Tamper-Evident Paper Mailings
We’ve all received them in the mail: envelopes from banks with PINs, access codes, or other secret information. The letters are somewhat tamper-proof, but mostly they’re designed to be tamper-evident: if someone opens the letter and reads the information, you’re going to know. The security devices include fully sealed packaging, and black inks that obscure the secret information if you hold the envelope up to the light.
Researchers from Cambridge University have been looking at the security inherent in these systems, and they’ve written a paper that outlines how to break them:
Abstract. Tamper-evident laser-printed PIN mailers are used by many institutions to issue PINs and other secrets to individuals in a secure manner. Such mailers are created by printing the PIN using a normal laser, but on to special stationery and using a special font. The background of the stationery disguises the PIN so that it cannot be read with the naked eye without tampering. We show that currently deployed PIN mailer technology (used by the major UK banks) is vulnerable to trivial attacks that reveal the PIN without tampering. We describe image processing attacks, where a colour difference between the toner and the stationery “masking pattern” is exploited. We also describe angled light attacks, where the reflective properties of the toner and stationery are exploited to allow the naked eye to separate the PIN from the backing pattern. All laser-printed mailers examined so far have been shown insecure.
According to a researcher website:
It should be noted that we sat on this report for about 9 months, and the various manufacturers all have new products which address to varying degrees the issues raised in the report.
BBC covered the story.
DarkFire • August 30, 2005 9:36 AM
One peripheral comment I would make on this subject – it’s far safer for someone to have their cards / cheque book / pin number sent to their local bank branch rather than their home address.
In my experience the rate of theft of mail that’s on its way to an actual bank is nearly zero, but the amount of mail that is stolen on its way to residential addresses is frankly enormous. Pin numbers, cards & cheque books are particularly targeted.
I know it causes extra bother, but far less bother than having to report the theft & then trying to force the bank to actually investigate it (less than 7% of these crimes are actually investigated by the banks).
My $0.02 worth…