How To Steal ATM PINs With a Thermal Camera

An anonymous reader writes "Researchers from UCSD have demonstrated how thermal imagery cameras can be used to steal customers' PINs (PDF) when you withdraw cash from ATMs. Their paper, entitled 'Heat of the Moment: Characterizing the Efficacy of Thermal Camera-Based Attacks', (PDF) discovered that plastic PIN pads were the best for retaining heat signatures showing which numbers (and in which order) were used by bank customers. Fortunately the methodology does not appear to have been used by criminals yet, but a third of people surveyed admit that they do not check ATMs for tampering before withdrawing cash."

Touch typing defense

[rwa2]

Hmm, I knew there was a reason that I rested all of my fingers uniformly across the keypad, gently caressing their every ridge and facet as I discreetly pumped out my digits into their PIN pad. Well, another reason, at least.

Also I try to think about a completely different song than the one that corresponds to the letters that correspond to the numbers of my PIN, just to thwart any brainwave phreaking attacks as well.

But still hoping we score some decent security measures out of this, like maybe a bank-issued gold card or something.

Re:Touch typing defense

[Herkum01]

I rested all of my fingers uniformly across the keypad, gently caressing their every ridge and facet as I discreetly pumped out my digits

Have you considered a career writing Harlequin novels?

Re:Touch typing defense

[cyberchondriac]

or, after you've put in your PIN and gotten your money or whatever, press a few more random keys.

Re:Touch typing defense

[nedlohs]

Just set the keypad on fire.

Re:Touch typing defense

[MightyMartian]

I'm not sure whether I just read a method to obscure your PIN number from thermal cameras, or a description of one of your sexual exploits.

Re:Touch typing defense

[franoreilly]

Makes sense. Even though I cover my typing hand with my other hand, I always add a few more fake keypresses so that any camera can't make a rough guess, judging by the quadrant of the image showing slight movement, which key was actually pressed. So now I have to do this for infra red coverage also. Great.

Re:Touch typing defense

[Not_Wiggins]

It looks likely you were mostly joking (so, that makes me feel equally bad about admitting this).
But, when putting in my PIN, I typically rest several fingers on different numbers, move my hand around, and punch my PIN in that way, obscuring what I'm doing (not the typical one finger, one press approach).

For me, it was about making it tough for someone with a video camera set up to watch the ATM to figure out what my PIN is based on finger movement alone.

I suppose to that end, would getting the heat signature really be that superior to having a video camera set up with a telephoto lens?
And if we were ever worried about heat signature, wouldn't simply wearing gloves defeat this "potential attack?"

Seems someone has figured out a complex way of collecting PINs.

Why not set up a loop of wire and, based on the different lengths of connection between electricity that flows from pressed keys to the processor, infer which key is pressed?

Right... it would cost more in time, money, and effort than one could make simply waiting for someone to walk up and rob with a gun.

Re:Touch typing defense

[Bob+the+Super+Hamste]

Sounds like both. He has a thing for ATMs especially when they vibrate when discharging money.

Re:Touch typing defense

[need4mospd]

Hmm, I knew there was a reason that I rested all of my fingers uniformly across the keypad, gently caressing their every ridge and facet as I discreetly pumped out my digits into their PIN pad.

Do you do so while wearing a robe and wizard hat?

Re:Touch typing defense

[Jah-Wren+Ryel]

But, when putting in my PIN, I typically rest several fingers on different numbers, move my hand around, and punch my PIN in that way, obscuring what I'm doing (not the typical one finger, one press approach).

I do it too -- I start at the top row, one finger per button, and then slide my hand down the keypad making contact with every button but only putting pressure on the one button that needs pushing. I repeat the process for each digit but make sure to slide my hand across the entire keypad each time. It didn't take much practice to get good at it, it still takes a little bit longer than just punching the numbers in directly, but not enough to matter.

Re:Touch typing defense

[sconeu]

I picked up this habit after working in a classified area with a cipher lock.
After I'd enter the cipher, I'd swipe my fingers over all the buttons to make it harder for a potential bad guy to analyze the wear/fingerprint patterns on the lock.

