RFID wristbands for resort guests

[notnothin]

I don't understand. Sorry, I've never understood the public/private key issue. If the 'public' key from the band is programmed into Disney's system when you pick up the band, but the 'private' key is NEVER transmitted, how does the band get used?

The private key (onboard the wristband) is requested via a function call during the key exchange. If you're new to PKI/PKE, this may be a bit of a 'whoosh' moment as you try to wrap your head around the concept. After a little practice, it should be smooth sailing!

 

[YankeePrincess]

I personally love this idea. You don't have to wear the bracelet on your wrist and for those complaining about having to hold the bracelet elsewhere..what did you do with your KTTW?

I think that instead of complaining about it, you should try it out first. It seems that people just don't like change and don't want anything to do with it whether it is something good or bad.

 

[Belle102498]

By any chance do we know what these are going to be made of? I know this is a concern for alot of people with there being so many allergic reactions to many synthetic materials. Also, will they be a full circle wristlet? The picture makes them look like a "snap" bracelet that comes off very easily. I am always losing things or getting things stuck on my wrist. I can just imagine how many times I would have to replace these

 

[ccudmore]

The private key (onboard the wristband) is requested via a function call during the key exchange. If you're new to PKI/PKE, this may be a bit of a 'whoosh' moment as you try to wrap your head around the concept. After a little practice, it should be smooth sailing!

We need Alice and Bob (reference for all you PKI experts out there).

http://en.wikipedia.org/wiki/Public-key_cryptography if you're really interested.

 

[HeatherLassell]

I hate the idea of a wristband. With a passion. I do not wear wrist bands or bracellets of any sort because it drives me crazy having something on my wrist. I would hate it if I was forced to wear a wrist band. I'd rather a card I can put in my pocket any day!

 

[ccudmore]

By any chance do we know what these are going to be made of? I know this is a concern for alot of people with there being so many allergic reactions to many synthetic materials. Also, will they be a full circle wristlet? The picture makes them look like a "snap" bracelet that comes off very easily. I am always losing things or getting things stuck on my wrist. I can just imagine how many times I would have to replace these

I think people are jumping way ahead of themselves here. A fan site had some pictures of a purported leak. Disney has not announced anything. Nothing is confirmed as even happening. At this point it's all conjecture. Way to soon to say anything about what things are made of.

 

[Planogirl]

I hate tight things when it's hot. I would have to know more about this before I can judge it though.

 

[TLSnell1981]

RFID isn't very secure and people have had credit card information stolen just by walking past someone who has an RFID reader (hacker). Imagine what chaos that would create if someone got a hold of all your information that way, including access to your hotel room. I hate to be dramatic about it, but I would have a really hard time trusting RFID with as much of a target as it's become lately for hackers.

I've had my CC data skimmed....AND it happened at WDW!!! Surely, Disney will have extra security measures, otherwise...it could become a nightmare.

 

[FireDancer]

I hate the idea of a wristband. With a passion. I do not wear wrist bands or bracellets of any sort because it drives me crazy having something on my wrist. I would hate it if I was forced to wear a wrist band. I'd rather a card I can put in my pocket any day!

Well, the nice thing about RFID is it is a proximity technology as opposed to a contact technology. That means you can attach the bracelet to your belt or put it in your pocket and the reader should still pick it up.

As a PP stated, we are getting way ahead of ourselves. These things are just a rumor at this point as far as I know. I only posted because the important thing for Disney to keep in mind is that security has to be considered from the start and unfortunately that isn't always the case in these kinds of projects. I'm an I.T. director for a financial institution and my job is often being the security kill-joy in the room.

For the poster who asked about Disney's private key getting out one big advantage this system would have (again depending on design) is a built in key revocation protocol. Out in the world of SSL you have a hierarchy of certificate authorities and a multitude of web-browsers which makes it very hard to effectively revoke a certificate or key. I would think Disney would do a closed keying system meaning they could blacklist an escaped key immediately.

