Posted by Lori Ayre on May 7, 2013

If you haven't signed that RFID contract yet, you may want to set down your pen and check one thing....is the chip in your vendor's RFID tag capable of locking and password-protecting your content as well as the AFI and EAS registers?  If not, don't sign that contract.  Here's why....

NFC (near field communication) is that technology that allows you to do some interesting, convenient, new things with your smartphone. And when I say smartphone, I don't mean the iPhone which, so far, doesn't have an NFC component yet.  But the Samsung Galaxy, Motorola Droid Razr, and HTC Optimus (among others) all have the ability to utilize NFC technology.  

NFC is a kind of HF RFID technology, which is the same technology we use in our libraries.  But whereas our library tags can be read from 20 inches away or so, NFC communications only happen within a range of a half inch.  In other words, you essentially hold your phone up to the thing you want to communicate with.

The NFC applications that are starting to appear include storing your credit card information on your phones so you can "tap and pay," for storing tickets to events, keeping your personal information on the phone for easy access, and more.  The developments are coming a bit faster outside of the U.S. but we'll be seeing more and more soon --- especially if the iPhone 6 includes support for NFC.

The problem for libraries is that the more pervasive NFC becomes, the more likely our RFID-based systems will be hacked.  I've been told that there is already an application out there that allows a user with a Samsung Galaxy to mess with any unlocked 15693-compliant library tag.  And by mess with, I mean it can render it useless for library use by locking data that shouldn't be locked (e.g. checked in, checked out status) as well as reading and modifying the data on the tag.  Luckily, this application isn't readily available to the public.  It was developed by people interested in addressing the potential threat to our existing library RFID systems.

There will be lots more to say about this topic as more work is done to identify ways to remediate this threat while continuing to support the need for interoperability across systems.  We don't want to panic about this potential threat and set ourselves backwards in that regard.  It is important to find solutions that ensure libraries don't (again) get locked into vendor-specific, proprietary solutions. And, we want to move in the direction of using RFID to support more functions (e.g. ILL, acquisitions and receiving, inventory, location management, delivery tracking, sorting) rather than less. But to promote development of new functionality, we need to have standards that allow vendors to write code that will work across ILS products and for libraries to be able to mix and match equipment from vendors.

That said, it would be prudent to talk to your RFID tag supplier about the chip that is on the tags that are providing to you. Some of the newer ISO 18000-3, Mode 1 compliant tags from NXP have the option to lock and password protect several areas of the tag that may make a big difference down the line. The NXP ICODE SLIX supports password protecting the AFI and the EAS settings.  The NXP ICODE SLIX-S does the same thing plus it adds password protection tag data (meaning you could theoretically prevent an unauthorized reader from even reading what's on the tag).  

So, if i were you, I'd talk with my RFID tag supplier about moving to a tag that has one of these two new chips on it so you are ready to implement the modifications we may need to introduce to our library RFID standards down the line to provide another level of security. It will take some time to develop the right approaches and then we'll need our RFID vendors to implement the new security recommendations....but if you don't have a tag that supports the new recommendations, you'll be out of luck.