Banks use insecure methods for PIN numbers
University of Cambridge researchers have revealed PIN numbers hidden in tamper-proof stationery, using bright lights and easy-to-use software. The security experts warn that the PIN numbers of millions of consumers are at risk.
Secure stationery is used by banks and other organisations to send new PINs or passwords to customers. The stationery is designed so that it is immediately obvious if the envelope has been opened and the information read by someone else.
The stationery often uses a transparent label that hides the password or PIN number until it is peeled off by the customer. The background is printed to make it difficult to replace a label accurately. However, researchers Mike Bond, Steven Murdoch and Jolyon Clulow found that poor printing can make it easy to overcome the secure system.
The researchers found that PIN numbers and passwords could be revealed by shining bright lights at an angle on to the paper, or by scanning the letter and then adjusting some of the image qualities in programs such as GIMP, Adobe Photoshop and Paintshop Pro.
The banking industry was advised of the findings at the end of 2004, and a new standardisation procedure and testing regimes have been introduced.
Despite these changes, said Mr Bond, the same insecure mailers are still being used.
A spokeswoman for Apacs, the industry body, said that little fraud has been perpetrated by the method of reading PINs from secure stationery.
The new standards developed by the industry should be in place by the end of 2006.