For those of you who have propeller hats at home Steve Gibson who is a very well known security researcher did a podcast on RFID and security. It is episode 278 and you can find the transcript and links to the MP3 here.

 

[kaligal]

I hate the idea of a wristband. With a passion. I do not wear wrist bands or bracellets of any sort because it drives me crazy having something on my wrist. I would hate it if I was forced to wear a wrist band. I'd rather a card I can put in my pocket any day!

Ditto.

 

[kaligal]

Yes, I just have a hard time thinking this will roll out sans encryption. For those that say that security is typically an afterthought when implementing something of this scale, I have to guess that either you don't really work in IT or you work in a relatively small shop. I'm involved in the financial sector and I can tell you that security is always at the forefront of our decision making process. The "oh noes, hack!!!" crowd likely doesn't have a thorough understanding of either the technology and/or its nextgen capabilities.

I know nothing about computers or programming. I'm lucky I can use the DIS and that's the truth. I know lots and lots about some other things, but never learned (and prefer to remain ignorant regarding) anything to do with computer stuff.

But I do know that I've seen people who know about this stuff on TV saying that thieves can zap you while you're standing in line or walking down the street and have your credit card maxed out (or for those who carry their checking account around with them, have that drained) before the next time they pull the card out.

If "security is always at the forefront of our decision making process", why are people having their bank accounts drained before they go to lunch? I'm not trying to pick on you, I really want to know. And I hope you can explain that end of it without talking about computer stuff or trying to teach me what RFID stands for.

 

[eddiemcgarrigle]

I have a very similar technology for my car and if the wristband works half as well, it will be great.

Carrying a sleeping child back to your room after a long day in the park? No problem, your door will unlock as soon as you place your hand on the lever. No fumbling around for cards while you try not to wake your child.

I like the idea of being able to customise the bands. Decisions, decisions. Will it be a 'Yo Ho, Yo Ho' or a 'This Is Halloween'?

 

[raidermatt]

I know nothing about computers or programming. I'm lucky I can use the DIS and that's the truth. I know lots and lots about some other things, but never learned (and prefer to remain ignorant regarding) anything to do with computer stuff.

But I do know that I've seen people who know about this stuff on TV saying that thieves can zap you while you're standing in line or walking down the street and have your credit card maxed out (or for those who carry their checking account around with them, have that drained) before the next time they pull the card out.

If "security is always at the forefront of our decision making process", why are people having their bank accounts drained before they go to lunch? I'm not trying to pick on you, I really want to know. And I hope you can explain that end of it without talking about computer stuff or trying to teach me what RFID stands for.

Yes, this is possible. The contraption needed to do it can be a bit bulky, but like everything else, they are getting more efficient all the time.

I'm not an IT guy, but I have worked on the business side when it comes to RFID, and while I agree that security is a significant concern, it's always a risk balancing act. IT tells the business the technological options and associated cost and the business balances that against the anticipated losses and legal/compliance ramifications. Rest assured the end result leaves you with a relatively low chance of becoming a fraud victim, but it is definitley not air tight.

Because Disney's application of the technology would be different from a bank's application, and also because of the different customer environments, Disney's risk assessment would certainly be different as well. Chances are the end result will be similar though, there will be some risk of fraud but it will be low.

Of course, there is risk associated with the plastic kttw's also.

 

[fla4fun]

I'd love to have my AP on a band.

I don't know that I would. If the bands are not removable (and in order to prevent people from sharing tickets, I would think they would have to be non-removable) you would have to wear your AP year round. THAT would not be pleasant.

Now, if there was a way to link your hard ticket AP to the band when you are staying on property, and you would only have to wear the band when you are staying on property (and could still use your hard ticket AP for day trips) then that I could get on board with. Most of my trips with my AP are overnight, on site visits. But I do occasionally go to one of the parks for a day trip as well.

Or if there was a window where AP holders could take their AP and get a band for the day (or whatever period of time they were visiting WDW), that would also be an option. If you had to show your AP and ID, they would at least know it was you.

I imagine there's a lot of work to be done yet on this system.

