Security Threats & Technologies of Organization

The modern organization, being highly networked, is constantly under threat from harmful software and from the malicious intent of certain people. Viruses and worms are rampant and infect millions of computers, wreaking heavy damage on data and productivity. Malicious coders, called crackers, also attack organizations to infect them or steal data or money. Some crackers simply attack the services of organizations to bring them down or make them ineffective.

Many technologies have evolved to address the threats from the internal and external environment of the organization. These technologies protect data by encrypting it or protect organizations by monitoring the incoming and outgoing network traffic.

Wireless technology is used by many organizations, and it poses unique security challenges. Managing security means ensuring the organizational users’ confidentiality, authentication, integrity, and access to digital resources.

Security management involves managing people, technology, and processes – all of which impact and determine security – from the perimeter of the network to the client’s computer.

---

Security Threats Faced by Organization

All modern organizations use information systems that are networked and connected to the external world via the internet. Though this brings access to a vast ocean of useful information and services, it also poses a tremendous security challenge.

The threats to the modern information systems environment are many and varied. Security threats arise from malicious software that enters the organization from outside, from internal users who have malicious intent, or from accidental loss or exposure of internal information. The sections below explain some of the threats faced by organizations.

• Malware
  
• Cracking and Espionage
  
• Phishing and Identity Theft
  
• Denial-of-service Attack

Malware

Malicious external software poses a threat to the security of organizations come in many forms. One of the most widely prevalent threats is that of viruses which are software packages that harm the organization’s information technology assets. Viruses typically enter the organization through various applications of the internet or devices such as USB memory sticks and then spread within the network to many hosts. Millions of viruses harmfully impact computer systems.

A cousin of the virus is the worm, another malicious software application that spreads relentlessly across networks and chokes them up. A third type of malicious software is called Trojans, or Trojan horses. Trojans typically reside in the computer and allow malicious software or users from outside to invade the computer and use its resources.

Spyware is a type of software that also resides in the computer and secretly relays information about the usage of the computer to agents outside. A common term used to describe the various kinds of malicious software mentioned above is malware. Malware is a massive security problem for Chief Information Officers (CIOs) of organizations and requires careful planning and large investments to manage. Analysts estimate that huge losses worldwide are caused by malware.

The loss is computed based on productivity lost owing to downtime of computers, the costs for cleaning up and replacing data, the costs for additional security measures, and the costs from direct loss of business. Commercial firms lose data if malware enters their premises, and it costs them much to clean up, but they also lose their reputation as a firm among their clients and partners. Managing security is thus a very high priority for organizations.

The impact of malware on businesses and organizations is massive. It runs to billions of dollars on a worldwide scale, and in 2016 the estimated economic losses were about $450 billion. Depicts the sources of economic losses from cybercrime across the world.

Examples of Malware

A worm is an autonomous software that acts by penetrating computers and networks by mainly replicating itself. Each unit of the worm finds security loopholes to enter networks or individual computers, replicates itself so that its copies can seek out other computers and network components to infect, and each instance of the worm then continues its work. Worms as such do not do any harm to the infected computer system or network components; they simply consume storage space and network bandwidth while they propagate and spread.

Worms spread very rapidly when they infect a system. A famous worm, known as the SQL Slammer, started to propagate rapidly in a few minutes. It multiplied and spread across the network, and also opened pathways for its progeny to follow. This led to an explosive growth of malware in the systems of the infected organization and paralyzed and crashed many systems.

ILOVEYOU Worm

The ILOVEYOU worm, also called the ‘love bug’ by the media, gathered much attention from around the world for the havoc that it wrought in major organizational systems. ILOVEYOU appeared in May 2000 and spread rapidly across Microsoft email servers. It was a worm that came as an attachment in an email message, with the subject line of the message reading ‘I Love You’.

If the recipients opened the attachment by double-clicking on it, the worm would fire a program that allowed it to replicate itself, and further look up all the addresses in the recipient’s Windows mailbox and send itself to them. Thus, the worm replicated itself through email.

The worm used a particular weakness of the Microsoft email server and clients, that of allowing, by default, users to run programs that had been sent as an attachment to them. Users, however, were not aware of this weakness, as the attachment showed up as a text message, with a ‘.txt’ extension (thus indicating that it could not be executed), where the user tried to see the text by double-clicking on it. Microsoft Corporation was heavily criticized for this error in design and soon remedied it by disallowing email attachments to be executed as a default.

