The present disclosure relates to securely providing secret information to users via electronic communication.
Banks (and enterprises in general) around the world provide users with cards, such as Automated Teller Machine (ATM) cards, credit cards, banking cards, etc. Such cards often have Personal Identification Number (PIN) codes associated with them. In some cases, the PIN code may be entered by the user when using the card, such as entering the PIN when making a withdrawal at an ATM. The card issuer typically generates a PIN for each card held by an account holder, in accordance with a defined algorithm.
One problem is how to securely provide the user with the PIN. Banks (and enterprises in general) around the world send PIN mailers to users. For example, a bank may send the ATM/Debit card PIN via a paper-based PIN mailer. Similarly, banks often send the Internet Banking/eBanking password using a paper-based PIN mailer. These paper-based PIN mailers are designed to send shared secrets such as ATM PINs, one-time passwords (OTPs), or activation codes to users. Large banks may distribute a million or more paper-based PIN mailers every month.
Technology has been developed for efficiently printing such PIN mailers. In one technique, a single printing pass with a conventional laser printer can be used to print an envelope that includes the user's name and address in clear text, while printing the PIN code such that it is hidden from view. This may be accomplished by first adhering a special laser PIN label to the envelope. The special laser PIN label may have a pigmented layer beneath a clear polymer coating. In one technology, the secret (e.g., PIN code) is printed onto a surface of the clear polymer coating, but obscured by a random pattern of black dots in the pigmented layer beneath the surface.
Unfortunately, paper-based PIN mailers are expensive (printing cost, postal/courier cost). Also, paper-based PIN mailers are inconvenient to the users, as it takes a fair amount of time to receive them through traditional postal delivery. Although paper-based PIN mailers are designed to be secure, it is difficult to ensure that only the intended recipient gets access to these sensitive paper documents once they are put into the postal/courier system for delivery.
Moreover, while the paper-based PIN mailers are intended to be tamper evident, they are not tamper proof. For example, paper-based PIN mailers are subject to several types of attacks that can read the PIN without showing obvious evidence of tampering. One type of attack is based on image processing, in which a color difference between the toner on the surface of the clear polymer coating and the masking pattern below is exploited. Image processing attacks make use of commonly available computer programs that perform image processing. These programs can be used to capture an image of the paper-based PIN mailer and apply image processing techniques such as color intensity threshold functions, blurring, etc. to make the secret PIN code visible on a computer display.
In an angled light attack, the reflective properties of the toner on the surface of the clear polymer coating may be exploited to allow the naked eye to separate the PIN from the backing pattern. In such an attack, the user makes direct visual inspection with their eye at a severe angle to the PIN mailer. A light source may be held at about the same angle on the opposite side. In some, but not all, cases, the PIN code can be read.