Slashdot Mirror


How To Steal ATM PINs With a Thermal Camera

An anonymous reader writes "Researchers from UCSD have demonstrated how thermal imagery cameras can be used to steal customers' PINs (PDF) when you withdraw cash from ATMs. Their paper, entitled 'Heat of the Moment: Characterizing the Efficacy of Thermal Camera-Based Attacks', (PDF) discovered that plastic PIN pads were the best for retaining heat signatures showing which numbers (and in which order) were used by bank customers. Fortunately the methodology does not appear to have been used by criminals yet, but a third of people surveyed admit that they do not check ATMs for tampering before withdrawing cash."


  1. Touch typing defense by rwa2 · · Score: 4, Funny

    Hmm, I knew there was a reason that I rested all of my fingers uniformly across the keypad, gently caressing their every ridge and facet as I discreetly pumped out my digits into their PIN pad. Well, another reason, at least.

    Also I try to think about a completely different song than the one that corresponds to the letters that correspond to the numbers of my PIN, just to thwart any brainwave phreaking attacks as well.

    But still hoping we score some decent security measures out of this, like maybe a bank-issued gold card or something.

    1. Re:Touch typing defense by Herkum01 · · Score: 4, Funny

      I rested all of my fingers uniformly across the keypad, gently caressing their every ridge and facet as I discreetly pumped out my digits

      Have you considered a career writing Harlequin novels?

    2. Re:Touch typing defense by cyberchondriac · · Score: 2

      or, after you've put in your PIN and gotten your money or whatever, press a few more random keys.

      --

      Look back up at my post, now look back down, you're on the Internet. Now look back up. I'm a signature.
    3. Re:Touch typing defense by nedlohs · · Score: 4, Funny

      Just set the keypad on fire.

    4. Re:Touch typing defense by MightyMartian · · Score: 2

      I'm not sure whether I just read a method to obscure your PIN number from thermal cameras, or a description of one of your sexual exploits.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    5. Re:Touch typing defense by franoreilly · · Score: 2

      Makes sense. Even though I cover my typing hand with my other hand, I always add a few more fake keypresses so that any camera can't make a rough guess, judging by the quadrant of the image showing slight movement, which key was actually pressed. So now I have to do this for infrared coverage also. Great.

      --
      -- --- Learn language vocabulary with mnemonics: http://www.memorista.com
    6. Re:Touch typing defense by Not_Wiggins · · Score: 3, Insightful

      It looks likely you were mostly joking (so, that makes me feel equally bad about admitting this).
      But, when putting in my PIN, I typically rest several fingers on different numbers, move my hand around, and punch my PIN in that way, obscuring what I'm doing (not the typical one finger, one press approach).

      For me, it was about making it tough for someone with a video camera set up to watch the ATM to figure out what my PIN is based on finger movement alone.

      I suppose to that end, would getting the heat signature really be that superior to having a video camera set up with a telephoto lens?
      And if we were ever worried about heat signature, wouldn't simply wearing gloves defeat this "potential attack?"

      Seems someone has figured out a complex way of collecting PINs.

      Why not set up a loop of wire and, based on the different lengths of connection between electricity that flows from pressed keys to the processor, infer which key is pressed?

      Right... it would cost more in time, money, and effort than one could make simply waiting for someone to walk up and rob with a gun.

      --
      Diplomacy is the art of saying, "Nice doggie!" until you can find a rock.
    7. Re:Touch typing defense by sconeu · · Score: 2

      I picked up this habit after working in a classified area with a cipher lock.
      After I'd enter the cipher, I'd swipe my fingers over all the buttons to make it harder for a potential bad guy to analyze the wear/fingerprint patterns on the lock.

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    8. Re:Touch typing defense by cdrguru · · Score: 2

      Right... it would cost more in time, money, and effort than one could make simply waiting for someone to walk up and rob with a gun.

      Never forget that any sort of ATM attack is anonymous and impersonal, whereas holding up someone with a gun means you personally are standing there in front of someone with a gun in your hand.

      What the Internet has proven beyond a shadow of a doubt is that ordinary people who wouldn't think of shoplifting will go to incredible lengths to steal stuff on the Internet where they are anonymous and the action is impersonal. Someone who would never break into a house in person will break into a computer with impunity, even to the point of advertising their exploits.

      I would say that there are plenty of people that if they could engage in ATM skimming and know they don't have to ever confront a human throughout the whole process they would do it, even to the point of spending more money than they are likely to get in return. ATM skimming kits are pretty good sellers on the Internet, if you know where to shop, because they are a gateway to anonymous, impersonal money.

  2. Now get back in line. by suso · · Score: 3, Insightful

    but a third of people surveyed admit that they do not check ATMs for tampering before withdrawing cash.

    A person checking an ATM for tampering may look like they are tampering with an ATM. Now get back in line.

    1. Re:Now get back in line. by rwa2 · · Score: 2

      Word. Not to mention that most ATM skimmers are very difficult to detect, and are often indistinguishable from some of the regular "bling" that an ATM might have adorning their card slot.

      But I guess it's worthwhile to attempt to rip it out anyway and see what happens :-P

      http://images.google.com/search?q=ATM+skimmer&hl=en&prmd=ivns&tbm=isch&tbo=u&source=univ&sa=X&biw=1270&bih=810

    2. Re:Now get back in line. by The+Moof · · Score: 5, Insightful

      Not to mention that the average person likely has no idea what a card skimmer looks like when compared to the card reader on an ATM.

    3. Re:Now get back in line. by Anonymous Coward · · Score: 2, Insightful

      This is what I was thinking. I actually *do* look for tampering, but even after seeing examples of card skimmers, I have doubts of my own ability to actually detect one.

    4. Re:Now get back in line. by Joce640k · · Score: 4, Interesting

      but a third of people surveyed admit that they do not check ATMs for tampering before withdrawing cash.

      Two thirds of them do? I find that very hard to believe.

      --
      No sig today...
    5. Re:Now get back in line. by kevinNCSU · · Score: 4, Interesting

      After looking at the pictures of scanners in this (Consumerist Security Briefing from Gawker) I don't think I could tell even if someone put 4 ATM machines in front of me and told me one of them had a skimmer, pick it out. These things fit so perfectly over the card reader it seems near impossible to tell without pulling out a knife and seeing if you can get anything to pop off, and I don't think that'd make most places happy.

    6. Re:Now get back in line. by advocate_one · · Score: 2

      I'd have modded you up if /. hadn't changed the stoopid interface yet again and resulted in the moderate button going missing in action...

      --
      Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
  3. Wallet corner defense by Anonymous Coward · · Score: 3, Insightful

    I use the corner of my wallet to press the keys, let's see them work with that.

    1. Re:Wallet corner defense by LighterShadeOfBlack · · Score: 2

      Except you already had your wallet out anyway to get to your cash card. And now your card is in the machine and you probably have no cash in it if you're at the ATM, so now they've got a wallet with things the average thief can't make use of, except maybe a condom or two. And given that this guy is posting on /. that condom has probably been there for 5+ years and is no longer effective. In nine months justice will be served. Take that, thief!

      --
      Spelling mistakes, grammatical errors, and stupid comments are intentional.
  4. Slashdot is advertising thermal imaging cameras... by kotku · · Score: 2

    when I viewed this story. Conflict of interest here?

    --
    The bikini - security through obscurity since 1943
  5. Splinter Cell... by neokushan · · Score: 2

    They did this in Splinter Cell YEARS ago.

    --
    +1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
  6. This was done on by geeza81 · · Score: 2

    The Real Hustle on BBC3 to open a safe in a jewellery shop. How they got into the jewellery shop was pretty genius too.

  7. Re:Oh Sure, Academia Accepts THAT Paper by Anonymous Coward · · Score: 4, Funny

    And don't ever use Gamma Rays, you don't want the Hulk chasing you after you've pilfered his bank account.

  8. Easy to Avoid by tucara · · Score: 5, Funny

    Just make sure you add a bunch of heat on all the number keys before you leave to mess up their analysis. I recommend urinating on the keypad to get a good even distribution.

    1. Re:Easy to Avoid by GameboyRMH · · Score: 2

      When I'm typing in my PIN I do a fancy jig with my fingers, and I use my fingernails - admittedly to avoid getting the ick from the ATM on my fingers - but that should help keep the thermal signatures down as well.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    2. Re:Easy to Avoid by S.O.B. · · Score: 3, Insightful

      Urine is likely cleaner than what you normally find on ATMs. So you're doing a public service by "rinsing off" the keypad.

      --
      Some of what I say is fact, some is conjecture, the rest I'm just blowing out my ass...you guess.
  9. Thermal imaging? That stuff is fun and expensive.. by Lonewolf666 · · Score: 4, Funny

    Even as a usually law-abiding citizen, I might be tempted to steal that camera thingy if I find it. The fact that it was put there by criminals would greatly reduce my pangs of conscience ;-)

    --
    C - the footgun of programming languages
  10. secure NFC transactions NOW! by markhahn · · Score: 2

    this is an even better reason we need secure NFC transactions (with your mobile) asap. it's absurd to be typing a by-definition-weak password into an unauditable terminal. why hasn't some bank noticed that at least early adopters would pay for the privilege of paying securely?

    then again, if banks simply secured their terminals, much of the hacked-ATM problem would disappear. yes, toilet-like stalls for each ATM...

    1. Re:secure NFC transactions NOW! by TubeSteak · · Score: 2

      this is an even better reason we need secure NFC transactions (with your mobile) asap.

      Near field communication is only as secure as the size and sensitivity of the nearest antenna.
      Just because your mobile phone has a weak antenna doesn't mean a malicious actor has to limit himself.

      --
      [Fuck Beta]
      o0t!
    2. Re:secure NFC transactions NOW! by rhsanborn · · Score: 2

      Because it's a password, and last I checked, banks do not take responsibility for transactions that involved the PIN. They consider it the consumer's responsibility to maintain the secrecy of their PIN, regardless of its weakness. As a result, the banks have relatively little exposure to PIN-based attacks, and therefore have little incentive to spend any money making it more secure.

  11. The Efficient Method by syntap · · Score: 3, Informative

    Isn't it cheaper to simply mug the ATM user after they are done and take cash while out of sight of the ATM machine's own camera? You'd have to do that anyway to get the card from them. Why get all technical?

    1. Re:The Efficient Method by Lonewolf666 · · Score: 2

      The common method is using an ATM skimmer to copy the card, and a camera to record typing in of the code. No mugging necessary. Sometimes the keypad is faked too.

      --
      C - the footgun of programming languages
  12. Re:Oh Sure, Academia Accepts THAT Paper by sycodon · · Score: 2

    Fortunately the methodology does not appear to have been used by criminals ye

    But they'll be sure to get on it right away now that they have been clued in.

    --
    When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
  13. Re:Equipment cooling by jfuredy · · Score: 2

    Yes, these keypads have been in use for at least 10 years. You press a button to activate the keypad, and it randomly places the digits onto the pad so they're in a different place each time. After you successfully enter your code all of the numbers disappear. It certainly makes it slower to enter your PIN, but it also makes it impossible to surreptitiously determine your PIN.
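
Added example, not part of the original thread or any vendor's code: a small Python model of what the scrambled keypad described in the comment above leaks to someone who recovers only which key positions were pressed, and in what order. The 0-9 position indexing, the fixed-layout ordering and all function names are assumptions made for the illustration.

```python
import random
from itertools import permutations

# Assumed ordering: position index -> digit on a conventional, fixed pad.
FIXED_LAYOUT = "1234567890"

def scrambled_layout(rng):
    """New random digit placement for one session, as the comment describes."""
    digits = list("0123456789")
    rng.shuffle(digits)
    return "".join(digits)

def pressed_positions(pin, layout):
    """Key positions touched, in order: all a position-only observer recovers."""
    return [layout.index(d) for d in pin]

def candidates_fixed(positions):
    """Fixed layout: positions map straight back to digits, so one candidate."""
    return ["".join(FIXED_LAYOUT[p] for p in positions)]

def candidates_scrambled(positions):
    """Unknown per-session layout: every PIN with the same repeat pattern fits."""
    distinct = sorted(set(positions))
    out = []
    for digits in permutations("0123456789", len(distinct)):
        assign = dict(zip(distinct, digits))
        out.append("".join(assign[p] for p in positions))
    return out

if __name__ == "__main__":
    rng = random.Random()          # constructed demo, no real keypad involved
    for pin in ("2580", "1212", "1111"):   # constructed sample PINs
        layout = scrambled_layout(rng)
        fixed = candidates_fixed(pressed_positions(pin, FIXED_LAYOUT))
        scr = candidates_scrambled(pressed_positions(pin, layout))
        print(pin, "fixed pad:", len(fixed), "candidate;",
              "scrambled pad:", len(scr), "candidates")
```

With four distinct digits the position-only observer is left with 5040 equally consistent candidates; a PIN such as 1111 leaves only 10, because the scrambled layout hides the digits but not the repeat pattern.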

  14. Re:Oh Sure, Academia Accepts THAT Paper by gorzek · · Score: 2

    Where do you live, Mogadishu?

  15. Re:Why aren't these things obsolete? by Worthless_Comments · · Score: 2

    Because drug dealers don't take plastic.