The ILOVEYOU worm harmed the systems too as it made changes to the Windows registry so that it would always be invoked when the system was booted up. (The Windows registry is a set of files that holds configuration and running instructions for the personal computer; it is part of the operating system.) Furthermore, the worm replaced many types of image and document files (files with extensions such as ‘.jpg’ or ‘.doc’) with copies of itself.

It was later detected that the worm originated in the Philippines, written by two college dropout computer programmers. They wrote the entire worm in the Visual Basic scripting language and released it through their local internet service provider (ISP). From the Philippines, the worm spread to Hong Kong and then on to the rest of the world through email attachments.

At its peak, it choked up systems across large organizations, including government departments, defense establishments, and commercial institutions. It also affected many systems in India. It is argued that the worm used social engineering to spread, as human users were enticed to click on the email messages sent to them and thus propagate it. At the time of its release, this worm was declared the most virulent malware ever.

The Philippines government apprehended the programmers who had released the worm but was unable to prosecute them as there was no law in the Philippines, at that time, which explicitly banned the creation and release of worms.

The two programmers were set free after a mild punishment, however, the government was prompted to enact a law to address such crimes. In India too, in the year 2000, the IT Act was passed by the Parliament to provide legal support to authorities to monitor and prosecute cybercrime.

Conficker Worm

The Conficker worm was detected in late 2008, and soon became one of the deadliest worms in computing history. The worm propagates only via the Windows operating system by relying on its vulnerabilities such as shared folders and insecure passwords.

Users who had insecure passwords, such as dictionary words, or had shared folders with others without carefully protecting them, or left their computers unsecured while on the network, were the prime targets that inadvertently enabled the worm to spread.

The Conficker worm works by first entering a system through the internet as an email attachment, through USB memory sticks, or through shared files. After entering a system, it maps out the other computers on the network, particularly those that have insecure passwords or non-updated security software. It then sends replicas of itself to these computers and continues bringing the new computers to its network.

The Conficker worm is supposed to use all known infection techniques to spread itself; it also downloads patches for itself from the servers of its authors to continue propagating against efforts to control it!

The Conficker worm affected almost 9–15 million computers in dozens of countries around the world. Of these, India was reported to be in the top 10 affected countries, as computed by an anti-virus software firm. The worm affected major government and defense departments such as the French Navy, the armed forces of Germany, and the City Council of Manchester.

The worm was often updated by its authors, and specialists around the world confirm that there are at least five different versions of it that attack different vulnerabilities in Microsoft-based personal computers. The Microsoft Corporation has responded by releasing several patches and security updates for its operating system and also announced a large prize to anyone who can give information on the perpetrators of the worm.

Cracking and Espionage

The words cracking and hacking are often used interchangeably. Cracking is the act of breaking into computers or computer networks illegally. This is usually done by expert programmers who find ways to break into networks by identifying weaknesses in their security or by uncovering passwords or some such method that is not strictly legal. The programmers’ intention of doing so is often mischief to show how clever they are at breaking secure systems. Sometimes their objective is to steal information, digital resources, or money.

Hacking also refers to the same act, but sometimes hacking is also done for useful reasons, known as ethical hacking, where expert programmers break into systems to expose weaknesses rather than do any harm. Although the two terms are now confused, technically, many people believe hackers are always ethical and are the most competent at programming.

In the current business environment and with the widespread use of e-commerce, cracking has assumed very large dimensions. Many countries have passed laws to address cybercrime, which most directly refers to the acts of cracking to steal money or digital assets. The estimates of different agencies vary, but the underlying story is the same – millions of dollars are being stolen from banks, credit card firms, e-commerce firms, governments, and private businesses by crackers.

For example, in 2010 some crackers from Ukraine cracked the security of a bank in the USA and did systematic wire transfers to move money from the bank to a bank in Ukraine. This was done with the connivance of some bank employees. In another example, some crackers broke into a credit card firm’s databases and removed information about thousands of users. This information was then sold to marketing agencies that wanted to target the users with customized sales.

Cracking is done in many ways, most of which exploit some weakness, human or technological, in the security of systems. One method of cracking is reverse engineering, where crackers identify the kind and type of system that is being used and then uncover its security mechanism. For example, some crackers who wanted to steal from gambling machines in casinos in Las Vegas, the USA, first identified the type and manufacturer of the machines being used.

