A decision by my Internet Service Provider (ISP) has left me perplexed.
They produce monthly invoices in PDF format and deliver them to me via e-mail and are password-protected using “the last 4 digits of the phone number associated with your account”.
The password approach is made clear in each e-mail.
It’s not breaking news that e-mail does not provide any real form of security at all but the decision to encrypt the PDF document using just four digits (that’s only 10,000 possible combinations) is bizarre.
How easy would it be to crack the password?
I took an off-the-shelf NuGet package called PdfSharp and threw some C# code together. The code simply starts ten parallel tasks and carves the problem up. Task 1 goes from 0000 to 0999, task 2 goes from 1000 to 1999, and so on. An exception is thrown by PdfSharp if the password is incorrect whilst attempting to open the document.
The code was able to crack the password in 520 milliseconds – half a second. Testing all 10,000 combinations took around 2.5 seconds with the ten parallel tasks. In just over two seconds a malicious actor is able to obtain my name, postal address, account number. Ironically, the attacker has also learnt the last four digits of the phone number associated with the account.
It’s important to bear in mind that PdfSharp was not designed for this purpose. It’s not going to be optimised. For a start, throwing an exception 9,999 times of out 10,000 is costly. It’s likely with some modification this could be made much, much faster.
The burning question is why did the ISP decide it was a good idea to do this? It offers no privacy at all if the PDF was obtained by a malicious actor.
Answers on a postcard.
Please could I have your full postal address so that I can send you a postcode.
Furthermore, if I could have the first 7 digits of your mobile number so that I can verify your authenticity, that would certainly help expedite . Together we will solve this .