Slashdot Mirror


Graphics Programs Uncover Secret PINs

Errtu76 writes "The BBC is running a story stating that, among other programs, The Gimp and Photoshop have been identified as possible tools for uncovering PINs via the mail." From the article: "The researchers collected lots of so-called Pin mailers and then tested how secure they were. Many were defeated using bright lights shone at an angle on to the paper. Other Pins could be read by scanning the letter and then adjusting some of the image qualities in popular programs such as GIMP, Adobe Photoshop and Paintshop Pro."

23 of 363 comments

  1. It's become sentient by Anonymous Coward · · Score: 5, Funny

    OMFG the Gimp icon just looked at me

  2. Don't tell me... by It doesn't come easy · · Score: 4, Funny

    No one knew until now that scanning a document in black and white and adjusting the black/white threshold value can make it easier to read marginal text? Wow. Sounds like a patent application to me. Whatever.

    --
    The NSA: The only part of the US government that actually listens.
  3. Better recourse by Alex P Keaton in da · · Score: 4, Interesting

    Hopefully though, this discovery will further bring to light all the lax security that companies that control our personal information have. It would be nice to see data brokers and banks start to care about security a little more.
    And the fact that if your info gets out and someone exploits it, it is such a hassle to clear your good name/credit.
    That being said, locks only keep honest men out... In the military, locks are known as "delaying devices".
    If someone wants your info, and is willing to break out the scanner and start graphics manipulation to get it, well, they are likely to get it. But wouldn't it just be easier to hit strangers about the head with a sock of nickels and take their cash?

    --
    And All I Ask is a Tall Ship And a Star to Steer Her By
    1. Re:Better recourse by avalys · · Score: 4, Insightful

      locks only keep honest men out

      An honest man keeps himself out.

      --
      This space intentionally left blank.
    2. Re:Better recourse by Have Blue · · Score: 4, Insightful

      "Integrity means doing the right thing when no one is watching." -anonymous

    3. Re:Better recourse by ArsonSmith · · Score: 5, Insightful

      No, Locks keep lazy men honest.

      --
      Paying taxes to buy civilization is like paying a hooker to buy love.
    4. Re:Better recourse by cdn2k1 · · Score: 5, Funny

      No, beer keeps honest men lazy.

  4. And hence.. by domipheus · · Score: 5, Insightful

    And hence the reason for sending the PIN separately from the card becomes clear.

    Nothing to see here... yet again.

  5. Securely store or shred by Winterblink · · Score: 4, Insightful

    Me, whenever I get one of these things I either shred the bejesus out of it or store it in a secure place. I NEVER trust the trash for things like this, or even receipts from places I use my credit card. Lots of them still print the whole number on the paper. :/

    --
    "I'm a leaf on the wind. Watch how I soar."
    -Hoban Washburn
  6. two sheets of mylar by Speare · · Score: 4, Interesting

    I've always wondered why they didn't just slip some mylar film into those mailers. Mylar was designed in wartime as radar chaff, but is more likely seen today as the bag around your snack or a helium balloon.

    The existing patterned ink method was adopted because of cost, but really, tacking some mylar onto the form would be cheaper than tacking those thick plastic fake credit cards into those credit offers they flood you with. Yeah, I know: marketing budget can afford fake credit cards but the operations budget can't afford mylar for security.

    --
    [ .sig file not found ]
    1. Re:two sheets of mylar by Mignon · · Score: 4, Funny

      Mylar was designed in wartime as radar chaff

      How well does it work at blocking CIA mind-control rays? I'm worried that my tinfoil hat isn't up to the task against their post-9/11 spy satellite upgrades.

    2. Re:two sheets of mylar by Pig Hogger · · Score: 4, Informative

      I've always wondered why they didn't just slip some mylar film into those mailers. Mylar was designed in wartime as radar chaff, but is more likely seen today as the bag around your snack or a helium balloon.

      If you look carefully, metallized mylar is not opaque (mylar itself is quite transparent), just like any sufficiently thin metal film.
  7. Next you'll tell us... by Gopal.V · · Score: 4, Insightful

    To carry your ATM card in a tin-foil Faraday cage because it can be read by a device hidden in your office elevator?

    PIN codes are just there to protect a person's card from random pickpocketing. Also this "exploit" needs access to the mail containing the PIN, before the user reads it and changes it. It is very unlikely that somebody will be able to do this easily - the obvious suspects being your kid brother who signed for your credit card when it came to your home and your shopping-crazy sister. It needs very clear physical access on a day-to-day basis.

    This belongs in the same category as mothers steaming open letters - maybe you should read Saki's shock tactics about how to handle that scenario.