They purchased similar machines, removed the central processing unit (CPU) from them and, through reading the assembly language code written in the CPU, discovered how the CPU determined when to release a straight flush of cards that would earn a lot of money for the player. They did this by finding a flaw in the random number generator (software for finding a sequence of numbers that are random) and then replicated how the chip computed numbers and the sequence in which they would appear.

This allowed them to predict accurately when the required number would appear and the machine would display a straight flush. Using this method the crackers were able to win millions of dollars from the casinos over several years (until one of the crackers was caught).

Another method used by crackers is that of social engineering, which is the manipulation of unsuspecting users to extract private information from them. Here, the trick is to exploit the insecurity and lack of knowledge of human users. For example, one common trick crackers use is of calling an unsuspecting user over the phone, pretending to be operators from a local bank, in which the user has an account, or from an ISP, which the user accesses, and asking him/her about any technical problems. Users often give away details about their account names, and possibly, passwords without verifying who the callers are. In other cases, crackers join as employees of computer firms to visit users’ homes on support calls.

They note down details of accounts used, account names, and other details such as the names of the user’s family members. People often use the names of their family members as passwords, which helps crackers to break into their accounts from remote locations. Unsuspecting home users, in particular, are vulnerable to such social engineering as they are not aware of the value of maintaining security.

Social engineering is also used in organizations where crackers befriend employees and ask about their everyday work in casual conversation. They can identify security procedures, operating hours, the nature and type of security software used, the names of key employees, and often the Internet Protocol (IP) addresses of important servers.

Using this knowledge they can hack into the servers of such organizations. There are several examples of banks, schools, and government departments where crackers have used these techniques to break into systems and steal information or use these systems to break into other systems.

Another reason why crackers break into organizations is for industrial and political espionage. After breaking into a system, crackers leave behind the software that forwards email messages from key individuals to certain destinations that they can access later, or simply log in and read and download files. Cracking for espionage and warfare is now common practice in countries such as the USA and Israel, as shown in the Stuxnet case study at the beginning of this chapter. This is also known as cyber warfare.

The intelligence agencies of the USA routinely monitor the online traffic of the defense departments of rival nations. The extent of this espionage is not revealed, however, reports suggest that this is quite widespread.

Phishing and Identity Theft

Phishing is another cybercrime that is perpetrated through social engineering. Phishing is done with fake websites that masquerade as real ones. A typical scenario for phishing is as follows: Person A receives an email message from his/her bank, saying that he/she has to upgrade his/her login and password details for security reasons. The email also provides a link on which A can click and be directly transferred to the bank’s website.

A does click on the link and is taken to a web page that looks entirely like his/her bank’s page. He/she types in his/her login and password and finds that he/she is not able to enter the page and only gets an error message. What has happened is that A has been directed to a fake website that has a similar appearance to that of the bank. When A types in his login name and password into the space provided on the web page, he/she has inadvertently given away vital personal information to somebody.

In the above case, the phishing attack only went to the extent of extracting the victim’s login name and password. In many cases, fake sites are designed to extract more details from the victim. The idea of phishing is identity theft, where crackers are manipulating unsuspecting users into revealing personal details that they can exploit later.

In a case in India, crackers had sent an email asking users to log into the Indian Income Tax Department’s website and enter their details. The crackers had gone into great detail to ensure that the fake website looked as authentic as possible, thus, not raising any suspicion among users who had been directed there.

Another form of identity theft takes place through snooping and keylogging. As many people in India still use public internet cafes in urban and semi-urban areas, many crackers use keylogging software to steal their data. A keylogger is a software that when installed stays in the random access memory (RAM), and keeps a record of all keystrokes on the keyboard.

When customers in an internet cafe sit at a computer with a keylogger installed, all the keys they press to do their work are recorded, creating a clear record of all the text they have typed in. The crackers can later extract all private details, such as account login names, passwords, bank account numbers, etc. from the logs available in the software. In a case in Bangalore in 2007, a team of thieves used keylogging software to obtain the identities and passwords of over 100 people from internet cafes and used this information to transfer out over Rs 1.2 million (about USD 27,000) from 28 bank accounts.

Denial-of-service Attack

A denial-of-service (DoS) attack is a method by which crackers pull down or slow down the services of a website. Attacks of this sort make the website appear to be slow and unresponsive to normal users. DoS attacks are typically targeted at famous websites such as Amazon.com or Yahoo.com, as also against the government and institutional websites.

