Graphics Programs Uncover Secret PINs

Errtu76 writes "The BBC is running a story stating that, among other programs, The Gimp and Photoshop have been identified as possible tools for uncovering PINs via the mail." From the article: "The researchers collected lots of so-called Pin mailers and then tested how secure they were. Many were defeated using bright lights shone at an angle on to the paper. Other Pins could be read by scanning the letter and then adjusting some of the image qualities in popular programs such as GIMP, Adobe Photoshop and Paintshop Pro."

It's become sentient

OMFG the Gimp icon just looked at me

Re:It's become sentient

[DenDave]

it's oogling us! Beware the gimp ain't asleep... other than that I love it when an article has a "Mr. Bond" my imagine runs wild and I can just see Sean Connery holding a sheet of paper into the light and saying "well I'll just get this off to Q, now get me another vodka-martini, shaken, not stirred.." BTW vodka martini shaken is absolutely delicious! Just make sure you get dry martini! hrmmm *thinking* it's friday, my pal the bartender is working tonight... yep.. time to don the white dinner jacket and light up a cuban... *mumbling* nobody does it better....

Re:It's become sentient

[intangible]

I'd much rather have to deal with this gimp instead of the one from Pulp Fiction.

1 out of 2

[suso]

Now, if only they'd make a program that let's me remotely break into people's mailboxes and steal their mail. Then I'd be all set.

Re:1 out of 2

[Asprin]

Unfortunately, I think your point is going to be lost on some people.

While the article certainly has a point in pointing out the problem, at least in this scenario the criminal has to hit his targets old school: manually and one-at-a-time. This is a time-consuming, slow process that forces them to be in the geographic neighborhood of their victims.

I am more concerned about security privacy issues with data stored online, where you can hack a database 3,000 miles away and get 10 million PINs in an afternoon. Now *that's* an increase in productivity.

Re:1 out of 2

[robslimo]

Agreed. I was wondering how this had anything to do with "Your Rights Online," but a remote mailbox exploit might do the trick.

Let's get cracking.

Re:1 out of 2

[rf0]

I've been seeing people recommending that you now write password down on postits on your montor as its actually more secure than most online passwords now days

rus

Re:1 out of 2

[ArsonSmith]

I use passwdgen and make 3-5 passwords and write them on sticky notes and stick to my monitor. Kinda funny when people ask, "Arent you the security guy?"

Re:1 out of 2

[Qil'elPhil]

I think the point is that none of the passwords on the sticky note are actually in use.

Which begs the really Zen-like question:

"If a password is not in use, is it really a password or just a bunch of letters and numbers (and whatever else you use)?"

Don't tell me...

[It+doesn't+come+easy]

No one knew until now that scanning a document in black and white and adjusting the black/white threshold value can make it easier to read marginal text? Wow. Sounds like a patent application to me. Whatever.

Better recourse

[Alex+P+Keaton+in+da]

Hopefully though, this discovery will further bring to light all the lax security that companies that control our personal information have. It would be nice to see data brokers and banks start to care about security a little more.
And the fact that if your info gets out and someone exploits it, it is such a hassle to clear your good name/credit.
That being said- locks only keep honest men out... In the military locks are known as "delaying devices"
If someone wants your info, and are willing to break out the scanner and start graphics manipulation to get it, well, they are likely to get it. But wouldn't it just be easier to hit strangers about the head with a sock of nickels and take their cash?

Re:Better recourse

[Jeff+DeMaagd]

That being said- locks only keep honest men out... In the military locks are known as "delaying devices"

I think the "delaying devices" is exactly the key to their usefulness though. Every bit of difficulty in cirvumventing a device is useful in making it less worth a criminal's time to bypass it.

Sometimes I get the sense from the Slashdot crowd that something isn't worth doing because perfection is impossible, perfect security being a prime example. I would like to ask, does that mean we quit using security measures? Do the people that say that leave their cars, homes and possessions unlocked? It would seem that is the logical conclusion of such an argument. If a person truly believed it the argument., then locking things is something a person doesn't do.

Re:Better recourse

[avalys]

locks only keep honest men out

An honest man keeps himself out.

Re:Better recourse

[Alex+P+Keaton+in+da]

Sometimes I get the sense from the Slashdot crowd that something isn't worth doing because perfection is impossible, perfect security being a prime example. I would like to ask, does that mean we quit using security measures?
I believe you and I are on the same page. My point is, that no security is perfect. Not that it means we shouldn't secure our possesions, but rather that if someone really wants something, and is willing to go to any means to get it, then they are likely to succeed...
My point was that any security can be defeated, and if people are willing to break out the scanner and learn photoshop, they are likely to get what they want through that or other means.
We all need to decide for ourselves what we believe our personal level of security needs to be, whether it is a wide open door, or a deadbolt lock. What does worry me, are people who have our info without our experessed permission (i.e. data brokers) and are lax with security...

