Graphics Programs Uncover Secret PINs
Errtu76 writes "The BBC is running a story stating that, among other programs, The Gimp and Photoshop have been identified as possible tools for uncovering PINs via the mail." From the article: "The researchers collected lots of so-called Pin mailers and then tested how secure they were. Many were defeated using bright lights shone at an angle on to the paper. Other Pins could be read by scanning the letter and then adjusting some of the image qualities in popular programs such as GIMP, Adobe Photoshop and Paintshop Pro."
And hence the reason for sending the PIN separately from the card becomes clear.
Nothing to see here... yet again.
Me, whenever I get one of these things I either shred the bejesus out of it or store it in a secure place. I NEVER trust the trash for things like this, or even receipts from places I use my credit card. Lots of them still print the whole number on the paper. :/
"I'm a leaf on the wind. Watch how I soar."
-Hoban Washburn
To carry your ATM card in a tin-foil Faraday cage because it can be read by a device hidden in your office elevator?
PIN codes are just there to protect a person's card from random pickpocketing. Also, this "exploit" needs access to the mail containing the PIN, before the user reads it and changes it. It is very unlikely that somebody will be able to do this easily - the obvious suspects being your kid brother who signed for your credit card when it came to your home and your shopping-crazy sister. It needs very clear physical access on a day-to-day basis.
This belongs in the same category as mothers steaming open letters - maybe you should read Saki's shock tactics about how to handle that scenario.
Quidquid latine dictum sit, altum videtur
The key point of this article (before the industry response) is not about some great new way to use photo editing software to steal someone's PIN number. The majority of it discusses the dangers of using new methods of mailing PINs and passwords that can be read by the HUMAN EYE, sometimes with no more technology than the ability to tilt the paper and shine a bright light.
The problem is not with the GIMP or Photoshop, but poor printing techniques that could put your 'secure' password information at risk with the simplest of methods. It still deserves a mention in YRO because I've even had a few letters mailed to me with PIN information like this. The letter had already been partially broken on one side due to handling, and I could see the PIN in the sunlight through the thin sheet, even though that thin sheet is meant to let you know if someone has tampered with your information.
Perfecting Discordia
www.stevenvansickle.com
locks only keep honest men out
An honest man keeps himself out.
This space intentionally left blank.
I don't understand the practical applications of this attack outside the realm of academia.
So they can steal your mail? If they've stolen it, why not just open it and read the pin?
If someone is targeting you to steal your money, they would have to steal the PIN number and then check back every day to see if the card came. Doesn't seem very practical to me.
Unfortunately, I think your point is going to be lost on some people.
While the article certainly has a point in pointing out the problem, at least in this scenario the criminal has to hit his targets old school: manually and one-at-a-time. This is a time-consuming, slow process that forces them to be in the geographic neighborhood of their victims.
I am more concerned about security and privacy issues with data stored online, where you can hack a database 3,000 miles away and get 10 million PINs in an afternoon. Now *that's* an increase in productivity.
"Lawyers are for sucks."
- Doug McKenzie
Sometimes I get the sense from the Slashdot crowd that something isn't worth doing because perfection is impossible, perfect security being a prime example. I would like to ask, does that mean we quit using security measures?
I believe you and I are on the same page. My point is that no security is perfect. Not that it means we shouldn't secure our possessions, but rather that if someone really wants something, and is willing to go to any means to get it, then they are likely to succeed...
My point was that any security can be defeated, and if people are willing to break out the scanner and learn Photoshop, they are likely to get what they want through that or other means.
We all need to decide for ourselves what we believe our personal level of security needs to be, whether it is a wide open door or a deadbolt lock. What does worry me are people who have our info without our expressed permission (i.e. data brokers) and are lax with security...
And All I Ask is a Tall Ship And a Star to Steer Her By
An even better way of reading the PIN is to open up the envelope and look inside. One doesn't even need a computer for that.
When did a criminal get this sudden hit of "oh my - what am I doing - I can't _OPEN_ this letter! I'll just scan it and see what I can find"? This is someone who already intercepted mail and is about to commit fraud. Just open the envelope and call it a day.
FYI: From the Canada Post Corporation Act
when you see the word 'Linux', drink!
"Integrity means doing the right thing when no one is watching." -anonymous
No, Locks keep lazy men honest.
Paying taxes to buy civilization is like paying a hooker to buy love.
I've had my personal info sold. Yep, that's right, someone out there paid some insane amount to bribe good old Bank of America. No surprise. What frustrates me is not just that, but also how, when some yutz uses that to look at porn or subscribe to mags or whatever, I call up and say that doesn't look right and I'm treated like a criminal. That kind of BS has to stop. The other related problem is this whole social security number and PIN and what-links-to-what stuff like that, plus none of these things will ever stop until there's no profit or perceived profit.
> I don't see a reason why the PIN couldn't be provided over the phone...
:)
Actually, this would be *really* cool!!!
Especially with those wireless phones without DECT, 'cause the PIN will just be broadcast over the radio!