Re:Touch typing defense

[cdrguru]

Right... it would cost more in time, money, and effort than one could make simply waiting for someone to walk up and rob with a gun.

Never forget that any sort of ATM attack is anonymous and impersonal, whereas holding up someone with a gun means you personally are standing there in front of someone with a gun in your hand.

What the Internet has proven beyond a shadow of a doubt is that ordinary people who wouldn't think of shoplifting will go to incredible lengths to steal stuff on the Internet where they are anonymous and the action is impersonal. Someone who would never break into a house in person will break into a computer with impunity, even to the point of advertising their exploits.

I would say that there are plenty of people that if they could engage in ATM skimming and know they don't have to ever confront a human throughout the whole process they would do it, even to the point of spending more money than they are likely to get in return. ATM skimming kits are pretty good sellers on the Internet, if you know where to shop, because they are a gateway to anonymous, impersonal money.

Re:Touch typing defense

[tom17]

Naaah,
1,2,3,4(5,6,7,8,9,10,11,Twe-ee-e-ee-e-elve!)

Re:Touch typing defense

[jonbryce]

I think the idea is that after you leave the machine, four[1] of the keys will be glowing. The brightest one is the number you pressed last, and the dimmest is the one you pressed first.

[1] Assuming your PIN is made up of four unique numbers. If your pin contains repeated numbers, I guess it makes it more difficult to determine the order of them.

Re:Touch typing defense

[idontgno]

I say we take off and nuke the site from across the street. It's the only way to be sure.

-- Security Engineering Officer Ellen Ripley

Re:Touch typing defense

[black+soap]

48 permutations, assuming 4 known, unique digits. 36 permutations, assuming 3 digits, not knowing which is unique.

Re:Touch typing defense

[sam0737]

I usually keep hitting the keypad randomly when it's preparing the cash, for fun. Now that's a reason for me to keep doing it!

Re:Touch typing defense

[Ced_Ex]

What about all the other number keys you end up pressing when you define how much money you're depositing or withdrawing?

All this is making the simple task of stealing so complicated. Gypsy kids just hang around the ATM, wait for the withdraw screen to show up, run in, quickly press the auto denomination of the highest value and wait for the money to start spitting out before they grab and dash. Thermal cameras have got nothing on those kids.

Re:Touch typing defense

[karnal]

My ATM makes me use the touchscreen after entering the PIN on the number pad; so I guess I'm screwed.

Re:Touch typing defense

[anubi]

ATM skimming kits are pretty good sellers on the Internet, if you know where to shop,

That, my friend, is scary.

If the ATM programmer offered me the option of morse code, I wonder how easy that would be to crack.

Years ago, I configured my home security system to arm/disarm via the doorbell. I send it morse code to unlock it. Only the first press will actually ring the bell. Subsequent presses issued before timeout are interpreted ty the ATMEL microcontroller as morse code and are not routed to the bell. For all intents and purposes, it looks and works exactly like a doorbell, only it changes color to indicate system state.

If I were given the option to morse my PIN onto the "5" key, I would go for it.

Very few of us know Morse code, so this obviously isn't for everybody. For those of us who do, it could offer an additional layer of security by obscurity. It could be cracked, but it would likely discourage the thief by diverting him to easier prey.

Re:Touch typing defense

[AmiMoJo]

Seems like a risky thing to do. If you use a cloned card in a shop you will probably be on CCTV. If you use it on the internet then I suppose you can pay for some services (hiding behind a proxy or Tor) but any physical goods need to be delivered to an address. Most people don't have an address they can use to receive their ill-gotten gains.

Now get back in line.

[suso]

but a third of people surveyed admit that they do not check ATMs for tampering before withdrawing cash.

A person checking an ATM for tampering may look like they are tampering with an ATM. Now get back in line.

Re:Now get back in line.

[rwa2]

Word. Not to mention that most ATM skimmers are very difficult to detect, and are often indistinguishable from some of the regular "bling" that an ATM might have adorning their card slot.

But I guess it's worthwhile to attempt to rip it out anyway and see what happens :-P

http://images.google.com/search?q=ATM+skimmer&hl=en&prmd=ivns&tbm=isch&tbo=u&source=univ&sa=X&biw=1270&bih=810

Re:Now get back in line.