Re:Better recourse

[rknop]

Hopefully though, this discovery will further bring to light all the lax security that companies that control our personal information have. It would be nice to see data brokers and banks start to care about security a little more.

Heh. Hopefully.

More likely, it will bring calls to limit these nefarious tools that can be used for criminal purposes. We already are paranoid about color printers running off images of dollar bills. Now we'd better make laws saying that any image processing program must contain checks against this sort of thing.

I will not be surprised if that response is seriously proposed.

Hell, under the DMCA, it may be illegal to download Gimp now. After all, it is a tool that has been demonstrated to break an effective security measure (the paper around a PIN number), although the PIN number may not be IP and thus may not be covered under the DMCA.

But we also have the Grokster case as precedent to allow us to hold the Gimp developers responsible for this use of their tool.

-Rob

Re:Better recourse

[Have+Blue]

"Integrity means doing the right thing when no one is watching." -anonymous

Re:Better recourse

[ArsonSmith]

No, Locks keep lazy men honest.

Re:Better recourse

[cdn2k1]

No, beer keeps honest men lazy.

Re:Better recourse

[Frank+T.+Lofaro+Jr.]

Well in the military, "denial devices" are not something you'd ever want to encounter, so "delaying devices" is usually what you use. :)

Hitting strangers with a sock of nickels isn't Slashdot worthy. Hiting them with a sock full of RFID identification tags is. :)

And hence..

[domipheus]

And hence the reason for sending the pin seperately from the card becomes clear.

Nothing to see here... yet again.

Scratch-off lottery tickets?

If someone owned a convience store, wouldn't it be possible to scan the un-scratched tickets looking for the "big winner" without having to pay for them all?

Re:Scratch-off lottery tickets?

[Paul+Neubauer]

Something similar happened at least once. It took two people. One at the store to pull the reel of tickets and one with access to some medical machine. They looked through the roll with the medical scanner, took out and bought the winning tickets and put the broken up roll back. They were caught when someone else at the store noticed that the roll had several odd breaks. And probably that someone was a little too lucky.

Securely store or shred

[Winterblink]

Me, whenever I get one of these things I either shred the bejesus out of it or store it in a secure place. I NEVER trust the trash for things like this, or even receipts from places I use my credit card. Lots of them still print the whole number on the paper. :/

two sheets of mylar

[Speare]

I've always wondered why they didn't just slip some mylar film into those mailers. Mylar was designed in wartime as radar chaff, but is more likely seen today as the bag around your snack or a helium balloon.

The existing patterned ink method was adopted because of cost, but really, tacking some mylar onto the form would be cheaper than tacking those thick plastic fake credit cards into those credit offers they flood you with. Yeah, I know: marketing budget can afford fake credit cards but the operations budget can't afford mylar for security.

Re:two sheets of mylar

[Mignon]

Mylar was designed in wartime as radar chaff

How well does it work at blocking CIA mind-control rays? I'm worried that my tinfoil hat isn't up to the task against their post-9/11 spy satellite upgrades.

Re:two sheets of mylar

[maxwell+demon]

Don't worry. The fact that you still worry shows that mind control still doesn't work. It's when you stop worrying, then you should worry.

Re:two sheets of mylar

[Pig+Hogger]

I've always wondered why they didn't just slip some mylar film into those mailers. Mylar was designed in wartime as radar chaff, but is more likely seen today as the bag around your snack or a helium balloon.

If you look carefully, metallized mylar is not opaque (mylar itself is quite transparent), just like any sufficiently metal film.

Next you'll tell us...

[Gopal.V]

To carry your ATM card in tin-foil faraday cage because it can be read by a device hidden in your office elevator ?.

PIN codes are just there to protect a person's card from random pickpocketing. Also this "exploit" needs access to the mail containing the PIN , before the user reads it and changes it. It is very unlikely that somebody will be able to do this easily - the obvious suspects being your kid brother who signed for your credit card when it came at your home and your shopping crazy sister. It needs very clear physical access on day-to-day basis.

This belongs in the same category as mothers steaming opening letters - maybe you should read Saki's shock tactics about how to handle that scenario.

Overhyped title

[Iriel]

The key point of this article (before the industry response) is not about some great new way to use photo editing software to steal someone's PIN number. The majority of it discusses the dangers of using new methods of mailing PIN and passwords that can be read by the HUMAN EYE, sometimes with no more technology than the ability to tilt the paper and shine a bright light.

