Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
The Gimp Privacy Software

Graphics Programs Uncover Secret PINs 363

Errtu76 writes "The BBC is running a story stating that, among other programs, The Gimp and Photoshop have been identified as possible tools for uncovering PINs via the mail." From the article: "The researchers collected lots of so-called Pin mailers and then tested how secure they were. Many were defeated using bright lights shone at an angle on to the paper. Other Pins could be read by scanning the letter and then adjusting some of the image qualities in popular programs such as GIMP, Adobe Photoshop and Paintshop Pro."
This discussion has been archived. No new comments can be posted.

Graphics Programs Uncover Secret PINs

Comments Filter:
  • by Anonymous Coward on Friday August 26, 2005 @08:45AM (#13406975)
    OMFG the Gimp icon just looked at me
    • it's oogling us! Beware the gimp ain't asleep... other than that I love it when an article has a "Mr. Bond" my imagine runs wild and I can just see Sean Connery holding a sheet of paper into the light and saying "well I'll just get this off to Q, now get me another vodka-martini, shaken, not stirred.." BTW vodka martini shaken is absolutely delicious! Just make sure you get dry martini! hrmmm *thinking* it's friday, my pal the bartender is working tonight... yep.. time to don the white dinner jacket and
    • Yeah , scared the crap out of me too! Only seems to do it during certain mouse movements.
    • I'd much rather have to deal with this gimp instead of the one from Pulp Fiction.
  • 1 out of 2 (Score:2, Funny)

    by suso ( 153703 ) *
    Now, if only they'd make a program that let's me remotely break into people's mailboxes and steal their mail. Then I'd be all set.
    • Re:1 out of 2 (Score:5, Insightful)

      by Asprin ( 545477 ) <(gsarnold) (at) (yahoo.com)> on Friday August 26, 2005 @09:01AM (#13407146) Homepage Journal

      Unfortunately, I think your point is going to be lost on some people.

      While the article certainly has a point in pointing out the problem, at least in this scenario the criminal has to hit his targets old school: manually and one-at-a-time. This is a time-consuming, slow process that forces them to be in the geographic neighborhood of their victims.

      I am more concerned about security privacy issues with data stored online, where you can hack a database 3,000 miles away and get 10 million PINs in an afternoon. Now *that's* an increase in productivity.
      • by rf0 ( 159958 ) <rghf@fsck.me.uk> on Friday August 26, 2005 @09:15AM (#13407302) Homepage
        I've been seeing people recommending that you now write password down on postits on your montor as its actually more secure than most online passwords now days

        rus
      • "slow process that forces them to be in the geographic neighborhood of their victims."

        This is very true. But lets not forget one of the oldest scams in the book. Ship bogus credit card products to an abandoned location with instructions to leave at the door. Only, with this, you could ship products to your neighbor's house (when you know they won't be there) with that neighbor's credit card and proper pin.

        Because the number, pin, and address were all to the same person, it makes it much harder on the car
    • Agreed. I was wondering how this had anything to do with "Your Rights Online," but a remote mailbox exploit might do the trick.

      Let's get cracking.
    • Criminal (Score:5, Insightful)

      by PhYrE2k2 ( 806396 ) on Friday August 26, 2005 @09:21AM (#13407350)
      Opening or intercepting mail (at least in the US and Canada) not addressed to you is a criminal offense. So we're already talking criminals who have to commit an offense here in order to do so. At that point, why not open it? You're already stealing mail, you're about to steal a PIN number and hence some money from a bank where you'll be on video camera, who not just open the damn message- the person won't know for a few days that it's not arrived yet.

      When did a criminal get this sudden hit of "oh my- what am I doing- I can't _OPEN_ this letter! I'll just scan it and see what i can find". This is someone who already intercepted mail and is about to commit fraud. Just open the envelope and call it a day.

      FYI: From the Canada Post Corporation Act
      Every person commits an offence who, except where expressly authorized by or under this Act, the Customs Act or the Proceeds of Crime (Money Laundering) and Terrorist Financing Act, knowingly opens, keeps, secretes, delays or detains, or permits to be opened, kept, secreted, delayed or detained, any mail bag or mail or any receptacle or device authorized by the Corporation for the posting of mail.


      Every person commits an offence who unlawfully and knowingly abandons, misdirects, obstructs, delays or detains the progress of any mail or mail conveyance.
      • Re:Criminal (Score:5, Insightful)

        by dk.r*nger ( 460754 ) on Friday August 26, 2005 @10:21AM (#13407927)
        At that point, why not open it?

