312-50V13 · Question #114
If a token and 4-digit personal identification number (PIN) are used to access a computer system and the token performs off-line checking for the correct PIN, what type of attack is possible?
The correct answer is B. Brute force. When a token performs off-line checking for a 4-digit PIN, it exposes the system to a brute force attack due to the finite and small number of possible PIN combinations.
Question
Options
- ABirthday
- BBrute force
- CMan-in-the-middle
- DSmurf
How the community answered
(50 responses)- A12% (6)
- B80% (40)
- C2% (1)
- D6% (3)
Why each option
When a token performs off-line checking for a 4-digit PIN, it exposes the system to a brute force attack due to the finite and small number of possible PIN combinations.
A birthday attack is a cryptographic attack that exploits the mathematics behind hash collisions; it is not applicable to a simple 4-digit PIN authentication mechanism.
A brute force attack is possible because the PIN checking occurs off-line, meaning there are no network-based defenses (like account lockout policies) to prevent repeated guesses. With only a 4-digit PIN, there are 10,000 possible combinations (0000-9999), which can be quickly exhausted by an attacker without detection if the checking is done locally on the token.
A man-in-the-middle attack involves intercepting communication between two parties; off-line PIN checking doesn't inherently create a vulnerability for MITM, though it might be combined with other attacks.
A Smurf attack is a type of Denial of Service (DoS) attack that uses ICMP echo requests (pings) and broadcast addresses; it is unrelated to token-based authentication with a PIN.
Concept tested: Brute force attack vulnerability
Topics
Community Discussion
No community discussion yet for this question.