How To Steal ATM PINs With a Thermal Camera
An anonymous reader writes "Researchers from UCSD have demonstrated how thermal imagery cameras can be used to steal customers' PINs (PDF) when you withdraw cash from ATMs. Their paper, entitled 'Heat of the Moment: Characterizing the Efficacy of Thermal Camera-Based Attacks', (PDF) discovered that plastic PIN pads were the best for retaining heat signatures showing which numbers (and in which order) were used by bank customers. Fortunately the methodology does not appear to have been used by criminals yet, but a third of people surveyed admit that they do not check ATMs for tampering before withdrawing cash."
Their paper, entitled 'Heat of the Moment: Characterizing the Efficacy of Thermal Camera-Based Attacks' ...
Oh sure everybody wants to show how easy it is to steal everyone else's PIN but when you release a paper detailing how to do it with X-rays and guarantee the target develops cancer and dies within a month leaving their account ripe for unnoticed pilfering then you've "gone too far"!
My work here is dung.
Hmm, I knew there was a reason that I rested all of my fingers uniformly across the keypad, gently caressing their every ridge and facet as I discreetly pumped out my digits into their PIN pad. Well, another reason, at least.
Also I try to think about a completely different song than the one that corresponds to the letters that correspond to the numbers of my PIN, just to thwart any brainwave phreaking attacks as well.
But still hoping we score some decent security measures out of this, like maybe a bank-issued gold card or something.
but a third of people surveyed admit that they do not check ATMs for tampering before withdrawing cash.
A person checking an ATM for tampering may look like they are tampering with an ATM. Now get back in line.
There is no level of applied security that can thwart applied freedom.
The dangers of knowledge trigger emotional distress in human beings.
I use the corner of my wallet to press the keys, let's see them work with that.
when I viewed this story. Conflict of interest here?
The bikini - security through obscurity since 1943
They did this in Splinter Cell YEARS ago.
+1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
The Real Hustle on BBC3 to open a safe in a jewellery shop. How they got into the jewellery shop was pretty genius too.
Just make sure you add a bunch of heat on all the number keys before you leave to mess up their analysis. I recommend urinating on the keypad to get a good even distribution.
Even as a usually law-abiding citizen, I might be tempted to steal that camera thingy if I find it. The fact that it was put there by criminals would greatly reduce my pangs of conscience ;-)
C - the footgun of programming languages
Tampering is not needed for taking a thermal photo as the next in line.
this is an even better reason we need secure NFC transactions (with your mobile) asap. it's absurd to be typing a by-definition-weak password into an unauditable terminal. why hasn't some bank noticed that at least early adopters would pay for the privilege of paying securely?
then again, if banks simply secured their terminals, much of the hacked-ATM problem would disappear. yes, toilet-like stalls for each ATM...
this is why i need to train my cold blooded pet snack to enter my pin for me!
My God can beat up your God. Just kidding...don't take offense. I know there's no God.
Isn't it cheaper to simply mug the ATM user after they are done and take cash while out of sight of the ATM machine's own camera? You'd have to do that anyway to get the card from them. Why get all technical?
As I cover my hand to hide the numbers I always touch more than the four digits whenever I input my PIN as I center my hand on the keypad. Most of the time I also fake pressing some digits by keeping my finger onto them. I never thought of the thermal way to recover PIN numbers but I think I am safe.
Google context sensitive advertising at work.
They probably also advertise ski masks on stories about bank robbery.
Targeted advertising!
If I'm the only one with the card?
PS: I don't reply to ACs.
Slashdot has ads?
On BBC iPlayer, they did a con involving a safe keypad and a FLIR thermal camera to show the heat on the keypad.
I'd never heard of this method of attack until now. But it might explain why some of my bank's ATMs seem to have a high volume of cooling air blasting through any cracks and openings in the machine. Metal keys as well.
There was an article in a recent electronics magazine about building a code entry keypad that scrambles the digit positions between each entry attempt. This would make filming the keyboard difficult if one were to make the digit displays hard to see other than straight on. It would cause problems for people who enter their PIN based upon positional memory rather than looking at the numbers.
Have gnu, will travel.
Right now in Texas, we're hitting over 104F in the afternoons, several degrees higher than body temperature. Would the buttons be cooled by people touching them?
Is it just me, or does anyone else tire over stories of ATM skimming/tampering? I guess my main point here is who the hell still uses an ATM anymore?
It's probably been at least 6 months since I've stepped in front of one. I can withdraw up to $100 at just about any store I go into when I use my debit card (multiple times a day too), and since there seems to be a rather large void of evidence regarding tampering of debit terminals inside stores and banks, the most obvious solution seems to be the answer here.
And if I find myself in need of more than a few hundred dollars in cash (cash? what's that?) on any given day, then I go to the most secure place to get it; the actual bank.
In today's cashless society, I still struggle to find why ATMs haven't gone the way of the pay phone yet. Perhaps it's because a good portion of banking revenue is still generated off their ripoff fees for transactions? Chances are greed is in the answer there somewhere.
Good thing I do have cold dead fingers so they can't actually pry my money out of them.
I don't need to worry either. I have a feeling that anyone accessing my account would feel sorry for me, and might even be inclined to make a deposit instead of a withdrawal.
Making a touchscreen keypad mandatory should prevent this, and for added bonus present a random order of the numbers on the touch screen each time.
The camera wouldn't be near the ATM. Someone behind you in line would take the camera out of their pocket, and take a picture of the keypad you just touched.
For letting the criminal know that they have another option to steal our money. Now we have to carry a dust can that we have to turn upside down and spray it with cold air to wipe it down.
I can't stand to touch those PIN pads. Keys or gloves (in winter).
These cards with 'security chips' are a much greater risk. After entering your PIN, you must wait with the card sticking halfway out of the terminal pad while the transaction proceeds, during which time nobody guards their card. Who needs a heat camera when you can just peep over at someone entering their pin in the grocery line, snag their neatly exposed card, and drain their account at the nearest ATM? You can even yank it before the transaction completes to leave more money in the account! It's one thing that the pin pads are highly exposed, but to make the card itself vulnerable to easy theft is really ridiculous, especially in the name of security.
War as we knew it was obsolete
Nothing could beat complete denial
- Emily Haines
When I saw this done on Max Headroom, I was skeptical that it could work. Not because a regular news camera had an "infra-red" mode, I expected that could happen (and some do, just not enough to be heat sensitive yet), but I thought the keys would cool down too fast. Good to know how scientifically accurate a show about a simulated human infecting the world's computer networks was.
Back in the 80's I worked at a place where you needed to enter a PIN to open a side door. The keypad had a shield around the top and sides, the keys were back lit with nixie tubes that were below the surface about 0.5" -> 1" such that you had to be looking pretty much directly into them to see the numbers. You walked up, hit a button, the digits lit up and which button was which number was scrambled so that even if somebody saw the pattern of buttons you pressed, they still could not use it to gain access. It made it a PITA as you had to actually remember your code and not rely on muscle memory after a while. This was 80's technology, why can't ATMs use something like that? Ah yes, the customers would complain it's too hard to remember 4 digits. Must make it easier for the customers and thieves.
I accidentally typed some extra characters at a CapitalOne ATM once while taking money from my CapitalOne account and the ATM took it. I tried at a couple other CapitalOne ATMs and they took extra trailing characters as well.
I didn't complain because I didn't think it was a security flaw but now I am happy because those few times I did that, the thermal imaging attack would have returned an invalid PIN (that would have worked just as well as my valid one).
You can have my PIN
if you pry it from my dead COLD fingers.
Don't fight for your country, if your country does not fight for you.
"but a third of people surveyed admit that they do not check ATMs for tampering before withdrawing cash"
Yeah, I get it, some of you are typical Internet paranoid freaks who do this, but 99% of people don't. Why? I've never heard of anyone having their pin stolen. Ever. I've never known anyone who had money stolen from a bank account. We know the vast majority of cases of this are identity theft (which isn't pin theft). If someone did steal my PIN, they'd also need my wallet. My wallet was only stolen in an armed robbery by people who made no attempt to use my cards.
And what evidence of tampering are you looking for? Wires hanging out? Screws not flush? Seriously, wtf does this even mean?
Yeah, this isn't exactly new or news.
If I see someone hunched over the ATM I just finished using, with this thermal camera, guess what I will be doing....
smashing that camera to pieces in front of him.....
Seriously though, I think whether you dust for prints or heat or etc..... there is always a way to find the pin, which is why I subscribe to the new sms identification method gmail/facebook/hotmail uses, they should use that for banks and for credit cards
...it's more sanitary anyway.
I typically type two of the four numbers with the back of my fingernails. It won't help videocameras unless I would try to obfuscate it further, but for any type of fingerprinting, thermal, oil, or other attempts to duplicate my PIN that I've seen on Hollywood movies or CSI, it's hard enough to figure out that the imaginary criminal would probably just jack the next guy instead. Plus it gives my wife something to make fun of if she ever catches it.
But honestly, if you manage to steal a card and get the PIN, all you could get is repeated $500 draws until the account is empty, and for most of us, that account balance isn't anything to retire on. If you want to steal money using cards on a small-time scale, it's easier to just work at any restaurant or small business for a few weeks.
The really capable criminals go after larger scale heists than snooping at the ATM, copying credit cards, or offering cash swaps with Nigerian princes. I think typically we elect them or have them appointed.
"Cracking safes with thermal imaging" http://lcamtuf.coredump.cx/tsafe/
Well Chase is making it harder at least. They are installing covers to the numberpad so that it's harder for a camera to see what you are typing.
After you are finished with the ATM just press all the buttons on the keypad in random order leaving your finger on each key for a long hard press to really soak up your body heat. Kinda like scrambling the combination on a lock.
This is really good news. Where can I get one of these thermal imaging cameras? Can I mail away for the plans, you know, so they can't trace me on the internet? What if I get caught? Can I tell them I got the idea from slashdot? I should be able to post some tweaks in the methods in about 10 years when I get out of sing sing..
If my pin number was all the same number how would they know the order?
This trick was revealed back in the 1980's in a Commodore 64 game I had (I forget the name). The player is a spy who breaks into a top secret installation and at one point he comes to a door with a keypad. You have to think to use your thermal imaging device to look at the keys and guess the code based on how much each one is glowing. It's not a new idea at all. Of course, thermal cameras have always been very expensive, and remain so even today.
I really don't know what 80s pop sensation Asia has to do with the research they did. I'd like to know how that fits in.
Sand's overrated... it's just tiny little rocks.
People type their PIN when they use a debit card at places like 7-11. The real trick is to get the card.
It's 103F outside. Good luck with that whole thermal detection thing. (And I always touch all three buttons in a row at once, but only press down one, and will touch random rows without pressing any, just in case there's a camera nearby.)
Cyberia came out in 1994.
--- widget evolution: enhanced, plus, super, ultra, extreme, exxxtreme, ultra-extreme,
The problem with ATMs is that the 'something you have' can be copied so easily. I already have a chip on my credit card and use it at point of sale terminals. How about using smartcard authentication that can't be copied as easily as the magnetic strip?
I visited a company that had keypads on the doors. These pads would randomly arrange the digits with LEDs in the keys every time. It was a bit harder to find the keys you needed because they were always in a different place, but even if someone watched from the side they had a very narrow field of view, and this silly thermal approach wouldn't work either because the numbers went away after the door opened - you might know which keys they pressed, but not which digits.
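Added example, not part of the thread or of the UCSD paper: a small model that counts how many 4-digit PINs remain consistent with the heat residue under the mitigations commenters describe (repeated digits, warming decoy keys, scrambled layouts). The observer models are assumptions: heat is taken to reveal either the set of warm keys or the order in which each key was last pressed, and a scrambled keypad is taken to blank its digits after entry.

```python
from itertools import product

# Every 4-digit PIN: the space an observer is trying to narrow down.
ALL_PINS = ["".join(p) for p in product("0123456789", repeat=4)]

def warm_keys(pin):
    """Fixed layout, weak observer: only which keys are warm, no order."""
    return frozenset(pin)

def last_press_order(pin):
    """Fixed layout, strong observer: distinct keys ranked by last press
    (assumption: heat decay orders keys by when they were last touched)."""
    return tuple(sorted(set(pin), key=pin.rindex))

def scrambled_layout(pin):
    """Digits shuffled per entry and blanked afterwards: warm positions have
    no digit labels, so only the number of distinct keys leaks."""
    return len(set(pin))

def survivors(pin, observe):
    """PINs that would leave the same residue as `pin` under this model."""
    seen = observe(pin)
    return [q for q in ALL_PINS if observe(q) == seen]

def survivors_with_decoys(pin, decoy_keys):
    """Fixed layout, user also warmed `decoy_keys`: any PIN built only from
    warm keys is still possible."""
    hot = set(pin) | set(decoy_keys)
    return [q for q in ALL_PINS if set(q) <= hot]

if __name__ == "__main__":
    print("pin   warm-only  last-press-order  scrambled")
    for pin in ("1234", "7717", "7777"):  # constructed sample PINs
        print(pin,
              len(survivors(pin, warm_keys)),
              len(survivors(pin, last_press_order)),
              len(survivors(pin, scrambled_layout)))
    print("decoys 5,6:", len(survivors_with_decoys("1234", "56")))
    print("all keys warmed:", len(survivors_with_decoys("1234", "0123456789")))
```

Under these assumptions a scrambled layout takes a distinct-digit PIN from a single candidate back up to 5040, while an all-same-digit PIN stays at one candidate on a fixed keypad whether or not the order is visible.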
Won't work on me! I have to enter the wrong pin 3 times,,, call my wife, and then get it right!! Too bad I hit all the f'n keys!!