  8. Overhyped title by Iriel · · Score: 5, Insightful

    The key point of this article (before the industry response) is not about some great new way to use photo editing software to steal someone's PIN number. The majority of it discusses the dangers of using new methods of mailing PIN and passwords that can be read by the HUMAN EYE, sometimes with no more technology than the ability to tilt the paper and shine a bright light.

    The problem is not with the gimp or photoshop, but poor printing techniques that could put your 'secure' password information at risk with the simplest of methods. It still deserves a mention in YRO because I've even had a few letters mailed to me with PIN information like this. The letter had already been partially broken on one side due to handling, and I could see the PIN in the sunlight through the thin sheet even though that thin sheet is meant to let you know if someone has tampered with your information.

    --
    Perfecting Discordia
    www.stevenvansickle.com
  9. Re:1 out of 2 by Asprin · · Score: 5, Insightful


    Unfortunately, I think your point is going to be lost on some people.

    While the article certainly has a point in pointing out the problem, at least in this scenario the criminal has to hit his targets old school: manually and one-at-a-time. This is a time-consuming, slow process that forces them to be in the geographic neighborhood of their victims.

    I am more concerned about security privacy issues with data stored online, where you can hack a database 3,000 miles away and get 10 million PINs in an afternoon. Now *that's* an increase in productivity.

    --
    "Lawyers are for sucks."
    - Doug McKenzie
  10. Re:Scratch-off lottery tickets? by Paul Neubauer · · Score: 4, Interesting

    Something similar happened at least once. It took two people. One at the store to pull the reel of tickets and one with access to some medical machine. They looked through the roll with the medical scanner, took out and bought the winning tickets and put the broken up roll back. They were caught when someone else at the store noticed that the roll had several odd breaks. And probably that someone was a little too lucky.

    --
    I don't subscribe to RMS's GNUtopian vision.
  11. Criminal by PhYrE2k2 · · Score: 4, Insightful

    Opening or intercepting mail (at least in the US and Canada) not addressed to you is a criminal offense. So we're already talking criminals who have to commit an offense here in order to do so. At that point, why not open it? You're already stealing mail, you're about to steal a PIN number and hence some money from a bank where you'll be on video camera, why not just open the damn message - the person won't know for a few days that it hasn't arrived yet.

    When did a criminal get this sudden hit of "oh my - what am I doing - I can't _OPEN_ this letter! I'll just scan it and see what I can find"? This is someone who already intercepted mail and is about to commit fraud. Just open the envelope and call it a day.

    FYI: From the Canada Post Corporation Act
    Every person commits an offence who, except where expressly authorized by or under this Act, the Customs Act or the Proceeds of Crime (Money Laundering) and Terrorist Financing Act, knowingly opens, keeps, secretes, delays or detains, or permits to be opened, kept, secreted, delayed or detained, any mail bag or mail or any receptacle or device authorized by the Corporation for the posting of mail.

    Every person commits an offence who unlawfully and knowingly abandons, misdirects, obstructs, delays or detains the progress of any mail or mail conveyance.
    --
    when you see the word 'Linux', drink!
    1. Re:Criminal by dk.r*nger · · Score: 5, Insightful

      At that point, why not open it?

      Because you want the victim to actually receive the letter, activate the card and not be suspicious. Otherwise you'll just have the PIN of an inactive credit card, which is worth squat/zip/nada.

      Mailing the PIN and relying on that it will arrive unread is an important part of the chain of trust on credit cards.

  12. DUSTER! by bigattichouse · · Score: 4, Interesting

    I just discovered that duster cans (those little cans that blow dust out of your keyboard) when turned upside down will blow coolant.

    Aim this coolant at a sealed envelope and it makes the paper transparent.

    --
    meh
  13. Dr Nick by kevin_conaway · · Score: 5, Funny

    In the immortal words of Dr. Nick's Diet:

    "If you're unsure about something, rub it against a piece of paper. If the paper turns clear, it's your window to weight gain!"

    Have fun eating greasy chicken and stealing PIN numbers

    / That's right, I said PIN Number.

    // On my way to the ATM machine.

  14. Re:1 out of 2 by ArsonSmith · · Score: 4, Funny

    I use passwdgen and make 3-5 passwords and write them on sticky notes and stick them to my monitor. Kinda funny when people ask, "Aren't you the security guy?"

    --
    Paying taxes to buy civilization is like paying a hooker to buy love.
  15. ego inflation by dan the person · · Score: 4, Funny

    I knew this article would eventually make it to Slashdot after I saw the rare mention of the GIMP in mainstream media...

  16. Re:1 out of 2 by Qil'elPhil · · Score: 4, Funny

    I think the point is that none of the passwords on the sticky note are actually in use.

    Which begs the really Zen-like question:

    "If a password is not in use, is it really a password or just a bunch of letters and numbers (and whatever else you use)?"

    --
    This sig is made from 100% recycled bytes. No keys were typed in the creation process.