Schneier on Security: Tamper-Evident Paper Mailings

← Security at Visa Unintended Information Revelation →

Tamper-Evident Paper Mailings

We've all received them in the mail: envelopes from banks with PINs, access codes, or other secret information. The letters are somewhat tamper-proof, but mostly they're designed to be tamper-evident: if someone opens the letter and reads the information, you're going to know. The security devices include fully sealed packaging, and black inks that obscure the secret information if you hold the envelope up to the light.

Researchers from Cambridge University have been looking at the security inherent in these systems, and they've written a paper that outlines how to break them:

Abstract. Tamper-evident laser-printed PIN mailers are used by many institutions to issue PINs and other secrets to individuals in a secure manner. Such mailers are created by printing the PIN using a normal laser, but on to special stationery and using a special font. The background of the stationery disguises the PIN so that it cannot be read with the naked eye without tampering. We show that currently deployed PIN mailer technology (used by the major UK banks) is vulnerable to trivial attacks that reveal the PIN without tampering. We describe image processing attacks, where a colour difference between the toner and the stationary "masking pattern" is exploited. We also describe angled light attacks, where the reflective properties of the toner and stationery are exploited to allow the naked eye to separate the PIN from the backing pattern. All laser-printed mailers examined so far have been shown insecure.

According to a researcher website:

It should be noted that we sat on this report for about 9 months, and the various manufacturers all have new products which address to varying degrees the issues raised in the report.

BBC covered the story.

Tags: academic papers, mail, passwords, PINs, tamper detection

Posted on August 30, 2005 at 7:59 AM • 20 Comments

Comments

DarkFire • August 30, 2005 9:36 AM

One peripheral comment I would make on this subject - it's far safer for someone to have their cards / cheque book / pin number sent to their local bank branch rather than their home address.

In my experience the rate of theft of mail that's on it;s way to an actual bank is nearly zero, but the amount of mail that is stolen on it's way to residential addresses is frankly enormous. Pin numbers, cards & cheque books are particularly targeted.

I know it causes extra bother, but far less bother than having to report the theft & then trying to force the bank to actually investigate it (less than 7% of these crimes are actually investigated by the banks).

My $0.02 worth...

Harrold • August 30, 2005 10:56 AM

But the pin is of no value with the card (or perhaps just the number to begin some sort of fraud like change of address), and they are mailed separately, so it would take a determined, focused thief to exploit all avenues to be successful.

In the end, we'll have systems that require thieves to just rob us at gunpoint at the ATM, and then we'll all feel safer, right?

Tom Chiverton • August 30, 2005 11:20 AM

Interestingly, they can see through scratch-here type protections too. I wonder if the same thing applies to national lottery scratch cards or not...

Bruce Schneier • August 30, 2005 11:32 AM

"Interestingly, they can see through scratch-here type protections too. I wonder if the same thing applies to national lottery scratch cards or not..."

My initial guess is that scratch lottery tickets have more expensive security coatings, but that they are vulnerable to more expensive attacks.

Clearly this is an area of research that needs more scrutiny.

RonK • August 30, 2005 12:43 PM

I work at a company which does a lot of image processing, and I wondered once how well the patterning on the outside of the company's payslips worked for obscuring the personal information contained within.

I had no problems getting a lot of information with my naked eye by using a strong light source, and only a bit more difficulty in filtering out the pattern from the information if the paycheck was scanned on a flatbet scanner.

I'd be very surprised if lottery tickets were secure from very expensive imaging attacks like neutron imaging, but as we know, it's not a matter of preventing attack, just making them not worthwhile.

Davi Ottenheimer • August 30, 2005 12:51 PM

This bit of the BBC article made me laugh:

"A spokeswoman for Apacs, the industry body for the payments systems used by UK banks, played down the risks exposed by the researchers.'We always have to bear in mind that laboratory conditions are not duplicated in the real world,' she said."

Really? Shining a bright light at an angle on a piece or paper, or using GIMP and a scanner are both complicated and risky maneuvers? Forget changing the PIN mailers, this anonymous "industry body spokesperson" probably will next announce that all future lamps will carry a warning "Do not shine at an angle to reveal PIN codes".

So if the industry body spokesperson completely fails to appreciate any threats and/or vulnerabilities to PIN mailers, what are the chances that the industry will actually change the mailers?

The researchers say their disclosure forced "a standardisation procedure and new testing regimes for banks producing PIN mailers", but they also say mailers are not changing yet. What's a reasonable time from disclosure of the vulnerability for consumer accounts to be protected?

