Slashdot Mirror


Cheap Thermal Imagers Can Steal User PINs

Bismillah writes: A British infosec company has discovered that cheap thermal imaging attachments for smartphones can be used to work out which keys users press on -- for instance -- ATM PIN pads. The thermal imprint lasts for a minute or longer. That's especially worrying if your PIN takes the form of letters, as do many users' phone-unlock patterns.

101 comments

  1. Simple solution by Anonymous Coward · · Score: 0

    A heating / cooling element in the keypad would remedy this.

    1. Re:Simple solution by Anonymous Coward · · Score: 0

      Wow, you sound like a poor engineer.

    2. Re:Simple solution by Geoffrey.landis · · Score: 1

      A simpler solution: press more numbers after you press "enter" on the keypad.

      --
      http://www.geoffreylandis.com
    3. Re:Simple solution by TeknoHog · · Score: 1

      A simpler solution: press more numbers after you press "enter" on the keypad.

      I thought this was old news. I usually hold some of my fingers lightly on the unused keys to warm them up without pressing, but this could be even better to keep the heating times equal.

      --
      Escher was the first MC and Giger invented the HR department.
    4. Re: Simple solution by Anonymous Coward · · Score: 0

      Scramble pads

    5. Re:Simple solution by Tx · · Score: 3, Interesting

      It is old news that thermal imaging cameras can be used to steal PINs. What I guess is news is that you can get a $250 phone add-on that's up to the task; I'm pretty sure that wasn't the case until quite recently.

      I question the practicality of this technique for ATMs; you still need a clone of the card to use the PIN. And if you're going to install a card skimmer to clone cards, the traditional technique of using a pinhole camera to record the PIN entry works just fine, and is probably way more reliable. So I'm not sure what the use-case is for this technique; maybe door-entry systems that only require a PIN, I guess.

      --
      Oh no... it's the future.
    6. Re:Simple solution by TeknoHog · · Score: 2

      Yet another way for the extra paranoid: use a pen or something instead of your fingers. As a bonus, they won't get your fingerprints. But first, cover the area with tinfoil and foam. The latter is important because audible clicks might reveal the keying pattern -- it's been done with computer keyboards to some extent.

      --
      Escher was the first MC and Giger invented the HR department.
    7. Re: Simple solution by O('_')O_Bush · · Score: 1

      Or do what many games do and randomize the number pad for each user or key press.

      --
      while(1) attack(People.Sandy);
    8. Re:Simple solution by petermgreen · · Score: 1

      I question the practicality of this technique for ATMs; you still need a clone of the card to use the PIN.

      Or just steal the card.

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
    9. Re:Simple solution by TeknoHog · · Score: 1

      It is old news that thermal imaging cameras can be used to steal PINs. What I guess is news is that you can get a $250 phone add-on that's up to the task; I'm pretty sure that wasn't the case until quite recently.

      In other old news, a lot of cameras are sensitive to infrared, and they use a blueish filter to limit themselves to the visible spectrum. Removing that and adding another filter for the higher frequencies is a cheap way to convert the phone's own camera for thermal imaging.

      --
      Escher was the first MC and Giger invented the HR department.
    10. Re:Simple solution by Cyberax · · Score: 1

      It's not that easy. You can't detect infrared without cooling the sensor to temperatures that are below the temperatures you want to measure.

    11. Re:Simple solution by Man+On+Pink+Corner · · Score: 1

      Interesting assertion. How do radio antennas work, then?

    12. Re: Simple solution by Cyberax · · Score: 1

      They don't detect photons as particles; instead antennae detect the electricity induced by a changing electromagnetic field. Anyway, you can check these thermal cameras, they all have a small Peltier cooler.

    13. Re:Simple solution by Sardaukar86 · · Score: 1

      How about simply using your keys to stab at the buttons? You're usually going to have them on you; a pen or stylus or something else may not be.

