Slashdot Mirror


Graphics Programs Uncover Secret PINs

Errtu76 writes "The BBC is running a story stating that, among other programs, The Gimp and Photoshop have been identified as possible tools for uncovering PINs via the mail." From the article: "The researchers collected lots of so-called Pin mailers and then tested how secure they were. Many were defeated using bright lights shone at an angle on to the paper. Other Pins could be read by scanning the letter and then adjusting some of the image qualities in popular programs such as GIMP, Adobe Photoshop and Paintshop Pro."

363 comments

  1. It's become sentient by Anonymous Coward · · Score: 5, Funny

    OMFG the Gimp icon just looked at me

    1. Re:It's become sentient by DenDave · · Score: 2, Funny

      it's oogling us! Beware the gimp ain't asleep... other than that I love it when an article has a "Mr. Bond"; my imagination runs wild and I can just see Sean Connery holding a sheet of paper into the light and saying "well I'll just get this off to Q, now get me another vodka-martini, shaken, not stirred.." BTW vodka martini shaken is absolutely delicious! Just make sure you get dry martini! hrmmm *thinking* it's Friday, my pal the bartender is working tonight... yep.. time to don the white dinner jacket and light up a Cuban... *mumbling* nobody does it better....

      --
      -if at first you don't succeed, stay the heck away from paragliding.
    2. Re:It's become sentient by Anonymous Coward · · Score: 0

      *takes a look at the gimp icon....waits....waits more more....screams like Homer Simpson and runs away*

    3. Re:It's become sentient by Anonymous Coward · · Score: 0

      You must be an interesting person to talk to. I think you went off topic like 5 times in a single comment.

    4. Re:It's become sentient by Anonymous Coward · · Score: 0

      chanting: I am evil Homer I am evil Homer I am evil Homer

    5. Re:It's become sentient by too_poland · · Score: 0

      And my w1nd0wz paint icon rebelled for not being mentioned by dropping brushes away ;(

    6. Re:It's become sentient by bombadillo · · Score: 1

      Yeah, scared the crap out of me too! Only seems to do it during certain mouse movements.

    7. Re:It's become sentient by intangible · · Score: 2, Funny

      I'd much rather have to deal with this gimp instead of the one from Pulp Fiction.

    8. Re:It's become sentient by Anonymous Coward · · Score: 0

      "BTW vodka martini shaken is absolutely delicious!"

      Yeah - if you like a weak martini. Shaking chips the ice, and ruins a perfectly good drink.

    9. Re:It's become sentient by mrchaotica · · Score: 1

      ...Which is exactly why Bond specifies it as such. It's kind of a bad idea for someone with a job that dangerous to get plastered, don't you think?

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    10. Re:It's become sentient by Gilmoure · · Score: 1

      Only if 'e's a pansy who can't 'old 'is liquor!

      --
      I drank what? -- Socrates
    11. Re:It's become sentient by trentblase · · Score: 1

      Dude, Bond is plastered the ENTIRE time he's on screen. Remember how in that one movie he slips up and gives the villain his real identity?

    12. Re:It's become sentient by Mehtuus · · Score: 1

      Well, Dr., I'm not sure yet what I should do. It's this Gimp guy, he just keeps gawking at me...

      --
      http://mehtuus.googlepages.com
    13. Re:It's become sentient by the+way,+what're+you · · Score: 1

      > it's oogling us!

      oogling
      --
      example.org - powered by Linux!
    14. Re:It's become sentient by Anonymous Coward · · Score: 0

      Shaking a martini also bruises the Gin.

      Which is why you shouldn't order them shaken.

    15. Re:It's become sentient by mrchaotica · · Score: 1

      He tells the villain his real identity in every movie -- that's his style.

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    16. Re:It's become sentient by kaens · · Score: 1

      And shaking the martini is going to somehow lower its alcohol content?

    17. Re:It's become sentient by mrchaotica · · Score: 1

      Yes, because shaking causes the ice to break up and melt, and when that happens it dilutes the drink.

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    18. Re:It's become sentient by kaens · · Score: 1

      Right, but there's still going to be the same total amount of alcohol in it as there would be if it was stirred - just less in each sip.

      He's still going to drink the entire glass right?

    19. Re:It's become sentient by mrchaotica · · Score: 1

      But when it comes to alcohol, it's the concentration, not the total amount, that matters. I'm sure you know, for example, that you'd get much less impaired by having two beers with dinner than you would by having two beers by themselves.

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    20. Re:It's become sentient by kaens · · Score: 1

      Sure, but that's because with dinner I would have things in my stomach that absorb alcohol - like bread, and thus less would reach my system. If I drank two beers of any given brand on an empty stomach one day, and then drank two beers of the same brand the next day (again on an empty stomach) that I poured some more water into, I would get just as drunk.

    21. Re:It's become sentient by Anonymous Coward · · Score: 0

      haha, I love it when you American trolls try to embarrass your fellow men with something as harmless as some boobies.

    22. Re:It's become sentient by DenDave · · Score: 1

      LOL!!! Ya know, I wish I was born 30 years earlier... I would have LOVED the 60's... Get drunk, spend a fortune at the casino and go home in an Aston Martin DB5 and shag the babe... *ringing sound* back to reality...

      --
      -if at first you don't succeed, stay the heck away from paragliding.
    23. Re:It's become sentient by DenDave · · Score: 1

      Heck, if it's Friday and I am in dire need of a drink and the weekend, I am sure I could manage 6 times..

      --
      -if at first you don't succeed, stay the heck away from paragliding.
  2. 1 out of 2 by suso · · Score: 2, Funny

    Now, if only they'd make a program that lets me remotely break into people's mailboxes and steal their mail. Then I'd be all set.

    1. Re:1 out of 2 by Asprin · · Score: 5, Insightful


      Unfortunately, I think your point is going to be lost on some people.

      While the article certainly has a point in pointing out the problem, at least in this scenario the criminal has to hit his targets old school: manually and one-at-a-time. This is a time-consuming, slow process that forces them to be in the geographic neighborhood of their victims.

      I am more concerned about security privacy issues with data stored online, where you can hack a database 3,000 miles away and get 10 million PINs in an afternoon. Now *that's* an increase in productivity.

      --
      "Lawyers are for sucks."
      - Doug McKenzie
    2. Re:1 out of 2 by robslimo · · Score: 3, Funny

      Agreed. I was wondering how this had anything to do with "Your Rights Online," but a remote mailbox exploit might do the trick.

      Let's get cracking.

    3. Re:1 out of 2 by rf0 · · Score: 3, Funny

      I've been seeing people recommending that you now write passwords down on post-its on your monitor, as it's actually more secure than most online passwords nowadays.

      rus

    4. Re:1 out of 2 by ArsonSmith · · Score: 4, Funny

      I use passwdgen and make 3-5 passwords and write them on sticky notes and stick them to my monitor. Kinda funny when people ask, "Aren't you the security guy?"

      --
      Paying taxes to buy civilization is like paying a hooker to buy love.
    5. Re:1 out of 2 by apparently · · Score: 1

      or get a job as a postal worker? I have people stealing Blockbuster Online dvds; what's to stop the same from stealing confidential mail?

    6. Re:1 out of 2 by richlv · · Score: 1

      mm. actually this is a pretty nice idea :)
      supplying false information has always been a very efficient way of making the enemy fail.

      --
      Rich
    7. Re:1 out of 2 by Vlatro · · Score: 0

      Absolutely right. Watch out online, the mail is secondary to online purchases. Most banks in my area require you to change the temporary PIN they mail you on your first ATM usage. You have to do it at the machine (which has a camera on you), and it requires that you also physically have the card. The temp PIN is useless for purchases, only to change your PIN. Other banks don't even send you your PIN in the mail, they send a card, then follow it days later with a telephone numeric code, or website login to set up your PIN. And no bank to my knowledge sends the PIN at the same time as the card and does not include the actual card number with the PIN at all, making it useless unless you have both. Then anyone can buy a mailbox where the incoming dropbox has a lock. As I see it, you can spend an hour of your time lobbying in forums that won't be read by anyone in a position to change this problem, or you can buy a $6.00 lock for your mailbox. This incident is only one of many reasons you should secure your mail. Of course who wants to scan an envelope. I could just get your insurance information from your car while you sleep, and use that with a statement stolen from your mail to log in and get your credit card number online, right from your insurance company. I had to do that to retrieve my own number when my card was stolen. Just a policy number, and my customer code on the statement, and address, and a phone number. That's all it took. I won't mention who I was going through for insurance, but I'm sure you've seen their commercials on TV. Don't get me wrong, the technology is there for highly secure online transactions. The trouble will always be how much effort is put into implementing it. But then talking is a much easier way to get info from people. Hell, I could just pick a name out of the phone book, call it up from a blocked number (not my own), say I'm with the gas company and we're changing our billing policy, and installing new digital meters in homes. We are piloting this new system in your neighborhood, and are offering a refund in credit for your last bill if you'd like to participate. You just link your card to the meter, it can be paid automatically, and without having to do semi-annual meter reads the new system will reduce your cost, and eliminate the need for you to worry about your bills. So what's your card number? Do that 20 times in an hour, and go on a cruise. Or call from a pay phone, pretending to be with the phone company. That way the caller-ID will display their name and make it even more convincing. Call the phone company first and get the name of someone in billing. Use their name when calling your mark, just in case they want to call back. That'll confuse any attempt to trace the fraud back to you. There are millions of scams out there. Better off just paying cash for everything.

    8. Re:1 out of 2 by jez9999 · · Score: 1

      Yeah! Any aspiring account-hacker would only ever think to try one of the passwords on the post-it note!

    9. Re:1 out of 2 by danheskett · · Score: 1

      I think the point is that none of the passwords on the sticky note are actually in use.

    10. Re:1 out of 2 by Qil'elPhil · · Score: 4, Funny

      > I think the point is that none of the passwords on the sticky note are actually in use.

      Which begs the really Zen-like question:

      "If a password is not in use, is it really a password or just a bunch of letters and numbers (and whatever else you use)?"

      --
      This sig is made from 100% recycled bytes. No keys were typed in the creation process.
    11. Re:1 out of 2 by sjmurdoch · · Score: 1

      > While the article certainly has a point in pointing out the problem, at least in this scenario the criminal has to hit his targets old school: manually and one-at-a-time. This is a time-consuming, slow process that forces them to be in the geographic neighborhood of their victims.

      Unless they have access to a major postal sorting office, or the one which is used by the banks to send out the PIN mailers. In which case they could get a very large number of PIN mailers very quickly. The problem in this case is not getting caught as there would be patterns of fraud which the banks would hopefully detect.
      --
      Steven Murdoch.
      web: http://www.cl.cam.ac.uk/users/sjm217/
    12. Re:1 out of 2 by Afrosheen · · Score: 1

      It'd be better to take it one step further and set up your IDS or whatever security you have in place to send up big red flags when those false passwords are entered. You'd know immediately that someone has physical access and you could go bust some heads.

    13. Re:1 out of 2 by algae · · Score: 1

      What would be funny, is to write a little daemon that would instantly lock anyone using one of those passwords out of all the systems on your network, maybe by source IP.

      --
      Causation can cause correlation
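An added example, not code from either poster, of the decoy-password alarm Afrosheen and algae describe above: the login path compares each submitted password against the hashes of the sticky-note values and, on a hit, records an alert and blocks the source IP rather than the account, so a decoy entry cannot be used to lock the real user out. The decoy strings, the user store and the attempt sequence are constructed for the demo, and SHA-256 stands in for a real slow password hash.

```python
import hashlib
from dataclasses import dataclass

# Constructed decoy passwords: the strings written on the sticky note.
# None of them is a real credential for any account.
DECOY_PASSWORDS = ("Xq7!vL2#pR9m", "tG4$wN8&kB1z", "hY6%cM3@dF5s")


def _digest(password: str) -> str:
    # Demo hash only; a real credential store uses a slow, salted hash.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


DECOY_DIGESTS = frozenset(_digest(p) for p in DECOY_PASSWORDS)

# Constructed user store: username -> digest of the real password.
REAL_DIGESTS = {"alice": _digest("correct horse battery staple")}


@dataclass(frozen=True)
class Attempt:
    src_ip: str
    username: str
    password: str


class HoneytokenGuard:
    """Classifies login attempts and raises an alert on decoy-password use."""

    def __init__(self) -> None:
        self.blocked_ips: set[str] = set()
        self.alerts: list[str] = []

    def check(self, attempt: Attempt) -> str:
        """Return one of 'ok', 'fail', 'decoy' or 'blocked'."""
        if attempt.src_ip in self.blocked_ips:
            return "blocked"
        digest = _digest(attempt.password)
        if digest in DECOY_DIGESTS:
            # Nobody legitimate ever types a sticky-note password, so this
            # is a high-confidence signal that someone read the note.
            self.alerts.append(
                f"decoy password used for user {attempt.username!r} "
                f"from {attempt.src_ip}"
            )
            # Lock out the source address, not the account: keying the
            # lockout on the account would let anyone who reads the note
            # deny service to its owner.
            self.blocked_ips.add(attempt.src_ip)
            return "decoy"
        if REAL_DIGESTS.get(attempt.username) == digest:
            return "ok"
        return "fail"


# Constructed sequence of attempts used by the demo run.
SAMPLE_ATTEMPTS = (
    Attempt("10.0.0.5", "alice", "correct horse battery staple"),
    Attempt("203.0.113.9", "alice", "Xq7!vL2#pR9m"),   # a sticky-note value
    Attempt("203.0.113.9", "alice", "correct horse battery staple"),
    Attempt("10.0.0.5", "alice", "correct horse battery staple"),
    Attempt("10.0.0.5", "alice", "wrong-password"),
)


def run_demo() -> tuple[list[str], list[str], set[str]]:
    """Run the sample attempts; returns (outcomes, alerts, blocked IPs)."""
    guard = HoneytokenGuard()
    outcomes = [guard.check(a) for a in SAMPLE_ATTEMPTS]
    return outcomes, guard.alerts, guard.blocked_ips


if __name__ == "__main__":
    outcomes, alerts, blocked = run_demo()
    print(outcomes)
    for line in alerts:
        print("ALERT:", line)
    print("blocked:", sorted(blocked))
```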
    14. Re:1 out of 2 by Kaz+Kylheku · · Score: 1

      You know, they could send the PIN in two separate letters, in the form of two numbers that have to be added together modulo some power of 10. Both letters then have to pass through the thief's hands, which is harder. Actually you do already get two letters. Your PIN is mailed to you and your card is mailed to you. The number on the card could be that second number.

      Since the PIN is useless without the card anyway, why not compute the PIN from the card number plus the additional secret sent in the other mail?

      ``To calculate your PIN, add 939536 to the last six digits of your client card number. Keep the last six digits of the resulting number, including any zero digits.''

      Anticipated objection: if you can't follow these instructions, maybe you shouldn't have a bank account. :)

      For better security, some personal information could be included, like adding in the last six digits of your social insurance number or some other number, like the account number of your primary checking account or credit card or something.
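The two-letter scheme described in this post, as an added example that is not the poster's code: the bank picks a PIN and computes the offset to print in the mailer, and the customer recovers the PIN from offset plus card-number tail modulo 10^6, zero-padded as the mailer text instructs. The 939536 offset and six-digit length come from the post; the card number is constructed, and the bijection check is extra: for a fixed card, each PIN maps to a distinct offset, so the mailer on its own is uniformly random and says nothing about the PIN.

```python
import secrets


def derive_pin(card_number: str, mailer_offset: int, digits: int = 6) -> str:
    """Customer side: the rule printed in the mailer, for any digit count.

    'Keep the last six digits of the resulting number, including any zero
    digits' is a reduction modulo 10**digits followed by zero-padding.
    """
    modulus = 10 ** digits
    tail = int(card_number[-digits:])
    return f"{(tail + mailer_offset) % modulus:0{digits}d}"


def make_mailer_offset(card_number: str, pin: str, digits: int = 6) -> int:
    """Bank side: choose the offset so that derive_pin() yields the intended PIN."""
    modulus = 10 ** digits
    tail = int(card_number[-digits:])
    return (int(pin) - tail) % modulus


def issue(card_number: str, digits: int = 6) -> tuple[str, int]:
    """Pick a uniformly random PIN and the offset to mail; returns (pin, offset)."""
    pin = f"{secrets.randbelow(10 ** digits):0{digits}d}"
    return pin, make_mailer_offset(card_number, pin, digits)


def offset_is_bijective(card_number: str, digits: int) -> bool:
    """True if, for this card, every possible PIN yields a different offset.

    A bijection means a random PIN gives a uniformly random offset, so an
    intercepted mailer without the card carries no information about the PIN.
    """
    modulus = 10 ** digits
    offsets = {
        make_mailer_offset(card_number, f"{p:0{digits}d}", digits)
        for p in range(modulus)
    }
    return len(offsets) == modulus


if __name__ == "__main__":
    card = "4000123456789012"          # constructed card number
    print(derive_pin(card, 939536))    # the offset quoted in the post
    pin, offset = issue(card)
    print(pin, offset, derive_pin(card, offset) == pin)
    print(offset_is_bijective(card, 3))
```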

    15. Re:1 out of 2 by Spy+der+Mann · · Score: 1

      Now, if the sticky notes were written in elven runes, that'd be something :)

    16. Re:1 out of 2 by Anonymous Coward · · Score: 0

      Nah, elven runes are too well known. Maybe nyngillai, or some other really rare script.

    17. Re:1 out of 2 by YoungHack · · Score: 1

      > I use passwdgen and make 3-5 passwords and write them on sticky notes and stick them to my monitor. Kinda funny when people ask, "Aren't you the security guy?"

      That is so funny, I'm definitely going to do that when I get to the office on Monday.

    18. Re:1 out of 2 by Kazoo+the+Clown · · Score: 1

      I keep a post-it on my monitor with a bunch of nonsense words that don't mean anything. I figure anyone trying to hack in will waste an enormous amount of time trying to figure out what they unlock...

    19. Re:1 out of 2 by Drachemorder · · Score: 1

      > Now, if the sticky notes were written in elven runes, that'd be something :)

      Been there, done that.

    20. Re:1 out of 2 by Anonymous Coward · · Score: 0

      What a fucking great idea! That way any smarty-pants who knows about it can lock you out of your own computer by simply signing in with one of the bogus passwords! That's pure genius! I can't possibly imagine why no one ever thought of that before!

    21. Re:1 out of 2 by Anonymous Coward · · Score: 0

      Congratulations, you are paranoid.

    22. Re:1 out of 2 by Takumi2501 · · Score: 1

      > While the article certainly has a point in pointing out the problem, at least in this scenario the criminal has to hit his targets old school: manually and one-at-a-time. This is a time-consuming, slow process that forces them to be in the geographic neighborhood of their victims.

      Or work for the post office.

      > I am more concerned about security privacy issues with data stored online, where you can hack a database 3,000 miles away and get 10 million PINs in an afternoon. Now *that's* an increase in productivity.

      Agreed.

      --
      Sent from my computer.
      Now GET OFF MY LAWN!
    23. Re:1 out of 2 by Anonymous Coward · · Score: 0

      Wow. 555-GTSE may not even BE a phone number!
      My brain became a lump of molecules and energy for a nanosecond. Wait it's happening again. +++ath
      NO CARRIER

    24. Re:1 out of 2 by kaens · · Score: 1

      No, it's not a password - it's just a bunch of characters, that serves the double purpose of being a deterrent to people trying to get your password. It's not a password for the exact reason that it is not being used. Yeah I know, sense of humor's out the window.

  3. Don't tell me... by It+doesn't+come+easy · · Score: 4, Funny

    No one knew until now that scanning a document in black and white and adjusting the black/white threshold value can make it easier to read marginal text? Wow. Sounds like a patent application to me. Whatever.

    --
    The NSA: The only part of the US government that actually listens.
    1. Re:Don't tell me... by toddbu · · Score: 1

      I've been using this technique to read old receipts printed with that stupid ink that seems to fade away whenever it gets warm (in your pocket, in the sun, etc.) Like you, I wouldn't call this "news".

      --
      If you don't want crime to pay, let the government run it.
  4. PIN Number by Anonymous Coward · · Score: 1, Funny

    Maybe people will quit calling them Personal Identification Number numbers.

    1. Re:PIN Number by Anonymous Coward · · Score: 0

      And the ever-popular Vehicle Identification Number number.

    2. Re:PIN Number by Anonymous Coward · · Score: 0

      But how else will I get money from the Automated Teller Machine machine?

    3. Re:PIN Number by maxwell+demon · · Score: 1, Funny

      Not to forget the popular Liquid Crystal Display display.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    4. Re:PIN Number by Alibloke · · Score: 1

      Also add to the list Network Technology technology

    5. Re:PIN Number by Mr.+Underbridge · · Score: 0, Flamebait

      Only after people quit making that lame-assed joke.

    6. Re:PIN Number by Anonymous Coward · · Score: 0

      Not to mention Cascading Style Sheet style sheet...

    7. Re:PIN Number by afidel · · Score: 1

      And the Networking Interface Card card. Oh yes, and my personal favorite, every time I boot a 2k server I see "built on NT (New Technology) Technology".

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    8. Re:PIN Number by Fahrvergnuugen · · Score: 2

      Or how about "Built on NT Technology" right in the win2k startup screen.

      --
      Kiteboarding Gear Mention slashdot and get 10% off!
    9. Re:PIN Number by syrinx · · Score: 2, Funny

      How else will we access our accounts in the ATM machines, other than by putting in our PIN numbers and reading the LCD display?

      --
      Quidquid latine dictum sit, altum sonatur.
    10. Re:PIN Number by erlenic · · Score: 1

      I was once told by some old-school technicians, the ones who remember the pre-network days, that NIC used to stand for network interface controller. And when you put one of those controllers on a card...

      I've always wondered if they were making it up.

    11. Re:PIN Number by worthb · · Score: 1

      A while back I was watching "Navy NCIS" when a news alert from the CNN network said that a storm at the NASA agency had hit the VAB building.

      --
      "the universal aptitude for ineptitude makes any human accomplishment an incredible miracle" - Stapp's Law
    12. Re:PIN Number by Anonymous Coward · · Score: 0

      Sounds like something the Department of Redundancy Department needs to take care of.

    13. Re:PIN Number by Anonymous Coward · · Score: 0

      Nope, you're wrong! They really mean it!

      PIN Number -- Personal Identification Naked Numbers

    14. Re:PIN Number by Gordonjcp · · Score: 1

      Quite often the actual interface was separate from the controller. The bit that talked to the bus was a different board (for different machines) than the bit that talked to the wires (for different protocols).

      A bit like the SCSI controllers where there's a SCSI interface that plugs into the machine, then a SCSI interface that connects to a plain vanilla ST506-type drive...

    15. Re:PIN Number by Errtu76 · · Score: 1

      or Domain Name Server server

    16. Re:PIN Number by ajwitte · · Score: 1

      Domain Name System server

      --
      chown -R us ~you/base
    17. Re:PIN Number by Ced_Ex · · Score: 1

      Also Human Immunodeficiency Virus virus.

      --
      Live forever, or die trying.
    18. Re:PIN Number by Errtu76 · · Score: 1

      Really! Wow, I always thought it was 'server'... Thank God I didn't 'correct' too many people :)

    19. Re:PIN Number by Ansonmont · · Score: 1

      Don't forget using a book's ISBN number to find a title. Perhaps the grandparent of the current PIN name redundancy. Calling Mr. Safire?

    20. Re:PIN Number by Anonymous Coward · · Score: 0

      "Maybe people will quit calling them Personal Identification Number numbers."

      They don't -- people call them "PIN numbers" to distinguish them from "pins", which are physical objects used in sewing, machining, etc.

      ATM servicing companies probably don't really want people to take 'put your pin into the ATM machine' too literally

      And why call them PIN at all, when they're a password and not a username?

    21. Re:PIN Number by geekster · · Score: 1

      Ooooh, all this IT technology jargon is making me dizzy!

    22. Re:PIN Number by nitelifer · · Score: 1

      Ever replaced your NIC card?

      --
      -Why take life seriously?? You're not gonna get out alive anyway! - Red Skelton
    23. Re:PIN Number by Anonymous Coward · · Score: 0

      shaddap before i send you to the Emergency Room Room

    24. Re:PIN Number by Anonymous Coward · · Score: 0

      SCSI interface... hey, there's another one!

    25. Re:PIN Number by VMEbus · · Score: 1

      Or as someone mentioned the other day the Automated Teller Machine machine (the thing that dispenses ATMs).

    26. Re:PIN Number by igny · · Score: 1

      Maybe they will use a new abbreviation, PINN.

      --
      In theory there is no difference between theory and practice. In practice there is. - Yogi Berra
    27. Re:PIN Number by SpotBug · · Score: 1

      My local ATM machine has a CRT tube, not an LCD display.

      --
      cygnuhchur
    28. Re:PIN Number by Anonymous Coward · · Score: 1, Funny

      I suppose you could call it a PI number but then everybody would be trying to enter 3.14159... in the AT machine...

    29. Re:PIN Number by xtracto · · Score: 3, Funny

      Man... I really hate those TLA acronyms...

      --
      Ubuntu is an African word meaning 'I can't configure Debian'
    30. Re:PIN Number by Anonymous Coward · · Score: 0

      Well, the reason is that when one is talking about just a PIN, or an LCD, one often uses them as an adjective instead of a noun to avoid ambiguity.

      "Make sure to keep your PIN safe" could confuse a person, eliciting a response such as "why the hell do my thumbpins [or whatever other pins owned] need to be safe?" Whereas "make sure to keep your PIN number safe" is a whole lot more unambiguous.
      And there is the reason: disambiguation.

    31. Re:PIN Number by Anonymous Coward · · Score: 0

      And the Automated Teller Machine machine!

    32. Re:PIN Number by Anonymous Coward · · Score: 0

      You mean "Liquid Crystal Digit display" (a display with liquid crystal digits), and the guy complaining about "Domain Name Server servers" means "Domain Name Service servers" (servers that provide the domain name service). Many of these expressions sound less stupid if you know what the abbreviations actually mean. Making up incorrect expansions in order to sling mud, causes one to lose ground.

    33. Re:PIN Number by Fareq · · Score: 1

      or Network Interface Card card
      or Universal Product Code code

    34. Re:PIN Number by pclminion · · Score: 1

      Dammit, this stupid ATM machine won't take my PIN number! And the LCD display is all messed up. Somebody call in the SWAT team!

    35. Re:PIN Number by flux · · Score: 1

      ITYM 'Automatic ATM machines', 'Personal PIN number' and 'Liquid LCD display' (hmh, the last one has a bit more unnatural sound..), HTH.

    36. Re:PIN Number by schon · · Score: 1

      > the LCD display is all messed up.

      Maybe it's a problem with the RAM memory?

    37. Re:PIN Number by Elwood+P+Dowd · · Score: 1

      Special Weapons and Tactics is pretty well accepted now.

      --

      There are no trails. There are no trees out here.
    38. Re:PIN Number by Anonymous Coward · · Score: 0

      How about using our computers built on NT technology after hooking up our NIC cards?

    39. Re:PIN Number by Macdude · · Score: 1

      > Not to forget the popular Liquid Crystal Display display.

      Or up here in Canada, the popular Royal Canadian Mounted Police police.

      --
      "Grab them by the pussy" -- President of the United States of America
    40. Re:PIN Number by bitweever · · Score: 1

      Or the Compact Disc disc.

    41. Re:PIN Number by Anonymous Coward · · Score: 0

      And the Sahara Desert (Sahara == Desert)

    42. Re:PIN Number by maxwell+demon · · Score: 1

      Except that LCD really stands for Liquid Crystal Display.
      What exactly should a "Liquid Crystal Digit" be? That term doesn't make any sense to me.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    43. Re:PIN Number by Anonymous Coward · · Score: 0

      "TLA acronyms." Isn't that a bit redundant?

    44. Re:PIN Number by Mad+Merlin · · Score: 1

      ...and the ever popular AGP Port.

    45. Re:PIN Number by loimprevisto · · Score: 1

      ::sigh::

      Where's the +1 redundant when you need it?

      --
      Much Madness is divinest Sense --
      To a discerning Eye --
      Much Sense -- the starkest Madness
  5. Better recourse by Alex+P+Keaton+in+da · · Score: 4, Interesting

    Hopefully though, this discovery will further bring to light all the lax security that companies that control our personal information have. It would be nice to see data brokers and banks start to care about security a little more.
    And the fact that if your info gets out and someone exploits it, it is such a hassle to clear your good name/credit.
    That being said- locks only keep honest men out... In the military locks are known as "delaying devices"
    If someone wants your info, and are willing to break out the scanner and start graphics manipulation to get it, well, they are likely to get it. But wouldn't it just be easier to hit strangers about the head with a sock of nickels and take their cash?

    --
    And All I Ask is a Tall Ship And a Star to Steer Her By
    1. Re:Better recourse by Jeff+DeMaagd · · Score: 2

      > That being said- locks only keep honest men out... In the military locks are known as "delaying devices"

      I think the "delaying devices" is exactly the key to their usefulness though. Every bit of difficulty in circumventing a device is useful in making it less worth a criminal's time to bypass it.

      Sometimes I get the sense from the Slashdot crowd that something isn't worth doing because perfection is impossible, perfect security being a prime example. I would like to ask, does that mean we quit using security measures? Do the people that say that leave their cars, homes and possessions unlocked? It would seem that is the logical conclusion of such an argument. If a person truly believed the argument, then locking things is something a person doesn't do.

    2. Re:Better recourse by avalys · · Score: 4, Insightful

      > locks only keep honest men out

      An honest man keeps himself out.

      --
      This space intentionally left blank.
    3. Re:Better recourse by Alex+P+Keaton+in+da · · Score: 2, Insightful


      > Sometimes I get the sense from the Slashdot crowd that something isn't worth doing because perfection is impossible, perfect security being a prime example. I would like to ask, does that mean we quit using security measures?

      I believe you and I are on the same page. My point is that no security is perfect. Not that it means we shouldn't secure our possessions, but rather that if someone really wants something, and is willing to go to any means to get it, then they are likely to succeed...
      My point was that any security can be defeated, and if people are willing to break out the scanner and learn Photoshop, they are likely to get what they want through that or other means.
      We all need to decide for ourselves what we believe our personal level of security needs to be, whether it is a wide open door, or a deadbolt lock. What does worry me are people who have our info without our expressed permission (i.e. data brokers) and are lax with security...

      --
      And All I Ask is a Tall Ship And a Star to Steer Her By
    4. Re:Better recourse by cowbutt · · Score: 1

      > Sometimes I get the sense from the Slashdot crowd that something isn't worth doing because perfection is impossible, perfect security being a prime example.

      Some slashdotters may rail against anything other than perfect security, but I think a fair amount of Slashdot vitriol is directed at security measures that are disproportionate in impact or cost compared with the risks they are nominally intended to mitigate.

    5. Re:Better recourse by rknop · · Score: 3, Interesting

      > Hopefully though, this discovery will further bring to light all the lax security that companies that control our personal information have. It would be nice to see data brokers and banks start to care about security a little more.

      Heh. Hopefully.

      More likely, it will bring calls to limit these nefarious tools that can be used for criminal purposes. We already are paranoid about color printers running off images of dollar bills. Now we'd better make laws saying that any image processing program must contain checks against this sort of thing.

      I will not be surprised if that response is seriously proposed.

      Hell, under the DMCA, it may be illegal to download Gimp now. After all, it is a tool that has been demonstrated to break an effective security measure (the paper around a PIN number), although the PIN number may not be IP and thus may not be covered under the DMCA.

      But we also have the Grokster case as precedent to allow us to hold the Gimp developers responsible for this use of their tool.

      -Rob

    6. Re:Better recourse by MindStalker · · Score: 1

      Believe it or not there are plenty of honest but foolish people who will walk through a door that is not locked and assume this is ok. For instance I had an honest but strange Indian (from India) neighbor who would come over and simply walk in unannounced if the door wasn't locked. We assumed it was just a cultural thing, but strange nevertheless.

    7. Re:Better recourse by Anonymous Coward · · Score: 0

      > I had an honest but strange Indian (from India)

      No need to be so redundant. If you had meant the other kind you could have just said 'injun' or 'red man'

    8. Re:Better recourse by tehcrazybob · · Score: 1

      An honest man keeps himself out.

      Locks keep honest men honest.

      --
      Computers need to explode more often.
    9. Re:Better recourse by Have+Blue · · Score: 4, Insightful

      "Integrity means doing the right thing when no one is watching." -anonymous

    10. Re:Better recourse by ThePilgrim · · Score: 1

      And the fact that if your info gets out and someone exploits it, it is such a hassle to clear your good name/credit.

      But that's the point. It's a hassle to you. It doesn't affect the bottom line.

      Or if it does, it's not enough to get worked up about.

      --
      Wouldn't it be nice if schools got all the money they wanted and the army had to hold jumble sales for guns
    11. Re:Better recourse by ArsonSmith · · Score: 5, Insightful

      No, Locks keep lazy men honest.

      --
      Paying taxes to buy civilization is like paying a hooker to buy love.
    12. Re:Better recourse by 'nother+poster · · Score: 1

      Or the value of the item being protected. Spending $20 to protect something valued at $.20 and charging $21 is fairly stupid and annoying.

    13. Re:Better recourse by cdn2k1 · · Score: 5, Funny

      No, beer keeps honest men lazy.

    14. Re:Better recourse by Anonymous Coward · · Score: 1, Funny

      But wouldn't it just be easier to hit strangers about the head with a sock of nickels and take their cash?

      If I had a sock full of nickels, I wouldn't need to take cash from strangers by force.

    15. Re:Better recourse by NewStarRising · · Score: 1

      Applies to computers, too. I know plenty of hackers (white-hat for the main...) who not only assume, but argue ferociously on two points:
      1) If it is not locked, I am inherently invited in.

      2) A closed door is an insult, a locked door an outrage.

      They don't seem so zealous of me appearing in their bedroom at 3am.

      --
      b3 4phr41d 0f my 4bov3-4v3r4g3 c0mpu73r kn0wI3dg3!
      MadDwarf
    16. Re:Better recourse by vingt · · Score: 1

      If you had meant the other kind you could have just said 'injun' or 'red man'

      Unless you speak from within a West Indian (Caribbean) community in America - in which case you actually distinguish between West Indian, East Indian, and American Indian. Bearing in mind that a West Indian (nationality) can still be East Indian (by descent).

      Hmmm, I wonder if a Cherokee could marry an East Indian West Indian and create a simply Indian household?

    17. Re:Better recourse by Frank+T.+Lofaro+Jr. · · Score: 3, Funny

      Well in the military, "denial devices" are not something you'd ever want to encounter, so "delaying devices" is usually what you use. :)

      Hitting strangers with a sock of nickels isn't Slashdot worthy. Hitting them with a sock full of RFID identification tags is. :)

      --
      Just because it CAN be done, doesn't mean it should!
    18. Re:Better recourse by superyooser · · Score: 1

      "Character is doing the right thing when nobody's looking. There are too many people who think that the only thing that's right is to get by, and the only thing that's wrong is to get caught." - J.C. Watts

    19. Re:Better recourse by Anonymous Coward · · Score: 0

      Damn right!

      If I see a wallet in a locker and no people/camera is in sight, I'll steal it, take the cash and dump the wallet in the nearest zone where no people/camera is in sight.

      But I'm not gonna lift 1 finger to cut open a lock just to see what's inside...

      That's the honest truth.

    20. Re:Better recourse by Seumas · · Score: 1

      Nobody ever got rich off character and honesty.

    21. Re:Better recourse by slavemowgli · · Score: 1

      The core of the Grokster ruling was that the court thought that company's business model was, basically, built around copyright infringement. This alone makes it obvious that the ruling can't be applied to the GIMP - there is no company, ergo no business model at all, and even if there was, it's quite clear that the primary purpose of the GIMP is image editing.

      It's good to be wary, but you're either paranoid or sensationalist here (or maybe both).

      --
      quidquid latine dictum sit altum videtur.
    22. Re:Better recourse by WilliamSChips · · Score: 1

      Google seems to be doing pretty well with "Do no evil"

      --
      Please, for the good of Humanity, vote Obama.
    23. Re:Better recourse by bprime · · Score: 0

      That happened to me once! I was just standing there, right by the ATM machine, after entering in my PIN number, and BAM! I was KO'd by some spook with a sock full of RFID identification tags!

    24. Re:Better recourse by ArsonSmith · · Score: 1

      No beer makes me pissed!!

      --
      Paying taxes to buy civilization is like paying a hooker to buy love.
  6. Other ways by rf0 · · Score: 1

    They do say of course you need the card which is right but at the same time organised gangs will quite happily put card readers in ATM machines and pick the details and clone your card

    1. Re:Other ways by op12 · · Score: 0, Redundant

      Anyone else bothered when people say ATM Machine and PIN Number? It's just ATM and PIN. Otherwise, you're saying Automated Teller Machine Machine.

    2. Re:Other ways by Anonymous Coward · · Score: 0

      I think attaching card readers to cash machines is getting to be a risky business these days, far too many people are keeping an eye out for them.

  7. And hence.. by domipheus · · Score: 5, Insightful

    And hence the reason for sending the PIN separately from the card becomes clear.

    Nothing to see here... yet again.

    1. Re:And hence.. by NatasRevol · · Score: 1

      Nothing to see here... yet again.

      Maybe it's just me, but I think you're missing the point of TFA.

      --
      There are two types of people in the world: Those who crave closure
    2. Re:And hence.. by too_poland · · Score: 0

      ... or typing pin when requesting card on terminal in bank. Twice :>

    3. Re:And hence.. by stefanvt · · Score: 1

      In Belgium my bank (Fortis and probably all others) doesn't send out the pins anymore. They let you collect your card at the bank and let you put in a pin right there and then.

    4. Re:And hence.. by Fishstick · · Score: 1

      Yep -- Washington Mutual in the states has the same thing (recently switched over after being mistreated by Citibank for years).

      They activate your bank card by swiping it and then you enter your desired pin twice and then you are done. Nothing mailed, no waiting. Done.

      I've been pretty happy with my new bank (plus the woman who helped me is a hottie).

      --

      There is much cruelty in the universe, John.
      Yeah, we seem to have the tour map.

    5. Re:And hence.. by Council · · Score: 1

      Yeah, and you go to all that trouble to help people, and this happens:

      http://www.google.com/search?hl=en&lr=&q=%22my+pin+is+1000...9999%22&btnG=Search

      --
      xkcd.com - a webcomic of mathematics, love, and language.
  8. Mail security? by Splintax · · Score: 1, Funny

    I think one of the issues here is mail security.

    I mean come on, how expensive is it to get a damn lock on your mailbox? :-\

    1. Re:Mail security? by schtum · · Score: 1

      Yeah, I was just wondering how these "researchers" went about "collecting" PIN mailers for their experiment.

    2. Re:Mail security? by Anonymous Coward · · Score: 1, Informative

      I've lost a couple of credit cards in the post over the last twelve months - dodgy posties - it appears a common problem in the UK. Now I have my cards delivered to the local bank office and pick them up myself.

      I digress but I also lost £100 worth of xmas presents thanks to Royal Mail staff on xmas eve last year. Because I was at work, they thought it was a good idea to leave the parcels in my refuse bin at 8am. Guess what happens at 9am every Friday.....

    3. Re:Mail security? by Anonymous Coward · · Score: 0

      My sister had her identity stolen. Her mail was stolen repeatedly, and when she complained to her landlord, he explained that it was against the laws of the City of Boston to change the building's mailboxes, because it was a historic building. Now, he may have been full of sh*t, but the point is we can't always rely on security by old-fashioned physical means. The point of the article was that someone can read your PIN without opening the envelope, so you'd have no idea it had been read. Still, as a criminal enterprise, it's probably not worth it. As other posters have said, you're better off just pulling a knife and taking the cash as the victim leaves the ATM. Or just take the card, and don't worry about the PIN. Most ATM cards these days have credit card logos on them, so the PIN is only needed to get cash, not for purchases. I can't remember the last time my signature was checked for a credit card purchase.

    4. Re:Mail security? by renderhead · · Score: 1

      Amen! I have a lock on my mailbox, and not only does it stop unscrupulous people from stealing my mail, it also prevents the mailman from delivering any more bills. It's win-win!

      --
      I wish that my inferiority complex were as good as yours.

      -RenderHead

    5. Re:Mail security? by David+Horn · · Score: 1

      In the UK, your post is usually pushed through your door, rather than abandoned in a mailbox for the world to inspect.

      Most thefts occur in the Post Office.

      --
      PocketGamer.org - For the gamer on the go!
    6. Re:Mail security? by dieScheisse · · Score: 1

      how do they get their mail trucks so close to the front door to be able to do that?

      ooooooh, your post(wo)men must WALK! I don't think I've ever seen my postman get out of his truck.

    7. Re:Mail security? by Guppy06 · · Score: 1

      "Her mail was stolen repeatedly, and when she complained to her landlord, he explained that it was against the laws of the City of Boston to change the building's mailboxes, because it was a historic building. Now, he may have been full of sh*t"

      He was; mailboxes are technically federal property.

      Did she talk to law enforcement about the missing mail? It is rather suspicious that he'd look for excuses to avoid changing the mailboxes when he himself, not having anyplace else to go during the day, would be in the best position to find out when it is and is not safe to remove mail from a tenant's mailbox.

    8. Re:Mail security? by sjmurdoch · · Score: 1

      I am one of the researchers involved. Initially we used PIN mailers which we received for our own accounts. Later on, when the PIN mailer manufacturers were co-operating with us, they sent us test samples. However I think all but one image in the report (PDF 767kB) are from live accounts, but the PINs are obviously now changed.

      --
      Steven Murdoch.
      web: http://www.cl.cam.ac.uk/users/sjm217/
    9. Re:Mail security? by Zatar · · Score: 1

      I have a locking mailbox and it isn't all that it's cracked up to be.

      Unless you live at an apartment complex with a huge block of locking mailboxes that the mailperson has a master key for, they won't carry around a key to YOUR mailbox. Therefore they must have a way of depositing the mail into your mailbox without a key. There are a number of ways to accomplish this.

      The most effective is to have a slot they can stuff letters into that will then fall into a locked area that you have the key to. This requires a fairly large and unwieldy unit (won't fit onto the nice row with your neighbors mailboxes, if you have that) and means that they can't deliver any packages that don't fit through your letter slot.

      The other popular method is to have a mailbox door that will open once and then locks when you close it. This is what I have. One problem is if anyone (say, a thief) opens the door before the mailperson does, the mail cannot be delivered. They then typically just leave the mail on the ground or your porch, which isn't very secure. Sufficiently resourceful thieves could do this on purpose. This is also a problem if you forget to get yesterday's mail. Another problem with this method is that it requires the mailperson to close the mailbox door firmly to engage the lock. Frequently they are leaning out of their little trucks and just barely close the mailbox door leaving it unlocked. Someone could examine the mail inside and put it back and lock the door themselves, leaving you feeling secure even though your mail has been stolen/seen. A third problem is many of these locks rely on things like little hanging flanges that use gravity to latch the lock into place. If the mailbox can be moved (by, say, pulling the whole thing out of the ground), you can tilt it over and unlock the unit and put it back without the owner knowing anything is wrong.

      There are probably other locking techniques, but those are the two I've seen.

      If you are really concerned about the security of your mail, you really ought to get a post office box...

  9. Scratch-off lottery tickets? by Anonymous Coward · · Score: 2, Interesting

    If someone owned a convenience store, wouldn't it be possible to scan the un-scratched tickets looking for the "big winner" without having to pay for them all?

    1. Re:Scratch-off lottery tickets? by Paul+Neubauer · · Score: 4, Interesting

      Something similar happened at least once. It took two people. One at the store to pull the reel of tickets and one with access to some medical machine. They looked through the roll with the medical scanner, took out and bought the winning tickets and put the broken up roll back. They were caught when someone else at the store noticed that the roll had several odd breaks. And probably that someone was a little too lucky.

      --
      I don't subscribe to RMS's GNUtopian vision.
    2. Re:Scratch-off lottery tickets? by Anonymous Coward · · Score: 0

      There's part of a safety awareness program at work with cards that have questions and scratch-off areas for the answers and the point value of a card (build up enough points, get a gift certificate to stores or restaurants). A good bright LED flashlight will let you see which answer is right if there's any doubt.

    3. Re:Scratch-off lottery tickets? by gcatullus · · Score: 1

      Not in Massachusetts at least - it is the barcode on the back of the ticket that determines whether the ticket is a winner. The authorization machine at the store scans the ticket. If the machine scans more than two losing tickets in a 24 hour period it automatically shuts off until a lottery employee turns it back on.

    4. Re:Scratch-off lottery tickets? by meatbridge · · Score: 1

      they were scanning the part of the ticket covered in scratch off to see through it for winning numbers, not scanning for a winner with the barcode reader.

    5. Re:Scratch-off lottery tickets? by exp(pi*sqrt(163)) · · Score: 1
      They were caught when someone else at the store noticed that the roll had several odd breaks.
      Presumably most people who tried this scam were actually intelligent enough not to give themselves away like this and we only know about the people who come from the lower 1% percentile of stupidity.
      --
      Doesn't it make you feel good to know that our freedoms are protected by politicans, lawyers and journalists.
    6. Re:Scratch-off lottery tickets? by Anonymous Coward · · Score: 0
      In the UK, a shopkeeper was rubbing off the "Void if removed" panel and keeping the winning cards. The punters buying the cards took a while to notice the missing bit, since it didn't affect the gameplay.

      He was caught, but I don't know if the problem has been fixed.

    7. Re:Scratch-off lottery tickets? by gcatullus · · Score: 1

      The part of the ticket covered in scratch off material doesn't really tell you too much. You would have to scan the entire ticket and know exactly what you are looking for, e.g. ten horse shoe shapes or numbers that match other numbers in a set area or winning poker hands. Some hardcore lottery players only scratch a small area which has a three letter code. This three letter code is placed in a different spot on each "brand" of ticket, and will tell the player if they are a winner. It might be possible to view that, but for winners over $500.00 the code is a "losing" combination. The lottery also bills you for the tickets when 3/4 of the winners for that book have been cashed. Since the books return more to the state than they pay out - the store would be paying out more money immediately, until they sold the rest of the book. It would seem that this would be about as valuable as making counterfeit $1.00 bills.

    8. Re:Scratch-off lottery tickets? by glesga_kiss · · Score: 1

      I think you miss the point. They use the imaging technique to see under the foil scratch-off thing, without scratching it off. That pretty much tells you what you have won, that's the point! You never tried holding it up to a light, just to see if you could spot a winner?

    9. Re:Scratch-off lottery tickets? by gcatullus · · Score: 1

      Sorry for being obtuse, but what I am saying is that even if you "could" easily read right behind the entire scratch off foil, it would be a big waste of time to manually view each image. The return for your time wouldn't be worth it, because there is a low percentage of winners and they are more difficult to read than a simple PIN number. Automating the process with some sort of OCR would be a tough project because the tickets aren't regular. The tickets all have different layouts, and unless you had samples of the big winners you wouldn't know what to scan for. I am not saying that this couldn't be done, just saying that I can't see it being feasible.

    10. Re:Scratch-off lottery tickets? by dieScheisse · · Score: 1

      Assuming the scanning process actually works and is easy enough, say I have a roll of 'Match 3 and Win!' tickets. I scan each ticket, looking underneath the foil for 3 matches...say the 10th card I scan has 3 matches for a $500 prize. I tear that card out to keep as a winning card and join the split cards (in some near undetectable way). Wash, rinse repeat. I now have a collection of winning cards that I can cash in.

      Say it takes 5 hours to scan all the tickets and I manage to collect $3000 in winning tickets. I just made myself $600/hour for my efforts.

      What's not feasible about that?

    11. Re:Scratch-off lottery tickets? by SpotBug · · Score: 1

      They should have just marked the winning tickets in some subtle way and then purchased and redeemed them as they came off the roll in the normal process of selling them. Customers that bought more than one ticket at a time might end up with one of your winning tickets, but it's still better. Or, when a winning ticket was getting close to the end of the roll (like within 3 tickets of being bought), you could just go ahead and buy the losers too.

      --
      cygnuhchur
    12. Re:Scratch-off lottery tickets? by WillyMF1 · · Score: 1
      What's not feasible about that?

      It's not feasible until someone tells me what kind of scanner! :)

    13. Re:Scratch-off lottery tickets? by aneuryzm · · Score: 1

      Similar system in Kentucky as well, tickets can be identified as winners/losers by scanning the barcode on the back. Only here you can scan as many losers as you want, the only downside being you are randomly prompted to enter a serial number listed under the foil scratch-off. The machine shuts down if a number is not provided or an incorrect number is entered too many times consecutively.

    14. Re:Scratch-off lottery tickets? by rob_squared · · Score: 1

      What you do is note the numbers of maybe the highest 2, maybe 5 winners on that book. And during each shift watch for numbering on those tickets, when they get maybe 5-10 away, buy one beyond the winning ticket. If you miss one of the numbers in sequence, wait for the next one. No suspicion, lots of money. Not saying it's right, because it's not. Just noting that I'd bet it's happened before, only the dumb criminals get caught.

      --
      I don't get it.
    15. Re:Scratch-off lottery tickets? by plover · · Score: 1

      In Minnesota, the winning tickets are validated by a barcode scanner hooked up to the lottery commission's network. When the lottery first began, we had several stores where employees tried scanning the back of all the tickets, looking for the winners. They were caught almost immediately, and I believe they have implemented some technology now that locks them out if they try it.

      --
      John
  10. Securely store or shred by Winterblink · · Score: 4, Insightful

    Me, whenever I get one of these things I either shred the bejesus out of it or store it in a secure place. I NEVER trust the trash for things like this, or even receipts from places I use my credit card. Lots of them still print the whole number on the paper. :/

    --
    "I'm a leaf on the wind. Watch how I soar."
    -Hoban Washburn
    1. Re:Securely store or shred by simcop2387 · · Score: 1

      I never liked shredding, sure it deters the common thief but it's still a puzzle and like a puzzle it can be put back together, I usually turn them into paper mache (I don't know how to spell that) after shredding so that the fibers themselves aren't attached anymore. Makes for a VERY difficult puzzle if you ever wanted them back.

    2. Re:Securely store or shred by Winterblink · · Score: 1

      Some pizza places still give out those carbon swiper receipts... I usually dunk it in some water so the ink bleeds, then mash it up before tossing out.

      But if you get a good shredder (one of those diagonal cross cut ones for instance) it can be a total bitch to get the stuff back together.

      --
      "I'm a leaf on the wind. Watch how I soar."
      -Hoban Washburn
    3. Re:Securely store or shred by MartinG · · Score: 1

      I photocopy mine to 900% size and tape them up in all my windows.

      People say I am a looney, but I don't know. Who is to say anyone will even look at my windows anyway?

      --
      -- MartinG To mail me: echo kewyjlcxyzvjfxbqwh | tr bcefhjklqvwxyz .@adgimnoprstu
    4. Re:Securely store or shred by MindStalker · · Score: 1

      Yep I just got a CD shredder the other day for deleting our business backups. I wonder if it's possible to puzzle together the bits and reconstruct anything???

    5. Re:Securely store or shred by Anonymous Coward · · Score: 0

      Isn't printing the whole number now illegal under the Fair Credit Reporting Act? (As of, like, a few months back?)

    6. Re:Securely store or shred by Armadni+General · · Score: 0

      Nah, when you shred a CD, you not only separate it, but much of the metallic data-storage surface falls off. Also, right around the cut lines, it starts to peel. Any disc that goes through one of them is pretty much done for.

    7. Re:Securely store or shred by hackstraw · · Score: 1

      Lots of them still print the whole number on the paper. :/

      And the carbons and whatnot are carefully filed in the trash together.

      Going through your trash, I might get something interesting.

      Going through a restaurant's or other store's trash, odds are I'll get many interesting things.

    8. Re:Securely store or shred by Penguin+Programmer · · Score: 1

      I just put them in my fireplace pile and a few times a year we actually have a fire and it all goes up in smoke.

      Just as effective as a shredder, with nearly twice as much chance of getting you laid!

    9. Re:Securely store or shred by SomeGuyFromCA · · Score: 1

      the message is clear. burn it.

      [sig reply] i've never heard of anyone conducting a stickup with siege weaponry before! [/sig reply]

      --
      if the answer isn't violence, neither is your silence / freedom of expression doesn't make it alright
    10. Re:Securely store or shred by eison · · Score: 1

      Who still prints the whole number?

      In America, or abroad?

      --
      is competition good, or is duplication of effort bad?
    11. Re:Securely store or shred by DRobson · · Score: 1
      I've heard that you can still recover items burnt to a large degree (think big military groups doing this). Best method is to burn it, then add it and water to a mortar and pestle.

      The other alternative my crypto lecturer suggests is to shred then eat everything...

    12. Re:Securely store or shred by Anonymous Coward · · Score: 0

      Well, I can vouch for America, but I'm willing to bet it happens everywhere due to stores that are too small to have upgraded any sort of technology recently. I get my full number printed out on the receipts from the local comic book shop.

    13. Re:Securely store or shred by glesga_kiss · · Score: 1
      I never liked shredding, sure it deters the common thief but it's still a puzzle and like a puzzle it can be put back together

      Paper mache is completely unnecessary. If someone was out to get you to the point they are reconstructing your shreddings, it would be much easier for them to pick your home lock and get the details off a statement while you are at work. Burning etc. is overkill, just shred them in with a whole pile of other shreddings, e.g. use the office shredder.

    14. Re:Securely store or shred by fdiskne1 · · Score: 1

      I just take care to totally mix up my shreddings and only empty it 1/4 to 1/2 at a time. I figure it's unlikely an entire document will end up in the same haul of garbage and the dumpster diver is unlikely to get the info they want. Anyone putting THAT much effort into getting my personal stuff is obviously out to get ME and not just a random attack. In that case, I've got bigger things to worry about than the crook finding out my credit card number.

      --
      But why is the rum gone?
    15. Re:Securely store or shred by Ed_Pinkley · · Score: 1

      Before I got a shredder I did the same except I rolled the mashed up receipt into a dirty disposable diaper and tossed that out. :)

      You can also shred a document into multiple containers and throw each one away on a different day or even in a different location.

      --
      "Long time listener, first time caller."
    16. Re:Securely store or shred by sjmurdoch · · Score: 1

      I am one of the authors of the report (PDF 767kB) which the BBC article is about. It deals with tamper-evident PIN mailers, which try to stop people who intercept PINs in the mail from reading the PIN without the legitimate recipient knowing.

      Shredding or otherwise destroying the PIN mailer after you receive it is a good idea, but this attack is about what happens before you receive it. If you don't destroy the mailer before throwing it out, you don't need to use any tricks like scanning since, once tampered, it is easy to read. You only need to use these if you want to read someone's PIN then put it back in the mail, without disturbing the tamper detection.

      --
      Steven Murdoch.
      web: http://www.cl.cam.ac.uk/users/sjm217/
    17. Re:Securely store or shred by Winterblink · · Score: 1

      hahahaha, I never thought of disposing of it as toxic waste like that. :) That's a great idea.

      --
      "I'm a leaf on the wind. Watch how I soar."
      -Hoban Washburn
    18. Re:Securely store or shred by MrP-(at+work) · · Score: 1

      It should still be possible to read some data though, I mean if an important password is stored in just ~50 bytes of the CD, it may still be accessible if someone really wanted to try. I say microwave the CD first, then shred. That's secure, and FUN!

      --
      [an error occurred while processing this directive]
    19. Re:Securely store or shred by vinn01 · · Score: 1

      Certain three letter US government departments could reconstruct the shredded bits enough to read useful information.

      Because other governments can do the same thing, they all incinerate what they shred.

      vb

    20. Re:Securely store or shred by MindStalker · · Score: 1

      Well it's government data to begin with, it's really surprising that government agencies don't secure people's confidential info very well. Us shredding backups is something we do on our own, not something that's really checked into from the upper level.

  11. two sheets of mylar by Speare · · Score: 4, Interesting
    I've always wondered why they didn't just slip some mylar film into those mailers. Mylar was designed in wartime as radar chaff, but is more likely seen today as the bag around your snack or a helium balloon.

    The existing patterned ink method was adopted because of cost, but really, tacking some mylar onto the form would be cheaper than tacking those thick plastic fake credit cards into those credit offers they flood you with. Yeah, I know: marketing budget can afford fake credit cards but the operations budget can't afford mylar for security.

    --
    [ .sig file not found ]
    1. Re:two sheets of mylar by Mignon · · Score: 4, Funny
      Mylar was designed in wartime as radar chaff

      How well does it work at blocking CIA mind-control rays? I'm worried that my tinfoil hat isn't up to the task against their post-9/11 spy satellite upgrades.

    2. Re:two sheets of mylar by maxwell+demon · · Score: 2, Funny

      Don't worry. The fact that you still worry shows that mind control still doesn't work. It's when you stop worrying, then you should worry.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    3. Re:two sheets of mylar by Pig+Hogger · · Score: 4, Informative
      I've always wondered why they didn't just slip some mylar film into those mailers. Mylar was designed in wartime as radar chaff, but is more likely seen today as the bag around your snack or a helium balloon.
      If you look carefully, metallized mylar is not opaque (mylar itself is quite transparent), just like any sufficiently metal film.
    4. Re:two sheets of mylar by Anonymous Coward · · Score: 0

      Don't worry. The fact that you still worry shows that mind control still doesn't work. It's when you stop worrying, then you should worry.

      But what if THEY are making you worry about the wrong things to distract you from discovering the awful truth?!? :-)

      (I'm not sure what's so awful about truth, but the guys in tinfoil hats seem to universally agree it's really bad....It's probably 'cause of a conspiracy of some sort..)

    5. Re:two sheets of mylar by KillerBob · · Score: 1

      Whatever happened to security envelopes? I mean, they shouldn't be the only thing protecting such information, but you shouldn't overlook the usefulness of opaque windowless envelopes.... Use 28lb paper with a 100% coverage of toner (not ink) or some other material that's black and opaque, and you can't read the contents of the envelope without opening it.

      When dealing with that kind of information, I'd be happy to spend an extra $0.05 on the mailer....

      --
      If you believe everything you read, you'd better not read. - Japanese proverb
    6. Re:two sheets of mylar by Anonymous Coward · · Score: 0
      How well does it work at blocking CIA mind-control rays? I'm worried that my tinfoil hat isn't up to the task against their post-9/11 spy satellite upgrades.

      It doesn't matter to me. Btw...you need to find or dream up better porn. That 'Cowboy Neil' fellow has you beat hands down.

      John Jones

      CIA, Special Agent, Paranoia Division

    7. Re:two sheets of mylar by Frank+T.+Lofaro+Jr. · · Score: 1

      Google knows the truth!

      --
      Just because it CAN be done, doesn't mean it should!
    8. Re:two sheets of mylar by sjmurdoch · · Score: 1

      I am one of the authors of the report (PDF 767kB) which the BBC article is about. The report is not about looking through the envelope to read the PIN, but to read the PIN off paper which is designed to be tamper evident.

      The envelopes that PINs in the UK are sent in are deliberately indistinguishable from ordinary bank letters. This is to help prevent criminals from being able to easily pick them out from the rest of the mail. Being able to read through these is not very helpful, since they are easy to obtain and so you just open the letter and replace it with another.

      I think you are talking about the type of mailer which came in a special envelope, either pressure-sealed or printed using carbon-paper. These are quite rare in the UK and have been replaced by laser-printed PIN mailers, which are the subject of our report.

      With these, the PIN is printed on specially designed paper which should hide the PIN until a tab is removed or a coating scratched off. Doing this leaves evidence, so you cannot simply put this back into the mail in a new envelope. What our report showed is that it is possible to read the PIN in some cases, without tampering with it.

      --
      Steven Murdoch.
      web: http://www.cl.cam.ac.uk/users/sjm217/
    9. Re:two sheets of mylar by Anonymous Coward · · Score: 0

      Are you just trying to whore today?

      I've read 2 separate, but somewhat identical posts from you so far.

    10. Re:two sheets of mylar by Anonymous Coward · · Score: 0

      Mylar the polymer is transparent, yes. But once it has been metallized it is opaque. What do you mean a sufficiently thin metal film is not opaque? Any metal film greater than about 5nm will have almost zero transparency. I think the parent was talking about the metallized film.

    11. Re:two sheets of mylar by MiKM · · Score: 1

      But what if the mind-control satellites are designed to make you worry to give you a false sense of security?

  12. Next you'll tell us... by Gopal.V · · Score: 4, Insightful

    To carry your ATM card in a tin-foil Faraday cage because it can be read by a device hidden in your office elevator?

    PIN codes are just there to protect a person's card from random pickpocketing. Also this "exploit" needs access to the mail containing the PIN, before the user reads it and changes it. It is very unlikely that somebody will be able to do this easily - the obvious suspects being your kid brother who signed for your credit card when it came to your home and your shopping-crazy sister. It needs very clear physical access on a day-to-day basis.

    This belongs in the same category as mothers steaming open letters - maybe you should read Saki's "Shock Tactics" about how to handle that scenario.

    1. Re:Next you'll tell us... by Anonymous Coward · · Score: 0

      Not tinfoil, you'll have to use Mu-metal, since you want to shield it from magnetic fields.

  13. Overhyped title by Iriel · · Score: 5, Insightful

    The key point of this article (before the industry response) is not about some great new way to use photo editing software to steal someone's PIN number. The majority of it discusses the dangers of using new methods of mailing PIN and passwords that can be read by the HUMAN EYE, sometimes with no more technology than the ability to tilt the paper and shine a bright light.

    The problem is not with the gimp or photoshop, but poor printing techniques that could put your 'secure' password information at risk with the simplest of methods. It still deserves a mention in YRO because I've even had a few letters mailed to me with PIN information like this. The letter had already been partially broken on one side due to handling, and I could see the PIN in the sunlight through the thin sheet even though that thin sheet is meant to let you know if someone has tampered with your information.

    --
    Perfecting Discordia
    www.stevenvansickle.com
    1. Re:Overhyped title by FuckTheModerators · · Score: 1

      PIN number?
      Don't you mean PIN number number number number number (repeating ad infinitum)?
      To use at the ATM machine? Outside the CIA agency? Funny to see this in YRO online.

    2. Re:Overhyped title by LiquidCoooled · · Score: 1

      The letter had already been partially broken on one side due to handling, and I could see the PIN in the sunlight through the thin sheet even though that thin sheet is meant to let you know if someone has tampered with your information.

      Dude, that wasn't a problem with handling, the piece of paper really is telling you it has been tampered with, and from your description it's happened more than once.
      Inform the bank, and consider suing your post office for negligence at the very least.

      Tamper evident packaging is effective in telling you something has been tampered with, you wouldn't drink from a new bottle with a pre-opened lid would you?

      --
      liqbase :: faster than paper
    3. Re:Overhyped title by Iriel · · Score: 1

      Actually, all the mail was slightly torn on that edge for our house as well as several of our neighbors and we all called the PO with a nicer version of the typical WTF complaint. But thanks for the mention, it was over 6 years ago and that account has been closed for 3 anyways.

      Thanks though ^_^

      PS, yes the PO actually fired the problematic delivery person who had placed the last straw on the camel's back that day.

      --
      Perfecting Discordia
      www.stevenvansickle.com
    4. Re:Overhyped title by Iriel · · Score: 1

      Yes, I accidentally said PIN number once, and used PIN in the correct syntax twice afterwards in the same post. The reason that it was put in 'YRO online' (Your Rights Online online? sounds kind of hypocritical.) is because that has become (whether rightfully or not) the de facto category for all news about not only your rights, but your information and who may be getting to it. It has (evolved|twisted) into a category to cover personal security alerts and things of that nature.

      --
      Perfecting Discordia
      www.stevenvansickle.com
    5. Re:Overhyped title by FuckTheModerators · · Score: 1

      Just ribbing a little for PIN number. Hence CIA agency, YRO online, ATM machine. Same thing. Sarcasm.

      I understand the reasoning for its placement. YRO was just a handy 3-letter acronym I could make redundant.

    6. Re:Overhyped title by Iriel · · Score: 1

      I wasn't sure if you were being sarcastic or not. I've seen people actually flame someone else for errors in spelling, and totally blow it on their own 'correction' post. In either case, this is why I try to use smileys or tags like Text does a shit job of conveying speech. ^_^

      --
      Perfecting Discordia
      www.stevenvansickle.com
  14. What the hell is GIMP? by bigtrouble77 · · Score: 0, Flamebait

    Is anyone as shocked as I am that the original article actually mentioned GIMP? It's a great program and all, but not exactly a household name like photoshop. And it doesn't really bring up the most flattering visual images (pulp fiction comes to mind)... -BT

    1. Re:What the hell is GIMP? by Comboman · · Score: 1

      Technology Reporting Rule #37: Only mention Open Source Software in a story if it has a negative connotation. Technology Reporting Rule #38: Throw in the names of some commercial software as well so it doesn't seem biased.

      --
      Support Right To Repair Legislation.
    2. Re:What the hell is GIMP? by Fnord666 · · Score: 1

      I believe Rule #38 also specifically states that the OSS must be mentioned first in the software list for proper emphasis and implicit indictment.

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
  15. Kind of silly by kevin_conaway · · Score: 2, Insightful

    I don't understand the practical applications of this attack outside the realm of academia.

    So they can steal your mail? If they've stolen it, why not just open it and read the pin?

    If someone is targeting you to steal your money, they would have to steal the pin number and then check back every day to see if the card came. Doesn't seem very practical to me.

    1. Re:Kind of silly by SimilarityEngine · · Score: 2, Interesting

      Perhaps they could intercept your mail, obtain your PIN, place the letter back in your mailbox (so you have no reason to be on your guard or change your PIN), follow you carefully into town, steal your wallet (maybe without you knowing, but a simple mugging would do) ...

      Far fetched? Depends on whether this little security hole becomes well known in the wrong circles. Also, where I work the same kind of system is used to protect wage-slips - which have employee payroll numbers, bank details, social security numbers etc. on, so there is potentially a broader problem here. Think I might have a word with my manager....

      --
      Those who can make you believe absurdities can make you commit atrocities. - Voltaire
    2. Re:Kind of silly by Pig+Hogger · · Score: 1
      So they can steal your mail? If they've stolen it, why not just open it and read the pin?
      Because until the PIN is delivered to the recipient, the card cannot be activated...
    3. Re:Kind of silly by sjmurdoch · · Score: 1

      If there is no reason to worry about this exploit then why do banks spend so much money buying tamper-evident mailers in the first place?

      There are a number of defenses against mail interception and one of these is for the customer to notify the bank if they don't receive the PIN or the PIN has been tampered with. If this happens the card will be canceled. If a criminal can read the PIN then send it on to the legitimate recipient then the card will not be canceled until a lot later, after which time more fraud can be committed and evidence of the fraud has been lost.

      Also, if the criminal has access to your mail sorting office then intercepting both the card and PIN will be trivial. Mail non-receipt fraud cost £37.1 million in the UK in 2002, out of a total of £424.6 million, so this is a serious problem. My understanding is that most of the letters are intercepted in the sorting office rather than the customer's house.

      --
      Steven Murdoch.
      web: http://www.cl.cam.ac.uk/users/sjm217/
    4. Re:Kind of silly by Anonymous Coward · · Score: 0

      It isn't necessary to imagine all that. Some people could have a spouse that is about to leave them or an unruly teenager or a shady roommate or many other scenarios that don't require cloak and dagger to get their wallet.

  16. UK Banks by Detritus · · Score: 2, Interesting
    Aren't these the same banks that had a police officer prosecuted for attempted fraud because he inquired about some suspicious transactions in his bank account? The premise being that bank systems are secure and perfect, therefore the customer must be at fault.

    I can see them taking the same attitude towards PINs. Any abuse must be the customer's fault, since no one else could have known the PIN.

    --
    Mea navis aericumbens anguillis abundat
    1. Re:UK Banks by Detritus · · Score: 1

      I looked it up. It was Police Constable John Munden, Cambridgeshire, and the Halifax Building Society. He was prosecuted, convicted, and had the conviction overturned on appeal. See Risks Digest Volume 18: Issue 25.

      --
      Mea navis aericumbens anguillis abundat
  17. Nothing new, really. by Pig+Hogger · · Score: 3, Interesting
    Some 20 years ago, around Montréal, a lottery-scamming ring was uncovered, who operated with "pouch-type" lottery tickets (a ticket enclosed in a transparency-obfuscating envelope). They had a network of operatives who worked at convenience stores, and swapped unknown tickets with "known ungood" tickets.

    They were able to see through the envelope obfuscation using a slide projector as a bright light (and undoubtedly a fair number of aspirins).

  18. A better way.... by yoey · · Score: 2, Insightful

    An even better way of reading the PIN is to open up the envelope and look inside. One doesn't even need a computer for that.

    1. Re:A better way.... by I+confirm+I'm+not+a · · Score: 1

      An even better way of reading the PIN is to open up the envelope and look inside. One doesn't even need a computer for that.

      Except, as soon as you've broken the seal you've effectively announced to the intended victim: "Beware! Your PIN has been compromised!"

      --
      This is where the serious fun begins.
  19. Re:Bah. by Ford+Prefect · · Score: 1

    I presume the 'redundant' moderation was because you actually typed 'PIN numbers'.

    Redundancy, geddit? Geddit? ;-)

    ...

    I'm truly sorry...

    --
    Tedious Bloggy Stuff - hooray?
  20. Solution: by woods · · Score: 1

    Tiny tinfoil hats for the pin numbers.

  21. Some journalists have no life by Anonymous Coward · · Score: 0

    this is a NONE story. Really.

  22. The usual /. Spin by Xentor · · Score: 2, Funny

    Yes, that's right... Big, powerful headline... Why not just say something like:

    "All your pin are belong to GIMP!"

    This has nothing to do with the graphics programs and everything to do with bad-quality printing methods.

    --
    "The amount of intelligence on this planet is a constant. The population is growing." -Cole's Axiom
    1. Re:The usual /. Spin by EnderWiggin99 · · Score: 1

      Perhaps the big news here is that GIMP was mentioned in a BBC article?

      Once again, /. picks up the sense of urgency and isn't quite sure what to do with it, demean the topic, point out that it's true, throw out an anecdote about a friend, kick in some witty comment, etc. etc. :)

      When will we collectively admit that we're not reading the comments for the topically-relevant information , just here to read, demean, and write crummy posts in forced-genuine NON-nerd fashion? And complain in-thread about just how bad the signal-noise ratio has gotten lately.

      Something about a question and an answer cancelling each other out I'm sure...we all enjoy being here despite what we might try to make each other believe.

      So yeah, great story, ra ra ra, slashdot sucks, Taco's actually a robot, 3: ??, etc. etc.

      =)

  23. My 100% effective solution by Anonymous Coward · · Score: 2, Funny

    Wrap the PIN mailings inside bank notes. All these programs should have banknote scanning prevention as Uncle Sam mandates, so covering the mailings inside of bank notes should solve the PIN theft problem. If this causes the currency theft problem to rise, we can simply wrap the currency inside gold leaf.

  24. secured mailboxes by Anonymous Coward · · Score: 0

    Assuming the people at the post office follow the rules, those who have mail boxes with locks don't have this problem. In sub-divisions, it's common to have a central mailbox, which the mail carrier has a key to. Each person has a key to their own box. Yeah, I'm real worried about this stupid attack.

  25. Re:Bah. by Poromenos1 · · Score: 2, Funny

    Haha, probably. But then the mods were also redundant by modding it as redundant twice :p

    --
    Send email from the afterlife! Write your e-will at Dead Man's Switch.
  26. Simpsons did it by BlackCobra43 · · Score: 1

    Remember Homer's hilarious dilemma when choosing between a winning $500 lottery ticket, which he saw using this very method, and a Yodel bar.

    H - Man, that Yodel was so good..I wish I was eating it right now..

    --
    I never spellcheck and I freely admit it. Save your karma for more worthwhile "lol erorrs" replies
  27. This wouldn't even be an issue.... by Rinzai · · Score: 0, Offtopic
    This wouldn't even be an issue if we had Open Source PINs.

    If they weren't secret, then it wouldn't matter how they were delivered. They could even be delivered on a large banner pulled by a 1950's-era tail-dragger Piper aircraft.

    I mean, seriously, they're called (P)ersonal Identification Numbers, not (S)ecret Identification Numbers.

    I'm going over to SourceForge right now to start the project. Anyone coming with me? (If someone else drives, I call shotgun!)

    1. Re:This wouldn't even be an issue.... by hcdejong · · Score: 1

      If they were public they'd be useless for authentication, genius.

    2. Re:This wouldn't even be an issue.... by Rinzai · · Score: 1
      Where would I be without your stunning insight?

      I'd be exactly where I am now--a comedic genius who wrote a joke reply based on the Open Source movement, clearly intended as a satiric/ironic aside on the article in question.

      Looks like all of those rumors about Continental Europe going through a humor drought are true. Quick, someone call the Red Cross and get some humor shipped to Europe right now! Mobilize the U.N.! Get some hot water, clean towels, and iodine and...no, wait, that's the thing when someone is giving birth. Never mind that last thing.

  28. My rights *where*? by Anonymous Coward · · Score: 0

    So what exactly does this article about snail mail have to do with my rights online, anyway?

  29. Just Great! by miTTio · · Score: 1, Funny

    "Poor print exposing Pin numbers"

    If someone has my Personal Identification Number Number, they may use it in an Automatic Teller Machine Machine.

    1. Re:Just Great! by I+confirm+I'm+not+a · · Score: 1

      If someone has my Personal Identification Number Number, they may use it in an Automatic Teller Machine Machine.

      This being a UK story, would they use the ATM Machine at the Trustee Savings Bank Bank?!

      (The TSB was renamed to "TSB Bank" back in the 1980s, as a precursor to something or other boring and pointless)

      --
      This is where the serious fun begins.
    2. Re:Just Great! by Anonymous Coward · · Score: 0

      Lloyds Bank now own TSB so it's actually Lloyds TSB now (http://www.lloydstsb.com/)

    3. Re:Just Great! by Anonymous Coward · · Score: 0

      This should get modded `+5 Redundant'

    4. Re:Just Great! by I+confirm+I'm+not+a · · Score: 1

      Lloyds Bank now own TSB so it's actually Lloyds TSB now

      Dammit, you're right. And Lloyds Trustee Savings Bank Bank had far more comedy potential... dammit!

      Incidentally, I believe it was TSB wanting to shake off its Trustee status and become a fully fledged bank - that could merge/be taken over by other banks - that prompted the original change from TSB to TSB Bank?

      --
      This is where the serious fun begins.
    5. Re:Just Great! by rjw57 · · Score: 1

      This being a UK story, would they use the ATM Machine at the Trustee Savings Bank Bank?

      I doubt it. They'd probably just use the cashpoint instead.

      --
      Rich
  30. Criminal by PhYrE2k2 · · Score: 4, Insightful
    Opening or intercepting mail (at least in the US and Canada) not addressed to you is a criminal offense. So we're already talking criminals who have to commit an offense here in order to do so. At that point, why not open it? You're already stealing mail, you're about to steal a PIN number and hence some money from a bank where you'll be on video camera, why not just open the damn message- the person won't know for a few days that it's not arrived yet.

    When did a criminal get this sudden hit of "oh my- what am I doing- I can't _OPEN_ this letter! I'll just scan it and see what i can find". This is someone who already intercepted mail and is about to commit fraud. Just open the envelope and call it a day.

    FYI: From the Canada Post Corporation Act
    Every person commits an offence who, except where expressly authorized by or under this Act, the Customs Act or the Proceeds of Crime (Money Laundering) and Terrorist Financing Act, knowingly opens, keeps, secretes, delays or detains, or permits to be opened, kept, secreted, delayed or detained, any mail bag or mail or any receptacle or device authorized by the Corporation for the posting of mail.

    Every person commits an offence who unlawfully and knowingly abandons, misdirects, obstructs, delays or detains the progress of any mail or mail conveyance.
    --
    when you see the word 'Linux', drink!
    1. Re:Criminal by MrRogers2 · · Score: 1

      *When did a criminal get this sudden hit of "oh my- what am I doing- I can't _OPEN_ this letter! I'll just scan it and see what i can find". This is someone who already intercepted mail and is about to commit fraud. Just open the envelope and call it a day.* They scan the mail, get the PIN, then *return* it to the mail box and no one is the wiser. They've got your pin and the CC company never calls to ask why you've not activated the card.

      --
      MrRogers(2)
    2. Re:Criminal by PhYrE2k2 · · Score: 1

      Since when do credit cards need PIN numbers? Credit Cards to activate make you confirm key details like birthdate, phone number, and credit limit. The PINs are in the bank cards.

      So as opposed to getting a credit card number (using your example), buying something, and ridding yourself of the card, you're going to hang on to the number and make purchases over the course of time and hope nobody notices stores they don't normally shop at on the list?

      In general it sounds like we're talking about really dumb criminals who know how to use photoshop.

      -M

      --
      when you see the word 'Linux', drink!
    3. Re:Criminal by Anonymous Coward · · Score: 0

      Credit Cards don't have PINs? That's news to me here in the UK (& rest of Europe), where all of my cards, Credit & Debit, are Chip & PIN.

      Why wouldn't a Credit Card need a PIN? You don't still do that old fashioned "Sign the slip at the sales counter" crap, do you?

    4. Re:Criminal by jonbryce · · Score: 1

      Since Chip & Pin was introduced. The French have had it for about 10 years now, the British for about a year.

      When you buy something in a shop, you put the card in a machine, enter the PIN number, and if the machine says the number is right, it takes your money and you take your goods.

    5. Re:Criminal by IngramJames · · Score: 1

      Since Chip & Pin was introduced

      And, IMHO, it's less secure than a signature. Most shops have got these little PIN entry devices that allow anyone standing anywhere behind you to get a really good look at what your number is. Muggers now don't have to even be able to write; just to remember 4 numbers and leave the store.

      If they could get the PIN entry secure, it would be a good system..

      --
      'No rational religion claims "supernatural" exists, that's an atheist slander.' - seen on slashdot.
    6. Re:Criminal by apparently · · Score: 1

      It's a man-in-the-middle attack, silly. Criminal steals mail, retrieves the valuable information, and forwards the untampered letter to the original recipient. If the criminal opens the mail, the recipient knows something is wrong, and the card gets cancelled.

    7. Re:Criminal by PhYrE2k2 · · Score: 1

      Around here they're only starting to bring them in, and it's mostly in localized trial areas. Credit cards still have no authentication beyond a signature and reconciliation when you get your statement.

      DEBIT cards (pulling money straight from your bank account) have a PIN. It sounds like that's what you're talking about.

      --
      when you see the word 'Linux', drink!
    8. Re:Criminal by PhYrE2k2 · · Score: 1

      I know people who couldn't reproduce their signature if they tried 100 times, no two would look alike. With the right tools, a signature could be used to find style/patterns- fine.

      I'll have you know, I sign at least 50% of my Visa slips 'Daffy Duck' 'Bugs Bunny' 'root' 'whoami' and so on. The first two being the most amusing. Nobody checks it. The 15 year old operating the cash at the movie theatre throws it right into a drawer. The 17 year old at the clothing stores I shop at do the same. Nobody looks at it. At restaurants, you leave it on the table and walk away. Sometimes my friends will sign their own name on my slips when I run to go get something. So what if my credit card slip says 'Tracey' :)

      The only time that will get checked is if I charge something back, and they ask the merchant for a copy of the Visa slip. Nobody stares at the signature- they look that there _IS_ a signature there.

      Most of this is MERCHANTS not protecting themselves by checking the back of the card, but that's not my problem.

      -M

      --
      when you see the word 'Linux', drink!
    9. Re:Criminal by AvitarX · · Score: 1

      Yeah, because window envelopes and printers to print on them are so hard to find.

      I mean to go to the store and buy a security window envelope would be impossible.

      More importantly I think the PIN is stored encrypted on the card, so you would need to swipe the card to get a working debit card anyway.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    10. Re:Criminal by dk.r*nger · · Score: 5, Insightful

      At that point, why not open it?

      Because you want the victim to actually receive the letter, activate the card and not be suspicious. Otherwise you'll just have the PIN of an inactive credit card, which is worth squat/zip/nada.

      Mailing the PIN and relying on it arriving unread is an important part of the chain of trust on credit cards.

    11. Re:Criminal by Anonymous Coward · · Score: 0

      Well, you can use your other hand to hide which numbers you are pressing.

      A mugger doesn't even need to see you sign your name to forge your signature as they can already see what it looks like, at least with chip and PIN they need a good view when you are typing your PIN in. So IMO even though it may not be very secure it is still more secure than a signature.

    12. Re:Criminal by glesga_kiss · · Score: 1
      Criminal steals mail, retrieves the valuable information, and forwards the untampered letter to the original recipient.

      Exactly. (Emphasis mine). Of course, you have someone mentioning getting windowed envelopes to repost it...what, is that guy like 12 years old or something? PIN numbers don't come in standard envelopes; they are more like wage slips in that they have to be torn open and that there is no way you are putting them back together.

      If a PIN number arrives at mine and it looks as though it's been tampered with, the bank gets a phonecall and the card/pin are rendered useless. This task is all about attacking without being caught. Sure, you can blow up the safe, but it's not very covert!

    13. Re:Criminal by Anonymous Coward · · Score: 0

      The difference is that if I scan your envelope and then send it on to you, I now have your PIN and you don't know it.

      If I tamper with the envelope, it's now blatantly obvious what's happened.

    14. Re:Criminal by PatHMV · · Score: 1

      The difference is that, when the mail is stolen and opened, the mail recipient will probably sooner rather than later discover the security breach, because they are expecting its arrival, and until it gets there they can't get money out of the ATM. So when it doesn't come in a few days, they call the bank who says they sent it, whoops, must have been stolen, cancel the card, issue a new one. If, on the other hand, the criminal scans the unopened mail and puts it back in the mail process, then the recipient gets everything, it looks good, and he goes out and starts using the card. Now the thief can quietly go along, occasionally checking the balance, then draining the account on payday, before anybody knows the card data has been stolen. Also, the data could be stolen by a post office employee who sneaks in a hand scanner. If that same employee were to physically steal and open mail, they'd be caught pretty quick when two dozen people downstream of that employee all complain that their mail was missing. But if the same employee doesn't steal the mail but just scans it, it will take much longer to discover them.

    15. Re:Criminal by IngramJames · · Score: 1

      With the right tools

      Granted. But here in the UK right now, the "right tools" for CC fraud are eyes and a place in the queue (or "line" as it is known West Of Here).

      Not checking sigs is to the advantage of the customer; a disputed payment can have its signature checked and a refund is then automatic. There's no talent required in typing in "6666", or whatever the PIN is.

      That's my point. Signature fraud: some skill required in most circumstances (in London most people used to check)

      PIN fraud: no skill required, and no way to dispute payments - your ID was perfect.

      --
      'No rational religion claims "supernatural" exists, that's an atheist slander.' - seen on slashdot.
    16. Re:Criminal by Guppy06 · · Score: 1

      "They scan the mail, get the PIN, then *return* it to the mail box and no one is the wiser. "

      That's far more difficult than removing it. For the most part, when mail is stolen it's not directly from the mailbox so much as from the delivery person (there's no guarantee you'll find a PIN number in any one person's mail in the course of a day, a week, or even a month, but a truck full of mail is bound to have something, especially on the day Social Security checks are sent out).

      And then assuming they use this method to inspect all this mail to find the useful things without opening it, the problem becomes making sure this mail gets to its intended destination in order to avoid the suspicion of the recipient. But the Postal Service knows damned well that a lot of mail was stolen. You cannot simply drop it off at a mailbox and expect it to get delivered the rest of the way: stamped mail can't already be cancelled and metered mail must have today's date. You can't hold a mailperson at gunpoint and give them mail to deliver, since you'll just piss off the Postal Inspectors even more (you should fear the law enforcement organizations that nobody's heard of).

      Deliver it yourself? You stole the mail in mid-stream, not at the destination. You don't know what the recipient's schedule is (whether or not it's safe to deliver mail "early" or "late"), you can't follow around the mail carrier to get the letter delivered at "almost the same time" since the recently-robbed carrier will be more aware of being followed (or, worse yet, be an undercover Postal Inspector). And this is all assuming the intended recipient doesn't have a locking mailbox. The more time you wait trying to figure out the right time of day to deliver the mail, the more the recipient may get suspicious, especially if Postal Inspectors have already gone around asking people on the delivery route if they'd seen "anything suspicious."

    17. Re:Criminal by sjmurdoch · · Score: 1
      When did a criminal get this sudden hit of "oh my- what am I doing- I can't _OPEN_ this letter! I'll just scan it and see what i can find". This is someone who already intercepted mail and is about to commit fraud. Just open the envelope and call it a day.

      If a criminal simply tampers with the PIN mailer then the legitimate recipient will either notice not receiving his PIN or will see that it has been tampered with. Hopefully this will be reported to the bank and the card canceled.

      If the criminal can read the PIN without the legitimate recipient noticing, then the card will continue working until the account is emptied or the card owner receives a statement. This significantly increases the length of time a card can be used and, due to daily withdrawal limits, the amount of fraud that can happen.

      You're already stealing mail, you're about to steal a PIN number and hence some money from a bank where you'll be on video camera,

      Not all ATMs are covered by video cameras and criminals could specifically choose the ones which are not. They could also disguise themselves.
      --
      Steven Murdoch.
      web: http://www.cl.cam.ac.uk/users/sjm217/
    18. Re:Criminal by RpiMatty · · Score: 1

      Ummm no, the banks don't assume the PIN has been stolen. They assume it has been lost and simply resend it. At least that's what Citizens Bank did. After waiting over a week I called them and asked what happened, so they sent another one. Only got one in the mail, not both. With HSBC if you lose your card they ask if you want to keep the PIN, or get a new one... at least that's what happened to me.

    19. Re:Criminal by Anonymous Coward · · Score: 1, Informative

      On any bank card or credit card, the PIN is not on the card. Card number is encoded on the card. PIN is in the bank and in the mailing. The mailing should be destroyed by the recipient.

    20. Re:Criminal by sjmurdoch · · Score: 1

      Cards in the UK are normally sent out with live PINs and do not require activation.

      --
      Steven Murdoch.
      web: http://www.cl.cam.ac.uk/users/sjm217/
    21. Re:Criminal by sjmurdoch · · Score: 1
      > Of course, you have someone mentioning getting windowed envelopes to repost it...what, is that guy like 12 years old or something? PIN numbers don't come in standard envelopes; they are more like wage slips in that they have to be torn open and that there is no way you are putting them back together.

      PIN mailers in the UK are sent out using normal envelopes, specifically to stop them looking unusual and easy to pick out from normal mail. Getting replacement envelopes is trivial – the security is in the tamper-evident stock on which the PINs are printed. It seems the security provided by these is not as good as was believed.

      The wage-slip style mailers are quite rare in the UK. They are generally less secure, cost more and stand out in the mail system.

      (I am one of the authors of the report (PDF 767kB) which the BBC article is about.)
      --
      Steven Murdoch.
      web: http://www.cl.cam.ac.uk/users/sjm217/
    22. Re:Criminal by Fareq · · Score: 1

      yes we do.

      You have to activate your card when you first get it by calling a special phone number.

      You don't have to enter any secret info, but you do have to call from your home telephone number (or whatever telephone number you gave when applying for the card).

      As for use... you can get a PIN for your credit card, but it's only used when you try to do a cash-advance transaction (use credit card like an ATM card).

      Otherwise it's swipe, [sometimes show ID], and sign. And now some places (like Starbucks) are lazy and don't ask for ID or signature... they figure it's worth it to just eat the loss on the small % of coffee-buyers who use stolen cards.

    23. Re:Criminal by Fareq · · Score: 1

      precisely.

      I don't worry that much about credit card fraud.

      Because I'm not the one responsible... the merchants are.

      Though, when shopping at less-reputable online shops I do use the virtual-account-number tool from my CC company... basically get a new card #, exp date, and credit limit for each transaction...

    24. Re:Criminal by ahknight · · Score: 1

      Righteo. So it would appear we're raising hell over the symptom and not the problem. If getting the PIN gets you in then it might be time to reconsider the technology completely.

      To activate my debit card I have to set up the PIN at the bank, get the card, and call in with my home phone. Failing the home phone bit I can enter my SSN/TPID and activate it remotely (at which point my bank sends another letter stating it was activated by SSN/TPID).

      Stop worrying about the paper. Worry about the technology and weak security practices inherent in that process. My bank never prints my PIN on paper. Ever.

    25. Re:Criminal by Anonymous Coward · · Score: 0

      It's a BBC article, and most british credit cards have chip and pin, so they're also talking about credit cards.

    26. Re:Criminal by Macgyver7017 · · Score: 1

      The reason to not open it is so the intended recipient doesn't know the pin has been intercepted.

      I thought this was obvious....

    27. Re:Criminal by glesga_kiss · · Score: 1
      Well, I too live in the UK, and all three of my plastic cards have had new PINs due to the chip&pin changes. All came with payroll style tear-apart things, however one or two may have been delivered inside an innocent envelope. I could check; some are in my "to be shredded" pile still. I have never seen one that wasn't in some proprietary and specific packaging where it is obvious that tampering has taken place. Actually, I was impressed by one of the Visa ones I got, it was one of the peel-off sticky labels that you can't put back down as the pattern was completely destroyed by the removal.

      Still, the original poster I replied to seemed to imply that you'd get a page of A4 in a windowed envelope with the PIN in plain text. :-)

    28. Re:Criminal by pete6677 · · Score: 1

      It would be really nice if US card issuers would get rid of this antiquated signature system. A PIN would at least provide security for people who are smart enough not to write the number on the card. Signatures provide NO security, especially when the signature is on the back of the card for any thief to use for practice. Showing a separate ID is cumbersome and holds up checkout lines. A PIN would be so simple and effective.

    29. Re:Criminal by Maniacal · · Score: 1

      This is for everyone who replied to this comment with something like "Because then the person won't know you know their pin and will go on business as usual".

      I have a question: WTF good is a pin number without the card?

      The PIN on my card is 1507. My wife's is 1398. There ya go. You didn't even have to hack an envelope. Steal away. The only way this could be useful is if you already have the card or plan on obtaining it later through some sort of theft. In that case the cards will be reported stolen and deactivated before you can actually get good use out of the PIN.

      MG

      --
      MG
    30. Re:Criminal by DarkOx · · Score: 1

      Umm yes, but most fraudsters want to avoid detection as long as possible. They may wish to return the mail to the box at a later date and this might well be simpler than creating an official-looking counterfeit envelope. Just think of this: you never get bill X in the mail. You then call company X and ask where is my bill. After conversing for a while they send you a new one. Now most of us would wonder if something was up and scrutinize that bill and subsequent ones for a time. This is not what the fraudster wants. Now think of this: if that bill was a day late because it was removed and then replaced in your mailbox intact, could you even know to be concerned?

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    31. Re:Criminal by TigerNut · · Score: 1
      A lot of point-of-sale cash registers print the card number onto the receipt. "Good" machines obliterate part of the number, but a lot of them don't, and so the thief could (1) take the PIN, then (2) wait until the user dumps his receipts in the trash, and then get the card number. Simply program that number onto a blank card, and you're set.

      Of course this assumes that the user doesn't change the PIN as soon as they get the card... but a lot of folks don't.

      --

      Less is more.

    32. Re:Criminal by P3NIS_CLEAVER · · Score: 0

      Pin fraud requires luck though. You need to be behind someone that you are willing to mug and see the pin. With signature fraud, the world is your oyster.

      --
      Please sign petition to restore sanity to our banking system!!!

      http://financialpetition.org/
    33. Re:Criminal by SMS_Design · · Score: 1

      If a PIN number is being delivered by mail, a credit card is almost certain to follow. Scan the PIN, then swipe the card envelope and figure out a way to scan the mag stripe thru the envelope. Perhaps a magstripe reader that does not have a bottom, so the full envelope could pass thru.

      Now, all you have to do is wait a little while for the new card to be activated, use a mag stripe encoder to copy the data onto a new card, and hit an ATM for cash advance or just an ATM withdrawal in the case of a debit card.

      Cash in pocket. Hell, you could do this in a neighboring town, then use some outdoor ATM to make the withdrawal. Approach the ATM completely covered up and the security tapes would just show an unidentified man making a withdrawal.

    34. Re:Criminal by jrumney · · Score: 1
      Cards in the UK are normally sent out with live PINs and do not require activation.

      Not by my bank.

    35. Re:Criminal by sjmurdoch · · Score: 1

      Out of interest - would you mind saying which bank?

      I do know of banks which require activation only from cardholders served by sorting offices for which a lot of fraud has been reported. This could be another possibility.

      --
      Steven Murdoch.
      web: http://www.cl.cam.ac.uk/users/sjm217/
    36. Re:Criminal by jrumney · · Score: 1

      Probably. They wouldn't deliver my card by mail because of the area I lived in. The bank is Lloyds-TSB.

    37. Re:Criminal by kylegordon · · Score: 1

      Hold on whilst I trawl your trash for your card number, or clone your card whilst waiting on you at the local restaurant....

  31. DUSTER! by bigattichouse · · Score: 4, Interesting

    I just discovered that duster cans (those little cans that blow dust out of your keyboard) when turned upside down will blow coolant.

    Aim this coolant at a sealed envelope and it makes the paper transparent.

    --
    meh
    1. Re:DUSTER! by bigattichouse · · Score: 2, Informative

      forgot.. in a reasonably non-humid atmosphere, the fluid evaporates without condensing too much water.. leaving the envelope not too much worse for wear.

      --
      meh
    2. Re:DUSTER! by Linker3000 · · Score: 1

      The 'old school' has been doing this with surgical spirit for decades.

      --
      AT&ROFLMAO
    3. Re:DUSTER! by Timberwolf0122 · · Score: 1

      Interesting... and my ex's mail still comes via my house, Mwhahahahaha!

      --
      In the not too distant future, next Sunday A.D.
    4. Re:DUSTER! by Elwood P Dowd · · Score: 1
      > The 'old school' has been doing this with surgical spirit for decades.
      It's called "letter bomb detector".
      --

      There are no trails. There are no trees out here.
  32. I THINK I'M ON TO SOMETHING HERE ! by RembrandtX · · Score: 1

    If you hold a sealed envelope, over boiling water, it OPENS! Once it opens, if you close it back up and place it under a book, it will RESEAL!

    God! someone should *DO* something about this .. oh wait, there are already laws in place making mail fraud illegal.

    Gee .. nevermind.

    --

    --Ne auderis delere orbem rigidum meum, non erravi pernicose!
    1. Re:I THINK I'M ON TO SOMETHING HERE ! by I confirm I'm not a · · Score: 1

      > If you hold a sealed envelope, over boiling water, it OPENS! Once it opens, if you close it back up and place it under a book, it will RESEAL!

      Not the PIN mailers in the UK - you need to either tear open the sealed envelope *inside* the outer envelope (which, I concede, could maybe be steamed open), or you need to GIMP the whole shebang (I feel durty just saying that...)

      --
      This is where the serious fun begins.
    2. Re:I THINK I'M ON TO SOMETHING HERE ! by RembrandtX · · Score: 1

      Yeah, most stuff nowadays is the 'tear it open' variety.

      My point is more along the lines of it's illegal to tamper with mail in any way; the methods you use are immaterial.

      In order to 'scan' the PIN number out, they first have to have illegal possession of your mail, or work for the post i suppose.

      --

      --Ne auderis delere orbem rigidum meum, non erravi pernicose!
    3. Re:I THINK I'M ON TO SOMETHING HERE ! by I confirm I'm not a · · Score: 1

      Fair point. My point was more that these tossers are going to act illegally anyway - might as well force them to reveal their misdeeds (tear the envelope)... but I suspect we're circuitously agreeing with each other ;-)

      --
      This is where the serious fun begins.
    4. Re:I THINK I'M ON TO SOMETHING HERE ! by Anonymous Coward · · Score: 0
      > God! someone should *DO* something about this .. oh wait, there are already laws in place making mail fraud illegal.

      Because we all know that outlawing something stops it from occurring!

      Hey, better idea. We don't need police any more! Our laws are enough!

  33. open it? by jshaped · · Score: 0

    so if you had possession of said pin (number) letter.... you could just open it!?
    if you were trying to be discreet about it, a computer savvy thief could also repackage the contents.

  34. Dr Nick by kevin_conaway · · Score: 5, Funny

    In the immortal words of Dr. Nick's Diet:

    "If you're unsure about something, rub it against a piece of paper. If the paper turns clear, it's your window to weight gain!"

    Have fun eating greasy chicken and stealing PIN numbers

    / That's right, I said PIN Number.

    // On my way to the ATM machine.

    1. Re:Dr Nick by NewStarRising · · Score: 1

      More fun from the Department Of Redundancy Department, and the fun they supply.

      --
      b3 4phr41d 0f my 4bov3-4v3r4g3 c0mpu73r kn0wI3dg3!
      MadDwarf
    2. Re:Dr Nick by yEvb0 · · Score: 1

      Did you go to Hollywood Upstairs Medical College, too?

      --
      "Supreme executive power derives from a mandate from the masses, not from some farcical aquatic ceremony!"
  35. RFC - SPIT and the digitalisation of all paper by ACORN_USER · · Score: 2, Funny
    I'm sick to death with paper and important papers in particular. I think that in this day and age, it is really a joke that I have to worry about drawers filled with crumpled and unread letters printed in red ink.

    With all the fuss over identity theft and so forth, I propose SPIT ( Spit on PDA Id Tracking ) which boils down to a Pocket PC which you SPIT on. After your spit has been authenticated, you can use your snot key to decrypt all documents which were previously paper based!

    Please feel free to contribute your own spit to this new project.

  36. Whatever, the card would not be active by Anonymous Coward · · Score: 0

    More interesting image processing techniques that will have an impact on the lives of people :

    Refocus of an image via deconvolution :
    http://www.bialith.com/Research/BARclockblur.htm

    Face recognition :
    http://www.face-rec.org/

    optical flow analysis, scene reconstruction via photogrammetry... the list goes on.

  37. Other Forensic uses for Photoshop and GIMP by syntap · · Score: 1

    Does anyone know of methods for other forensic uses of these, such as reading pen impressions on paper?

  38. Exploit in search of a vulnerability by Anonymous Coward · · Score: 0

    Let's be somewhat charitable to the premise that this vulnerability can be exploited for a second.

    Let's say that you were in a position to profit from the knowledge of someone else's ATM PIN number. This would probably involve having their ATM card or a cloned copy of their ATM card. Let's further assume that you have access to their incoming mail, since that's a requirement for this vulnerability to matter. Finally, assume, for whatever reason, that this person has received a new PIN number by mail, and you are in possession of that document.

    There are 2 possibilities here for what you can do now:
    1.) Use photo imaging software to try and read the PIN number inside the envelope, then surreptitiously place the envelope back in their mailbox.
    2.) TAKE THE BLOODY ENVELOPE AND OPEN IT! Bank on the assumption that the mail isn't perfectly timed, and it will be a few days (or one large withdrawal) before they get concerned and call the bank.

    Why would you NOT use 2? The only advantage of 1 is that they don't know you have their PIN number. But you're kind of advertising that fact whenever you actually exploit your knowledge and make a withdrawal or two, no?

    I guess in case 1 you could make small withdrawals over time, hoping they don't catch on, but you won't get a whole lot of dollars before they notice checks start bouncing. The best exploit for having someone's card and PIN is to take the money and run--as much as you can before the fraud team is on to you.

    What possible advantage is given to our would-be exploiter from putting the PIN number back in the mailbox unopened?

  39. Wait a second.. by EiZei · · Score: 1

    Do they actually send cards WITH pins anywhere? Some banks here even refuse to mail the damn thing..

  40. Neighbors by Kamiza Ikioi · · Score: 1

    "slow process that forces them to be in the geographic neighborhood of their victims."

    This is very true. But let's not forget one of the oldest scams in the book. Ship bogus credit card products to an abandoned location with instructions to leave at the door. Only, with this, you could ship products to your neighbor's house (when you know they won't be there) with that neighbor's credit card and proper pin.

    Because the number, pin, and address were all to the same person, it makes it much harder on the card holder to prove fraud. After all, the thief could even be standing on the porch to forge the signature to the UPS guy. The thief would have to have a set of brass balls to pull this off, but old targets are in many cases still the easiest targets. Most home mailboxes aren't locked.

    --
    I8-D
  41. Provide PIN over the phone? by rfunches · · Score: 1

    I don't see a reason why the PIN couldn't be provided over the phone using this system:

    1. Send activation PIN through mail to be used for phone verification.
    2. Computer system for phone verification provides the actual PIN over the phone if the phone number where the call originates matches the one on the account and correct activation PIN is provided.
    3. If phone # or activation PIN does not match, call is connected to a CSR who must verify the caller's identity before releasing the PIN -- and the PIN is read over the phone by the computer, not the CSR, so they can't steal PINs from the inside.

    I would think that this type of a system not only thwarts your average pickpockets and mail thieves, but also more ambitious criminals who are willing to go a step further. You'd have to 1) either fake the originating phone #, 2) break into the owner's home and get the actual PIN using their own phone, or 3) have personal details like last four of a SSN-type number, address, birthdate, etc., and by that time the problem is bigger than a stolen PIN.

    Feel free to poke holes and criticise this; I thought of this on a whim and I'm not by any means an expert on security.

    1. Re:Provide PIN over the phone? by Anonymous Coward · · Score: 1, Insightful

      > I don't see a reason why the PIN couldn't be provided over the phone...

      Actually, this would be *really* cool!!!

      Especially with those wireless phones without DECT, cus the PIN will just be radio broadcasted! :)

    2. Re:Provide PIN over the phone? by Charles Dodgeson · · Score: 2, Informative

      > I would think that this type of a system not only thwarts your average pickpockets and mail thieves, but also more ambitious criminals who are willing to go a step further. You'd have to 1) either fake the originating phone #, 2) break into the owner's home and get the actual PIN using their own phone, or 3) have personal details like last four of a SSN-type number, address, birthdate, etc., and by that time the problem is bigger than a stolen PIN.

      Faking a caller line ID is easy. Any modern PBX system can do it, such as Asterisk. As for your number three, that information is much easier to get than a PIN.
      --
      Prime numbers are exactly what Alan Greenspan says they are -S. Minsky
    3. Re:Provide PIN over the phone? by LamboAlpha · · Score: 1

      Or go to their house (since you already got their mail) and open the telephone network box (little gray thing on the side of your house) plug a phone into the testing port. And there you have it, a way to gain access to someone's phone line. No breaking in required. Depending on where they live, this might actually be easy. If they are willing to commit a felony to get the mail, how much more is trespassing?

      And yes you can put locks on those boxes.

  42. corel photopaint by solipsist0x01 · · Score: 1

    Nobody ever mentions Corel PhotoPaint.

    I remember when WordPerfect, Ventura and CorelDraw were kings, those were the days.

    Too bad they canceled their linux program, or not. It probably would have turned into something like Linspire, and that's what BeOS is for.

  43. I can't concentrate by Frnak · · Score: 1

    I can't get past the first "Mr Bond".

    Poor guy, he must have difficulties with people taking him seriously. But at least he will likely be remembered by others... (and everyone knows his PIN also).

    I should get some sleep.

  44. There's an EASY solution... by Anonymous Coward · · Score: 0

    Why not all, like some banks and financial institutions allow, pick your own PIN for the card in question. I prefer banks that let me do this. Some, like State Farm bank, assign you a PIN and let you change it, which is acceptable, but not nearly as good as choosing your own from the start.

  45. And it goes a little something like this... by McTaggart · · Score: 2, Informative

    You edit curves and drag the centre of the curve down a bit I believe. Also useful for reading notes on the page underneath the one they were written on.

  46. Breaking news: Image manipulation programs used. . by noewun · · Score: 1, Redundant

    to manipulate images. Don't miss tomorrow's story: desktop publishing program used to fake documents!

    --
    I am a believer of momentum and curves.
  47. Mail Carriers by Anonymous Coward · · Score: 0

    Well maybe now that the Mail Carriers have a better means they will now stop opening all my mail!

  48. Oh my god! by dentar · · Score: 1

    Better ban all image creating and editing programs!!!!

    Everyone panic and flail their arms about, screaming!!

    --
    -- I am. Therefore, I think!
  49. So what? by SCHecklerX · · Score: 1
    If you don't trust the USPS, then tell your bank/whatever not to use them. But really, is there a feasibly more secure way to send a PIN than through our federal mail system?

    Newsflash: At my office, I can even OPEN UP the inter-office envelopes in the outgoing mail bins and see EVERYTHING inside! Heck, I don't need the gimp or anything, and there is no evidence of tampering.

  50. Next you're going to tell me.... by Anonymous Coward · · Score: 0

    That people who would commit rape and murder wouldn't break any gun laws.

    After all.. murdering someone is small potatoes compared to ~you know~ faking a background check.

  51. Other ways of reading the PINs by RagingChipmunk · · Score: 2, Informative

    In the book "Spy Catcher" (late 80s) an ex-MI5 guy writes about the various ways they used to read the contents of letters without opening the envelope. One clever way was to use a long, thin strip of bamboo to "twirl" the letter around inside the envelope and read it as it was 'scrolling' by.

    Other, easier ways include spraying the envelope with automotive-freon. The envelope becomes transparent while wet, and within seconds the freon completely evaporates.

    Other inventive ideas: Use a strand of high quality fiber optics to have a peek inside.

    Point being, wouldn't it be far more sensible to NOT include the PIN ?!?! Duh.

    --
    The only PT Boat Journal on the web: http://www.PT171.org
  52. It is an animated GIF by Zweideutig · · Score: 1

    Actually, it is simply an animated GIF. These are usually annoying, but this one doesn't move too much, so it isn't too bad.

    --
    Powered by caffeine and sugar; BSD
  53. That's all we need... by cdn2k1 · · Score: 2, Funny

    is for GIMP and Photoshop to be found illegal under the Patriot Act...

    1. Re:That's all we need... by Frank T. Lofaro Jr. · · Score: 1

      Adobe got Sklyarov arrested - they are in good with the Feds.

      GIMP on the other hand, is open source which is sometimes considered to be terrorist, piracy, etc, by clueless but often powerful people and companies.

      BTW: GIMP also has a politically incorrect and stupid name which is unprofessional and looks bad in the eyes of the public.

      --
      Just because it CAN be done, doesn't mean it should!
  54. Re:And hence..MOD PARENT FUNNY by NewStarRising · · Score: 1

    At least, I hope you were trying to be funny. I laughed. 8o)

    --
    b3 4phr41d 0f my 4bov3-4v3r4g3 c0mpu73r kn0wI3dg3!
    MadDwarf
  55. Mod myself down... RTFA by Kamiza Ikioi · · Score: 2, Interesting

    Well, I'm going to opt to mod myself down a bit on that one. Always a good idea to RTFA before posting, heh. Apparently these pins are for ATMs, and thus, pretty much makes (most of) my above post irrelevant.

    I was thinking of the security pin located on the back of most credit cards.

    In this case, then, I'm in full agreement with the parent of my original post, though this is something that should be fixed... possibly through online pin activation:

    Mail someone a temporary pin they have to enter online to get a one time view of the real pin. After the first view, no other views allowed. Thus, you really wouldn't even need that much initial security in the mailing, as no two people could view the pin, and if a second view was attempted, the issuer could be alerted to potential fraud.

    --
    I8-D
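
The one-time online reveal proposed in the post above, modelled as an added example (not code from the thread or from any bank): the mailed activation code is checked with a keyed hash, the real PIN is returned exactly once, and a second valid request or repeated wrong codes raise an alert. The card id, PIN, 8-digit code format and 3-attempt threshold are constructed assumptions.

```python
"""One-time online PIN reveal: mailed activation code, single view of the real PIN,
second valid view refused and flagged as a possible intercepted mailer."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Mailer:
    card_id: str
    code_tag: bytes          # keyed hash of the mailed activation code, never the code itself
    real_pin: str            # plaintext here for illustration only; real issuers keep PINs in an HSM
    revealed: bool = False
    failed_attempts: int = 0


class PinRevealService:
    MAX_FAILED = 3           # assumed threshold, mirrors the "lock after 3 tries" policy mentioned in the thread

    def __init__(self, server_key: bytes) -> None:
        self._key = server_key             # server-side secret: leaked records can't be brute-forced offline
        self._mailers: dict[str, Mailer] = {}
        self.alerts: list[str] = []

    def _tag(self, code: str) -> bytes:
        return hmac.new(self._key, code.encode(), hashlib.sha256).digest()

    def issue_mailer(self, card_id: str, real_pin: str) -> str:
        """Create the record for a card and return the temporary code that gets printed and mailed."""
        code = f"{secrets.randbelow(10**8):08d}"
        self._mailers[card_id] = Mailer(card_id, self._tag(code), real_pin)
        return code

    def reveal(self, card_id: str, code: str) -> Optional[str]:
        """Return the real PIN on the first valid request; otherwise None, with an alert where warranted."""
        m = self._mailers.get(card_id)
        if m is None:
            return None
        if not hmac.compare_digest(m.code_tag, self._tag(code)):
            m.failed_attempts += 1
            if m.failed_attempts >= self.MAX_FAILED:
                self.alerts.append(f"{card_id}: {m.failed_attempts} wrong activation codes, lock card")
            return None
        if m.revealed:
            # The valid code was presented twice: someone other than the cardholder has read the mailer.
            self.alerts.append(f"{card_id}: second reveal with valid code, possible intercepted mailer")
            return None
        m.revealed = True
        return m.real_pin


def demo() -> tuple[Optional[str], Optional[str], list[str]]:
    """Owner views the PIN first; a second view of the same mailer is refused and flagged."""
    svc = PinRevealService(server_key=secrets.token_bytes(32))
    code = svc.issue_mailer("card-0001", real_pin="4637")   # constructed card id and PIN
    first = svc.reveal("card-0001", code)                  # legitimate first view -> "4637"
    second = svc.reveal("card-0001", code)                 # second view -> None, alert raised
    return first, second, svc.alerts


if __name__ == "__main__":
    print(demo())
```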
    1. Re:Mod myself down... RTFA by Slime-dogg · · Score: 1

      Best way? Call the individual up and have them come to the bank and set their own pin. Require a couple forms of proper photo identification, and the problem is solved.

      --
      You need to restart your computer. Hold down the Power button for several seconds or press the Restart button.
  56. Non photographic blue ink by Anonymous Coward · · Score: 2, Informative

    Why don't they just use non photographic blue ink? It won't show up on Xeroxes and it's near impossible to make it show up properly on a scanner, especially if it was obfuscated by the envelope. If no one here knows, you can get non photographic blue pencils; comic artists frequently use them so the inker doesn't have to do as much clean up before they start doing the color layers.

    1. Re:Non photographic blue ink by imthesponge · · Score: 1

      Wouldn't that make it possible to copy it onto transparent paper using a different color ink and then overlay it, so that the number would show up?

  57. ego inflation by dan the person · · Score: 4, Funny

    I knew this article would eventually make it to slashdot after i saw the rare mention of the GIMP in mainstream media...

  58. Aww man... by ferrocene · · Score: 1

    And just yesterday I made a Joke about RAID arrays and got modded flamebait.

    What's your secret? More sarcasm?

    (Don't forget the ATM machine)

    --
    Most folk'll never lose a toe, and then again some folk'll...
  59. two related problems by Anonymous Coward · · Score: 1, Insightful

    I've had my personal info sold. Yep, that's right, someone out there paid some insane amount to bribe good old Bank Of America. No surprise. What frustrates me is not just that but also how, when some yutz uses that to look at porn or subscribe to mags or whatever, I call up and say that doesn't look right and I'm treated like a criminal. That kind of BS has to stop. The other related problem is this whole social security number and PIN and whatever link stuff like that; plus none of these things will ever stop until there's no profit or perceived profit.

  60. Change the pin at activation by coulbc · · Score: 1

    Simply force the card owner to change the PIN when activating the card, making the mailed PIN useless even if intercepted.

  61. Scanners and lights by Coyote65 · · Score: 0

    Am I the only one that would think to just open the envelope, tear back the 'protective strip' and READ the PIN with my own eyes? I've already gone far enough to 'Take someone else's mail', why wouldn't I go whole-hog and finish the job properly? This seems like a silly 'Panic of the week'...

  62. security vs time by Deanalator · · Score: 1

    To be fair, nothing that they do is ever going to be perfect. If the criminal really wanted, they would just open the envelope.

    Sending the letter with the PIN on the outside of the envelope, or without any of the black crosshatching, is pretty insecure. It costs the bank only a little bit more to put the crosshatching on the paper, so they do. The point is not to make it so no one can ever read the PIN; the point is to make it annoying enough that criminals commit fraud in other ways.

    The most important thing in security is to avoid being the low hanging branch. Kind of like when you are out camping with a bunch of friends in a place known to have a lot of bears, you always need to remember to bring a friend who runs slower than you.

    Research like this is good though, because the public should always understand what people are doing to protect their information. I feel a bit safer knowing a smart group of people seriously looked at the security protocols, and this was the best they came up with.

  63. Been done. by doublem · · Score: 1

    I hold the patent.

    The bastards who use this, including those damn reporters, owe me a royalty!

    I'm off to call the lawyers.

    --
    "Live Free or Die." Don't like it? Then keep out of the USA
  64. Tone of the Article by daniel_mcl · · Score: 1

    The tone of this article is refreshing, likely because it doesn't deal directly with computers. Every time an independent researcher discovers a buffer overflow exploit, he's branded a criminal by the industry and the media play along. It's time we start to demand that articles about security put the researcher and not the faceless corporation in the protagonist's role.

    --
    I used to read Caltizzle. I was a lot cooler than you.
  65. Gimp can find pins in the mail by Anonymous Coward · · Score: 0

    Yeah, but can it find needles in popcorn balls?

  66. Zippo lighter fluid is even better. by Trespass · · Score: 1

    Lighter fluid will make most paper types transparent for a few minutes, and evaporates with no residue. It also doesn't smear ink or attract condensation.

    If you have a book cover or something paper that's become smudged, this stuff'll let you wipe it right off. Works really well for adhesive labels, too.

    Just be careful, it's really flammable.

  67. Informative?! by catalax · · Score: 1

    Man, gimme that stuff that makes me mod this Score:5, Informative.. :-)

  68. Applicability to "Scratch and Save" Coupons? by AngryNick · · Score: 1
    My wife is constantly getting these stupid lottery card-like coupons that say "You can save 5% - 75% on your next purchase!" but where you're not allowed to reveal the amount of your savings until you reach the checkout counter.

    It would be nice to know if you have a lame 5%-off coupon before you head off to the local JCP.

    1. Re:Applicability to "Scratch and Save" Coupons? by sjmurdoch · · Score: 3, Informative

      The report (PDF 767kB) deals with the type of PIN mailers where the PIN is printed on the top layer of the paper, but there is a "scramble pattern" underneath it which prevents you from reading the PIN. The scramble pattern is either peeled away or scratched off. If you can pick out the difference between the toner and the scramble pattern you can read the PIN.

      I guess what you are talking about is where the data is printed then covered with a scratch off layer. This technology is common for lottery cards but I have never heard of it being used for PINs. Here you need to see through this layer to get at the data underneath, so the tricks mentioned in the report won't work.

      (I am one of the authors of the report)

      --
      Steven Murdoch.
      web: http://www.cl.cam.ac.uk/users/sjm217/
  69. Wow... so hard to guess! by Fareq · · Score: 1

    So, why are we all shocked at how insecure a system of mailing passwords is?

    I mean... PINs are 4 digit all-numeric codes. That's not *that* *hard* to crack... 10000 possibilities, except that the auto-generated ones probably automatically eliminate 0000, 1111, 2222, ...
    as well as 1234, 2345, 3456, 4567, ... and 9876, 8765, ...

    All the "too-obvious" ones probably eliminate another 100 or so.

    If they're human-generated ones, just try valid combinations of month/year or month/day. That eliminates a whole bunch more, since that says the first digit is 0 or 1, and I bet a lot of people use someone's birthday as the code. Or a 4-digit year for something important... you could probably build a list of less than 1000 that are really common for human-selected PINs.

    1. Re:Wow... so hard to guess! by Anonymous Coward · · Score: 0

      ...And then when you try brute-forcing, you discover you're SOL because most banks lock cards after 3 failed attempts. Oops.

      BTW, pulling numbers out of your ass doesn't work very well. "too-obvious"? WTF? You understand people use 'password' for their password right?

    2. Re:Wow... so hard to guess! by Fareq · · Score: 1

      most PIN-based systems won't *let* you use the too-obvious ones.

      You do have a point with the card-locking though. Hadn't considered that... I assume the PIN isn't on the mag-stripe, and that you can only verify it by connecting to whichever network...
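
The exchange above argues about how many of the 10000 four-digit PINs a "too-obvious" filter really removes. As an added example (not code from the thread or from any bank), here is a defender-side PIN selection policy of the kind Fareq says most PIN systems enforce: it rejects repeated digits, ascending and descending runs, and date-like values, and it counts how much of the keyspace survives. The four rule categories and their exact boundaries (MMDD, DDMM, MMYY, and years 1900-2099) are my assumptions for illustration, not something the thread specifies.

```python
"""Weak-PIN selection policy for a 4-digit numeric PIN (added example).

Assumed rules, chosen to match the patterns named in the thread:
  - repeated digit      0000, 1111, ...
  - sequential run      0123 ... 6789 and 9876 ... 3210
  - date-like           MMDD, DDMM, MMYY (any two-digit year), YYYY 1900-2099
Anything else is accepted. keyspace_after_policy() reports how many of the
10000 possible PINs the policy accepts and rejects.
"""
from itertools import product
from typing import Optional, Tuple


def is_repeated(pin: str) -> bool:
    # all four digits identical
    return len(set(pin)) == 1


def is_run(pin: str) -> bool:
    # every adjacent pair differs by exactly +1 (ascending) or -1 (descending)
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return steps == {1} or steps == {-1}


def looks_like_date(pin: str) -> bool:
    # assumption: anything parseable as a calendar date or a year is "obvious"
    a, b = int(pin[:2]), int(pin[2:])
    mmdd = 1 <= a <= 12 and 1 <= b <= 31
    ddmm = 1 <= b <= 12 and 1 <= a <= 31
    mmyy = 1 <= a <= 12                  # month followed by any two-digit year
    yyyy = 1900 <= int(pin) <= 2099      # a four-digit year
    return mmdd or ddmm or mmyy or yyyy


def weak_pin_reason(pin: str) -> Optional[str]:
    """Return the first policy rule the PIN violates, or None if accepted."""
    if len(pin) != 4 or not pin.isdigit():
        return "not four digits"
    if is_repeated(pin):
        return "repeated digit"
    if is_run(pin):
        return "sequential run"
    if looks_like_date(pin):
        return "date-like"
    return None


def keyspace_after_policy() -> Tuple[int, int]:
    """(accepted, rejected) counts over all 10000 four-digit PINs."""
    rejected = sum(
        1 for digits in product("0123456789", repeat=4)
        if weak_pin_reason("".join(digits)) is not None
    )
    return 10000 - rejected, rejected


if __name__ == "__main__":
    for candidate in ("1111", "9876", "0714", "2019", "8372"):
        print(candidate, weak_pin_reason(candidate) or "accepted")
    accepted, rejected = keyspace_after_policy()
    print(f"policy accepts {accepted} PINs, rejects {rejected}")
```

With these rules the date-like filter alone removes far more PINs than the repeated-digit and run filters, so the policy trades a smaller keyspace for fewer guessable choices; the card lockout after a few wrong attempts mentioned in the reply above is what makes the remaining keyspace adequate, not the keyspace size itself.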

  70. Better conclusion.. by Otto · · Score: 1

    Sometimes I get the sense from the Slashdot crowd that something isn't worth doing because perfection is impossible, perfect security being a prime example. I would like to ask, does that mean we quit using security measures? Do the people that say that leave their cars, homes and possessions unlocked? It would seem that is the logical conclusion of such an argument.

    No, the real logical conclusion is that you should evaluate security as you would evaluate anything else: cost vs. benefit.

    Is it worth it to lock your car? Sure. The cost of locking it is so near zero that any security benefits it provides are well worth it.

    But a lot of computer security measures really only serve to make it harder for people to do things the right way and don't add any real security for those who want to bypass it. Take DRM as a prime example. The current DRM schemes used by Apple and Microsoft make it difficult for people to load their purchased music onto their own purchased music playing devices, but do nothing as far as keeping the music off the file sharing networks. The costs are higher than the benefits.

    --
    - Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
  71. Trademarks are adjectives by tepples · · Score: 1, Offtopic

    Every single time there's a story about cash machines or numeric passcodes, somebody repeats this old complaint about redundancy. Thing is that these suffixed generic nouns are not completely redundant, as they help to disambiguate different meanings of a given abbreviation (for example, Automated Teller Machine vs. Asynchronous Transfer Mode). In addition, trademarks should be used as adjectives, with a suffixed generic noun. The canonical example here is "SPAM luncheon meat" even though 'M' stands for meat.

    1. Re:Trademarks are adjectives by syrinx · · Score: 1

      SPAM = "SPiced hAM", I thought..?

      says Wikipedia:

      The name "SPAM" was chosen in the 1930s when the product, whose original name--"Hormel Spiced Ham"--was far less memorable, began to lose market share. The name was chosen from multiple entries in a naming contest. A Hormel official once stated that the original meaning of the name SPAM was "Shoulder of Pork and hAM". According to writer Marguerite Patten in SPAM - The Cookbook, the name was suggested by Kenneth Daigneau, brother of the Hormel vice president and an actor.

      Other explanations of the origin of the term include the acronym "Specially Processed Assorted Meat","Spiced Pork And haM", "Specially Processed Army Meat", and "SPAre hAM"; there are also some less-than-serious explanations, such as "Synthetically Produced Artificial Meat" or "Stuff Posing As Meat". The current official explanation is the SP and AM were taken from "SPiced hAM" to win a $100 prize.

      According to Hormel's trademark guidelines, SPAM(TM) is spelled with all capital letters and treated as an adjective, as in the phrase SPAM(TM) luncheon meat. As with many trademarks (such as LEGO(TM) or Kleenex(TM)) consumers typically simply refer to similar meat products as SPAM.

      --
      Quidquid latine dictum sit, altum sonatur.
  72. Damn it by commodoresloat · · Score: 1

    Just Shut The Fuck Up up.

  73. Consider yourself swatted by tepples · · Score: 1

    Somebody call in the SWAT team!

    Special Weapons And Tactics. You fail it ;-)

    1. Re:Consider yourself swatted by pclminion · · Score: 1
      Special Weapons And Tactics. You fail it ;-)

      Originally it stood for "Special Weapons Attack Team" but it was changed, I guess because it sounded too scary.

  74. original paper by Anonymous Coward · · Score: 0
  75. Re:Other ways of saying other things in other ways by Anonymous Coward · · Score: 0

    Yeah, but if we say "PI Number" won't that be confused with 3.14159265...?

    Similarly awkward: "I was at the AT machine, and I forgot my PI number."

    [ I know, I know...you just want us to say ATM and PIN (without saying machine and number). ]

    Good luck in your fruitless quest to rid the world of redundant phrases that contain repetition and redundancy where less redundancy is sufficient to eliminate unnecessary repetition of redundant words which do not add significantly to the meaning and intent of messages which are fruitless to the clueless and lucky to the fruity.

  76. GIMP and WiMP by tepples · · Score: 1

    GIMP also has a politically incorrect and stupid name which is unprofessional

    How is "GNU Image Manipulation Program" any less professional than, say, "Windows Media Player"? Both names consist of an operating system brand followed by a generic name, and both have allegedly unprofessional abbreviations: "GIMP" vs. "WiMP".

  77. shaken not stirred by onkelonkel · · Score: 1

    It was explained to me thusly - Martinis were stirred in order to not "bruise" the gin, and because it would still be clear when poured. Obviously only posers would worry about these things, (and our Mr. Bond was not one of them.) A shaken martini would be (theoretically) colder and thus superior. Just another one of the ways that Ian Fleming emphasised how cool and competent (in a late 50s sort of way) Bond really was.

    --
    None of them can see the clouds; The polished wings don't care.
    1. Re:shaken not stirred by agraupe · · Score: 1

      Also, I am told, the Bond movies started the idea of the vodka martini, because some big-time vodka maker paid the filmmakers money to feature it.

    2. Re:shaken not stirred by Anonymous Coward · · Score: 0

      If only Slashdot was around when I was 19, I would have got drunk with class, style, in a balanced way (with an irresistible chick by my side, not a bunch of losers).

    3. Re:shaken not stirred by sammyno55 · · Score: 1

      Exactly how much gin does a vodka Martini have?

  78. Wouldn't it be easier... by thePowerOfGrayskull · · Score: 1

    ... to just open the letter and copy down the PIN?

    1. Re:Wouldn't it be easier... by imthesponge · · Score: 1

      Yes, but then the intended recipient will know it has been opened and change their PIN. It's supposedly tamper-evident.

  79. Easy to use? by thePowerOfGrayskull · · Score: 1

    Bright lights and easy to use software helped University of Cambridge researchers defeat tamper-proofing on letters telling people their new Pin. Say, wait. Is the gimp only easy to use when you want to hack a snail-mail letter?

  80. I'm just being paranoid... by zlogic · · Score: 1

    ...but I burn or tear to really small pieces every envelope with the PIN inside it (after reading the PIN of course) and then change my PIN. Most PIN envelopes suggest destroying the paper with the PIN on it immediately after reading it.
    I'm using this on mobile phone SIM packages, but I'm not sure if you are allowed to change a credit card PIN.

  81. PIN number in the mail? How strange. by AsmordeanX · · Score: 1

    Maybe it's different with Canadian banks (or just the Royal Bank?). To get a PIN number on your ATM card you have to physically go to a bank and type it in on a terminal at the bank. They don't mail them, nobody but you knows that number (unless you tell them).

    I asked a few people and apparently PIN mailers are common to non-canadians. The three Canadians I asked thought it was incredibly silly that your PIN number would ever be actually printed on paper and more incredible that it would be mailed.

    1. Re:PIN number in the mail? How strange. by imthesponge · · Score: 1

      I haven't heard of it here in the US, but maybe it depends on the bank.

  82. Re:Breaking news: Image manipulation programs used by Geoffreyerffoeg · · Score: 1

    tomorrow's story: desktop publishing program used to fake documents!

    I thought that was last year's story. You know, the entire Dan Rather reports and Microsoft Word margins fiasco....

  83. PIN numbers on PAPER!? Bit stupid! by swmccracken · · Score: 1

    This is insane; in New Zealand, I set the PIN by visiting the bank. Nowhere is the PIN ever printed out on anything (we're warned that writing it down anywhere is a very stupid idea!); I only ever type it in a keypad at the bank to set it. If my credit card is reissued, it carries my previous PIN (without ever being told what it is). If I don't know what that PIN is, I visit the bank and reset it in person. IN PERSON.

    If my previous credit card didn't have a PIN, my new one doesn't either.

    ATM/Debit cards are only reissued in the physical bank itself and have no expiry (they're not routinely reissued) and so I set the PIN then and there when I get a new one (because I lost the old one or something). (They're live instantly)

    (In New Zealand, all ATM cards are also debit cards[1] - we don't have separate debit cards - and are usable to purchase at the overwhelming majority of retailers. It is a shock to find a retailer that won't accept "EFTPOS" as we call it.)

    I guess the difference is we are in maintenance mode - we're not deploying to everyone, just maintaining new accounts and people that lose their cards. And we've taken this stuff for granted since 1984. (Yes, New Zealanders have been paying for things using electronic card based transactions at stores since the mid 80's.)

    Err, yeah, we've had PINs for transactions for the LAST *TWENTY* YEARS. We've been wondering when the rest of the world will catch up!

    [1] Well, sort of. Unlike a US debit card, the transactions are instantaneous; the money is debited from our account right then and there, there's no quibbling.

  84. There are other ways by glowworm · · Score: 1

    Meh, The thing with PIN mailers is they closely follow the actual card in the mail. In fact this happened to me.

    A thief stole the card from my mailbox then a few days later stole the PIN as well. They then withdrew the full limit from a few ATMs.

    As I was expecting a card that never arrived I rang the company asking when it would arrive, they said the card had been used, I signed a Stat Dec and the debt was wiped.

    The point is... The PIN mailer is in your mailbox along with your card... Why not just open the mailer and use the card in an ATM right away!

    --
    Orationem pulchram non habens, scribo ista linea in lingua Latina
  85. Re:PIN numbers on PAPER!? Bit stupid! by Anonymous Coward · · Score: 0

    Australia still mails out PINs (or at least the Commonwealth bank does). CBA mails the Keycard/eftpos card PIN, then the card itself, followed by the internet banking password followed by the internet banking 'client number'. It's really quite stupid.

  86. Change the pin by Anonymous Coward · · Score: 0

    Change your PIN to something else as soon as you activate your card, then this isn't a problem.

  87. Normal for Southeast Asia by rwa2 · · Score: 1

    It was the same way in Thailand (at least with relatives' houses, I didn't really live that close to any of my good friends).

    For one thing, most of the old, traditional-style Thai houses were open-air.

    http://www.orientalarchitecture.com/thaicountryside/thaihousesbindex.htm

    Not really much to keep people out.

    Everyone pretty much had a tall fence and metal gates around their property. Most were easy to climb, though others were lined with spikes or broken glass on top. Everyone had at least 2 dogs roaming their property, usually 3 or 4. So if you were known to the family and the dogs, you could pretty much walk in and make yourself comfortable, while every other visitor would get a loud welcome.

    Since my international school schedule was often out of sync with my Thai cousins' schedules, I'd spend a lot of time with their dogs. These dogs were quite different from American dogs, in that they were only marginally domesticated to respect their owners. Since they had plenty of other dogs in their household, they retained a lot of the wolf-pack mentality.

    Anyway, dogs can be poisoned, gates can be scaled, and locks can be defeated. As far as crime was concerned (and I think this is still true in several third world countries) anything is pretty much fair game for thieves unless you actually have an armed guard there protecting your property or neighborhood. Since live-in guards / housekeepers are quite affordable, that's the route many people pretty much take.

    So for a Southeast Asian to come here, it's kind of strange to walk into a house and have no one to greet you and let you in, since most of the houses back east basically came occupied full-time.