nerdexam
EC-Council

312-50V10 · Question #660

If a token and 4-digit personal identification number (PIN) are used to access a computer system and the token performs off-line checking for the correct PIN, what type of attack is possible?

The correct answer is B. Brute force. When a token performs PIN verification offline, an attacker in possession of the token can systematically try all possible PIN combinations without network-side lockout policies intervening.

System Hacking

Question

If a token and 4-digit personal identification number (PIN) are used to access a computer system and the token performs off-line checking for the correct PIN, what type of attack is possible?

Options

  • ABirthday
  • BBrute force
  • CMan-in-the-middle
  • DSmurf

How the community answered

(39 responses)
  • A
    3% (1)
  • B
    74% (29)
  • C
    8% (3)
  • D
    15% (6)

Why each option

When a token performs PIN verification offline, an attacker in possession of the token can systematically try all possible PIN combinations without network-side lockout policies intervening.

ABirthday

A birthday attack targets hash collision probability and is used against cryptographic functions, not against guessing a numeric PIN.

BBrute forceCorrect

A 4-digit PIN has only 10,000 possible combinations (0000-9999). Because the token checks the PIN locally without any server-side lockout or delay enforcement, an attacker can automate attempts against the token hardware itself, making brute force the viable attack - the small keyspace makes exhaustive guessing practical.

CMan-in-the-middle

A man-in-the-middle attack requires intercepting live communications between two parties; it is irrelevant when the attacker has physical possession of the token and checks offline.

DSmurf

A smurf attack is an ICMP-based distributed denial-of-service amplification technique and has no relationship to token PIN authentication.

Concept tested: Offline PIN brute force against hardware tokens

Source: https://csrc.nist.gov/publications/detail/sp/800-63b/final

Topics

#token authentication#PIN brute force#offline attack#multi-factor authentication

Community Discussion

No community discussion yet for this question.

Full 312-50V10 Practice