        Because you want the victim to actually recieve the letter, activate the card and not be suspicious. Otherwise you'll just have the PIN of an inactive credit card, which is worth squat/zip/nada.

        Mailing the PIN and relying on that it will arrive unread is an important part of the chain of trust on credit cards.
  • by It doesn't come easy ( 695416 ) * on Friday August 26, 2005 @08:45AM (#13406980) Journal
    No one knew until now that scanning a document in black and white and adjusting the black/white threshold value can make it easier to read marginal text? Wow. Sounds like a patent application to me. Whatever.
  • Better recourse (Score:5, Interesting)

    by Alex P Keaton in da ( 882660 ) on Friday August 26, 2005 @08:49AM (#13407023) Homepage
    Hopefully though, this discovery will further bring to light all the lax security that companies that control our personal information have. It would be nice to see data brokers and banks start to care about security a little more.
    And the fact that if your info gets out and someone exploits it, it is such a hassle to clear your good name/credit.
    That being said- locks only keep honest men out... In the military locks are known as "delaying devices"
    If someone wants your info, and are willing to break out the scanner and start graphics manipulation to get it, well, they are likely to get it. But wouldn't it just be easier to hit strangers about the head with a sock of nickels and take their cash?
    • That being said- locks only keep honest men out... In the military locks are known as "delaying devices"

      I think the "delaying devices" is exactly the key to their usefulness though. Every bit of difficulty in cirvumventing a device is useful in making it less worth a criminal's time to bypass it.

      Sometimes I get the sense from the Slashdot crowd that something isn't worth doing because perfection is impossible, perfect security being a prime example. I would like to ask, does that mean we quit using secur
      • Sometimes I get the sense from the Slashdot crowd that something isn't worth doing because perfection is impossible, perfect security being a prime example. I would like to ask, does that mean we quit using security measures?
        I believe you and I are on the same page. My point is, that no security is perfect. Not that it means we shouldn't secure our possesions, but rather that if someone really wants something, and is willing to go to any means to get it, then they are likely to succeed...
        My point was tha
      • Sometimes I get the sense from the Slashdot crowd that something isn't worth doing because perfection is impossible, perfect security being a prime example.

        Some slashdotters may rail against anything other than perfect security, but I think a fair amount of Slashdot vitriol is directed at security measures that are disproportionate in impact or cost compared with the risks they are nominally intended to mitigate.

    • Re:Better recourse (Score:5, Insightful)

      by avalys ( 221114 ) on Friday August 26, 2005 @08:59AM (#13407127)
      locks only keep honest men out

      An honest man keeps himself out.
    • Re:Better recourse (Score:4, Interesting)

      by rknop ( 240417 ) on Friday August 26, 2005 @09:18AM (#13407319) Homepage

      Hopefully though, this discovery will further bring to light all the lax security that companies that control our personal information have. It would be nice to see data brokers and banks start to care about security a little more.

      Heh. Hopefully.

      More likely, it will bring calls to limit these nefarious tools that can be used for criminal purposes. We already are paranoid about color printers running off images of dollar bills. Now we'd better make laws saying that any image processing program must contain checks against this sort of thing.

      I will not be surprised if that response is seriously proposed.

      Hell, under the DMCA, it may be illegal to download Gimp now. After all, it is a tool that has been demonstrated to break an effective security measure (the paper around a PIN number), although the PIN number may not be IP and thus may not be covered under the DMCA.

      But we also have the Grokster case as precedent to allow us to hold the Gimp developers responsible for this use of their tool.

      -Rob

    • And the fact that if your info gets out and someone exploits it, it is such a hassle to clear your good name/credit.

      But thats the point. It's hassle to you. It don't affect the bottom line

      Or if it does it's not enougth to get worked up about

    • by Frank T. Lofaro Jr. ( 142215 ) on Friday August 26, 2005 @11:16AM (#13408541) Homepage
      Well in the military, "denial devices" are not something you'd ever want to encounter, so "delaying devices" is usually what you use. :)

      Hitting strangers with a sock of nickels isn't Slashdot worthy. Hiting them with a sock full of RFID identification tags is. :)
  • They do say of course you need the card which is right but at the same time organised gangs will quite happily put card readers in ATM machines and pick the details and clone your card

  • And hence.. (Score:5, Insightful)

    by domipheus ( 751857 ) * on Friday August 26, 2005 @08:50AM (#13407030)
    And hence the reason for sending the pin seperately from the card becomes clear.

