Why You Should Never Use Pixelation To Hide Sensitive Text

Pixelation is great for hiding faces and covering up nakedness, but it’s not good for disguising text. It’s so bad, in fact, that it might not even protect you at all.

The explanation comes by way of Dheera Venkatraman, who expertly explains the premise in great detail on his blog. The simple version goes a little something like this:

A pixelated face is generally gone for good, but text is so simple to decipher that ne’er-do-wells can find out what it is just by working backwards. Take a pixelated Social Security number from a screengrab of an email or a PDF, for example. An aspiring identity thief can simply make a copy of the image, sub in a possible Social Security number, pixelate the image, and see how closely the result matches the original pixelated image. It doesn’t have to be perfect (a list of a few pretty good guesses will do), and it’s a pretty easy process to automate. It’s like brute-forcing a password, but with a couple of extra steps. It’s a cakewalk for anyone who really wants to know.

Of course the process is only that simple for pristine, digital text. If a thief is working with a real-life picture of something like a credit card, it gets more complicated, but still not impossible.

As Dheera explains:

In the real world we have photos, not fictitious checks made in Photoshop. We have distortions of the text because of the camera angle, imperfect alignment, and so on. But that doesn’t stop a human from determining exactly what these distortions are and creating a script to apply them! Either way, the lowest few distances determined can be considered as candidates, and especially in the world of credit cards, where numbers are nicely chunked out in groups of 4, and only 1 in 10 numbers is actually a valid number, it makes it easy to select from your top few lowest distances, which the most likely candidates are.

Who knows whether or not there’s anyone out there hoarding pixelated credit card pictures and reverse-engineering them to steal the numbers. But there’s an easy way to make sure you’ll be safe now and in the future: Always use an ugly black smear. [Dheera Venkatraman via Hacker News]
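Guess-and-compare works because a mosaic is a deterministic function of the pixels under it, while a solid fill is a constant. The following is an added example, not code from this article or from Dheera's post: it checks a redaction method from the redactor's side by counting how many distinct images it produces over every digit string of a given length. The 3x5 bitmap font and all function names are constructed for the illustration.

```python
# Constructed 3x5 bitmap font (1 = ink), a stand-in for rendered on-screen digits.
FONT = {
    "0": "111101101101111", "1": "010110010010111", "2": "111001111100111",
    "3": "111001111001111", "4": "101101111001001", "5": "111100111001111",
    "6": "111100111101111", "7": "111001001001001", "8": "111101111101111",
    "9": "111101111001111",
}

def render(text):
    """Rasterise digits into a 5-row grid, one blank column after each glyph."""
    rows = [[] for _ in range(5)]
    for ch in text:
        glyph = FONT[ch]
        for r in range(5):
            rows[r] += [int(b) for b in glyph[3 * r:3 * r + 3]] + [0]
    return rows

def pixelate(img, block=2):
    """Mosaic filter: every block x block tile is replaced by its mean value."""
    h, w = len(img), len(img[0])
    out = [row[:] for row in img]
    for y0 in range(0, h, block):
        for x0 in range(0, w, block):
            cells = [(y, x) for y in range(y0, min(y0 + block, h))
                     for x in range(x0, min(x0 + block, w))]
            mean = sum(img[y][x] for y, x in cells) / len(cells)
            for y, x in cells:
                out[y][x] = mean
    return out

def black_bar(img):
    """Solid fill: the output does not depend on the covered content."""
    return [[1] * len(row) for row in img]

def distinct_outputs(redact, length=1):
    """Count distinct redacted images over all digit strings of this length.
    1 means the redaction reveals nothing about which string was covered."""
    seen = set()
    for n in range(10 ** length):
        out = redact(render(str(n).zfill(length)))
        seen.add(tuple(map(tuple, out)))
    return len(seen)

if __name__ == "__main__":
    print("mosaic, 1 digit :", distinct_outputs(pixelate))
    print("mosaic, 2 digits:", distinct_outputs(pixelate, 2))
    print("black bar       :", distinct_outputs(black_bar, 2))
```

With this font and a 2-pixel block, only "0" and "9" collapse to the same mosaic, so almost every digit stays distinguishable after pixelation; the solid fill yields a single image for every input.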