One type of DoS attack relies on the three-step handshake of connection-oriented protocols. A connection-oriented protocol, such as Hypertext Transfer Protocol (HTTP, the protocol used for reading web pages), requires that the sender first send a connection request, the server responds to this with an acknowledgment and then the sender sends a specific request for a page.

After the second step, the server waits a specified amount of time for the third-step request from the sender, and then times out (which means it stops waiting). Web servers that deal with a very large number of clients, such as those of Amazon.com or Google.com, are capable of handling a few thousand requests per second. For each request, they follow the three-step handshake and then continue with providing the information.

Crackers exploit this handshake by sending out a request – the first step – to which the server responds, and then the cracker client does nothing, letting the server time out the connection request. During a DoS attack, such requests are sent by the thousand and for each of them the server waits a few seconds and times out, effectively doing nothing. However, legitimate users seeking information from these sites have to wait in a queue to be served.

Crackers create DoS attacks by manipulating web servers (which attack other servers) to send many connection requests. They also change the IP address of the requesting server by spoofing the address. IP spoofing is a trick by which packets sent to the victim server are given a fake IP address so that it appears that the server is receiving requests from many different IP addresses and not from a single machine of the cracker.

However, IP spoofing is easy to detect, so crackers use multiple machines to launch attacks, and also spoof the IP addresses. This makes it very difficult to identify the IP address of all the attacking computers and block them. This is known as a distributed DoS.

To launch a DDoS attack, crackers first have to capture and control computers from around the world. Typically, crackers enter networks, such as those of universities or government departments, which have many computers connected to the internet. If the security of these networks is not strong then crackers infiltrate and control many of these computers. These computers may be servers that are left running continuously on the campus or host computers that are never detached from the network and never shut down.

Under the control of crackers, these machines act as zombies or botnets that send service requests to the victim servers. As these zombies are located around the world and not owned by crackers, their identity is not spoofed. In many DDoS attacks, thousands of such zombies have been used to send requests to servers.

---

Security Technologies for Organization

Some of these technologies are explained below.

• Encryption
  
• Public-key Cryptography
  
• Firewall
  
• Virtual Private Network

Encryption

Encryption is a technology by which a message or data is transformed or translated into a form that is not easily readable by anyone. Encryption is an ancient technology, once used by kings and emperors to send coded messages to their commanders and confidants, particularly during times of war. An encrypted message could be apprehended or stolen by the enemies, but it would not be easy to decipher its contents. Encryption allows a message to be coded or scrambled, and also returned to its original by using keys.

In computing terminology, the original message to be encrypted is usually called plaintext, whereas the coded message is called a ciphertext (where cipher refers to a key). Consider a plaintext message – ‘send more tanks’ – that has to be encrypted. This message can be transformed by reversing the order of words and their letters as ‘sknateromdnes’.

In this example, the plaintext is the first phrase and the ciphertext is the second phrase (which does not make sense in the English language). In this case, the key is ‘reverse’. This is a rather trivial key for this particular example, but when used in conjunction with other keys it can create very effective encryption.

In the first example in the table, the key is to shift each character by five letters. This is done by considering all the characters in a row and looking at the character which is five places away from the one to be replaced. For example, the letter ‘s’ is replaced by ‘x’ which is five positions away from it in the first row of characters.

Public-key Cryptography

The weakness of symmetric key cryptography is the need to send across the key. Throughout the history of encryption, the problem that many have tried to solve is to have an encryption mechanism that does not require a key to be sent. Keys are the weak point in the encryption process because if a key is leaked, the message can easily be compromised. Senders have to go to extra lengths to ensure the key remains safe and secure.

Digital certificates are also used to authenticate the owner of a public key. Such certificates are issued by security agencies, such as Verisign, and assure that the user’s public key is being obtained from the designated source, and not from an imposter. Thus, the digital certificate associates the public key with an agency or person, or organization with a name, address, and other reliable identity data.

Authentication is also required to ensure that no one is impersonating the sender. For instance, if Chetan wants to send Bani a message pretending he is Alok, all he has to do is take Bani’s public key (easily available) and encrypt the message (the encryption method is also easily available) and send it to Bani. Since Chetan can sign the message as Alok, Bani cannot tell that it is not from Alok. Thus, Chetan can easily impersonate Alok.

Firewall

A firewall is a filtering and protection device that is usually a combination of software and hardware. A firewall protects the organization against malicious crackers and intruders. At a basic level, a firewall is a packet filter device that monitors both outgoing and incoming packets.

