Cameras, fake card readers, you name it… the list of schemes used to steal customer PINs at ATM machines is endless. Now it’s time to add another possible technique. Researchers at the University of California, San Diego recently presented the results of a study in which they found infrared cameras could be used to steal a PIN even after the customer left the ATM.
Led by Keaton Mowery, a doctoral student in computer science, the team found that they could measure the residual heat of ATM users’ fingers on the keypad. Using custom software that automated the camera’s heat-seeking abilities, they had 21 volunteers try out 27 random four-digit PINs on both plastic and brushed metal keypads.
The plastic pads were more insecure. If used immediately after the user entered his or her PIN, the team’s cameras accurately found the four digits in the PIN 80 percent of the time. After a minute, the success rate was still 50 percent.
With metal’s higher thermal conductivity, heat dissipated from those keypads almost instantly, making stealing numbers nearly impossible.
An additional issue is the fact that, while the team was able to find the digits users pressed, it wasn’t feasible to regularly discover their order. Still, that’s only 24 possible combinations to test out versus the 10,000 a thief would have to work through if he or she started from scratch. Also, with the concept already proven, it’s possible that further refinements could measure the heat difference between the button pressed first and those following, although that’s yet to be shown.
So should you just completely give up ATMs, force your employer to pay you in cash and walk around with stacks of twenties in your pockets? Well, you can if you want, but it’s probably not necessary. One, as a rule it’s not a good idea to use an ATM with camera guys lurking around anyway, and this is no exception. Two, using a metal keypad pretty much eliminates the possibility of this scam working unless a hidden camera was filming the whole time. In that case, it’s already prudent practice to cover the keypad while you enter your PIN. Common sense and a preference for metal keypads should protect the average Joe from this particular scheme, but you’re more than welcome to ice your fingertips beforehand if it makes you feel safer.
Photo credit: Keaton Mowery, via PhysOrg
- Homebrew PC troubleshooting 101: Here’s where to start if your PC won’t
- How to build a PC
- Kangaroo Home Security review: Affordable, but there’s room for improvement
- How to buy Bitcoin
- The best smart locks of CES 2021