Demand secrecy

 

If your employer asks you to use a tagged ID card, ask him or her what level of encryption they’ve included. If the security chief of your company just stares at you, that means there’s no encryption on your ID. That’s not surprising. Encryption is expensive and energy-intensive and may just not be cost-effective when it comes to distributing key cards to dozens or hundreds of employees. Politely point out that a kid with a $150 cloner in the parking lot could steal a VP’s identification and rob the company blind. After that, you’ll probably want to meekly accept the ID card and put it in your RFID-blocking wallet. You can’t force your company to do anything, but you can at least control access to the information contained in your own pocket.

Credit card companies are a different matter. They probably do include some encryption on their cards. More than likely it will be a challenge-response system (like a password) or an encryption algorithm the company developed in-house. Both types of protection are what is known as “pointless”—the challenge-response because it is vulnerable to a brute force attack (in which a computer randomly tries different key combinations until one works), and the in-house algorithm because it is not extensively tested and therefore could be broken at any moment. If company reps start giving you numbers like 128-bit or 150-bit, stop them and ask for the name of the algorithm. Look it up online. If you find a blog by a guy with a name like cr3d!td3^1l bragging about how he 0wnZ0r3ed that algorithm, throw your credit card into the first volcano you can find.
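An added example, not part of the original article: a minimal Python model of the two kinds of card discussed above. It shows that a reader accepts any copy of a fixed ID, that an answer to an earlier challenge does not pass a new one, and how brute-force time scales with key length. HMAC-SHA-256, the sample ID and the rate of one billion guesses per second are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

class ChallengeResponseTag:
    """Card that proves it holds a key without ever sending the key."""
    def __init__(self, key: bytes):
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        # Assumption: HMAC-SHA-256 stands in for the card's algorithm.
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

class Reader:
    def __init__(self, enrolled_id: bytes, enrolled_key: bytes):
        self._id, self._key = enrolled_id, enrolled_key

    def accept_static(self, presented_id: bytes) -> bool:
        # A card without cryptography sends these same bytes every time.
        return hmac.compare_digest(presented_id, self._id)

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(16)  # fresh and unpredictable each time

    def accept_response(self, challenge: bytes, response: bytes) -> bool:
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)

def years_to_search(key_bits: int, guesses_per_second: float) -> float:
    """Average brute-force time: half the key space at the given rate."""
    return 2 ** (key_bits - 1) / guesses_per_second / (365 * 24 * 3600)

def demo() -> dict:
    card_id = b"EMP-0001"              # constructed sample ID
    key = secrets.token_bytes(16)      # 128-bit key shared at enrolment
    reader, tag = Reader(card_id, key), ChallengeResponseTag(key)
    first, second = reader.new_challenge(), reader.new_challenge()
    recorded = tag.respond(first)      # answer to an earlier challenge
    return {
        "static_id_copy_accepted": reader.accept_static(bytes(card_id)),
        "fresh_response_accepted": reader.accept_response(second, tag.respond(second)),
        "old_response_accepted": reader.accept_response(second, recorded),
        "years_40_bit": years_to_search(40, 1e9),   # 1e9/s is a constructed rate
        "years_128_bit": years_to_search(128, 1e9),
    }

if __name__ == "__main__":
    print(demo())
```

At the assumed rate, a 40-bit key falls in minutes while a 128-bit key takes on the order of 10^21 years, so the bit count only means something once the algorithm behind it is known and tested.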

Demand that your credit card company switch to a tested, strong encryption scheme such as PGP or the National Security Agency’s SHA-1 or SHA-2. Cut up the card they’ve given you (or just stab the chip in it with an ice pick) and demand they send you a new one that’s actually immune to identity theft. If they refuse, cancel your account and go with a credit card company that’s interested in protecting its clients.