It is usually placed at the perimeter of the organization’s network, inside the router that connects the organization to the ISP and the internet. It is possible to write a set of rules in the firewall that check the content of packets and allow or disallow them. For instance, one can write a rule that specifies: ‘disallow all packets from youtube.com’. This rule will specifically check for packets whose source address is youtube.com and bar them from entering.

Packet-level filtering can be applied to packets of different protocols and services, to packets with specific source and destination addresses, and to packets using specific port numbers. It is quite common for organizations to ban traffic on port number 23, which is used for an internet application called Telnet. Telnet allows remote users to log in to machines within the organization, a practice that is considered to be insecure and that has been consequently banned.

A more advanced version of filtering is achieved through application-level filtering. Here, the system administrator has more flexibility in designing security policies. For example, in application-level filtering, a specific, trusted user can be allowed to access the Telnet facility, whereas other users can be barred from doing so.

This particular user may have established a need for this with the organization and is being permitted to do so. The user would have to be authenticated by the firewall through a login, and then can be allowed to use the application. This facility can be applied to all higher-level applications, such as email, file transfer, etc. by the firewall.

Although firewalls serve as very effective security devices, their one drawback is of slowing down traffic at the perimeter (every packet has to be examined, and this takes time). To overcome this drawback, firewalls are often built into the hardware and hence realize huge speed advantages. Some router manufacturers offer firewalls built into their products.

A technique known as deep packet inspection (DPI) is often used by many packet filtering devices. By this method, packets are inspected for their header information as well as the content. As the actual payload of a packet is inspected, DPI can uncover malware such as worms within packets, protect against DoSattackes, and harvest data for managing the security infrastructure. As DPI involves the inspection of data, it has led to issues of privacy and censorship.

Virtual Private Network

A virtual private network (VPN) is a technology that enables clients or employees of an organization, who are outside the network, to connect to the organization’s network securely. A VPN is a kind of ‘tunnel’ through which clients can connect to the organization’s network while using the public internet.

The need to use a VPN often arises when employees are traveling or working from home as telecommuters, and they use the internet to log into their computers at work. A VPN allows them to securely enter the A VPN connection relies on authentication and encryption.

Most organizations provide a VPN server to their clients or employees, who log into the server with a password that acts as the authentication. Once logged in, all the packet traffic flowing in the connection is encrypted, enabling the tunnel to be formed.

Since traffic on the internet is usually not encrypted and employees often log in from public internet kiosks, this mode of transmission allows a secure connection. VPN connections often can go through firewalls via a special channel, allowing users to connect to all the facilities and features available on the organization’s computing network.

For example, consider a protected network on an educational campus. Students on campus can access online facilities such as email, educational software, library software, publications, etc. while using campus computers.

When they are off-campus, such facilities are restricted as firewalls disallow outside users from accessing campus resources. This is where VPN servers are used. Students are given VPN accounts on this server, which lets them log in from outside, and once logged in, they can access all the digital facilities on campus.

---

Wireless Technology

In modern organizations, wireless devices and technologies proliferate. Examples of wireless devices include remote controllers for televisions or monitors (or key fobs for cars); wireless keyboards; wireless mice; laptops with Wireless Fidelity (Wi-Fi) connectivity; mobile phones; laptops and mobiles using Bluetooth technology; and Global Positioning Systems (GPS) client. All these devices rely on radio waves of different frequencies to connect to share information.

All the technologies available for wireless rely on specific ranges of radio frequencies, called the bandwidth or spectrum, and deploy different methods for sending and receiving messages. These technologies also have different capacities for carrying data, and varying distances to which the data can be carried.

For example, Bluetooth technology can transfer data over a few meters, whereas a WiMax router can send and receive data over many kilometers. Strong security issues are associated with wireless technologies. Given below are brief descriptions of some wireless technologies currently used by organizations.

• Wi-fi Routers
  
• Bluetooth
  
• Radio Frequency Identification (RFID)

Wi-fi Routers

Wi-Fi, which is a contraction for ‘Wireless Fidelity’, is a communication standard approved by the IEEE for wireless communication. Many devices use Wi-Fi, such as phones, laptops, and tablet computers. So this standard of communication has become very popular. Wi-Fi is popularly used with ‘hotspots’ or access points that are routers, which use the Wi-Fi standard to provide wireless internet connectivity.

