Insecure PIN Mailers

I just sent the following email to Nominet, the UK domain registration authority:

Dear Nominet,

Today I received two “Confirmation of Registration” letters from you – one for a recently-registered domain, and one for a renewal. These had the “secure” PIN mailers in the bottom right hand corner, which are supposed to assure me that, if they have not been tampered with, no-one else knows the PIN to manage my domain.

You will be unhappy to hear that I was able to read the PINs from these PIN mailers in about 45 seconds using nothing more than a bright light at an oblique angle, and without tampering with them or peeling them back in any way. If you want to try this yourself, I can tell you that closing one eye helps.

This type of problem with PIN mailer technology was highlighted back in 2005 by Mike Bond and his research team at the University of Cambridge, who published a report (PDF). This was covered in the news at the time.

Unless your PIN protection is snake oil security, I hope you will consider upgrading it to a version which addresses the technical shortcomings outlined in the Bond paper.


Gervase Markham

I read the Bond paper a few weeks ago; when the Nominet letters arrived I decided to try it – and it really works! Next time you get a PIN mailed to you with one of these things, give it a go. Find a nice bright point light source, shine it on the paper from a very shallow angle, and look with one eye from the equal angle on the other side.

2 thoughts on “Insecure PIN Mailers

  1. Considering that Nominet was one of the examples I would assumes that they are aware of this, but bugging them is still a good idea.