WHAT... why would you completely black out the number, where you could instead use random coloured squares, that look like it is a blurring, so someone can go through all the effort, decoding your white noise, and thinking in the end they have your number... when they don't ;)
I don't think he is stressing the ease of doing this with credit card numbers. The sample space he is suggesting generating is far too large... You can usually identify the first several digits simply by the issuing organization, as they all use standardized numbers, and the remaining digits must pass a certain checksum algorithm. So really generating a bunch of valid cc numbers is quite trivial. Matching exp dates with numbers and ccv numbers... different story.
But I wonder what the limits to effectiveness are on this attack. I usually randomly swirl around with a smear tool to blur out things...
Bank of America uses a horrible method for generating debit card numbers. It's a standard prefix + account number + sequence number + check digit. If you have stolen someone's BofA debit card number then you can easily guess the replacement card's number (just increment the sequence number and recalculate the check digit). From there you just need to guess the expiration date (a comparatively trivial task).
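Added worked example (not from any commenter) of the checksum the two comments above refer to: payment card numbers end in a Luhn check digit, so "valid" is a 1-in-10 filter on the free digits, nothing more. The function names are chosen here; the prefix + account + sequence + check layout and the two-digit sequence field used by `guess_reissued` are taken from the comment above as an assumption, not from any issuer documentation. 4111111111111111 is the familiar Visa test number.

```python
from itertools import product


def luhn_sum(number: str) -> int:
    """Luhn sum: walking from the right, double every second digit
    (subtracting 9 when the doubled value exceeds 9) and add up."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total


def luhn_valid(number: str) -> bool:
    """True when the whole string (including its last digit) passes Luhn."""
    return number.isdigit() and luhn_sum(number) % 10 == 0


def luhn_check_digit(payload: str) -> str:
    """The digit that makes payload + digit pass the Luhn check."""
    return str(-luhn_sum(payload + "0") % 10)


def completions(pattern: str):
    """Yield every Luhn-valid number matching a pattern with '?' for the
    digits a blur or a partial leak left unknown. Luhn discards 9 of 10 raw
    combinations, so each '?' outside the check-digit slot still costs x10."""
    holes = [i for i, ch in enumerate(pattern) if ch == "?"]
    for fill in product("0123456789", repeat=len(holes)):
        chars = list(pattern)
        for i, d in zip(holes, fill):
            chars[i] = d
        candidate = "".join(chars)
        if luhn_valid(candidate):
            yield candidate


def guess_reissued(number: str, seq_digits: int = 2) -> str:
    """Hypothetical reissue guess under the layout the comment describes:
    bump the sequence field sitting just before the check digit and
    recompute the check digit. The field width is an assumption."""
    body = number[:-1]
    seq = (int(body[-seq_digits:]) + 1) % 10 ** seq_digits
    new_body = body[:-seq_digits] + str(seq).zfill(seq_digits)
    return new_body + luhn_check_digit(new_body)


if __name__ == "__main__":
    print(luhn_valid("4111111111111111"))            # True
    print(guess_reissued("4111111111111111"))        # 4111111111111129
    print(list(completions("41111111111111?1")))     # one match: the doubled slot
    print(len(list(completions("4111111111111???"))))  # 100 of 1000 survive
```

The last line is the point of the comment: knowing the issuer prefix and the checksum only shrinks the search by the check digit; every other unknown digit is still a full factor of ten, and none of this touches the expiry date or the CCV.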
Either you're skipping over a lot of information in the process of how that number's generated, or that's not how they do it anymore (and not how they've done it for at least the last couple of years).
But that's for debit cards - I think most banks include the account number in a debit card number. You would still need the CCV number from the back of the card for the attack to work.
edit: CCV proves that you at one time had access to the CCV number.
Online merchants are supposed to comply with PCI-DSS - not store your CCV ever, never transmit your number unencrypted, never store cardholder information unencrypted, plus tons of management controls and audit controls over the same.
In practice, let's just say lazy programming is everywhere.
I've seen many people who handle online transactions and violate PCI-DSS to some degree, including storing CCV numbers.
I'd expect random swirls to be reliable, or any obfuscation that introduces a reasonable amount of entropy. This whole attack relies on an almost-exact replication of the original blurred image. If you do something a computer can't easily reproduce over and over again, or something that looks the same no matter what the obfuscated content is (like blacking out), this attack cannot work.
Actually, when you really need to decode a blurred or mosaiced image you can do even more tricks, especially when they are screenshots. Since you can take a pattern (digits) and blur them with all possible options of the most popular image editing software, you can then do a massive number of comparisons to see what comes out right.
It's massively CPU intensive, but I am sure people that need it can do it.
Blacking out the section entirely is the only proper way, since you really want to be sure you are destroying the information in the image, not just dispersing it.
Even then, if you are removing a single digit it can be partially recovered by observing kerning statistics, etc.
It looks like this is the original source, but it's from 2007, not 2010. This 2007 Slashdot article links to the same URL: http://it.slashdot.org/article.pl?sid=07/01/07/1352242. Maybe the current year gets auto-added by whatever CMS he's using? Either that or it's been updated.
"Identify the exact size and offset, in pixels, of the mosaic tiles used to blur the original image (easy)"
I don't see that this is easy. Surely you have to test a number of offsets and sizes of text? And without knowing the digits, this is not going to be totally accurate.
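Added example, not code from the thread or from the linked article, of the mosaic attack the comments above describe, including the tile-size-and-offset step the last comment doubts. It stands in a constructed 3x5 bitmap font (scaled to 12x20 px) for the real font, a 16 px cell per digit, an 8 px tile grid at offset (3, 2) for the editor's pixelation filter, and "4096" for the secret; `estimate_grid`, `recover`, `mosaic` and the rest are names chosen here. The real attack has to reproduce the actual font, rendering and filter of the software that was used, which is the hard part the comment points at.

```python
from functools import reduce
from math import gcd

# Constructed toy font: 3x5 bitmaps for the digits 0-9 ("1" = ink).
GLYPHS = {
    "0": ["111", "101", "101", "101", "111"], "1": ["010", "110", "010", "010", "111"],
    "2": ["111", "001", "111", "100", "111"], "3": ["111", "001", "111", "001", "111"],
    "4": ["101", "101", "111", "001", "001"], "5": ["111", "100", "111", "001", "111"],
    "6": ["111", "100", "111", "101", "111"], "7": ["111", "001", "001", "001", "001"],
    "8": ["111", "101", "111", "101", "111"], "9": ["111", "101", "111", "001", "111"],
}
DIGITS = "0123456789"
SCALE, CELL_W, HEIGHT = 4, 16, 24   # 4x4 px per glyph pixel, 16 px advance per digit
PAD_X, PAD_Y = 2, 2                 # glyph position inside its cell


def render(text):
    """Grayscale image (rows of ints, 0 = ink, 255 = paper) of `text`; spaces are blank."""
    img = [[255] * (CELL_W * len(text)) for _ in range(HEIGHT)]
    for i, ch in enumerate(text):
        for gy, row in enumerate(GLYPHS.get(ch, [])):
            for gx, bit in enumerate(row):
                if bit == "1":
                    x0 = i * CELL_W + PAD_X + gx * SCALE
                    for y in range(PAD_Y + gy * SCALE, PAD_Y + (gy + 1) * SCALE):
                        for x in range(x0, x0 + SCALE):
                            img[y][x] = 0
    return img


def mosaic(img, tile, ox, oy):
    """Pixelate: replace every tile of a grid anchored at (ox, oy) by its mean."""
    h, w = len(img), len(img[0])
    out = [row[:] for row in img]
    for y0 in range(oy % tile - tile, h, tile):
        for x0 in range(ox % tile - tile, w, tile):
            ys, xs = range(max(y0, 0), min(y0 + tile, h)), range(max(x0, 0), min(x0 + tile, w))
            if not ys or not xs:
                continue
            mean = sum(img[y][x] for y in ys for x in xs) // (len(ys) * len(xs))
            for y in ys:
                for x in xs:
                    out[y][x] = mean
    return out


def blackout(img):
    """The safe alternative: every pixel of the region set to black."""
    return [[0] * len(row) for row in img]


def estimate_grid(img):
    """Recover (tile, ox, oy) from the mosaic itself: values change only at tile
    edges, so edge spacing gives the size and edge phase the offset. Neighbouring
    tiles with equal means hide an edge, hence the gcd over all spacings.
    Assumes square tiles."""
    h, w = len(img), len(img[0])
    xs = sorted({x for y in range(h) for x in range(1, w) if img[y][x] != img[y][x - 1]})
    ys = sorted({y for y in range(1, h) for x in range(w) if img[y][x] != img[y - 1][x]})
    period = lambda e: reduce(gcd, [b - a for a, b in zip(e, e[1:])], 0)
    tile = gcd(period(xs), period(ys)) if xs and ys else 0
    if tile == 0:
        raise ValueError("no tile edges visible: not a mosaic (blank or blacked out?)")
    return tile, xs[0] % tile, ys[0] % tile


def window_error(a, b, x0, x1):
    """Sum of squared pixel differences over columns [x0, x1)."""
    return sum((ra[x] - rb[x]) ** 2 for ra, rb in zip(a, b) for x in range(x0, x1))


def recover(blurred, n, tile, ox, oy):
    """Decode n digits left to right. A tile straddling cells i and i+1 also
    depends on the not-yet-known neighbour, so each candidate for cell i is
    scored under its best-fitting neighbour (needs tile < CELL_W)."""
    w, known = len(blurred[0]), ""
    for i in range(n):
        c0, c1 = i * CELL_W, (i + 1) * CELL_W
        x0 = max(0, ox + (c0 - ox) // tile * tile)             # first tile touching cell i
        x1 = min(w, ox + (c1 - 1 - ox) // tile * tile + tile)  # end of the last one
        nexts = DIGITS if i + 1 < n else [""]
        _, best = min((window_error(mosaic(render((known + d + nx).ljust(n)), tile, ox, oy),
                                    blurred, x0, x1), d)
                      for d in DIGITS for nx in nexts)
        known += best
    return known


if __name__ == "__main__":
    secret = "4096"                                  # constructed: a card's last four
    published = mosaic(render(secret), tile=8, ox=3, oy=2)
    grid = estimate_grid(published)
    print(grid, recover(published, len(secret), *grid))
    print(recover(blackout(render(secret)), len(secret), 8, 3, 2))  # identical for any secret
```

Two things worth noticing when running it: the grid parameters come straight out of the published image, because a mosaic is piecewise constant and its edges betray the tile size and phase; and `recover` on the blacked-out version returns the same string for every secret, which is the operational meaning of "destroying the information rather than dispersing it" in the comments below. What the toy hides is the real cost: the candidate renderer has to match the original font, anti-aliasing and pixelation filter closely enough that the true digit scores lower than the others.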
You don't even have to color over, or blur, or do any of that hard stuff. Just select the region, and press "CTRL-X", save and quit. No reason to do it any other way.
People blur to maintain the general look of the original image. Having black boxes everywhere is jarring.
Honestly, I don't think the lesson has to be "don't blur"... it can just be "blur enough". If I blur something out, I just use a radius big enough to erase all of the information.
Deconvolution is quick with Fourier transforms. In infinite precision, convolution by any nonzero function (which includes Gaussian blurs) is invertible. In practice, quantization and stopping the convolution at the edge of the blur region complicates things. The blur itself removes no information, if you want to convince yourself it's safe you need to argue numerical analysis.
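Added example, not the commenter's code, of the point made above in one dimension: a Gaussian blur is a convolution, dividing by its frequency response undoes it exactly on floating-point data, and the same division on 8-bit quantised data amplifies the rounding noise by roughly 1/min|H|. The 32-sample "ink profile", the sigma and radius of the kernel, and the function names are all constructed for the demo; circular convolution is used so the edge-of-region issue the comment mentions does not arise.

```python
import cmath
import math


def dft(xs):
    """Plain O(n^2) discrete Fourier transform (n is tiny here)."""
    n = len(xs)
    return [sum(x * cmath.exp(-2j * math.pi * k * t / n) for t, x in enumerate(xs))
            for k in range(n)]


def idft(Xs):
    n = len(Xs)
    return [sum(X * cmath.exp(2j * math.pi * k * t / n) for k, X in enumerate(Xs)).real / n
            for t in range(n)]


def gaussian_kernel(n, sigma, radius):
    """Length-n circular Gaussian kernel (sums to 1), centred on index 0."""
    offsets = range(-radius, radius + 1)
    w = [math.exp(-(j * j) / (2 * sigma * sigma)) for j in offsets]
    h = [0.0] * n
    for j, wj in zip(offsets, w):
        h[j % n] += wj / sum(w)
    return h


def blur(signal, kernel):
    """Circular convolution: the 'infinite precision' model of the blur."""
    n = len(signal)
    return [sum(signal[(t - j) % n] * kernel[j] for j in range(n)) for t in range(n)]


def deblur(blurred, kernel):
    """Divide by the kernel's frequency response bin by bin (none is zero here)."""
    return idft([b / h for b, h in zip(dft(blurred), dft(kernel))])


def quantise(xs):
    """What a saved 8-bit image actually keeps."""
    return [float(min(255, max(0, round(x)))) for x in xs]


def max_abs_error(a, b):
    return max(abs(x - y) for x, y in zip(a, b))


# Constructed 1-D ink profile: 255 = paper, 0 = ink, 32 samples.
SIGNAL = [255.0] * 8 + [0.0] * 4 + [255.0] * 4 + [0.0] * 8 + [255.0] * 8
KERNEL = gaussian_kernel(len(SIGNAL), sigma=1.0, radius=3)


def demo():
    """Return (error after exact deblur, error after deblurring the 8-bit
    version, noise amplification factor 1/min|H|)."""
    blurred = blur(SIGNAL, KERNEL)
    exact = max_abs_error(SIGNAL, deblur(blurred, KERNEL))
    lossy = max_abs_error(SIGNAL, deblur(quantise(blurred), KERNEL))
    amplification = 1 / min(abs(h) for h in dft(KERNEL))
    return exact, lossy, amplification


if __name__ == "__main__":
    print(demo())
```

With these parameters the smallest response bin is at Nyquist and sits around 0.014, so rounding errors of at most half a grey level come back multiplied by about 70; a wider blur pushes that bin toward zero and the inversion toward useless, which is the numerical-analysis argument the comment says you actually have to make. Blacking out has no such argument to make: the convolution kernel is replaced by a constant, and there is nothing to divide by.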
Check out "High Quality Motion Deblurring from a Single Image", for some quite impressive photo reconstruction done by actually fitting a spatially varying set of blur kernels to an image.
Black it out. And I don't mean the stupid PDF trick where they draw a black box over it (but you can still copy/paste the number from underneath). I mean actually black it out. Print it out, draw on it with a marker, and scan it again if you have to make sure.
But I've seen so many blurred out numbers that I could just about figure out with my eyes, let alone a computer program that could decode it algorithmically. And yes, standard (and non-standard, i.e. Photoshop) algorithms are fairly well known and can be tested against known data. Also, people really can tell what font was used. That gives them more than enough information to decode it.
But why are you giving people information in the first place? Never, ever try to distort information you should be destroying.