A typical hotspot in a home or office is connected by LAN cable to the internet. It allows devices such as laptops, mobile phones, and tablets to connect to the internet through it. The hotspot acts as a router as it allows the devices to share a pool of IP addresses, provided by the router, which allows the devices to communicate with the internet.

Wi-Fi routers are sometimes used in a mesh network. Here, the hotspots act as relay devices that carry forward the network connectivity from one device to another, therefore, only one device needs to have a connection to the internet through an ISP, and the others can relay and share this connectivity.

The Wi-Fi standard is specified by the IEEE 802.11 series of specifications. Each specification refers to a particular bandwidth and type of connection. For instance, one standard allows up to 54 Mbps of data traffic with a range of 100 feet within buildings. With clear line-of-sight outside buildings, such Wi-Fi routers can be detected several hundred meters away.

Connecting to Wi-Fi routers could be done in an unsecured manner, where anybody could simply lock into the signal available and use the connection. Or the connection can be secured, where gaining access to the router requires entering a password as authentication. Unsecured Wi-Fi routers have been a source of many security problems.

Bluetooth

This is another standard that is used to wirelessly connect devices. The Bluetooth standard connects devices such as mobile phones with headsets, laptops with printers, laptops with mice and keyboards, and so on. Bluetooth was created for connecting personal devices rather than connecting devices at home or in the office. As such the Bluetooth standard offers lower data transfer rates and operates over a short distance, however, it is a more secure method of communication.

Radio Frequency Identification (RFID)

Radio Frequency Identification (RFID) is a technology by which tiny radio receivers and transmitters are embedded in devices or objects from where they can be identified. These radio receivers and transmitters are typically embedded in ‘chips’ (tiny encasements), which can then be mounted practically anywhere. The RFID chips work with ‘readers’ that send out radio signals to find if any are available in the vicinity. Upon receiving the query radio signal, the chips respond by sending out a unique signature, which identifies them.

The RFID devices may be active or passive. Active devices require an energy source, like a battery, to broadcast signals. Whereas, passive devices can use the energy of the reader’s signal to respond. When objects are embedded with RFID chips they are said to be tagged.

Following are some examples of how RFID tags are used:

• The YES Bank, a large retail bank in India, uses RFID tags to identify its customers. In a YES Bank branch in New Delhi, in a neighborhood that typically has wealthy customers, YES Bank has given wallet cards with RFID tags on them to its high net-worth customers.
  
  When these customers enter the bank branch, a reader located near the entrance reads the RFID tag the customer has in his/her wallet or purse (or perhaps in a briefcase) and sends a signal to the branch operatives.
  
  The customer’s name, photo, profile, and brief banking history are immediately made available to the operative who will greet the customer and take him/her to a separate office to attend to their needs. High net worth customers appreciate this gesture as they like to be recognized and treated especially while visiting their bank, and it also saves their time.
  
  The challenge in implementing this technology was in ensuring that the reading signal can reach the RFID tag that the customer is carrying. The signal has a limited range (a few meters) and has to penetrate through clothing or any accessories the customer may have kept the card in. Furthermore, the identification has to be quick, the signal has to be decoded, matched with existing records, and the customer’s profile retrieved even as the customer walks the steps into the branch office.
  
  
• JustBooks is a private book-lending library that started in Bangalore in 2009 and has spread to many cities in India. The library works on a membership basis, where enrolled members walk into a JustBooks store in the neighborhood, and borrow books from the shelves. Members can have a fixed number of books borrowed at a time but have no restrictions on when they will have to return the books or how many they can borrow overall.
  
  Membership cards have RFID tags, as also all the books in JustBooks stores. After selecting the books they want, members can walk up to kiosks where they identify themselves with their cards, and then log the books they have selected, which are detected by their RFID tags. Members can thus check in and check out books without human intervention.
  
  The RFID tags are also helpful in locating books that have been misplaced from shelves in the store. The tags reveal the location of the books and these can be corrected by store employees.
  
  

Other applications of RFID tags include managing inventory in large warehouses by tagging all items, charging cars at toll plazas through RFID-tagged display cards (which can be read by readers placed at the toll gate), and for use on public transportation where RFID-tagged passes allow users to travel without having to purchase tickets.

There are now dozens of different types of applications to which RFID tags have been applied across the world. The prices of tags are quite low, owing to their mass production and they are likely to gain more uses in the future.