      --
      ..Mullah or Pope, Preacher or Poet, who was it wrote: "Give any one species too much rope and they'll fuck it up"?
    14. Re:Simple solution by Anonymous Coward · · Score: 0

      Actually, the Russians also bought the space pen. No one used pencils in space, since the graphite dust would ruin everything.

    15. Re:Simple solution by jeffb+(2.718) · · Score: 3, Informative

      You're confusing near infrared (700-900nm) with thermal infrared (5000-15000nm). The only way conventional cameras can detect thermal radiation is if the subject is hot enough to glow.

      Radio Shack used to sell little cards with a phosphor that, once "charged" with blue light, would fluoresce visibly when it was hit with near-infrared. You could use a glass lens to focus and see a near-infrared image on the card. I was able to adjust the current through a heating element so that it wasn't visibly glowing, but could be seen on the card -- but it was still at a temperature of several hundred degrees C.

      To see thermal radiation from something near room or body temperature, you need an entirely different type of sensor. The cheap imagers use "microbolometer arrays", essentially an array of little thermometers with extremely low thermal mass.

    16. Re:Simple solution by jeffb+(2.718) · · Score: 1

      Untrue. All cheap contemporary thermal sensors are uncooled, and can measure temperatures well below their own operating temperature.

      Think of it this way: each imaging element is exposed to thermal radiation from one small rectangle (pixel) of the overall scene. If the temperature of that part of the scene is higher than the imaging element's temperature, the element will gain energy; if the temperature of that part of the scene is lower than the imaging element's temperature, the element will lose energy, by radiating it toward the scene.

    17. Re: Simple solution by jeffb+(2.718) · · Score: 2

      They don't detect photons as particles; instead antennae detect the electricity induced by a changing electromagnetic field. Anyway, you can check these thermal cameras, they all have a small Peltier cooler.

      Nope. As far as I know, none of the sensors that are marketed at sub-five-figure (USD) price points are actively cooled.

      Here's a video showing a teardown of the SeeK Thermal unit. Look, Ma -- no cooler!

    18. Re:Simple solution by Paradise+Pete · · Score: 1

      It's the not-as-clever-as-you-think-you-are way to solve problems. Think of something "obvious" and then assume the people actually working on it were too stupid to consider it. Job's done.

    19. Re: Simple solution by Paradise+Pete · · Score: 1

      Or do what many games do and randomize the number pad for each user or key press.

      Brought to you by the Department of Making Things Worse.

    20. Re:Simple solution by Anonymous Coward · · Score: 0

      I already do that. I also pretend to press (press but not quite) many buttons WHILE entering the PIN. If you're watching over my shoulder you probably wouldn't be able to tell which I'm actually pressing. I also do this very quickly, and the same way each time. Basically, it looks like I'm pressing 412896183694374, basically, a number I've memorized a quartet of which are my actual PIN. (No, this isn't the actual number I use, but you get the idea.) Then I deliberately press and rub all the others to smudge out any evidence of which I touched, and in which order.

      I'm probably really paranoid, admittedly. I also almost never use ATMs, which is a better solution.

    21. Re:Simple solution by dryeo · · Score: 1

      Actually, the Russians also bought the space pen. No one used pencils in space, since the graphite dust would ruin everything.

      Grease pencils, no graphite involved. https://en.wikipedia.org/wiki/...

      --
      https://en.wikipedia.org/wiki/Inverted_totalitarianism
    22. Re: Simple solution by Anonymous Coward · · Score: 0

      Uh ceramic buttons?

    23. Re:Simple solution by Mal-2 · · Score: 1

      A simpler solution: press more numbers after you press "enter" on the keypad.

      Or before. Punch in a wrong code, hit clear, then enter the right one. Or both.

      Or you could just use a longer PIN like I do. Even if they know what keys I pressed, they don't know what order -- and that's a significant problem when the code could be 4, 5, 6, 7, or 8 digits long. Default PINs are minimum length, but chances are you can choose a longer one.

