EC-Council
312-50V9 Question #562: Real Exam Question with Answer & Explanation
The correct answer is B: Brute force. When a token performs offline PIN verification, an attacker who physically obtains the token can attempt every possible PIN combination without network lockout constraints.
Question
If a token and 4-digit personal identification number (PIN) are used to access a computer system and the token performs off-line checking for the correct PIN, what type of attack is possible?
Options
- A. Birthday
- B. Brute force
- C. Man-in-the-middle
- D. Smurf
Explanation
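Because the token verifies the PIN itself, offline, no server sees or counts the failed attempts. An attacker who physically obtains the token can therefore attempt every possible PIN combination without network lockout constraints, and a 4-digit PIN has only 10,000 possible values.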
Common mistakes.
- A. A birthday attack targets hash collisions to find two inputs with the same hash output and is not applicable to guessing a numeric PIN.
- C. A man-in-the-middle attack requires intercepting communication between two parties; offline PIN checking means no network communication occurs during verification.
- D. A Smurf attack is a network-layer DDoS technique using ICMP broadcast amplification and has no relevance to token-based authentication.
Concept tested. Offline token PIN brute force vulnerability
Reference. https://csrc.nist.gov/publications/detail/sp/800-63b/final