312-50V11 · Question #660
If a token and 4-digit personal identification number (PIN) are used to access a computer system and the token performs off-line checking for the correct PIN, what type of attack is possible?
The correct answer is B. Brute force. Offline PIN checking on a token removes server-side lockout enforcement, leaving the 4-digit PIN space fully exposed to a local brute-force attack by anyone who possesses the token.
Question
If a token and 4-digit personal identification number (PIN) are used to access a computer system and the token performs off-line checking for the correct PIN, what type of attack is possible?
Options
- ABirthday
- BBrute force
- CMan-in-the-middle
- DSmurf
How the community answered
(32 responses)- A3% (1)
- B78% (25)
- C13% (4)
- D6% (2)
Why each option
Offline PIN checking on a token removes server-side lockout enforcement, leaving the 4-digit PIN space fully exposed to a local brute-force attack by anyone who possesses the token.
A birthday attack targets collision probability in cryptographic hash functions and is unrelated to guessing a short numeric PIN on a physical token.
Because the token validates the PIN locally without contacting an authentication server, there is no centralized mechanism to detect, throttle, or lock out repeated failed attempts. A 4-digit numeric PIN has only 10,000 possible combinations, so an attacker with physical access to the token can systematically try every combination until the correct PIN is found - a textbook brute-force attack made feasible by the absence of online rate limiting.
A man-in-the-middle attack intercepts communications between two parties over a network; offline PIN checking involves no network exchange to intercept.
A Smurf attack is a network-layer DDoS amplification technique using ICMP broadcasts and has no relationship to token-based authentication or PIN guessing.
Concept tested: Brute-force vulnerability from offline PIN verification on hardware tokens
Source: https://pages.nist.gov/800-63-3/sp800-63b.html
Topics
Community Discussion
No community discussion yet for this question.