Message-ID: <s0d818a7.042@mail.smuht.nwest.nhs.uk>
From: Marek.Isalski at smuht.nwest.nhs.uk (Marek Isalski)
Subject: What Your Empty Wallet Says About You
In an attempt to be slightly on-topic; more so than the "0day disclosures" that I just read with the Delete key.
A couple of months ago my partner bought a new wallet in which to keep my credit cards, debit cards and useful "plastic" -- presumably she was shamed at the scruffy nature of the previous wallet.
So after being jammed in my pockets, packed with my flexible friends, I noticed something which I'll need to bear in mind when this wallet is deemed shoddy and due for replacement -- the poly-something sleeves that hold the cards are plastic (impressionable) and, when your wallet isn't chock-full of cards, the softness of empty plastic sleeves is deformed by the raised print of the cards. This deformity remains for a long time with the cards removed.
Attached is a cropped photograph (taken with a cheap phone camera). I've pulled the card slightly out of its sleeve -- in the right lighting, you can easily read the card number. And you can just about make out the card holder's name, sort and account numbers by eye (the camera is of too low a quality).
All the more reason to have the three-digit security code on the back of the card not embossed -- but with only 1000 combinations, does this have enough entropy to deter a determined credit card thief from hunting through rubbish for wallets? I imagine that people cycle cards faster than wallets -- my figures are about six cards in as many years for one wallet -- but there's a much larger amount of information for the wallet to disclose. Hopefully we all know to chop up our expired credit cards when "retiring" them. I certainly didn't think I would need to apply data destruction to a worn-out container (an interesting thought exercise in itself -- I don't want to burn it and choke on fumes, and I don't think the office shredder will cope...).
(And no, this vulnerability doesn't have a CVE, the vendor hasn't been notified, and the only "shoutz" go out to aforementioned partner, Melanie.)
Regards,
Marek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: walletdisclosure.jpg
Type: image/jpeg
Size: 5170 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040622/bb0fca53/walletdisclosure.jpg