    Nothing to see here... yet again.
  • by Anonymous Coward
    If someone owned a convience store, wouldn't it be possible to scan the un-scratched tickets looking for the "big winner" without having to pay for them all?
    • by Paul Neubauer ( 86753 ) on Friday August 26, 2005 @09:08AM (#13407223)

      Something similar happened at least once. It took two people. One at the store to pull the reel of tickets and one with access to some medical machine. They looked through the roll with the medical scanner, took out and bought the winning tickets and put the broken up roll back. They were caught when someone else at the store noticed that the roll had several odd breaks. And probably that someone was a little too lucky.

      • They were caught when someone else at the store noticed that the roll had several odd breaks.
        Presumably most people who tried this scam were actually intelligent not to give themselves away like this and that we only know about the people who come from the lower 1% percentile of stupidity.
  • by Winterblink ( 575267 ) on Friday August 26, 2005 @08:54AM (#13407085) Homepage
    Me, whenever I get one of these things I either shred the bejesus out of it or store it in a secure place. I NEVER trust the trash for things like this, or even receipts from places I use my credit card. Lots of them still print the whole number on the paper. :/
    • i never liked shredding, sure it deters the common theif but its still a puzzle and like a puzzle it can be put back together, i usually turn them into paper mache (i don't know how to spell that) after shredding so that the fibers themselves aren't attached anymore. makes for a VERY difficult puzzle if you ever wanted them back.
      • Some pizza places still give out those carbon swiper receipts... I usually dunk it in some water so the ink bleeds, then mash it up before tossing out.

        But if you get a good shredder (one of those diagonal cross cut ones for instance) it can be a total bitch to get the stuff back together.
      • Yep I just got a CD shedder the other day for deleting our buisness backups. I wonder if its possible to puzzle together the bits and reconstruct anything???.
    • I photocopy mine to 900% size and tape them up in all my windows.

      People say I am a looney, but I don't know. Who is to say anyone will even look at my windows anyway?
    • Lots of them still print the whole number on the paper. :/

      And the carbons and whatnot are carefully filed in the trash together.

      Going through your trash, I might get something interesting.

      Going through a restaurant's or other store's trash, odds are I'll get many interesting things.
    • Who still prints the whole number?

      In America, or abroad?
  • two sheets of mylar (Score:5, Interesting)

    by Speare ( 84249 ) on Friday August 26, 2005 @08:55AM (#13407092) Homepage Journal
    I've always wondered why they didn't just slip some mylar film into those mailers. Mylar was designed in wartime as radar chaff, but is more likely seen today as the bag around your snack or a helium balloon.

    The existing patterned ink method was adopted because of cost, but really, tacking some mylar onto the form would be cheaper than tacking those thick plastic fake credit cards into those credit offers they flood you with. Yeah, I know: marketing budget can afford fake credit cards but the operations budget can't afford mylar for security.

    • by Mignon ( 34109 ) <satan@programmer.net> on Friday August 26, 2005 @09:03AM (#13407169)
      Mylar was designed in wartime as radar chaff

      How well does it work at blocking CIA mind-control rays? I'm worried that my tinfoil hat isn't up to the task against their post-9/11 spy satellite upgrades.

    • by Pig Hogger ( 10379 ) <pig@hogger.gmail@com> on Friday August 26, 2005 @09:20AM (#13407340) Journal
      I've always wondered why they didn't just slip some mylar film into those mailers. Mylar was designed in wartime as radar chaff, but is more likely seen today as the bag around your snack or a helium balloon.
      If you look carefully, metallized mylar is not opaque (mylar itself is quite transparent [wikipedia.org]), just like any sufficiently metal film.
      • Whatever happened to security envelopes? I mean, they shouldn't be the only thing protecting such information, but you shouldn't overlook the usefulness of opaque windowless envelopes.... Use 28lb paper with a 100% coverage of toner (not ink) or some other material that's black and opaque, and you can't read the contents of the envelope without opening it.

        When dealing with that kind of information, I'd be happy to spend an extra $0.05 on the mailer....
  • by Gopal.V ( 532678 ) on Friday August 26, 2005 @08:57AM (#13407113) Homepage Journal
    To carry your ATM card in tin-foil faraday cage because it can be read by a device hidden in your office elevator ?.