[The+Moof]

Not to mention that the average person likely has no idea what a card skimmer looks like when compared to the card reader on an ATM.

Re:Now get back in line.

This is what I was thinking. I actually *do* look for tampering, but even after seeing examples of card skimmers, I have doubts of my own ability to actually detect one.

Re:Now get back in line.

[GTRacer]

Am I alone in not using ATMs? I prolly wouldn't know if a skimmer had been installed because I almost never visit ATMs. I mean, in any given year I can count on one hand the number of ATM withfrawals and checks written on one, maybe two hands. I stopped carrying cash years ago and if I truly need some, most of the time a POS cashout is closer than the bank, and doesn't charge a fee.

To be fair, I *do* use the ATM whenever I need to deposit checks, which is rarely enough. All that said, if I saw mysterious ATM usage on the bank website, I could almost certainly refute it with my non-history.

Re:Now get back in line.

[Joce640k]

but a third of people surveyed admit that they do not check ATMs for tampering before withdrawing cash.

Two thirds of them do? I find that very hard to believe.

Re:Now get back in line.

[kevinNCSU]

After looking at the pictures of scanners in this ( Consumerist Security Briefing from Gawker) I don't think I could tell even if someone put 4 ATM machines in front of me and told me one of them had a skimmer, pick it out. These things fit so perfectly over the card reader it seems near impossible to tell without pulling out a knife and seeing if you can get anything to pop off, and I don't think that'd make most places happy.

Re:Now get back in line.

[gorzek]

The key word being "admit." I would suspect at least 90% of people don't actually look for ATM tampering, but in having it brought up are too embarrassed to admit to it.

Re:Now get back in line.

[advocate_one]

I'd have modded you up if /. hadn't changed the stoopid interface yet again and resulted in the moderate button going missing in action...

Re:Now get back in line.

[Sabriel]

I spotted only half the skimmers, and missed the cameras. Cunning little monsters. Glad I don't use ATMs often. Thanks for the link.

Nothing is safe

[mfh]

There is no level of applied security that can thwart applied freedom.

Wallet corner defense

I use the corner of my wallet to to press the keys, let's see them work with that.

Re:Wallet corner defense

[mapkinase]

Good idea. Also, stylo of your mobile. Mod the coward up.

Re:Wallet corner defense

[Heed00]

*snatch* Got your wallet! *runs away*

Re:Wallet corner defense

[LighterShadeOfBlack]

Except you already had your wallet out anyway to get to your cash card. And now your card is in the machine and you probably have no cash in it if you're at the ATM, so now they've got a wallet with things the average thief can't make use of, except maybe a condom or two. And given that this guy is posting on /. that condom has probably been there for 5+ years and is no longer effective. In nine months justice will be served. Take that, thief!

Re:Wallet corner defense

[Pope]

The what of my what?

I have a touchscreen, you insensitive clod!

Re:Wallet corner defense

[mapkinase]

I am a proud owner of Samsung i730

http://en.wikipedia.org/wiki/Samsung_SCH-i730

It is hard to overestimate ubiquitous practicality of a stylus. It's uses vary from direct use and clearing wax from one's ear.

Slashdot is advertising thermal imaging cameras...

[kotku]

when I viewed this story. Conflict of interest here?

Splinter Cell...

[neokushan]

They did this in Splinter Cell YEARS ago.

Re:Splinter Cell...

[wildstoo]

That's the first thing I thought of too. I remember using my Thermal Imaging goggles in Splinter Cell to steal door codes after watching someone else use the keypad.

Did the guys at UCSD play Splinter Cell? Did they thank Ubisoft in their paper? ;)

Re:Splinter Cell...

[ironjaw33]

They did this in Splinter Cell YEARS ago.

After doing that in game, I remember thinking that there was no way this would really work. I was hoping that Mythbusters would tackle it but it looks like academia beat them to it.

Re:Splinter Cell...

[Kunedog]

And in Cyberia years before that.

