Graphics Programs Uncover Secret PINs
Errtu76 writes "The BBC is running a story stating that, among other programs, The Gimp and Photoshop have been identified as possible tools for uncovering PINs via the mail." From the article: "The researchers collected lots of so-called Pin mailers and then tested how secure they were. Many were defeated using bright lights shone at an angle on to the paper. Other Pins could be read by scanning the letter and then adjusting some of the image qualities in popular programs such as GIMP, Adobe Photoshop and Paintshop Pro."
OMFG the Gimp icon just looked at me
Now, if only they'd make a program that lets me remotely break into people's mailboxes and steal their mail. Then I'd be all set.
No one knew until now that scanning a document in black and white and adjusting the black/white threshold value can make it easier to read marginal text? Wow. Sounds like a patent application to me. Whatever.
The NSA: The only part of the US government that actually listens.
Maybe people will quit calling them Personal Identification Number numbers.
Hopefully though, this discovery will further bring to light all the lax security that companies that control our personal information have. It would be nice to see data brokers and banks start to care about security a little more.
And the fact that if your info gets out and someone exploits it, it is such a hassle to clear your good name/credit.
That being said- locks only keep honest men out... In the military locks are known as "delaying devices"
If someone wants your info, and are willing to break out the scanner and start graphics manipulation to get it, well, they are likely to get it. But wouldn't it just be easier to hit strangers about the head with a sock of nickels and take their cash?
And All I Ask is a Tall Ship And a Star to Steer Her By
They do say, of course, that you need the card, which is right, but at the same time organised gangs will quite happily put card readers in ATM machines, pick up the details and clone your card.
Cheap UK and US VPS
And hence the reason for sending the PIN separately from the card becomes clear.
Nothing to see here... yet again.
I think one of the issues here is mail security.
:-\
I mean come on, how expensive is it to get a damn lock on your mailbox?
If someone owned a convenience store, wouldn't it be possible to scan the un-scratched tickets looking for the "big winner" without having to pay for them all?
Me, whenever I get one of these things I either shred the bejesus out of it or store it in a secure place. I NEVER trust the trash for things like this, or even receipts from places I use my credit card. Lots of them still print the whole number on the paper. :/
"I'm a leaf on the wind. Watch how I soar."
-Hoban Washburn
The existing patterned ink method was adopted because of cost, but really, tacking some mylar onto the form would be cheaper than tacking those thick plastic fake credit cards into those credit offers they flood you with. Yeah, I know: marketing budget can afford fake credit cards but the operations budget can't afford mylar for security.
To carry your ATM card in a tin-foil Faraday cage because it can be read by a device hidden in your office elevator?
PIN codes are just there to protect a person's card from random pickpocketing. Also, this "exploit" needs access to the mail containing the PIN before the user reads it and changes it. It is very unlikely that somebody will be able to do this easily - the obvious suspects being your kid brother who signed for your credit card when it came to your home, and your shopping-crazy sister. It needs very clear physical access on a day-to-day basis.
This belongs in the same category as mothers steaming open letters - maybe you should read Saki's shock tactics about how to handle that scenario.
Quidquid latine dictum sit, altum videtur
The key point of this article (before the industry response) is not about some great new way to use photo editing software to steal someone's PIN number. The majority of it discusses the dangers of using new methods of mailing PIN and passwords that can be read by the HUMAN EYE, sometimes with no more technology than the ability to tilt the paper and shine a bright light.
The problem is not with the gimp or photoshop, but poor printing techniques that could put your 'secure' password information at risk with the simplest of methods. It still deserves a mention in YRO because I've even had a few letters mailed to me with PIN information like this. The letter had already been partially broken on one side due to handling, and I could see the PIN in the sunlight through the thin sheet even though that thin sheet is meant to let you know if someone has tampered with your information.
Perfecting Discordia
www.stevenvansickle.com
I don't understand the practical applications of this attack outside the realm of academia.
So they can steal your mail? If they've stolen it, why not just open it and read the pin?
If someone is targeting you to steal your money, they would have to steal the PIN number and then check back every day to see if the card came. Doesn't seem very practical to me.
I can see them taking the same attitude towards PINs. Any abuse must be the customer's fault, since no one else could have known the PIN.
Mea navis aericumbens anguillis abundat
They were able to see through the envelope obfuscation using a slide projector as a bright light (and undoubtedly a fair number of aspirins).
An even better way of reading the PIN is to open up the envelope and look inside. One doesn't even need a computer for that.
I presume the 'redundant' moderation was because you actually typed 'PIN numbers'.
;-)
...
Redundancy, geddit? Geddit?
I'm truly sorry...
Tedious Bloggy Stuff - hooray?
Tiny tinfoil hats for the pin numbers.
Yes, that's right... Big, powerful headline... Why not just say something like:
"All your pin are belong to GIMP!"
This has nothing to do with the graphics programs and everything to do with bad-quality printing methods.
"The amount of intelligence on this planet is a constant. The population is growing." -Cole's Axiom
Wrap the PIN mailings inside bank notes. All these programs should have banknote scanning prevention as Uncle Sam mandates, so covering the mailings inside of bank notes should solve the PIN theft problem. If this causes the currency theft problem to rise, we can simply wrap the currency inside gold leaf.
Haha, probably. But then the mods were also redundant by modding it as redundant twice :p
Send email from the afterlife! Write your e-will at Dead Man's Switch.
Remember Homer's hilarious dilemma when choosing between a winning $500 lottery ticket, which he saw using this very method, and a Yodel bar.
H - Man, that Yodel was so good..I wish I was eating it right now..
I never spellcheck and I freely admit it. Save your karma for more worthwhile "lol erorrs" replies
"Poor print exposing Pin numbers"
If some has my Personal Identification Number Number, they may use it in an Automatic Teller Machine Machine.
If they were public they'd be useless for authentication, genius.
When did a criminal get this sudden hit of "oh my - what am I doing - I can't _OPEN_ this letter! I'll just scan it and see what I can find"? This is someone who already intercepted mail and is about to commit fraud. Just open the envelope and call it a day.
FYI: From the Canada Post Corporation Act
when you see the word 'Linux', drink!
I just discovered that duster cans (those little cans that blow dust out of your keyboard) when turned upside down will blow coolant.
Aim this coolant at a sealed envelope and it makes the paper transparent.
meh
If you hold a sealed envelope, over boiling water, it OPENS! Once it opens, if you close it back up and place it under a book, it will RESEAL!
.. oh wait, there are already laws in place making mail fraud illegal.
.. nevermind.
God! someone should *DO* something about this
Gee
--Ne auderis delere orbem rigidum meum, non erravi pernicose!
In the immortal words of Dr. Nick's Diet:
// On my way to the ATM machine.
"If you're unsure about something, rub it against a piece of paper. If the paper turns clear, it's your window to weight gain!"
Have fun eating greasy chicken and stealing PIN numbers
/ That's right, I said PIN Number.
With all the fuss over identity theft and so forth, I propose SPIT (Spit on PDA Id Tracking), which boils down to a Pocket PC which you SPIT on. After your spit has been authenticated, you can use your snot key to decrypt all documents which were previously paper based!
Please feel free to contribute your own spit to this new project.
Does anyone know of methods for other forensic uses of these, such as reading pen impressions on paper?
Technology Reporting Rule #37: Only mention Open Source Software in a story if it has a negative connotation. Technology Reporting Rule #38: Throw in the names of some commercial software as well so it doesn't seem biased.
Support Right To Repair Legislation.
Do they actually send cards WITH pins anywhere? Some banks here even refuse to mail the damn thing..
"slow process that forces them to be in the geographic neighborhood of their victims."
This is very true. But let's not forget one of the oldest scams in the book. Ship bogus credit card products to an abandoned location with instructions to leave at the door. Only, with this, you could ship products to your neighbor's house (when you know they won't be there) with that neighbor's credit card and proper PIN.
Because the number, PIN, and address were all to the same person, it makes it much harder on the card holder to prove fraud. After all, the thief could even be standing on the porch to forge the signature for the UPS guy. The thief would have to have a set of brass balls to pull this off, but old targets are in many cases still the easiest targets. Most home mailboxes aren't locked.
I8-D
I don't see a reason why the PIN couldn't be provided over the phone using this system:
1. Send activation PIN through mail to be used for phone verification.
2. Computer system for phone verification provides the actual PIN over the phone if the phone number where the call originates matches the one on the account and correct activation PIN is provided.
3. If phone # or activation PIN does not match, call is connected to a CSR who must verify the caller's identity before releasing the PIN -- and the PIN is read over the phone by the computer, not the CSR, so they can't steal PINs from the inside.
I would think that this type of a system not only thwarts your average pickpockets and mail thieves, but also more ambitious criminals who are willing to go a step further. You'd have to 1) either fake the originating phone #, 2) break into the owner's home and get the actual PIN using their own phone, or 3) have personal details like last four of a SSN-type number, address, birthdate, etc., and by that time the problem is bigger than a stolen PIN.
Feel free to poke holes and criticise this; I thought of this on a whim and I'm not by any means an expert on security.
Nobody ever mentions Corel PhotoPaint.
I remember when WordPerfect, Ventura and CorelDraw were kings, those were the days.
Too bad they canceled their Linux program, or not. It probably would have turned into something like Linspire, and that's what BeOS is for.
I can't get past the first "Mr Bond".
Poor guy, he must have difficulties with people taking him seriously. But at least he will likely be remembered by others... (and everyone knows his PIN also).
I should get some sleep.
You edit curves and drag the centre of the curve down a bit I believe. Also useful for reading notes on the page underneath the one they were written on.
to manipulate images. Don't miss tomorrow's story: desktop publishing program used to fake documents!
I am a believer of momentum and curves.
I'd be exactly where I am now--a comedic genius who wrote a joke reply based on the Open Source movement, clearly intended as a satiric/ironic aside on the article in question.
Looks like all of those rumors about Continental Europe going through a humor drought are true. Quick, someone call the Red Cross and get some humor shipped to Europe right now! Mobilize the U.N.! Get some hot water, clean towels, and iodine and...no, wait, that's the thing when someone is giving birth. Never mind that last thing.
Better ban all image creating and editing programs!!!!
Everyone panic and flail their arms about, screaming!!
-- I am. Therefore, I think!
Newsflash: At my office, I can even OPEN UP the inter-office envelopes in the outgoing mail bins and see EVERYTHING inside! Heck, I don't need the gimp or anything, and there is no evidence of tampering.
In the book "Spy Catcher" (late 80s) an ex-MI5 guy writes about the various ways they used to read the contents of letters without opening the envelope. One clever way was to use a long, thin strip of bamboo to "twirl" the letter around inside the envelope and read it as it was 'scrolling' by.
Other, easier ways include spraying the envelope with automotive freon. The envelope becomes transparent while wet, and within seconds the freon completely evaporates.
Other inventive ideas: Use a strand of high quality fiber optics to have a peek inside.
Point being, wouldn't it be far more sensible to NOT include the PIN?!?! Duh.
The only PT Boat Journal on the web: http://www.PT171.org
Actually, it is simply an animated GIF. These are usually annoying, but this one doesn't move too much, so it isn't too bad.
Powered by caffeine and sugar; BSD
is for GIMP and Photoshop to be found illegal under the Patriot Act...
At least, I hope you were trying to be funny. I laughed. 8o)
b3 4phr41d 0f my 4bov3-4v3r4g3 c0mpu73r kn0wI3dg3!
MadDwarf
Well, I'm going to opt to mod myself down a bit on that one. Always a good idea to RTFA before posting, heh. Apparently these pins are for ATMs, and thus, pretty much makes (most of) my above post irrelevant.
I was thinking of the security pin located on the back of most credit cards.
In this case, then, I'm in full agreement with the parent of my original post, though this is something that should be fixed... possibly through online pin activation:
Mail someone a temporary pin they have to enter online to get a one time view of the real pin. After the first view, no other views allowed. Thus, you really wouldn't even need that much initial security in the mailing, as no two people could view the pin, and if a second view was attempted, the issuer could be alerted to potential fraud.
I8-D
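The two proposals above (the mailed activation PIN checked against the caller's phone number with a CSR fallback, and the one-time online view that alerts on a second attempt) share the same core: a single-use secret that unlocks the real PIN exactly once. This is an added example, not code from any commenter or any bank; the account data, phone numbers and PINs are constructed sample values, and the service, method names and lockout threshold are my own assumptions.

```python
# Added example (not from any commenter): a minimal service modelling the two
# proposals above, with constructed data. Assumptions: the mailed activation
# code is stored only as a salted hash; the real PIN is released once, by the
# system, either to a caller whose phone number matches the account or after a
# CSR has verified identity; any attempt after the single release raises an alert.
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    phone: str              # phone number on file (constructed sample value)
    real_pin: str           # in a real deployment this would live in an HSM
    salt: bytes
    activation_hash: bytes  # salted hash of the code printed on the mailer
    released: bool = False  # True once the real PIN has been handed out
    failures: int = 0
    locked: bool = False


def _hash(code: str, salt: bytes) -> bytes:
    # Salted, slow hash so a dump of the table does not reveal mailed codes.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)


class PinReleaseService:
    MAX_FAILURES = 3  # wrong activation codes tolerated before the account locks

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.alerts: list[str] = []  # where a fraud desk would be notified

    def issue(self, account_id: str, phone: str, real_pin: str) -> str:
        """Create the account; returns the activation code to print on the mailer."""
        code = f"{secrets.randbelow(10**6):06d}"
        salt = secrets.token_bytes(16)
        self.accounts[account_id] = Account(phone, real_pin, salt, _hash(code, salt))
        return code

    def _check_code(self, acct: Account, code: str) -> bool:
        if acct.locked:
            return False
        if hmac.compare_digest(_hash(code, acct.salt), acct.activation_hash):
            return True
        acct.failures += 1
        if acct.failures >= self.MAX_FAILURES:
            acct.locked = True
            self.alerts.append("too many bad activation codes")
        return False

    def reveal(self, account_id: str, caller_phone: str, code: str):
        """Automated (IVR or web) path. Returns (status, pin_or_None)."""
        acct = self.accounts.get(account_id)
        if acct is None:
            return ("denied", None)
        if acct.released:
            # A second view after the one-time release is treated as possible fraud.
            self.alerts.append(f"repeat PIN request for {account_id}")
            return ("alert", None)
        if not self._check_code(acct, code):
            return ("denied", None)
        if caller_phone != acct.phone:
            # Caller ID does not match the account: hand off to a CSR.
            return ("csr", None)
        acct.released = True
        return ("ok", acct.real_pin)

    def csr_release(self, account_id: str, identity_verified: bool):
        """After a CSR confirms identity, the system (not the CSR) speaks the PIN."""
        acct = self.accounts.get(account_id)
        if acct is None or not identity_verified or acct.locked:
            return ("denied", None)
        if acct.released:
            self.alerts.append(f"repeat PIN request for {account_id}")
            return ("alert", None)
        acct.released = True
        return ("ok", acct.real_pin)
```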
Why don't they just use non-photographic blue ink? It won't show up on Xeroxes, and it's near impossible to make it show up properly on a scanner, especially if it was obfuscated by the envelope. If no one here knows, you can get non-photographic blue pencils; comic artists frequently use them so the inker doesn't have to do as much clean-up before they start doing the color layers.
I knew this article would eventually make it to Slashdot after I saw the rare mention of the GIMP in mainstream media...
And just yesterday I made a Joke about RAID arrays and got modded flamebait.
What's your secret? More sarcasm?
(Don't forget the ATM machine)
Most folk'll never lose a toe, and then again some folk'll...
I've had my personal info sold. Yep, that's right, someone out there paid some insane amount to bribe good old Bank Of America. No surprise. What frustrates me is not just that, but also how, when some yutz uses that to look at porn or subscribe to mags or whatever, I call up and say that doesn't look right and I'm treated like a criminal. That kind of BS has to stop. The other related problem is this whole social security number and PIN and what-links-to-what stuff like that, plus none of these things will ever stop until there's no profit or perceived profit.
Simply force the card owner to change the PIN when activating the card. Making the mailed PIN useless even if intercepted.
To be fair, nothing that they do is ever going to be perfect. If the criminal really wanted, they would just open the envelope.
Sending the letter with the PIN on the outside of the envelope, or without any of the black crosshatching, is pretty insecure. It costs the bank only a little bit more to put the crosshatching on the paper, so they do. The point is not to make it so no one can ever read the PIN; the point is to make it annoying enough that criminals commit fraud in other ways.
The most important thing in security is to avoid being the low-hanging branch. Kind of like when you are out camping with a bunch of friends in a place known to have a lot of bears, you always need to remember to bring a friend who runs slower than you.
Research like this is good though, because the public should always understand what people are doing to protect their information. I feel a bit safer knowing a smart group of people seriously looked at the security protocols, and this was the best they came up with.
I hold the patent.
The bastards who use this, including those damn reporters, owe me a royalty!
I'm off to call the lawyers.
"Live Free or Die." Don't like it? Then keep out of the USA
The tone of this article is refreshing, likely because it doesn't deal directly with computers. Every time an independent researcher discovers a buffer overflow exploit, he's branded a criminal by the industry and the media play along. It's time we start to demand that articles about security put the researcher and not the faceless corporation in the protagonist's role.
I used to read Caltizzle. I was a lot cooler than you.
Lighter fluid will make most paper types transparent for a few minutes, and evaporates with no residue. It also doesn't smear ink or attract condensation.
If you have a book cover or something paper that's become smudged, this stuff'll let you wipe it right off. Works really well for adhesive labels, too.
Just be careful, it's really flammable.
Man, gimme that stuff that makes me mod this Score:5, Informative.. :-)
It would be nice to know if you have a lame 5%-off coupon before you head off to the local JCP.
So, why are we all shocked at how insecure a system of mailing passwords is?
I mean... PINs are 4 digit all-numeric codes. That's not *that* *hard* to crack... 10000 possibilities, except that the auto-generated ones probably automatically eliminate 0000, 1111, 2222, ...
as well as 1234, 2345, 3456, 4567, ... and 9876, 8765, ...
All the "too-obvious" ones probably eliminate another 100 or so.
If they're human-generated ones, just try valid combinations of month/year or month/day;
that eliminates a whole bunch more, since that says the first digit is 0 or 1, and I bet a lot of people use someone's birthday as the code. Or a 4-digit year for something important... you could probably build a list of less than 1000 that are really common for human-selected PINs.
Sometimes I get the sense from the Slashdot crowd that something isn't worth doing because perfection is impossible, perfect security being a prime example. I would like to ask, does that mean we quit using security measures? Do the people that say that leave their cars, homes and possessions unlocked? It would seem that is the logical conclusion of such an argument.
No, the real logical conclusion is that you should evaluate security as you would evaluate anything else: cost vs. benefit.
Is it worth it to lock your car? Sure. The cost of locking it is so near zero that any security benefits it provides are well worth it.
But a lot of computer security measures really only serve to make it harder for people to do things the right way and don't add any real security for those who want to bypass it. Take DRM as a prime example. The current DRM schemes used by Apple and Microsoft make it difficult for people to load their purchased music onto their own purchased music playing devices, but do nothing as far as keeping the music off the file sharing networks. The costs are higher than the benefits.
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
Every single time there's a story about cash machines or numeric passcodes, somebody repeats this old complaint about redundancy. Thing is that these suffixed generic nouns are not completely redundant, as they help to disambiguate different meanings of a given abbreviation (for example, Automated Teller Machine vs. Asynchronous Transfer Mode). In addition, trademarks should be used as adjectives, with a suffixed generic noun. The canonical example here is "SPAM luncheon meat" even though 'M' stands for meat.
Just Shut The Fuck Up up.
Somebody call in the SWAT team!
Special Weapons And Tactics. You fail it ;-)
GIMP also has a politically incorrect and stupid name which is unprofessional
How is "GNU Image Manipulation Program" any less professional than, say, "Windows Media Player"? Both names consist of an operating system brand followed by a generic name, and both have allegedly unprofessional abbreviations: "GIMP" vs. "WiMP".
It was explained to me thusly - Martinis were stirred in order to not "bruise" the gin, and because it would still be clear when poured. Obviously only posers would worry about these things (and our Mr. Bond was not one of them). A shaken martini would be (theoretically) colder and thus superior. Just another one of the ways that Ian Fleming emphasised how cool and competent (in a late 50s sort of way) Bond really was.
None of them can see the clouds; The polished wings don't care.
... to just open the letter and copy down the PIN?
Bright lights and easy to use software helped University of Cambridge researchers defeat tamper-proofing on letters telling people their new Pin. Say, wait. Is the gimp only easy to use when you want to hack a snail-mail letter?
...but I burn or tear to really small pieces every envelope with the PIN inside it (after reading the PIN of course) and then change my PIN. Most PIN envelopes suggest destroying the paper with the PIN on it immediately after reading it.
I'm using this on mobile phone SIM packages, but I'm not sure if you are allowed to change a credit card PIN.
Maybe it's different with Canadian banks (or just the Royal Bank?). To get a PIN number on your ATM card you have to physically go to a bank and type it in on a terminal at the bank. They don't mail them; nobody but you knows that number (unless you tell them).
I asked a few people and apparently PIN mailers are common to non-Canadians. The three Canadians I asked thought it was incredibly silly that your PIN number would ever be actually printed on paper, and more incredible that it would be mailed.
tomorrow's story: desktop publishing program used to fake documents!
I thought that was last year's story. You know, the entire Dan Rather reports and Microsoft Word margins fiasco....
This is insane; in New Zealand, I set the PIN by visiting the bank. Nowhere is the PIN ever printed out on anything (we're warned that writing it down anywhere is a very stupid idea!); I only ever type it in a keypad at the bank to set it. If my credit card is reissued, it carries my previous PIN (without my ever being told what it is). If I don't know what that PIN is, I visit the bank and reset it in person. IN PERSON.
If my previous credit card didn't have a PIN, my new one doesn't either.
ATM/Debit cards are only reissued in the physical bank itself and have no expiry (they're not routinely reissued), and so I set the PIN then and there when I get a new one (because I lost the old one or something). (They're live instantly.)
(In New Zealand, all ATM cards are also debit cards[1] - we don't have separate debit cards - and are usable to purchase at the overwhelming majority of retailers. It is a shock to find a retailer that won't accept "EFTPOS" as we call it.)
I guess the difference is we are in maintenance mode - we're not deploying to everyone, just maintaining new accounts and people that lose their cards. And we've taken this stuff for granted since 1984. (Yes, New Zealanders have been paying for things using electronic card based transactions at stores since the mid 80's.)
Err, yeah, we've had PINs for transactions for the LAST *TWENTY* YEARS. We've been wondering when the rest of the world will catch up!
[1] Well, sort of. Unlike a US debit card, the transactions are instantaneous; the money is debited from our account right then and there, there's no quibbling.
Meh. The thing with PIN mailers is they closely follow the actual card in the mail. In fact this happened to me.
A thief stole the card from my mailbox, then a few days later stole the PIN as well. They then withdrew the full limit from a few ATMs.
As I was expecting a card that never arrived, I rang the company asking when it would arrive; they said the card had been used, I signed a Stat Dec and the debt was wiped.
The point is... The PIN mailer is in your mailbox along with your card... Why not just open the mailer and use the card in an ATM right away!
Orationem pulchram non habens, scribo ista linea in lingua Latina
I believe Rule #38 also specifically states that the OSS must be mentioned first in the software list for proper emphasis and implicit indictment.
'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
It was the same way in Thailand (at least with relatives' houses, I didn't really live that close to any of my good friends).
For one thing, most of the old, traditional-style Thai houses were open-air.
http://www.orientalarchitecture.com/thaicountryside/thaihousesbindex.htm
Not really much to keep people out.
Everyone pretty much had a tall fence and metal gates around their property. Most were easy to climb, though others were lined with spikes or broken glass on top. Everyone had at least 2 dogs roaming their property, usually 3 or 4. So if you were known to the family and the dogs, you could pretty much walk in and make yourself comfortable, while every other visitor would get a loud welcome.
Since my international school schedule was often out of sync with my Thai cousins' schedules, I'd spend a lot of time with their dogs. These dogs were quite different from American dogs, in that they were only marginally domesticated to respect their owners. Since they had plenty of other dogs in their household, they retained a lot of the wolf-pack mentality.
Anyway, dogs can be poisoned, gates can be scaled, and locks can be defeated. As far as crime was concerned (and I think this is still true in several third world countries) anything is pretty much fair game for thieves unless you actually have an armed guard there protecting your property or neighborhood. Since live-in guards / housekeepers are quite affordable, that's the route many people pretty much take.
So for a Southeast Asian to come here, it's kind of strange to walk into a house and have no one to greet you and let you in, since most of the houses back east basically came occupied full-time.