    PIN codes are just there to protect a person's card from random pickpocketing. Also this "exploit" needs access to the mail containing the PIN , before the user reads it and changes it. It is very unlikely that somebody will be able to do this easily - the obvious suspects being your kid brother who signed for your credit card when it came at your home and your shopping crazy sister. It needs very clear physical access on day-to-day basis.

    This belongs in the same category as mothers steaming opening letters - maybe you should read Saki's shock tactics about how to handle that scenario.
  • Overhyped title (Score:5, Insightful)

    by Iriel ( 810009 ) on Friday August 26, 2005 @08:57AM (#13407115) Homepage
    The key point of this article (before the industry response) is not about some great new way to use photo editing software to steal someone's PIN number. The majority of it discusses the dangers of using new methods of mailing PIN and passwords that can be read by the HUMAN EYE, sometimes with no more technology than the ability to tilt the paper and shine a bright light.

    The problem is not with the gimp or photoshop, but poor printing techniques that could put your 'secure' password information at risk with the simplest of methods. It still deserves a mention in YRO because I've even had a few letters mailed to me with PIN information like this. The letter had already been partially broken on one side due to handling, and I could see the PIN in the sunlight through the thin sheet even though that thin sheet is meant to let you know if someone has tampered with your information.
  • Kind of silly (Score:2, Insightful)

    I don't understand the practical applications of this attack outside the realm of academia.

    So they can steal your mail? If they've stolen it, why not just open it and read the pin?

    If someone is targetting you to steal your money, they would have to steal the pin number and then check back every day to see if the card came. Doesn't seem very practical to me.
    • Perhaps they could intercept your mail, obtain your PIN, place the letter back in your mailbox (so you have no reason to be on your guard or change your PIN), follow you carefully into town, steal your wallet (maybe without you knowing, but a simple mugging would do) ...

      Far fetched? Depends on whether this little security hole becomes well known in the wrong circles. Also, where I work the same kind of system is use to protect wage-slips - which have employee payroll numbers, bank details, social securit

    • So they can steal your mail? If they've stolen it, why not just open it and read the pin?
      Because until the PIN is not delivered to the recipient, the card cannot be activated...
  • UK Banks (Score:3, Interesting)

    by Detritus ( 11846 ) on Friday August 26, 2005 @09:00AM (#13407140) Homepage
    Aren't these the same banks that had a police officer prosecuted for attempted fraud because he inquired about some suspicious transactions in his bank account? The premise being that bank systems are secure and perfect, therefore the customer must be at fault.

    I can see them taking the same attitude towards PINs. Any abuse must be the customer's fault, since no one else could have known the PIN.

    • I looked it up. It was Police Constable John Munden, Cambridgeshire, and the Halifax Building Society. He was prosecuted, convicted, and had the conviction overturned on appeal. See Risks Digest Volume 18: Issue 25.
  • Nothing new, really. (Score:4, Interesting)

    by Pig Hogger ( 10379 ) <pig@hogger.gmail@com> on Friday August 26, 2005 @09:01AM (#13407142) Journal
    Some 20 years ago, around Montréal, a lottery-scamming ring was uncovered, who operated with "pouch-type" lottery tickets (a ticket enclosed in an transparency-obfuscating enveloppe). They had a network of operatives who worked at convenience store, and swapped unknown tickets with "known ungood" tickets.

    They were able to see through the enveloppe obfuscation using a slide projector as a bright light (and undoubtely a fair number of aspirins).

    • Remember Homer's hilarious dilemma when choosing between a winning 500$ lottery ticket, which he saw using this very method, and a Yodel bar.

      H - Man, that Yodel was so good..I wish I was eating it right now..
  • A better way.... (Score:2, Insightful)

    by yoey ( 247125 )
    An even better way of reading the PIN is to open up the envelope and look inside. One doesn't even need a computer for that.
    • An even better way of reading the PIN is to open up the envelope and look inside. One doesn't even need a computer for that.

      Except, as soon as you've broken the seal you've effectively announced to the intended victim: "Beware! Your PIN has been compromised!"

  • Yes, that's right... Big, powerful headline... Why not just say something like:

    "All your pin are belong to GIMP!"

    This has nothing to do with the graphics programs and everything to do with bad-quality printing methods.
  • by Anonymous Coward
    Wrap the PIN mailings inside bank notes. All these programs should have banknote scanning prevention as Uncle Sam mandates, so covering the mailings inside of bank notes should solve the PIN theft problem. If this causes the currency theft problem to rise, we can simple wrap the currency inside gold leaf.
  • Just Great! (Score:2, Funny)

    by miTTio ( 24893 )
    "Poor print exposing Pin numbers"

    If some has my Personal Identification Number Number, they may use it in an Automatic Teller Machine Machine.
    • If some has my Personal Identification Number Number, they may use it in an Automatic Teller Machine Machine.