This was done on

[geeza81]

The Real Hustle on BBC3 to open a safe in a jewellery shop. How they got into the jewellery shop was pretty genius too.

Re:This was done on

[StillNeedMoreCoffee]

I don't know if that is where I saw that, but yes the technique has appeared in movies (years ago) This is life imitating art.

Re:Oh Sure, Academia Accepts THAT Paper

And don't ever use Gamma Rays, you don't want the Hulk chasing you after you've pilfered his bank account.

Easy to Avoid

[tucara]

Just make sure you add a bunch of heat on all the number keys before you leave to mess up their analysis. I recommend urinating on the keypad to get a good even distribution.

Re:Easy to Avoid

[GameboyRMH]

When I'm typing in my PIN I do a fancy jig with my fingers, and I use my fingernails - admittedly to avoid getting the ick from the ATM on my fingers - but that should help keep the thermal signatures down as well.

Re:Easy to Avoid

[S.O.B.]

Urine is likely cleaner than what you normally find on ATMs. So you're doing a public service by "rinsing off" the keypad.

Re:Easy to Avoid

[scorp1us]

You joke, but there is a scene in American Treasure II where they fingerprint a keyboard and deduce the password using letters hit and a dictionary attack. One shift or caps-lock key use and it blows the solution space exponentially high.

I am waiting for ATMs to have NFC support. That way, my card and/or phone is needed so that I don't have to even touch that machine.

Re:Easy to Avoid

[bughunter]

Reminds me of the apocryphal story of the D&D munchkin running a dwarven thief whose dungeon lockpicking strategy is to piss in the lock and then come back in a year or two after the mechanism had corroded...

Re:Easy to Avoid

[rubycodez]

if you find you can't urinate, rub one out on the keypad

Re:Easy to Avoid

[Pope]

I dunno, it'd feel like I was cheating on my oven.

Re:Easy to Avoid

[rubycodez]

not an issue for me, my microwave is a dependent ("Mike" on 1040A) and so I don't discuss sex life

Re:Easy to Avoid

[bughunter]

As would be his lack of immunity to one of my DM's favorite thief griefing critters: Rot Grubs.

Re:Easy to Avoid

[stoofa]

Anonymous Coward? Doh! Now, if I'd given a penguin a quick hug before posting then they might have spotted that I wasn't logged in and done that penguin thing that they do, whatever it is that penguins do to remind you that you haven't logged in on /.

Thermal imaging? That stuff is fun and expensive..

[Lonewolf666]

Even as a usually law-abiding citizen, I might be tempted to steal that camera thingy if i find it. The fact that it was put there by criminals would greatly reduce my pangs of conscience ;-)

So as far as i understood.

[drolli]

Tampering is not needed for taking a thermal photo as the next in line.

secure NFC transactions NOW!

[markhahn]

this is an even better reason we need secure NFC transactions (with your mobile) asap. it's absurd to be typing a by-definition-weak password into an unauditable terminal. why hasn't some bank hasn't noticed that at least early adopters would pay for the privilege of paying securely?

then again, if banks simply secured their terminals, much of the hacked-ATM problem would disappear. yes, toilet-like stalls for each ATM...

Re:secure NFC transactions NOW!

[TubeSteak]

this is an even better reason we need secure NFC transactions (with your mobile) asap.

Near field communication is only as secure as the size and sensitivity of the nearest antenna.
Just because your mobile phone has a weak antenna doesn't mean a malicious actor has to limit himself.

Re:secure NFC transactions NOW!

[rhsanborn]

Because it's a password, and last I checked, banks do not take responsibility for transactions that involved the PIN. They consider it the consumer's responsibility to maintain the secrecy of their PIN, regardless of it's weakness. As a result, the banks have relatively little exposure to PIN based attacks, and therefore have little incentive to spend any money making it more secure.

Re:secure NFC transactions NOW!

[IamTheRealMike]

it's absurd to be typing a by-definition-weak password into an unauditable terminal.

A hacked terminal isn't enough to break card security, obviously, the whole point is that you need both the card and the PIN. Merely having the PIN isn't enough. Modern cards can't be cloned unless you live somewhere still in the stone age, like the USA ;)

Re:secure NFC transactions NOW!

