Yesterday I received the PIN letter for online banking for my new credit card, and I wondered how secure the black-and-white security field that hides the PIN really is. As a hobby photographer, I came up with the idea of simply backlighting the security field with a camera flash. At that point the security field had not yet been opened; I had only taken the Hydalam DIN A4 sheet out of the envelope.
Hydalam is a patent-protected product distributed under license by KOOPMANNDRUCK GmbH in Germany. The paper itself, however, is printed by various printing companies in Germany, which must adhere to special, strict security standards.
So I simply held the flash behind the field, and after only a few test shots I had found a shutter speed and aperture that produced the first usable pictures.
At this point I was quite surprised that, with a little concentration at 100% view, the first digits (the 2 and the 6) could already be made out. The fine dot raster is interrupted exactly where the digits are printed.
Now certain that the PIN really was in the pictures, just hard to recognize, I continued processing on the PC. I used the RAW file of the image shown above as source material. After a few failed attempts to make the PIN visible directly in the RAW converter, I opened the image in Photoshop and experimented with the layer settings. One of my first guesses worked:
- Duplicate the base layer
- Set the layer blend mode to “Difference”
- Move one of the layers 1px in any direction.
Two identical images blended with “Difference” produce nothing but a black surface: every pixel cancels out. Shift one layer by a single pixel, however, and the result is a perfectly legible PIN, because the blend now acts like an edge filter: the fine dot raster, whose neighbouring pixels differ strongly, lights up everywhere, while the areas where the printed digits interrupt the raster stay dark.
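To make the mechanism behind the three Photoshop steps concrete, here is an added example that is not part of the original post. It builds a constructed stand-in for the photographed security field (a checkerboard dot raster that is replaced by a flat mid-grey wherever a digit is printed; the digit bitmap, field size and grey value are assumptions, not a real scan) and then applies the same operation the layer trick performs: the absolute per-pixel difference between the image and a copy offset by one pixel.

```python
"""Recreate the 'Difference' blend trick on a constructed security-field image.

Assumptions (constructed for this example, not measured from a real letter):
- the overprinted dot raster photographs as a 0/255 checkerboard,
- wherever PIN ink interrupts the raster the camera sees a flat grey (128),
- the digit is a 5x7 bitmap scaled up so its strokes are a few pixels wide.
Pure Python lists are used so the script runs without an image library.
"""

# Constructed 5x7 bitmap of a digit "7"; 1 = printed ink.
DIGIT_7 = [
    "11111",
    "00001",
    "00010",
    "00100",
    "00100",
    "00100",
    "00100",
]


def make_security_field(width=24, height=28, digit=DIGIT_7, origin=(4, 3), scale=3):
    """Return (image, mask).

    image: rows of pixel values, a 0/255 checkerboard standing in for the
           dot raster, overwritten with 128 where the digit's ink sits.
    mask:  True where the digit's ink interrupts the raster.
    Each bitmap cell is scaled to a scale x scale block so strokes are wider
    than the 1 px shift used later (a 1 px stroke would vanish in the edge
    response).
    """
    image = [[0 if (x + y) % 2 == 0 else 255 for x in range(width)] for y in range(height)]
    mask = [[False] * width for _ in range(height)]
    ox, oy = origin
    for by, row in enumerate(digit):
        for bx, bit in enumerate(row):
            if bit != "1":
                continue
            for y in range(oy + by * scale, oy + (by + 1) * scale):
                for x in range(ox + bx * scale, ox + (bx + 1) * scale):
                    image[y][x] = 128
                    mask[y][x] = True
    return image, mask


def difference_blend(image, dx=1, dy=0):
    """'Difference' blend of the image with a copy offset by (dx, dy), dx, dy >= 0:
    out[y][x] = |image[y][x] - image[y + dy][x + dx]| over the overlapping area.
    With dx = dy = 0 the two layers are identical and every pixel is 0 (black)."""
    height, width = len(image), len(image[0])
    return [
        [abs(image[y][x] - image[y + dy][x + dx]) for x in range(width - dx)]
        for y in range(height - dy)
    ]


def region_means(diff, mask, dx=1, dy=0):
    """Mean difference value over pixel pairs that both lie on ink ('inside')
    versus pairs that both lie on the raster ('outside'). The gap between the
    two is the contrast that makes the digit readable."""
    inside, outside = [], []
    for y, row in enumerate(diff):
        for x, value in enumerate(row):
            a, b = mask[y][x], mask[y + dy][x + dx]
            if a and b:
                inside.append(value)
            elif not a and not b:
                outside.append(value)
    mean = lambda values: sum(values) / len(values) if values else 0.0
    return mean(inside), mean(outside)


def render(diff, threshold=64):
    """ASCII view of a difference image: '#' where the raster shows through,
    ' ' where ink blanks it out."""
    return "\n".join("".join("#" if v > threshold else " " for v in row) for row in diff)


if __name__ == "__main__":
    field, mask = make_security_field()
    print(render(difference_blend(field, 0, 0)))  # identical layers: all black
    print()
    print(render(difference_blend(field, 1, 0)))  # 1 px shift: the "7" appears
```

Run it and the second rendering shows the digit as a blank shape on a field of `#`: on the raster, horizontally adjacent pixels differ by the full 255, while inside the ink both samples are the same flat grey and cancel to 0. The direction of the shift does not matter for a two-dimensional raster, which is why the post says “1px in any direction”.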
Demo PSD to try it yourself (8.41 MB): Download
After opening the field, the PIN is indeed “261398”, as expected.
Within half an hour, including all preparation and failed attempts, the PIN can be made visible without damaging the security field in any way. The actual effort is less than 5 minutes.
Unfortunately, out of curiosity, I broke the seal before it occurred to me to photograph the folded A4 page or even the whole, unopened letter. But I am confident that the folded sheet would not have caused much trouble, because there is no print on the pages of this letter that fold over the field. I would probably only have needed to increase the flash power a little: the picture above was shot at just 1/64 of full power, the lowest setting the flash has, so there is plenty of headroom. The envelope itself is unprinted as well.
What does this mean, in the end, for the sender and the recipient?
An outside attacker could intercept the letter, read the PIN, put the page into a plain envelope and seal it again. The recipient will not notice as long as the page is not creased. The original PIN letters are plain, unmarked envelopes too (for good reason!). And if the PIN can be photographed through the closed envelope, there is no way at all to detect that an attack took place.
One might assume that the time gap with which the “knowledge” factor (the PIN) and the “possession” factor (the card) are usually mailed provides enough security. But two-factor authentication depends on the confidentiality of the knowledge factor, and neither the sender nor the recipient can fully rely on it with this letter. Both sides should therefore be interested in a more secure procedure for delivering the PIN.
In my case, with the online banking PIN, it is up to me to change the PIN immediately after receiving the letter.