nerdexam
EC-Council

312-50V11 · Question #660

If a token and 4-digit personal identification number (PIN) are used to access a computer system and the token performs off-line checking for the correct PIN, what type of attack is possible?

The correct answer is B. Brute force. Offline PIN checking on a token removes server-side lockout enforcement, leaving the 4-digit PIN space fully exposed to a local brute-force attack by anyone who possesses the token.

Cryptography

Question

If a token and 4-digit personal identification number (PIN) are used to access a computer system and the token performs off-line checking for the correct PIN, what type of attack is possible?

Options

  • ABirthday
  • BBrute force
  • CMan-in-the-middle
  • DSmurf

How the community answered

(32 responses)
  • A
    3% (1)
  • B
    78% (25)
  • C
    13% (4)
  • D
    6% (2)

Why each option

Offline PIN checking on a token removes server-side lockout enforcement, leaving the 4-digit PIN space fully exposed to a local brute-force attack by anyone who possesses the token.

ABirthday

A birthday attack targets collision probability in cryptographic hash functions and is unrelated to guessing a short numeric PIN on a physical token.

BBrute forceCorrect

Because the token validates the PIN locally without contacting an authentication server, there is no centralized mechanism to detect, throttle, or lock out repeated failed attempts. A 4-digit numeric PIN has only 10,000 possible combinations, so an attacker with physical access to the token can systematically try every combination until the correct PIN is found - a textbook brute-force attack made feasible by the absence of online rate limiting.

CMan-in-the-middle

A man-in-the-middle attack intercepts communications between two parties over a network; offline PIN checking involves no network exchange to intercept.

DSmurf

A Smurf attack is a network-layer DDoS amplification technique using ICMP broadcasts and has no relationship to token-based authentication or PIN guessing.

Concept tested: Brute-force vulnerability from offline PIN verification on hardware tokens

Source: https://pages.nist.gov/800-63-3/sp800-63b.html

Topics

#token authentication#offline brute force#PIN attack#multi-factor authentication

Community Discussion

No community discussion yet for this question.

Full 312-50V11 Practice