[quacking+duck]

This is partly why even though my credit card has a chip, it does not have a PIN. The other reason is my issuing bank didn't have the infrastructure set up to handle CC PINs when they started shipping chipped replacement cards out, but considering at least one guy's already been denied a disputed charge because his CC company claims the system is secure and it MUST have been him entering the PIN, I'll just keep signing my CC-paid bills for as long as I can.

Re:secure NFC transactions NOW!

[babywhiz]

heh. I can totally see the hookups in THOSE types of stalls....maybe not quite 'mile high club' worthy....but still an interesting hookup. Wonder what the tapes from those security cameras would look like?

Re:secure NFC transactions NOW!

[Jah-Wren+Ryel]

Near field communication is only as secure as the size and sensitivity of the nearest antenna.
Just because your mobile phone has a weak antenna doesn't mean a malicious actor has to limit himself.

Yes, screw NFC - we would be a lot better off with 2D barcodes displayed on the phone and a camera on the POS terminal. If you need 2-way communication (which I doubt is really necessary) then just use the camera on the phone and a small (e-ink?) display on the POS terminal. Bonus in that no new tech on the consumer end is needed, every smart phone currently on the market has all you need to pull it off.

Re:secure NFC transactions NOW!

[AmiMoJo]

True, but accepting card payments is far more risky than simply buying stuff on a stolen card. To get any return you have to provide a bank account for them to pay the money into, and an address to send billing information to.

People have tried this sort of thing in the past with premium rate phone lines. They stole mobile and then set up a rig to dial their premium rate number over and over again. Naturally they were caught pretty quickly once the phone company started getting complaints.

train my cold blooded pet snake

[schlachter]

this is why i need to train my cold blooded pet snack to enter my pin for me!

Re:train my cold blooded pet snake

[Daetrin]

this is why i need to train my cold blooded pet snack to enter my pin for me!

I would say something about the amount of time wasted by repeatedly training something that's going to be consumed in short order, but i'm more squicked out by the idea of keeping your snacks as pets.

The Efficient Method

[syntap]

Isn't it cheaper to simply mug the ATM user after they are done and take cash while out of sight of the ATM machine's own camera? You'd have to do that anyway to get the card from them. Why get all technical?

Re:The Efficient Method

[Lonewolf666]

The common method is using an ATM skimmer to copy the card, and a camera to record typing in of the code. No mugging necessary. Sometimes the keypad is faked too.

Re:The Efficient Method

[Kell+Bengal]

Except with a card skimmer, you don't - just make a replica card using the captured information and use the observed PIN combination.

Re:The Efficient Method

[PPH]

But now you can hit them over the head with the thermal camera.

Re:The Efficient Method

[DarthVain]

1) You're limited to the 20$ the tightwad took out.
2) You would have to be able to mug them over and over again until caught
3) Likely the charge is less if you don't actually have to threaten anyone with a knife or gun.
4) You just need the number not the card, but even if you do need it, you can secretly steal it, make a copy and even return it.
5) Its way cooler.

Touch more than 4 digits. Probelm solved.

[MindCrusher]

As I cover my hand to hide the numbers I always touch more than the four digits whenever I input my PIN as I center my hand on the keypad. Most of the time I also fake pressing some digits by keeping my finger onto them. I never thought of the thermal way to recover PIN numbers but I think I am safe.

Re:Touch more than 4 digits. Probelm solved.

[mapkinase]

Or you could have just used the tip of the pen or stylo from your mobile.

Re:Slashdot is advertising thermal imaging cameras

[Nadaka]

Google context sensitive advertising at work.

They probably also advertise ski masks on stories about bank robbery.

Re:Oh Sure, Academia Accepts THAT Paper

[sycodon]

Fortunately the methodology does not appear to have been used by criminals ye

But they'll be sure to get on it right away now that they have been clued in.

What good is the pin?

[ThorGod]

If I'm the only one with the card?

Re:What good is the pin?

[srobert]

Well now that we have your PIN we can just knock you over the head and take your card. Before we had to kidnap and torture you to get you to reveal the PIN. This is so much easier. Who says that technology isn't improving our lives?