The problem is not with the gimp or photoshop, but poor printing techniques that could put your 'secure' password information at risk with the simplest of methods. It still deserves a mention in YRO because I've even had a few letters mailed to me with PIN information like this. The letter had already been partially broken on one side due to handling, and I could see the PIN in the sunlight through the thin sheet even though that thin sheet is meant to let you know if someone has tampered with your information.

Kind of silly

[kevin_conaway]

I don't understand the practical applications of this attack outside the realm of academia.

So they can steal your mail? If they've stolen it, why not just open it and read the pin?

If someone is targetting you to steal your money, they would have to steal the pin number and then check back every day to see if the card came. Doesn't seem very practical to me.

Re:Kind of silly

[SimilarityEngine]

Perhaps they could intercept your mail, obtain your PIN, place the letter back in your mailbox (so you have no reason to be on your guard or change your PIN), follow you carefully into town, steal your wallet (maybe without you knowing, but a simple mugging would do) ...

Far fetched? Depends on whether this little security hole becomes well known in the wrong circles. Also, where I work the same kind of system is use to protect wage-slips - which have employee payroll numbers, bank details, social security numbers etc. on, so there is potentially a broader problem here. Think I might have a word with my manager....

UK Banks

[Detritus]

Aren't these the same banks that had a police officer prosecuted for attempted fraud because he inquired about some suspicious transactions in his bank account? The premise being that bank systems are secure and perfect, therefore the customer must be at fault.

I can see them taking the same attitude towards PINs. Any abuse must be the customer's fault, since no one else could have known the PIN.

Nothing new, really.

[Pig+Hogger]

Some 20 years ago, around Montréal, a lottery-scamming ring was uncovered, who operated with "pouch-type" lottery tickets (a ticket enclosed in an transparency-obfuscating enveloppe). They had a network of operatives who worked at convenience store, and swapped unknown tickets with "known ungood" tickets.

They were able to see through the enveloppe obfuscation using a slide projector as a bright light (and undoubtely a fair number of aspirins).

A better way....

[yoey]

An even better way of reading the PIN is to open up the envelope and look inside. One doesn't even need a computer for that.

The usual /. Spin

[Xentor]

Yes, that's right... Big, powerful headline... Why not just say something like:

"All your pin are belong to GIMP!"

This has nothing to do with the graphics programs and everything to do with bad-quality printing methods.

My 100% effective solution

Wrap the PIN mailings inside bank notes. All these programs should have banknote scanning prevention as Uncle Sam mandates, so covering the mailings inside of bank notes should solve the PIN theft problem. If this causes the currency theft problem to rise, we can simple wrap the currency inside gold leaf.

Re:Bah.

[Poromenos1]

Haha, probably. But then the mods were also redundant by modding it as redundant twice :p

Criminal

[PhYrE2k2]

Opening or intercepting mail (at least in the US and Canada) not addressed to you is a criminal offense. So we're already talking criminals who have to commit an offense here in order to do so. At that point, why not open it? You're already stealing mail, you're about to steal a PIN number and hence some money from a bank where you'll be on video camera, who not just open the damn message- the person won't know for a few days that it's not arrived yet.

When did a criminal get this sudden hit of "oh my- what am I doing- I can't _OPEN_ this letter! I'll just scan it and see what i can find". This is someone who already intercepted mail and is about to commit fraud. Just open the envelope and call it a day.

FYI: From the Canada Post Corporation Act

Every person commits an offence who, except where expressly authorized by or under this Act, the Customs Act or the Proceeds of Crime (Money Laundering) and Terrorist Financing Act, knowingly opens, keeps, secretes, delays or detains, or permits to be opened, kept, secreted, delayed or detained, any mail bag or mail or any receptacle or device authorized by the Corporation for the posting of mail.

Every person commits an offence who unlawfully and knowingly abandons, misdirects, obstructs, delays or detains the progress of any mail or mail conveyance.

Re:Criminal

[dk.r*nger]

At that point, why not open it?

Because you want the victim to actually recieve the letter, activate the card and not be suspicious. Otherwise you'll just have the PIN of an inactive credit card, which is worth squat/zip/nada.

Mailing the PIN and relying on that it will arrive unread is an important part of the chain of trust on credit cards.

DUSTER!

[bigattichouse]

I just discovered that duster cans (those little cans that blow dust out of your keyboard) when turned upsidedown will blow coolant.

Aim this coolant at a sealed envelope and it makes the paper transparent.

Re:DUSTER!

