Slashdot Mirror


Graphics Programs Uncover Secret PINs

Errtu76 writes "The BBC is running a story stating that, among other programs, The Gimp and Photoshop have been identified as possible tools for uncovering PINs via the mail." From the article: "The researchers collected lots of so-called Pin mailers and then tested how secure they were. Many were defeated using bright lights shone at an angle on to the paper. Other Pins could be read by scanning the letter and then adjusting some of the image qualities in popular programs such as GIMP, Adobe Photoshop and Paintshop Pro."

10 of 363 comments

  1. Better recourse by Alex P Keaton in da · · Score: 4, Interesting

    Hopefully though, this discovery will further bring to light all the lax security that companies that control our personal information have. It would be nice to see data brokers and banks start to care about security a little more.
    And the fact that if your info gets out and someone exploits it, it is such a hassle to clear your good name/credit.
    That being said- locks only keep honest men out... In the military locks are known as "delaying devices"
    If someone wants your info, and is willing to break out the scanner and start graphics manipulation to get it, well, they are likely to get it. But wouldn't it just be easier to hit strangers about the head with a sock of nickels and take their cash?

    --
    And All I Ask is a Tall Ship And a Star to Steer Her By
    1. Re:Better recourse by rknop · · Score: 3, Interesting

      Hopefully though, this discovery will further bring to light all the lax security that companies that control our personal information have. It would be nice to see data brokers and banks start to care about security a little more.

      Heh. Hopefully.

      More likely, it will bring calls to limit these nefarious tools that can be used for criminal purposes. We already are paranoid about color printers running off images of dollar bills. Now we'd better make laws saying that any image processing program must contain checks against this sort of thing.

      I will not be surprised if that response is seriously proposed.

      Hell, under the DMCA, it may be illegal to download Gimp now. After all, it is a tool that has been demonstrated to break an effective security measure (the paper around a PIN number), although the PIN number may not be IP and thus may not be covered under the DMCA.

      But we also have the Grokster case as precedent to allow us to hold the Gimp developers responsible for this use of their tool.

      -Rob

  2. Scratch-off lottery tickets? by Anonymous Coward · · Score: 2, Interesting

    If someone owned a convenience store, wouldn't it be possible to scan the un-scratched tickets looking for the "big winner" without having to pay for them all?

    1. Re:Scratch-off lottery tickets? by Paul Neubauer · · Score: 4, Interesting

      Something similar happened at least once. It took two people. One at the store to pull the reel of tickets and one with access to some medical machine. They looked through the roll with the medical scanner, took out and bought the winning tickets and put the broken up roll back. They were caught when someone else at the store noticed that the roll had several odd breaks. And probably that someone was a little too lucky.

      --
      I don't subscribe to RMS's GNUtopian vision.
  3. two sheets of mylar by Speare · · Score: 4, Interesting
    I've always wondered why they didn't just slip some mylar film into those mailers. Mylar was designed in wartime as radar chaff, but is more likely seen today as the bag around your snack or a helium balloon.

    The existing patterned ink method was adopted because of cost, but really, tacking some mylar onto the form would be cheaper than tacking those thick plastic fake credit cards into those credit offers they flood you with. Yeah, I know: marketing budget can afford fake credit cards but the operations budget can't afford mylar for security.

    --
    [ .sig file not found ]
  4. UK Banks by Detritus · · Score: 2, Interesting
    Aren't these the same banks that had a police officer prosecuted for attempted fraud because he inquired about some suspicious transactions in his bank account? The premise being that bank systems are secure and perfect, therefore the customer must be at fault.

    I can see them taking the same attitude towards PINs. Any abuse must be the customer's fault, since no one else could have known the PIN.

    --
    Mea navis aericumbens anguillis abundat
  5. Nothing new, really. by Pig Hogger · · Score: 3, Interesting
    Some 20 years ago, around Montréal, a lottery-scamming ring was uncovered, who operated with "pouch-type" lottery tickets (a ticket enclosed in a transparency-obfuscating envelope). They had a network of operatives who worked at convenience stores, and swapped unknown tickets with "known ungood" tickets.

    They were able to see through the envelope obfuscation using a slide projector as a bright light (and undoubtedly a fair number of aspirins).

  6. Re:Kind of silly by SimilarityEngine · · Score: 2, Interesting

    Perhaps they could intercept your mail, obtain your PIN, place the letter back in your mailbox (so you have no reason to be on your guard or change your PIN), follow you carefully into town, steal your wallet (maybe without you knowing, but a simple mugging would do) ...

    Far fetched? Depends on whether this little security hole becomes well known in the wrong circles. Also, where I work the same kind of system is used to protect wage-slips - which have employee payroll numbers, bank details, social security numbers etc. on, so there is potentially a broader problem here. Think I might have a word with my manager....

    --
    Those who can make you believe absurdities can make you commit atrocities. - Voltaire
  7. DUSTER! by bigattichouse · · Score: 4, Interesting

    I just discovered that duster cans (those little cans that blow dust out of your keyboard) when turned upside down will blow coolant.

    Aim this coolant at a sealed envelope and it makes the paper transparent.

    --
    meh
  8. Mod myself down... RTFA by Kamiza Ikioi · · Score: 2, Interesting

    Well, I'm going to opt to mod myself down a bit on that one. Always a good idea to RTFA before posting, heh. Apparently these pins are for ATMs, and thus, pretty much makes (most of) my above post irrelevant.

    I was thinking of the security pin located on the back of most credit cards.

    In this case, then, I'm in full agreement with the parent of my original post, though this is something that should be fixed... possibly through online pin activation:

    Mail someone a temporary pin they have to enter online to get a one time view of the real pin. After the first view, no other views allowed. Thus, you really wouldn't even need that much initial security in the mailing, as no two people could view the pin, and if a second view was attempted, the issuer could be alerted to potential fraud.

    --
    I8-D
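
The one-time-view activation idea from comment 8, sketched as an added example; it is not part of the original thread or any issuer's code. The class and method names, the 8-digit activation code and the in-memory storage are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class OneTimePinReveal:
    """In-memory sketch of the scheme; a real issuer would keep PINs in an HSM."""

    def __init__(self):
        self._pending = {}    # account -> (sha256 of activation code, real PIN)
        self._viewed = set()  # accounts whose PIN has already been shown
        self.alerts = []      # (account, reason) tuples for the fraud team

    def issue(self, account, real_pin):
        """Register a PIN and return the activation code to print in the mailer."""
        code = f"{secrets.randbelow(10**8):08d}"
        digest = hashlib.sha256(code.encode()).digest()
        self._pending[account] = (digest, real_pin)
        self._viewed.discard(account)
        return code

    def reveal(self, account, code):
        """Return the real PIN on the first correct request, otherwise None."""
        if account in self._viewed:
            # Second view: the mailer was read by someone else, or the code leaked.
            self.alerts.append((account, "repeat view attempt"))
            return None
        entry = self._pending.get(account)
        if entry is None:
            return None
        digest, real_pin = entry
        supplied = hashlib.sha256(code.encode()).digest()
        if not hmac.compare_digest(digest, supplied):
            self.alerts.append((account, "wrong activation code"))
            return None
        # Burn the record before returning so the PIN can never be shown twice.
        del self._pending[account]
        self._viewed.add(account)
        return real_pin


if __name__ == "__main__":
    svc = OneTimePinReveal()
    code = svc.issue("acct-1001", "4071")  # constructed sample values
    print(svc.reveal("acct-1001", code))   # first view succeeds
    print(svc.reveal("acct-1001", code))   # second view is refused
    print(svc.alerts)
```

Whoever enters the activation code first gets the PIN, so the alert fires only when the second party tries; the issuer still has to act on it by cancelling the PIN.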