
Why blurring sensitive information is a bad idea - soundsop
http://dheera.net/projects/blur.php
======
andrewreds
WHAT... why would you completely black out the number, where you could instead
use random coloured squares, that look like it is a blurring, so someone can
go through all the effort, decoding your white noise, and thinking in the end
they have your number... when they don't ;)

------
jadedoto
I don't think he is stressing the ease of doing this with credit card numbers.
The sample space he is suggesting generating is far too large... You can
usually identify the first several digits simply by the issuing organization,
as they all use standardized numbers, the remaining digits must pass a certain
checksum algorithm. So really generating a bunch of valid cc numbers is quite
trivial. Matching exp dates with numbers and ccv numbers.. Different story.

But I wonder what the limits to effectiveness are on this attack. I usually
randomly swirl around with a smear tool to blur out things...

~~~
InclinedPlane
Bank of America uses a horrible method for generating debit card numbers. It's
a standard prefix + account number + sequence number + check digit. If you
have stolen someone's BofA debit card number then you can easily guess the
replacement card's number (just increment the sequence number and recalculate
the check digit). From there you just need to guess the expiration date (a
comparatively trivial task).

~~~
nodata
But that's for debit cards - I think most banks include the account number in
a debit card number. You would still need the CCV number from the back of the
card for the attack to work.

~~~
InclinedPlane
I haven't noticed any other bank which had the same practice.

Also, not all online merchants use CCV. Also consider the risk of creating
fake physical CCs, no address or CCV necessary.

~~~
Cushman
Just checked— my credit union debit card number includes my account number.

------
DrJokepu
As seen in the brilliant 2008 Underhanded C Contest, sometimes even masking
isn't enough: <http://underhanded.xcott.com/?p=12>

------
jbeluch
Also be sure to strip EXIF data since it can contain an original thumbnail.
Not all image editors update the thumbnail with changes.

~~~
scrrr
Good point. I usually just display the pic, snap a screenshot and all metadata
is gone. If it is scaled it obfuscates blurred things, too.
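
A pre-publication check for the EXIF thumbnail issue raised in this sub-thread, as an added example that is not part of the original discussion: it looks for a preview image in EXIF IFD1 and rebuilds the JPEG without its EXIF segment. The function names and the sample bytes are constructed for illustration.

```python
import struct

def segments(jpeg: bytes):
    """Yield (is_exif, start, end) for each header segment before the scan data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        exif = jpeg[pos + 1] == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00"
        yield exif, pos, pos + 2 + length
        pos += 2 + length

def exif_thumbnail(jpeg: bytes):
    """Return the preview stored in EXIF IFD1, or None (malformed EXIF raises struct.error)."""
    for exif, start, end in segments(jpeg):
        tiff = jpeg[start + 10:end]
        e = {b"II": "<", b"MM": ">"}.get(tiff[:2])           # TIFF byte order
        if not exif or e is None:
            continue
        (ifd,) = struct.unpack(e + "I", tiff[4:8])           # offset of IFD0 (main image)
        (n,) = struct.unpack(e + "H", tiff[ifd:ifd + 2])
        (ifd,) = struct.unpack(e + "I", tiff[ifd + 2 + 12 * n:ifd + 6 + 12 * n])  # IFD1
        if ifd == 0:
            continue
        (n,) = struct.unpack(e + "H", tiff[ifd:ifd + 2])
        tags = {}
        for off in range(ifd + 2, ifd + 2 + 12 * n, 12):
            tag, _type, _count, value = struct.unpack(e + "HHII", tiff[off:off + 12])
            tags[tag] = value
        if 0x0201 in tags and 0x0202 in tags:                # thumbnail offset and length
            return tiff[tags[0x0201]:tags[0x0201] + tags[0x0202]]
    return None

def strip_exif(jpeg: bytes) -> bytes:
    """Rebuild the file without any APP1/Exif segment, thumbnail included."""
    out, last = bytearray(b"\xff\xd8"), 2
    for exif, start, end in segments(jpeg):
        if not exif:
            out += jpeg[start:end]
        last = end
    return bytes(out + jpeg[last:])

# Constructed sample: JPEG skeleton whose EXIF IFD1 points at a 4-byte stand-in thumbnail.
THUMB = b"\xff\xd8\xff\xd9"
_tiff = (b"II*\x00" + struct.pack("<IHI", 8, 0, 14)          # header, empty IFD0, IFD1 at 14
         + struct.pack("<HHHIIHHIII", 2, 0x0201, 4, 1, 44, 0x0202, 4, 1, len(THUMB), 0) + THUMB)
_app1 = b"Exif\x00\x00" + _tiff
SAMPLE = b"\xff\xd8\xff\xe1" + struct.pack(">H", len(_app1) + 2) + _app1 + b"\xff\xda\x00\x02\xff\xd9"
```

Running `exif_thumbnail` on an edited image before upload and comparing the result with the redacted version shows whether the editor left the unredacted preview behind.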

------
andraz
Actually when you really need to decode a blurred or mosaiced image you can do
even more tricks. Especially when they are screenshots. Since you can take a
pattern (digits) and blur them with all possible options of certain most
popular image editing software, you can then do a massive number of comparisons
to see what comes out right. It's massively CPU intensive, but I am sure
people that need it can do it.

Blacking out the section entirely is the only proper way, since you really
want to be sure you are destroying the information in the image, not just
dispersing it.

Even then, if you are removing a single digit it can be partially recovered by
observing kerning statistics, etc.

~~~
lelele
What? Are you talking about proportional fonts?

------
makecheck
I'm wondering if the copyright and year are accurate...I recall reading
something like this a few years ago, complete with pictures of sample checks.

~~~
_delirium
It looks like this is the original source, but it's from 2007, not 2010. This
2007 Slashdot article links to the same URL:
<http://it.slashdot.org/article.pl?sid=07/01/07/1352242>. Maybe the current
year gets auto-added by whatever CMS he's using? Either that or it's been
updated.

Incidentally, while I was looking for that link, I found an implementation in
the form of a Photoshop filter:
<http://tlrobinson.net/blog/2008/10/08/recovering-censored-text-using-adobe-photoshop-cs3/>

------
tptacek
This attack is, for what it's worth, at least 4 years old (probably older).

~~~
gus_massa
According to SearchYC this has been posted twice

3 years ago (3 comments) <http://news.ycombinator.com/item?id=79405>

9 months ago (no comments) <http://news.ycombinator.com/item?id=1115919>

------
andrewmu
"Identify the exact size and offset, in pixels, of the mosaic tiles used to
blur the original image (easy)"

I don't see that this is easy. Surely you have to test a number of offsets and
sizes of text? And without knowing the digits, this is not going to be totally
accurate.

------
sliverstorm
You don't even have to color over, or blur, or do any of that hard stuff. Just
select the region, and press "CTRL-X", save and quit. No reason to do it any
other way.

~~~
erikpukinskis
People blur to maintain the general look of the original image. Having black
boxes everywhere is jarring.

Honestly, I don't think the lesson has to be "don't blur"... it can just be
"blur enough". If I blur something out, I just use a radius big enough to
erase all of the information.

~~~
panic
_People blur to maintain the general look of the original image. Having black
boxes everywhere is jarring._

In that case, why not erase the numbers and replace them with random digits?

~~~
ovi256
Effort? Way more work than putting a black box in.

------
guynamedloren
Here's a tip: if you do blur, don't use mosaic. Use the blur tool.

~~~
yatsyk
Usually it's easier to extract exact numbers from blurred image.

~~~
lwhi
Yep, mosaic (often drastically) reduces the resolution of a portion of the
image. The information that's been removed can't easily be recovered.

