
Fri, Aug. 26th, 2005, 01:21 pm
Publicity about my "Laser-printed PIN Mailer Vulnerability Report"

Since October 2004 I have been investigating the security of tamper-evident laser-printer PIN mailers. These are sheets of paper with a special patch where you print the PIN using a normal laser printer. The intention is that you can't read the PIN until you peel off a bit of plastic or scratch off a coating, depending on the technology. For example, probably the most widespread type is Hydalam. Then you shouldn't be able to put the patch back to its previous state without leaving some evidence of tampering. This is so someone can't intercept your PIN in the mail, read it and put it back, without the legitimate recipient noticing.

The project started when Mike Bond noticed that he could read one of his PINs without tampering with it, just by looking carefully. Later Jolyon Clulow and I got involved and found new ways to reveal the PIN, ranging from shining a bright light at the PIN from an angle to scanning the PIN mailer and using the GIMP to enhance the image.

When we realised this was a problem, we contacted the manufacturers and users of these products and helped them develop new PIN mailers which were resistant to these attacks. We sent them a vulnerability report in November 2004 which was privately circulated in the banking community. We planned to publicly release information about the vulnerability 6 months later, but by this stage it was clear that manufacturers were still working on fixing this problem, so we delayed the release by another 3 months.

On 31 July 2005 we put the report on our websites, but not much happened for a while. Then SA Mathieson picked the story up and wrote an article for Infosecurity Today on 24 August 2005. Soon after, the BBC picked it up, followed by The Register and PC Pro. Today some other journalists have been phoning Mike and he was interviewed on the Simon Mayo show on Radio Five Live at about 2pm.


Laser-printed PIN Mailer Vulnerability Report (PDF 676Kb)

The original report which sparked it all off – released on 31 July 2005

Also mentioned in the author's blog


Infosecurity Today: UK banks sent out vulnerable PIN mailers

First news article – 24 August 2005


BBC News online: Poor print exposing Pin numbers

More information on the vulnerability, including a response from APACS, the banking industry trade association – 25 August 2005

Also published in Turkish Weekly and The News (Pakistan)

Commented on by Digital Silence, Addict3ed and Schneier on Security

There was a post to the cryptography mailing list about this article and while our report does not deal with lottery-style scratchcards (where the data is covered by a coating over the toner, rather than being disguised by a coating on the other side of the toner), a followup post describes a fairly high-tech but apparently feasible attack on these too.

The Register: The GIMP threatens PIN number security

Article with a slightly different spin – 25 August 2005

Also published in IT Observer, SecurityFocus and NewsForge


PC Pro: Cambridge team reveals PIN vulnerability

Brief summary of the vulnerability – 26 August 2005

Also published in Computer Shopper


Slashdot: Graphics Programs Uncover Secret PINs

Brief summary along with many comments, many of which are of dubious value


The Sydney Morning Herald Technology: Razor - Is your PIN secure?

Comparison with Australian practices



Update: (26 August 2005) Slashdot added.

Update: (27 August 2005) Turkish Weekly, Digital Silence, IT Observer, SecurityFocus, NewsForge, Addict3ed and Sydney Morning Herald added from Google News.

Update: (28 August 2005) Computer Shopper and The News added.

Update: (30 August 2005) Schneier on Security added.

Update: (31 August 2005) Cryptography mailing list added.

Fri, Aug. 26th, 2005 03:22 pm (UTC)
maxleon

Ahh, read that in The Register today. Research well done, but do these people really care? Doesn't look so from the comments by the banks.

Sun, Aug. 28th, 2005 09:34 pm (UTC)
sjmurdoch

The manufacturers of PIN mailers that we have been in contact with certainly appear to be working on the problem and have produced new products which will hopefully defend against these attacks. We have had less feedback from the banks, but they do appear to be taking notice, although there are still some which are sending out the same, known vulnerable, mailers which they were using in October 2004.