By Mark Ward
Technology Correspondent, BBC News website
The Pin numbers of millions of consumers are being put at risk by shoddy printing, warn security experts.
Angled light can reveal Pin numbers
Bright lights and easy to use software helped University of Cambridge researchers defeat tamper-proofing on letters telling people their new Pin.
The researchers fear the security lapses could put consumers at risk as the UK adopts Chip and Pin technology.
The banking industry played down the risk and said little fraud was perpetrated by this method.
Banks and many other organisations use secure stationery to give customers new Pins or passwords. It is designed to make it obvious if the envelope has been opened and the number or word has been read by someone else.
This secure stationery often uses a transparent label that must be peeled off to reveal a Pin or password. Background printing makes replacing a label accurately very difficult.
But Mike Bond, Steven Murdoch and Jolyon Clulow from the security group at the Cambridge University computer lab have found that poor printing can mean this secure system is easily overcome.
Mr Bond was alerted to the problems when he was sent a new Pin and found that poor printing meant it was readable with the naked eye.
The researchers collected lots of so-called Pin mailers and then tested how secure they were.
Many were defeated using bright lights shone at an angle on to the paper. Other Pins could be read by scanning the letter and then adjusting some of the image qualities in popular programs such as GIMP, Adobe Photoshop and Paintshop Pro.
Banking industry says Pins have been protected for a long time
"We were surprised that it could be done so easily," said Mr Bond.
"We're concerned as academics and outside parties that other people are going to be spotting this too and start working towards fraud," he told the BBC News website.
The security failings emerge as banks have turned to new laser-printing technology to produce Pin mailer letters, said Mr Bond.
Laser-printed Pin mailer letters look like any other communication from a bank and help to defeat thieves looking out for the old-fashioned mailers that were much more distinctive.
Millions of Pin mailers are being sent out in the UK as Chip and Pin technology is more widely adopted.
Mr Bond said that the work the team has done on laser printed Pin mailers has shown that it is a "subtle art" that is tricky to do correctly.
"You are printing black toner on to a background pattern that is supposed to disguise it," he said. "If you add too little you cannot read it but too much will make it stand out."
The Cambridge trio revealed their findings to the banking industry at the end of 2004, which has resulted in a standardisation procedure and new testing regimes for banks producing Pin mailers.
Despite these changes, said Mr Bond, the same insecure mailers are still being used months after the researchers warned about the failings. This was worrying, he added, because Chip and Pin puts so much emphasis on that personal number.
A spokeswoman for Apacs, the industry body for the payments systems used by UK banks, played down the risks exposed by the researchers.
"A Pin has no value without the card," she said, adding that little fraud has been perpetrated by the method of reading Pins from secure stationery.
The UK is adopting Chip and Pin technology
"We always have to bear in mind that laboratory conditions are not duplicated in the real world," she said.
"Security around Pins is paramount and always has been because of cash machines."
She added that Pin numbers were inherently more secure than written signatures.
"Security is constantly kept under review," said the spokeswoman. "Every bank takes security seriously."
The new standards developed by the industry should be in place by the end of 2006.
"It's a work in progress at the moment," she said.
Consumers should also remember that, unless they are negligent, UK banking regulations do not make them liable for losses from fraud, she added.
News about the Pin printing research first appeared in the journal Infosecurity Today