 

[pilferk]

I know nothing about computers or programming. I'm lucky I can use the DIS and that's the truth. I know lots and lots about some other things, but never learned (and prefer to remain ignorant regarding) anything to do with computer stuff.

But I do know that I've seen people who know about this stuff on TV saying that thieves can zap you while you're standing in line or walking down the street and have your credit card maxed out (or for those who carry their checking account around with them, have that drained) before the next time they pull the card out.

If "security is always at the forefront of our decision making process", why are people having their bank accounts drained before they go to lunch? I'm not trying to pick on you, I really want to know. And I hope you can explain that end of it without talking about computer stuff or trying to teach me what RFID stands for.

Because Credit Card companies, specifically, decided to roll out a "feature" before thinking it through.

Most CC's that use RFID (especially AMEX) do NOT have a public/private key system on their cards. They have rudimentary security that is easily bypassed.

THAT'S the issue. More recent implementations have been able to overcome those shortcomings.

 

[pilferk]

Yes, this is possible. The contraption needed to do it can be a bit bulky, but like everything else, they are getting more efficient all the time.

RFID readers/receivers can be roughly the size of a key fob, now. If you add a transmitter and camera (in case you also want to swipe pins) they're about the size of a chalk board eraser. And can look as benign.

Getting their contents is as simple as hooking them (wither via wire or wirelessly) to an Iphone.

 

[pilferk]

I don't know that I would. If the bands are not removable (and in order to prevent people from sharing tickets, I would think they would have to be non-removable) you would have to wear your AP year round. THAT would not be pleasant.

Now, if there was a way to link your hard ticket AP to the band when you are staying on property, and you would only have to wear the band when you are staying on property (and could still use your hard ticket AP for day trips) then that I could get on board with. Most of my trips with my AP are overnight, on site visits. But I do occasionally go to one of the parks for a day trip as well.

Or if there was a window where AP holders could take their AP and get a band for the day (or whatever period of time they were visiting WDW), that would also be an option. If you had to show your AP and ID, they would at least know it was you.

I imagine there's a lot of work to be done yet on this system.

They have removable bands (they sort of look like those Lane Armstrong/Breast Cancer/"cause" type bracelets), rubber watch bands, "pleather" snap bracelets, paper stock (which are usually the non-removeable type), etc. There's lots of options.

And preventing sharing tickets would, I'd think, work like it does now: through biometric scan.

 

[McIntoshMango]

If you could take them off, I think they would be handy. I just don't like the plastic on my wrist feeling. If I could loop it through something else, again, it could be nice.

 

[ccudmore]

I know this is all speculation and conjecture, but I wanted to add one thing to the discussion about them being removable.

One of the reasons I could see them wanting to use RFID is so that they could do away with the finger scans. If you have people put on a wrist band that they can't remove, they could then theoretically just walk into the park (after the security check) without having to provide a fingerprint scan. There's no way to transfer the band so there's no need for the scan. There would still have to be some way of transferring unused days off of the band for non-expiring tickets but that wouldn't be hard to do.

However if the band could be removed, you'd still have to do the scans since there's no way to ensure that people haven't swapped bands. The pictures don't really seem to show one way or another but it's something to think about.

 

[Disneyadore]

I know this is all speculation and conjecture, but I wanted to add one thing to the discussion about them being removable.

One of the reasons I could see them wanting to use RFID is so that they could do away with the finger scans. If you have people put on a wrist band that they can't remove, they could then theoretically just walk into the park (after the security check) without having to provide a fingerprint scan. There's no way to transfer the band so there's no need for the scan. There would still have to be some way of transferring unused days off of the band for non-expiring tickets but that wouldn't be hard to do.

However if the band could be removed, you'd still have to do the scans since there's no way to ensure that people haven't swapped bands. The pictures don't really seem to show one way or another but it's something to think about.

No not at all. My local pool uses them. If I use mine it is "locked" for a certain amount of time. Could be one or two hours.
I think no one will have waiting his family members outside until the "locked time" is over.