Re:What good is the pin?

[hellkyng]

Because shortly you will not be the only one with the card. As others mentioned there is a skimmer attached somewhere on the ATM. This reads the data contained on the magnetic stripe of your card and records. It may transmit this data via bluteooth to a local attacker, or store it locally. Skimmers usually can contain anywhere from 7-10,000 cards on them roughly.

Once this is accomplished the attacker will then either sell the data online, or begin creating his own fake credit cards. This process involves purchasing blanks, which look like plain white cards, and reloading your mag stripe onto it. They may be more sophisticated as well but that gets more expensive. Then its off to the local big box retailer to buy a few TVs courtesy of you!

ATMs are the obvious case as well, this can be easily done in gas pumps as well...

Re:Oh Sure, Academia Accepts THAT Paper

[fuzzyfuzzyfungus]

Based on the relative costs(and sizes) of the existing visible-spectrum-camera-hidden-on-the-ATM technology and the available thermal imaging gear, I'm somewhat inclined to doubt any significant uptake.

Even if you go fleabaying, a thermal imaging system up to the task will easily be north of $1,000, and the cheap seats are often rather bulky and don't exactly sip power. If you go with something handheld, the fact that many of them look very much unlike normal digital cameras will make you stand out a good deal.

Your dinky little pinhole spycam, either from a skimmer-vendor or modified from a cheap cellphone or some chintzy perv-market 'security' camera is going to be at least a factor of ten cheaper, able to run much longer on batteries, and substantially smaller.

Was on The Real Hustle a few weeks ago

[DJRikki]

On BBC iPlayer, they did a con involving a safe keypad and a FLIR thermal camera to show the heat on the keypad.

Equipment cooling

[PPH]

I'd never heard of this method of attack until now. But it might explain why some of my bank's ATMs seem to have a high volume of cooling air blasting through any cracks and openings in the machine. Metal keys as well.

There was an article in a recent electronics magazine about building a code entry keypad that scrambles the digit positions between each entry attempt. This would make filming the keyboard difficult if one were to make the digit displays hard to see other than straight on. It would cause problems for people who enter their PIN based upon positional memory rather than looking at the numbers.

Re:Equipment cooling

[jfuredy]

Yes, these keypads have been in use for at least 10 years. You press a button to activate the keypad, and it randomly places the digits onto the pad so they're in a different place each time. After you successfully enter your code all of the numbers disappear. It certainly makes it slower to enter your PIN, but it also makes it impossible to surreptitiously determine your PIN.

Re:Equipment cooling

[jonbryce]

It also makes it impossible for blind people to enter the PIN, so probably violates Disability Discrimination legislation. Keypads usually have a dimple on the No 5 button, and a blind person can figure out where the other buttons are from that.

Re:Equipment cooling

[quacking+duck]

Take a page from the iPhone's touchscreen accessibility mode. When you move a finger over an element, it reads it out. Obviously you don't want it read aloud so others can hear, but this would be a good use of most of my bank's ATMs audio-out jack.

Okay yes, then the criminals hack or replace the audio jack with their own. I assume Disability Discrimination laws don't allow fully-abled people to use features disabled ones can't (translation: blind people must be able to access new, more secure features, otherwise the 90%+ of the population who aren't blind aren't allowed to use it either), so maybe we just go back to face-to-face tellers.

What about ambient temperature?

[chiph]

Right now in Texas, we're hitting over 104F in the afternoons, several degrees higher than body temperature. Would the buttons be cooled by people touching them?

Re:What about ambient temperature?

[Em+Adespoton]

You really have ATMs operating in 104F environments? More likely there's an AC unit right above the thing blasting cold air on it.

Re:What about ambient temperature?

[Em+Adespoton]

The issue isn't that the ATMs can't handle the heat -- I've worked with the kiosks myself and know how they're rated -- the issue is that PEOPLE can't handle the heat, so ATMs are usually placed in locations more comfortable to humans. However, I know that drive-through ATMs are used in Texas, so he's probably on to something for those.

Why aren't these things obselete?

