParentsOf4]

I agree, but where else can you find that kind of information in such a concentrated place? Not everyone has one on their credit cards, I don't. Like I said I am just playing devils advocate, that and I am paranoid about such things.

I'm on the technology side as well and, sadly, know that a system such as this would not be difficult to hack. I've dealt with too many teenagers/twenty-somethings who simply want to do it for the challenge, never mind the Eastern European/Third World companies who are intentionally hacking into systems.

I'm still trying to understand TWDC's motivation for this. What exactly does TWDC gain for itself by this new RFID system?

 

[DisneyJoe]

I'm on the technology side as well and, sadly, know that a system such as this would not be difficult to hack. I've dealt with too many teenagers/twenty-somethings who simply want to do it for the challenge, never mind the Eastern European/Third World companies who are intentionally hacking into systems.

I'm still trying to understand TWDC's motivation for this. What exactly does TWDC gain for itself by this new RFID system?

Detailed crowd pattern tracking for one, across the entire resort if they wish.

 

[Victor Kelly]

Yet people use their computers and cell phones and have no worries? We are in the digital age where everyone goes online to shop, browse, research, pay bills,etc. Same with our phones. We have phone numbers, contacts, contact info. The phone companies know who we call, when we call, how much we call, who we text, and when and how often. Pictures over the phone? LOL they know about those too. Our credit card and bank companies know where we shop, what we buy, when we buy it. Our libraries know what we read. Our grocery stores know what we buy and how much we buy it. Your kids information is computerized at their schools.

The government has access to this information whenever they want it. And so do foreign governments and companies by now.

If anyone thinks that this information is not available you are joking yourself. Fifteen minutes and a techno thief has your entire life in their hands. What about your trash? A treasure trove of information.

And people are worried about Disney? Come on, get a grip.

 

[MissM]

The question is would skimming the numbers that allow you to make purchases with the wristband really be a worthwhile venture for a thief, especially since you can only use this to make purchases in the parks? I can't really see thieves spending the money for the equipment needed to do this, then paying to get into the parks, just to fraudulently by park merchandise. Also, you would have to to have a way of programming this information back into another one of these bracelets to be able to get away with using it in a store.

Seeing as they just recently they caught the thieves who had been stealing merchandise and resort stays for four years - http://www.dailyfinance.com/2012/06/01/disney-world-scammers-scored-four-years-of-free-vacations/ - so to say there's no room for profit in stealing purchase information and/or credentials is incorrect. While the scam these criminals used is different in structure, it shows just one tiny way such things can be potentially massively profitable.

 

[ParentsOf4]

Detailed crowd pattern tracking for one, across the entire resort if they wish.

They already have collected reams of data. No one collects more data that TWDC. how does RFID benefit TWDC financially?

 

[G00fyDad]

They already have collected reams of data. No one collects more data that TWDC. how does RCID benefit TWDC financially?

By telling them in a far better fashion exactly where to squeeze more $ from you.

 

[Victor Kelly]

And.............Disney isn't going to protect the data? From what I see the government and other corporations are years behind in technology and using substandard protection for its databases.

We can go round and round on this issue, but our information is all over the internet. Have a facebook page? The thieves have everything they need about your family and friends, on ONE website. The cries of no privacy are out the door when we put our lives on facebook for all to see. What about all the photo websites people upload to? Worried about your kids safety? Why do parents put them up as a profile pictures?

Love that cell phone? Take it everywhere? GPS tracker, uploads to the internet, facebook, shopping, pay bills, chat on WDWmagic. Bingo, phones can be hacked as easy as a regular computer.