Letter box

Banks and many other organisations use secure stationery to give customers new pins or passwords that is designed to make it obvious if the envelope has been opened and the number or word has been read by someone else.

This secure stationery often uses a transparent label that must be peeled off to reveal a Pin or password. Background printing makes replacing a label accurately very difficult.

But Mike Bond, Steven Murdoch, and Jolyon Clulow from the security group at the Cambridge University computer lab has found that poor printing can mean that this secure system can be easily overcome.

Mr Bond was alerted to the problems when he was sent a new Pin and found that poor printing meant it was readable with the naked eye.

The researchers collected lots of so-called Pin mailers and then tested how secure they were.

You can also check : Top News News of the Week

"We were surprised that it could be done so easily," said Mr Bond.

"We're concerned as academics and outside parties that other people are going to be spotting this too and start working towards fraud," he told the BBC News website.

The security failings emerge as banks have turned to new laser-printing technology to produce pin mailer letters, said Mr Bond.

Laser-printed Pin mailer letters look like any other communication from a bank and help to defeat thieves looking out for the old-fashioned mailers that were much more distinctive.

Millions of Pin mailers are being sent out in the UK as chip and pin technology is more widely adopted.

Mr Bond said that the work the team has done on laser printed Pin mailers has shown that it is a "subtle art" that is tricky to do correctly.

"You are printing black toner on to a background pattern that is supposed to disguise it," he said. "If you add too little you cannot read it but too much will make it stand out."

Industry response

The Cambridge trio revealed their findings to the banking industry at the end of 2004 which has resulted in a standardisation procedure and new testing regimes for banks producing Pin mailers.

Despite these changes, said Mr Bond, the same insecure mailers are still being used months after the researchers warned about the failings. This was worrying, he added, because Chip and Pin puts so much emphasis on that personal number.

A spokeswoman for Apacs, the industry body for the payments systems used by UK banks, played down the risks exposed by the researchers.

"We always have to bear in mind that laboratory conditions are not duplicated in the real world," she said.

"Security around Pins is paramount and always has been because of cash machines."

She added that Pin numbers were inherently more secure than written signatures.

Security is constantly kept under review," said the spokeswoman, "every bank takes security seriously."

The new standards developed by the industry should be in place by the end of 2006.

"It's a work in progress at the moment," she said.

Consumers should also remember that, unless they are negligent, UK banking regulations do not make them liable for losses from fraud, she added.

News about the Pin printing research first appeared in the journal Infosecurity Today