Kero • August 30, 2005 1:00 PM

I think the thing to remember is that in most cases to use the PIN you need the corresponding card. If you have stolen the card stealing the envelope with the PIN should be easy. The same is more important with lottery cards. How do you see the crime happening that uses this threat? I steal a roll of lottery tickets, scan them finding the winners, then put the rest back? It may save time for the theives and keep their carpets cleaner not having to rub off all the covering but still... I don't see how this is a high risk threat.

paul • August 30, 2005 1:07 PM

The value of defeating tamper-evident security measures is that the target goes on as if nothing had happened. The accountholder whose card has been nicked or duplicated doesn't report the card stolen, the store whose roll of lotto tickets has been removed and replaced doesn't file a report and have that range of cards invalidated, the user whose password has been compromised just keeps on using it willy-nilly.

As a result, there's more opportunity for loss, and a harder time for the victim trying to prove that a given transaction was in fact illegitimate.

Davi Ottenheimer • August 30, 2005 1:59 PM

@ Kero

"I don't see how this is a high risk threat."

There are two approaches to this concern. First, why is the PIN is obscured in the first place? If there is no high risk threat, why not send it in the clear and forget even trying to protect it? Obviously card issuers have reason to be concerned enough that they spend time and money on tamper-resistant technology (that they think is secure).

On the other hand, let's just ignore the group that tells us they want to protect their PINs and yet seems to not do a very good job of it. A simple calculation (asset x vuln x threat) helps to factor the actual risk. To gauge the severity of vulnerabilities and threats, you might want to read up on "phantom withdrawls" such as cases where "bank insiders can almost trivially find out the PINs of any or all customers" (http://cryptome.org/pacc.htm)...

Steven Murdoch • August 30, 2005 2:01 PM

"Interestingly, they can see through scratch-here type protections too. I wonder if the same thing applies to national lottery scratch cards or not..."

The mailers we looked at all worked on a similar principle: you print on the top of transparent plastic and have a "scrambling pattern" on the other side. Then to reveal the PIN, you remove the plastic from the scrambling pattern, either by scratching it off or peeling the two apart. Even though you can still see the toner which makes up the PIN, the idea is that the scrambling pattern will make it hard to read. This system has the advantage of being one-pass and needing only a standard laser printer. However, you can attack them by using some, non-intrusive method to visually separate the toner from the scrambling pattern, for example angled light or image processing.

Lottery scratch-cards generally have the scratch off coating put over the top of the printed message, rather than on the other side, requiring two passes and special machinery at the printing site. This means you have to see through it, instead of just needing to separate two layers which you can both see. So I don't think the techniques mentioned in the report will work.

However, discussion of this report did trigger someone to describe a fairly high-tech, but feasible technique for reading lottery scratch-cards: http://www.mail-archive.com/cryptography%40metzdowd.com/msg04679.html

Steven Murdoch • August 30, 2005 2:13 PM

"One peripheral comment I would make on this subject - it's far safer for someone to have their cards / cheque book / pin number sent to their local bank branch rather than their home address."

Indeed, and I know of some banks who do this, particularly in the US and continental Europe. However in the UK, I don't know of any banks who do this as standard. Though banks in the UK sometimes require customers to pick their cards/PIN up from the bank, because the customer lives in an area where there is an unusually high rate of mail non-receipt fraud, generally believed to happen in the local mail sorting office.

Ross • August 30, 2005 2:20 PM

Money, as ever, talks. This didn't (to my knowledge) happen with the older style PIN mailers which contained some sort of carbon-paper analogue, imprinted upon by a dot-matrix or line printer. However, I understand those mailers cost over $1 each, so it's clear that finding savings was big business. I don't know what the current mailers referenced in the paper cost, but I imagine it's little beyond whatever licensing fees the stationery providers charge.

In response to Kero: this attack would allow an attacker - perhaps a bank insider - to steal PINs *without detection* as the tamper evidence in the mailer is untouched. Combine this with existing techniques for getting hold of a card and you've probably increased the window of opportunity for fraud, depending on individual users' behaviour.

More interestingly, the claim that only the customer could possibly know the PIN - as mentioned by Ross Anderson et al apropos phantom withdrawals - can be refuted.

Filias Cupio • August 30, 2005 5:04 PM

@Kero
"I steal a roll of lottery tickets, scan them finding the winners, then put the rest back?"

No, you are the owner of a corner dairy which sells lottery tickets. You legitimately get rolls of tickets, scan them, and keep the few big winners (possibly using friends as a front to claim the prize.) The rest you sell to punters who are unaware that they have no chance of striking a big prize.

