Slashdot Mirror
Graphics Programs Uncover Secret PINs
Errtu76 writes "The BBC is running a story stating that, among other programs, The Gimp and Photoshop have been identified as possible tools for uncovering PINs via the mail." From the article: "The researchers collected lots of so-called Pin mailers and then tested how secure they were. Many were defeated using bright lights shone at an angle on to the paper. Other Pins could be read by scanning the letter and then adjusting some of the image qualities in popular programs such as GIMP, Adobe Photoshop and Paintshop Pro."
OMFG the Gimp icon just looked at me
No one knew until now that scanning a document in black and white and adjusting the black/white threshold value can make it easier to read marginal text? Wow. Sounds like a patent application to me. Whatever.
The NSA: The only part of the US government that actually listens.
Hopefully though, this discovery will further bring to light all the lax security that companies that control our personal information have. It would be nice to see data brokers and banks start to care about security a little more.
And the fact that if your info gets out and someone exploits it, it is such a hassle to clear your good name/credit.
That being said- locks only keep honest men out... In the military locks are known as "delaying devices"
If someone wants your info, and are willing to break out the scanner and start graphics manipulation to get it, well, they are likely to get it. But wouldn't it just be easier to hit strangers about the head with a sock of nickels and take their cash?
And All I Ask is a Tall Ship And a Star to Steer Her By
And hence the reason for sending the pin seperately from the card becomes clear.
Nothing to see here... yet again.
Me, whenever I get one of these things I either shred the bejesus out of it or store it in a secure place. I NEVER trust the trash for things like this, or even receipts from places I use my credit card. Lots of them still print the whole number on the paper. :/
"I'm a leaf on the wind. Watch how I soar."
-Hoban Washburn
The existing patterned ink method was adopted because of cost, but really, tacking some mylar onto the form would be cheaper than tacking those thick plastic fake credit cards into those credit offers they flood you with. Yeah, I know: marketing budget can afford fake credit cards but the operations budget can't afford mylar for security.
[
To carry your ATM card in tin-foil faraday cage because it can be read by a device hidden in your office elevator ?.
PIN codes are just there to protect a person's card from random pickpocketing. Also this "exploit" needs access to the mail containing the PIN , before the user reads it and changes it. It is very unlikely that somebody will be able to do this easily - the obvious suspects being your kid brother who signed for your credit card when it came at your home and your shopping crazy sister. It needs very clear physical access on day-to-day basis.
This belongs in the same category as mothers steaming opening letters - maybe you should read Saki's shock tactics about how to handle that scenario.
Quidquid latine dictum sit, altum videtur
The key point of this article (before the industry response) is not about some great new way to use photo editing software to steal someone's PIN number. The majority of it discusses the dangers of using new methods of mailing PIN and passwords that can be read by the HUMAN EYE, sometimes with no more technology than the ability to tilt the paper and shine a bright light.
The problem is not with the gimp or photoshop, but poor printing techniques that could put your 'secure' password information at risk with the simplest of methods. It still deserves a mention in YRO because I've even had a few letters mailed to me with PIN information like this. The letter had already been partially broken on one side due to handling, and I could see the PIN in the sunlight through the thin sheet even though that thin sheet is meant to let you know if someone has tampered with your information.
Perfecting Discordia
www.stevenvansickle.com
They were able to see through the enveloppe obfuscation using a slide projector as a bright light (and undoubtely a fair number of aspirins).
Unfortunately, I think your point is going to be lost on some people.
While the article certainly has a point in pointing out the problem, at least in this scenario the criminal has to hit his targets old school: manually and one-at-a-time. This is a time-consuming, slow process that forces them to be in the geographic neighborhood of their victims.
I am more concerned about security privacy issues with data stored online, where you can hack a database 3,000 miles away and get 10 million PINs in an afternoon. Now *that's* an increase in productivity.
"Lawyers are for sucks."
- Doug McKenzie
Agreed. I was wondering how this had anything to do with "Your Rights Online," but a remote mailbox exploit might do the trick.
Let's get cracking.
Something similar happened at least once. It took two people. One at the store to pull the reel of tickets and one with access to some medical machine. They looked through the roll with the medical scanner, took out and bought the winning tickets and put the broken up roll back. They were caught when someone else at the store noticed that the roll had several odd breaks. And probably that someone was a little too lucky.
I don't subscribe to RMS's GNUtopian vision.
I've been seeing people recommending that you now write password down on postits on your montor as its actually more secure than most online passwords now days
rus
Cheap UK and US VPS
When did a criminal get this sudden hit of "oh my- what am I doing- I can't _OPEN_ this letter! I'll just scan it and see what i can find". This is someone who already intercepted mail and is about to commit fraud. Just open the envelope and call it a day.
FYI: From the Canada Post Corporation Act
when you see the word 'Linux', drink!
I just discovered that duster cans (those little cans that blow dust out of your keyboard) when turned upsidedown will blow coolant.
Aim this coolant at a sealed envelope and it makes the paper transparent.
meh
In the immortal words of Dr. Nick's Diet:
// On my way to the ATM machine.
"If you're unsure about something, rub it against a piece of paper. If the paper turns clear, its your window to weight gain!"
Have fun eating greasy chicken and stealing PIN numbers
/ Thats right, I said PIN Number.
I use passwdgen and make 3-5 passwords and write them on sticky notes and stick to my monitor. Kinda funny when people ask, "Arent you the security guy?"
Paying taxes to buy civilization is like paying a hooker to buy love.
I knew this article would eventually make it to slashdot after i saw the rare mention of the GIMP in mainstream media...
I think the point is that none of the passwords on the sticky note are actually in use.
Which begs the really Zen-like question:
"If a password is not in use, is it really a password or just a bunch of letters and numbers (and whatever else you use)?"
This sig is made from 100% recycled bytes. No keys were typed in the creation process.
Man... I really hate those TLA acronyms...
Ubuntu is an African word meaning 'I can't configure Debian'
The report (PDF 767kB) deals with the type of PIN mailers where the PIN is printed on the top layer of the paper, but there is a "scramble pattern" underneath it which prevents you from reading the PIN. The scramble pattern is either peeled away or scratched off. If you can pick out the difference between the toner and the scramble pattern you can read the PIN.
I guess what you are talking about is where the data is printed then covered with a scratch off layer. This technology is common for lottery cards but I have never heard of it being used for PINs. Here you need to see through this layer to get at the data underneath, so the tricks mentioned in the report won't work.
(I am one of the authors of the report)
Steven Murdoch.
web: http://www.cl.cam.ac.uk/users/sjm217/