[bigattichouse]

forgot.. in a reasonably non-humid atmosphere, the fluid evaporates without condensing too much water.. leaving the envelope not too much worse for wear.

Dr Nick

[kevin_conaway]

In the immortal words of Dr. Nick's Diet:

"If you're unsure about something, rub it against a piece of paper. If the paper turns clear, its your window to weight gain!"

Have fun eating greasy chicken and stealing PIN numbers

/ Thats right, I said PIN Number.

// On my way to the ATM machine.

Re:PIN Number

[Fahrvergnuugen]

Or how about "Built on NT Technology" right in the win2k startup screen.

Re:PIN Number

[syrinx]

How else will we access our accounts in the ATM machines, other than by putting in our PIN numbers and reading the LCD display?

RFC - SPIT and the digitalisation of all paper

[ACORN_USER]

I'm sick to death with paper and important papers in particular. I think that in this day and age, it is really a joke that I have worry about draws filled with crumpled and unread letters printed in red ink.

With all the fuss over identity theft and so forth, I propose SPIT ( Spit on PDA Id Tracking )which boils down to a Pocket PC's which you SPIT on. After your spit has been authenticated, you can use your snot key to decrypt all documents which were previously paper based!

Please feel free to contribute your own spit to this new project.

And it goes a little something like this...

[McTaggart]

You edit curves and drag the centre of the curve down a bit I believe. Also useful for reading notes on the page underneath the one they were written on.

Other ways of reading the PINs

[RagingChipmunk]

In the book "Spy Catcher" (late 80s) an ex-MI5 guy writes the various ways they used to read the contents of letters without opening the envelope. One clever was was to use a long, thin strip of bamboo to "twirl" the letter around inside the envelope and read it as it was 'scrolling' by.

Other, easier ways include spraying the envelope with automotive-freon. The envelope becomes transparent while wet, and within seconds the freon completely evaporates.

Other inventive ideas: Use a strand of high quality fiber optics to have a peek inside.

Point being, wouldnt it be far more sensible to NOT include the PIN ?!?! Duh.

That's all we need...

[cdn2k1]

is for GIMP and Photoshop to be found illegal under the Patriot Act...

Mod myself down... RTFA

[Kamiza+Ikioi]

Well, I'm going to opt to mod myself down a bit on that one. Always a good idea to RTFA before posting, heh. Apparently these pins are for ATMs, and thus, pretty much makes (most of) my above post irrelevant.

I was thinking of the security pin located on the back of most credit cards.

In this case, then, I'm in full agreement with the parent of my original post, though this is something that should be fixed... possibly through online pin activation:

Mail someone a temporary pin they have to enter online to get a one time view of the real pin. After the first view, no other views allowed. Thus, you really wouldn't even need that much initial security in the mailing, as no two people could view the pin, and if a second view was attempted, the issuer could be alerted to potential fraud.

Non photographic blue ink

Why don't they just use non photographic blue ink? It won't show up on xerox's and near impossible to make it show up properly on a scanner, especially if it was obfuscated by the envelope. If no one here knows, you can get non photographic blue pencils, comic artists frequently use them so the inker doesn't have to do as much clean up before they start doing the color layers.

ego inflation

[dan+the+person]

I knew this article would eventually make it to slashdot after i saw the rare mention of the GIMP in mainstream media...

Re:PIN Number

[xtracto]

Man... I really hate those TLA acronyms...

Re:Provide PIN over the phone?

[Charles+Dodgeson]

I would think that this type of a system not only thwarts your average pickpockets and mail thieves, but also more ambitious criminals who are willing to go a step further. You'd have to 1) either fake the originating phone #, 2) break into the owner's home and get the actual PIN using their own phone, or 3) have personal details like last four of a SSN-type number, address, birthdate, etc., and by that time the problem is bigger than a stolen PIN.

Faking a caller line ID is easy. Any modern PBX system can do it, such as asterisk. As for your number three, that information is much easier to get then a PIN.

Re:Applicability to "Scratch and Save" Coupons?

[sjmurdoch]

The report (PDF 767kB) deals with the type of PIN mailers where the PIN is printed on the top layer of the paper, but there is a "scramble pattern" underneath it which prevents you from reading the PIN. The scramble pattern is either peeled away or scratched off. If you can pick out the difference between the toner and the scramble pattern you can read the PIN.

I guess what you are talking about is where the data is printed then covered with a scratch off layer. This technology is common for lottery cards but I have never heard of it being used for PINs. Here you need to see through this layer to get at the data underneath, so the tricks mentioned in the report won't work.

(I am one of the authors of the report)