      This being a UK story, would they use the ATM Machine at the Trustee Savings Bank Bank?!

      (The TSB was renamed to "TSB Bank" back in the 1980s, as a precursor to something or other boring and pointless)

  • DUSTER! (Score:5, Interesting)

    by bigattichouse ( 527527 ) on Friday August 26, 2005 @09:21AM (#13407353) Homepage
    I just discovered that duster cans (those little cans that blow dust out of your keyboard) when turned upsidedown will blow coolant.

    Aim this coolant at a sealed envelope and it makes the paper transparent.
  • If you hold a sealed envelope, over boiling water, it OPENS! Once it opens, if you close it back up and place it under a book, it will RESEAL!

    God! someone should *DO* something about this .. oh wait, there are already laws in place making mail fraud illegal.

    Gee .. nevermind.
    • If you hold a sealed envelope, over boiling water, it OPENS! Once it opens, if you close it back up and place it under a book, it will RESEAL!

      Not the PIN mailers in the UK - you need to either tear open the sealed envelope *inside* the outer envelope (which, I concede, could maybe be steamed open), or you need to GIMP the whole shebang (I feel durty just saying that...)

      • Yeah, most stuff now aways is the 'tear it open' variety.

        My point is more along the lines of its illegal to tamper with mail in any way, the methods of which you use are immaterial.

        In order to 'scan' the PIN number out, they first have to have illegal possession of your mail, or work for the post i suppose.
  • Dr Nick (Score:5, Funny)

    by kevin_conaway ( 585204 ) on Friday August 26, 2005 @09:27AM (#13407401) Homepage
    In the immortal words of Dr. Nick's Diet:

    "If you're unsure about something, rub it against a piece of paper. If the paper turns clear, its your window to weight gain!"

    Have fun eating greasy chicken and stealing PIN numbers

    / Thats right, I said PIN Number.

    // On my way to the ATM machine.
  • I'm sick to death with paper and important papers in particular. I think that in this day and age, it is really a joke that I have worry about draws filled with crumpled and unread letters printed in red ink.

    With all the fuss over identity theft and so forth, I propose SPIT ( Spit on PDA Id Tracking )which boils down to a Pocket PC's which you SPIT on. After your spit has been authenticated, you can use your snot key to decrypt all documents which were previously paper based!

    Please feel free to contri

  • Does anyone know of methods for other forensic uses of these, such as reading pen impressions on paper?
  • You edit curves and drag the centre of the curve down a bit I believe. Also useful for reading notes on the page underneath the one they were written on.
  • to manipulate images. Don't miss tomorrow's story: desktop publishing program used to fake documents!
  • Better ban all image creating and editing programs!!!!

    Everyone panic and flail their arms about, screaming!!

  • If you don't trust the USPS, then tell your bank/whatever not to use them. But really, is there a feasibly more secure way to send a PIN than through our federal mail system?

    Newsflash: At my office, I can even OPEN UP the inter-office envelopes in the outgoing mail bins and see EVERYTHING inside! Heck, I don't need the gimp or anything, and there is no evidence of tampering.

  • by RagingChipmunk ( 646664 ) on Friday August 26, 2005 @10:22AM (#13407949) Homepage
    In the book "Spy Catcher" (late 80s) an ex-MI5 guy writes the various ways they used to read the contents of letters without opening the envelope. One clever was was to use a long, thin strip of bamboo to "twirl" the letter around inside the envelope and read it as it was 'scrolling' by.

    Other, easier ways include spraying the envelope with automotive-freon. The envelope becomes transparent while wet, and within seconds the freon completely evaporates.

    Other inventive ideas: Use a strand of high quality fiber optics to have a peek inside.

    Point being, wouldnt it be far more sensible to NOT include the PIN ?!?! Duh.
  • is for GIMP and Photoshop to be found illegal under the Patriot Act...
  • by dan the person ( 93490 ) on Friday August 26, 2005 @10:36AM (#13408122) Homepage Journal
    I knew this article would eventually make it to slashdot after i saw the rare mention of the GIMP in mainstream media...

In practice, failures in system development, like unemployment in Russia, happens a lot despite official propaganda to the contrary. -- Paul Licker

Working...