[geekmux]

Is it just me, or does anyone else tire over stories of ATM skimming/tampering? I guess my main point here is who the hell still uses an ATM anymore?

It's probably been at least 6 months since I've stepped in front of one. I can withdraw up to $100 at just about any store I go into when I use my debit card(multiple times a day too), and since there seems to be a rather large void of evidence regarding tampering of debit terminals inside stores and banks, the most obvious solution seems to be the answer here.

And if I find myself in need of more than a few hundred dollars in cash(cash? what's that?) on any given day, then I go to the most secure place to get it; the actual bank.

In today's cashless society, I still struggle to find why ATMs haven't gone the way of the pay phone yet. Perhaps it's because a good portion of banking revenue is still generated off their ripoff fees for transactions? Chances are greed is in the answer there somewhere.

Re:Why aren't these things obselete?

[Asic+Eng]

I think your experience is probably in the US? Being able to get cash back from the store is not unheard of in other countries, but it's a lot less common than in the US. Also card payments are less common in other countries, usually cash is preferred. (On average it's a lot quicker, plus many people prefer not to leave a record of every little purchase they make.)

As for withdrawal fees - my German bank (DKB) lets me withdraw money anywhere in the world using my visa card, and they swallow the withdrawal fee. (They don't charge for the account either and pay interest on my savings - it's a pretty good deal.) Very convenient when you are traveling, and I'm getting rather good exchange rates as well.

Re:Why aren't these things obselete?

[rubycodez]

I hit up ATMs for -large- amounts of cash at a time ($200 or more) and have anonymous spending money for a couple of weeks

you must be single. Married with children, I can pull $400 out of an ATM and have it gone in days.

Re:Why aren't these things obselete?

[Pope]

Is it just me, or does anyone else tire over stories of ATM skimming/tampering? I guess my main point here is who the hell still uses an ATM anymore?

Yes, it's just you. Judging by the lines I see for the ATMs at the bank on the main floor of my office building, cash is far from dead. Just because YOU don't use it doesn't mean everyone else doesn't.

Re:Why aren't these things obselete?

[Worthless_Comments]

Because drug dealers don't take plastic.

Re:Thermal imaging? That stuff is fun and expensiv

[Arlet]

The camera wouldn't be near the ATM. Someone behind you in line would take the camera out of their pocket, and take a picture of the keypad you just touched.

Score one for moderate OCD

[Culture20]

I can't stand to touch those PIN pads. Keys or gloves (in winter).

Worse yet, the chip cards

[dontmakemethink]

These cards with 'security chips' are a much greater risk. After entering your PIN, you must wait with the card sticking halfway out of the terminal pad while the transaction proceeds, during which time nobody guards their card. Who needs a heat camera when you can just peep over at someone entering their pin in the grocery line, snag their neatly exposed card, and drain their account at the nearest ATM? You can even yank it before the transaction completes to leave more money in the account! It's one thing that the pin pads are highly exposed, but to make the card itself vulnerable to easy theft is really ridiculous, especially in the name of security.

Max Headroom

[John+Bayko]

When I saw this done on Max Headroom, I was skeptical that it could work. Not because a regular news camera had an "infra-red" mode, I expected that could happen (and some do, just not enough to be heat sensitive yet), but I thought the keys would cool down too fast. Good to know how scientifically accurate a show about a simulated human infecting the world's computer networks was.

Thermal camera?

[houghi]

You can have my PIN
if you pry it from my dead COLD fingers.

And two thirds of people are liars.

"but a third of people surveyed admit that they do not check ATMs for tampering before withdrawing cash"

Yeah, I get it, some of you are typical Internet paranoid freaks who do this, but 99% of people don't. Why? I've never heard of anyone having their pin stolen. Ever. I've never known anyone who had money stolen from a bank account. We know the vast majority of cases of this are identity theft (which isn't pin theft). If someone did steal my PIN, they'd also need my wallet. My wallet was only stolen in an armed robbery by people who made no attempt to use my cards.

And what evidence of tampering are you looking for? Wires hanging out? Screws not flush? Seriously, wtf does this even mean?

Re:Oh Sure, Academia Accepts THAT Paper

[Eponymous+Hero]

no, there will be a smartphone app for it soon.