Steven Murdoch • August 30, 2005 8:20 PM

"This didn't (to my knowledge) happen with the older style PIN mailers which contained some sort of carbon-paper analogue, imprinted upon by a dot-matrix or line printer. However, I understand those mailers cost over $1 each, so it's clear that finding savings was big business."

We also found similar techniques effective at reading these types of mailer (multipart stationary) and a similar technology where the PIN is printed and the sheet is folded over and glued closed (pressure sealed). These aren't mentioned in the report since the techniques to read these are well known and their use in the UK declining.

The cost of the raw stationary isn't the only factor (although I don't know about the relative costs), there is also the printing costs. Laser-printed PIN mailers need only a laser printer, which the banks already have, whereas the other technologies require printers dedicated to this task.

Also, I think there are significant security considerations, in addition to the tamper evidence. For example, multipart stationary and pressure seal mailers look very different from normal bank mail, so a criminal could easily pick these out. Whereas the laser-printed PIN mailers just look like ordinary letters from the outside.

Another problem is that with multipart/pressure sealed mailers, they are not secure out of the printer, either a sheet has to be torn off or the letter sealed. This means someone with access to the intermediate stage could read the PINs. With the laser-printed PIN mailers, there is no second step.

DarkFire • August 31, 2005 3:20 AM

Using the tamper-evident postage bags unfortunately has an undesirable negative effect on the security of mail:

Imagine for a moment that you are a thief. You know that financial documents, credit cards & pin numbers are all posted in this sort of packet. So, you steal a random sample of these packages (just enough that you don't get noticed), or target a single address. The chances are that over time you will eventually end up with a matching card & associated pin number.

If you end up with a cheque book, some semi-skilled forging will enable you to cash cheques on the unsuspecting victim's account until the credit limit is reached.

Unfortunately this sort of theft is both rampant (here in the UK) and difficult to solve.

DarkFire • August 31, 2005 3:30 AM

Sorry, forgot a bit:

The conclusion I was coming to is that security of personal data via the dilution method is the best defence IMO.

This is why: the tamper-evident bags are IMO an ineffective security measure - they do not deter the intelligent, organised, capable thief as explained above, but they do advertise "this is a financial document" to the opportunist.

Disguising a credit card or pin as a normal letter would prove almost 100% effective against an opportunist (the greatest threat in this instance) but would not really prove much more of a security risk versus the determined, experienced thief.

As allways, my $0.02...

Ben Smyth • August 31, 2005 6:41 AM

@Kero/Filias Cupio,

Kero: "I steal a roll of lottery tickets, scan them finding the winners, then put the rest back?"

Filias: "No, you are the owner of a corner dairy which sells lottery tickets."

Or, you are a minimum wage employee working for the corner dairy. Although it may be easier for the employee simply to steal all of the scratchcards (along with the cigarettes, booze, takings and ...) whilst his employer is away on holiday in some luxury foreign resort....

JD • September 1, 2005 8:43 AM

The PIN is no good without the card, which is mailed separately, and the cards I get nowadays are no good unless activated from my home phone.

The cards and PINs come in envelopes indistinguishable from the daily flow of credit card offers and other junk, creating the biggest risk I will throw out the former with the latter.

Bill McGonigle • September 1, 2005 11:52 AM

The scratchcard looks either like this:

P|C
or
P|I|C

where P=Paper, I=Ink, and C=coating. The coating is opaque, the paper is semi-transparent.

So it would seem that from the backside, you should be able to find a radio/light source that would reflect differently off of
P|C
than
P|I|C
it's a matter of building the appropriate sensors and finding the right kind of signal.

This isn't an easy task, perhaps, but there's alot of money involved here.

Of course, lotteries being the state sponsored gambling operation, there are probably felonies associated with scamming the system no matter the technology.

Jonathan Craymer • September 22, 2005 6:47 PM

Just in case it's of use to anyone who hates having to remember PINs, I believe I've come up with the perfect low-tech answer (even if you've got a brilliant memory - and mine isn't bad - just think of all those who haven't, or pensioners who struggle with PINs). The Craymer Grid is quite simply a PIN reminder which users can carry with them in virtually 100% safety - without fear of a thief being able to 'read' the data. It's GBP4.99 (excuse 'talking shop' for a moment) and just available hot off the press at www.craymergrid.co.uk.

Name (required):

E-mail Address:

URL:

Fill in the blank: the name of this blog is Schneier on ___________ (required):

Comments:

Allowed HTML: <a href="URL"> • <cite> • • • <ul> <ol> <li> • <blockquote> <pre>

← Security at Visa Unintended Information Revelation →

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.

Tamper-Evident Paper Mailings

Comments

Leave a comment