The project started when Mike Bond noticed that he could read one of his PINs without tampering with the mailer, just by looking carefully. Later Jolyon Clulow and I got involved and found new ways to reveal the PIN, ranging from shining a bright light at the PIN from an angle to scanning the PIN mailer and using the GIMP to enhance the image.
When we realised this was a problem, we contacted the manufacturers and users of these products and helped them develop new PIN mailers which were resistant to these attacks. We sent them a vulnerability report in November 2004 which was privately circulated in the banking community. We planned to publicly release information about the vulnerability 6 months later, but by this stage it was clear that manufacturers were still working on fixing this problem, so we delayed the release another 3 months.
On 31 July 2005 we put the report on our websites, but not much happened for a while. Then SA Mathieson picked the story up and wrote an article for Infosecurity Today on 24 August 2005. Soon after, the BBC picked it up, followed by The Register and PC Pro. Today some other journalists have been phoning Mike, and he was interviewed on the Simon Mayo show on Radio Five Live at about 2pm.
- Laser-printed PIN Mailer Vulnerability Report (PDF 676Kb)
  - The original report which sparked it all off – released on 31 July 2005
  - Also mentioned in the author's blog
- Infosecurity Today: UK banks sent out vulnerable PIN mailers
  - First news article – 24 August 2005
- BBC News online: Poor print exposing Pin numbers
  - More information on the vulnerability, including a response from APACS, the banking industry trade association – 25 August 2005
  - Also published in Turkish Weekly and The News (Pakistan)
  - Commented on by Digital Silence, Addict3ed and Schneier on Security
  - There was a post to the cryptography mailing list about this article, and while our report does not deal with lottery-style scratchcards (where the data is covered by a coating over the toner, rather than being disguised by a coating on the other side of the toner), a follow-up post describes a fairly high-tech but apparently feasible attack on these too.
- The Register: The GIMP threatens PIN number security
  - Article with a slightly different spin – 25 August 2005
  - Also published in IT Observer, SecurityFocus and NewsForge
- PC Pro: Cambridge team reveals PIN vulnerability
  - Brief summary of the vulnerability – 26 August 2005
  - Also published in Computer Shopper
- Slashdot: Graphics Programs Uncover Secret PINs
  - Brief summary along with many comments, many of which are of dubious value
- The Sydney Morning Herald Technology: Razor - Is your PIN secure?
  - Comparison with Australian practices
Update: (26 August 2005) Slashdot added.
Update: (27 August 2005) Turkish Weekly, Digital Silence, IT Observer, SecurityFocus, NewsForge, Addict3ed and Sydney Morning Herald added from Google News.
Update: (28 August 2005) Computer Shopper and The News added.
Update: (30 August 2005) Schneier on Security added.
Update: (31 August 2005) Cryptography mailing list added.