If i see

[hesaigo999ca]

If i see someone hunched over the ATM i just finished using, with this thermal camera, guess what I will be doing....
smashing that camera to pieces in front of him.....

Seriously though, I think whether you dust for prints or heat or etc..... there is always a way to find the pin, which is why i subscribe to the new sms identification method gmail/facebook/hotmail uses, they should use that for banks and for credit cards

Re:Oh Sure, Academia Accepts THAT Paper

[hairyfeet]

Not to mention anybody who has watched the news lately has seen that the threat at ATMs isn't some hacker nerd but a "Thug Life!"er sticking a gun in your ribs or bashing your head in with a rock and just taking the money after you have put in the pin.

And has anyone else noticed that for the "Thug Life!"ers there is no such thing as robbery? There is murder with a cash bonus. We had a typical "Thug life!"er robbery in the next town over a couple of months ago, the "Thug Life!"er walks into a nail salon, blows away everyone in the place THEN goes for the til. Got something like $363 for 3 dead and 1 wounded.

Frankly having a geek go to all that trouble to rob you with infrared would probably be refreshing since all I see anymore is someone blowing you away and then rifling through your pockets.

I type with the back of my nails

[ace37]

I typically type two of the four numbers with the back of my fingernails. It won't help videocameras unless I would try to obfuscate it further, but for any type of fingerprinting, thermal, oil, or other attempts to duplicate my PIN that I've seen on Hollywood movies or CSI, it's hard enough to figure out that the imaginary criminal would probably just jack the next guy instead. Plus it gives my wife something to make fun of if she ever catches it.

But honestly, if you manage to steal a card and get the PIN, all you could get is repeated $500 draws until the account is empty, and for most of us, that account balance isn't anything to retire on. If you want to steal money using cards on a small-time scale, it's easier to just work at any restaurant or small business for a few weeks.

The really capable criminals go after larger scale heists than snooping at the ATM, copying credit cards, or offering cash swaps with Nigerian princes. I think typically we elect them or have them appointed.

work around

[scharkalvin]

After you are finished with the ATM just press all the buttons on the keypad in random order leaving your finger on each key for a long hard press to really soak up your body heat. Kinda like scrambling the combination on a lock.

Re:Oh Sure, Academia Accepts THAT Paper

[gorzek]

Where do you live, Mogadishu?

NOT a new idea

[Parhelion]

This trick was revealed back in the 1980's in a Commodore 64 game I had (I forget the name). The player is a spy who breaks into a top secret installation and at one point he comes to a door with a keypad. You have to think to use your thermal imaging device to look at the keys and guess the code based on how much each one is glowing. It's not a new idea at all. Of course, thermal cameras have always been very expensive, and remain so even today.

Heat of the Moment?

[wickedskaman]

I really don't know what 80s pop sensation Asia has to do with the research they did. I'd like to know how that fits in.

I can do this just by looking at a store

[chemosh6969]

People type their PIN when they use a debit card at places like 7-11. The real trick is to get the card.

Summer

[Forthan+Red]

It's 103F outside. Good luck with that whole thermal detection thing. (And I always touch all three buttons in a row at once, but only press down one, and will touch random rows without pressing any, just in case there's a camera nearby.)

in Cyberia before that

[majid_aldo]

Cyberia came out in 1994.

Change ATM card to smartcard

The problem with ATMs are that the 'something you have' can be copied so easily. I already have a chip on my credit card and use it at point of sale terminals. How about using smartcard authentication that can't be copied as easily as the magnetic strip?

Best way to prevent observers of any type

[gr8_phk]

I visited a company that had keypads on the doors. These pads would randomly arrange the digits with LEDs in the keys every time. It was a bit harder to find the keys you needed because they were always in a different place, but even if someone watched from the side they had a very narrow field of view, and this silly thermal approach wouldn't work either because the numbers went away after the door opened - you might know which keys they pressed, but not which digits.

Ha!

[arsemonkey]

Wont work on me! I have to enter the wrong pin 3 times,,, call my wife, and then get it right!! Too bad I hit all the f'n keys!!