      --
      How is the Riemann zeta function like Trump rallies? Both have an endless number of trivial zeros.
    24. Re:Simple solution by flappinbooger · · Score: 1

      A simpler solution: press more numbers after you press "enter" on the keypad.

      I thought this was old news. I usually hold some of my fingers lightly on the unused keys to warm them up without pressing, but this could be even better to keep the heating times equal.

      I appreciate the tactics and countermeasures, but seriously, is this really a concern?

      really?

      --
      Flappinbooger isn't my real name
    25. Re:Simple solution by gl4ss · · Score: 1

      do you enjoy taking money out of random asian country atm's?

      then, no. you're not going to get a longer pin on your card even if your bank allowed it.

      which made me wonder how many "letters" can you make with 4 buttons of a 9 pattern anyways? what a bizarre thing to add into the blurb. lowercase J, L, I? seriously what a bizarre thing to add! also I've never encountered anyone using a "letter" pin code on an atm/cc card.

      --
      world was created 5 seconds before this post as it is.
    26. Re:Simple solution by Anonymous Coward · · Score: 0

      You're an idiot. http://www.snopes.com/business/genius/spacepen.asp

    27. Re:Simple solution by Mal-2 · · Score: 1

      do you enjoy taking money out of random asian country atm's?

      then, no. you're not going to get a longer pin on your card even if your bank allowed it.

      How onerous is it to use a 5-digit PIN instead of a 4-digit one, especially if you use the same digit twice in a row? Is it really that much harder to enter 11234 than it is to enter 1234? Doing so multiplies the search space for attackers though, completely disproportionate to the extra effort for you.

      --
      How is the Riemann zeta function like Trump rallies? Both have an endless number of trivial zeros.
    28. Re:Simple solution by Anonymous Coward · · Score: 0

      Use heavy gloves to input PIN and leave your fingers resting there a while, like I do. Problem solved. :|

    29. Re: Simple solution by Man+On+Pink+Corner · · Score: 1

      Photons do not work that way.

  2. wtf by retchdog · · Score: 1

    Just wipe the screen or keys and then breathe on it, if you're really worried about this (there's very, very little reason to be, really).

    With modern oleophobic screens you might not even need to wipe it down.

    --
    "They were pure niggers." – Noam Chomsky
    1. Re:wtf by Anonymous Coward · · Score: 0

      Most people don't even cover the keypad from shoulder surfers or set their burglar alarm when they leave their house. Expecting some complex ritual involving rubbing alcohol and sticking your tongue out while rubbing your tummy means the security interface is fundamentally broken.

    2. Re:wtf by retchdog · · Score: 1

      yeah, most people don't bother with shit like that because they correctly don't give a shit about the ridiculous possibility of someone heat-scanning their phone (immediately after they key in their PIN and set it down without pressing anything else) to discover their super-secret address book.

      but if you're really concerned, it's easily "defeated".

      --
      "They were pure niggers." – Noam Chomsky
  3. randomise the button by Anonymous Coward · · Score: 0

    randomise the number keypad value position, or use multiple overlapping gestures, so the heat signature left is a blobby smear

  4. How would they know the order? by Anonymous Coward · · Score: 0

    They'd have to be watching them physically to know the order. This is bullshit.

    1. Re:How would they know the order? by sh0rtie · · Score: 2

      different heat intensity, the older the colder, work backwards and you have your order (assuming it's a keypad)

    2. Re:How would they know the order? by sribe · · Score: 4, Insightful

      They'd have to be watching them physically to know the order. This is bullshit.

      4 digits: 10,000 possible combinations. Know the 4? 24 possible orders, in the worst case with no repeated digits. You really don't think that's important, huh?

      And that's assuming that the thermal imaging gives no clues about order, which I suspect is actually not true...

    3. Re:How would they know the order? by retchdog · · Score: 1

      it's in the article. the devices usually don't have enough bitdepth to resolve order, but they found two s00p@r-s3kr!t ways to do it which they aren't disclosing.

      --
      "They were pure niggers." – Noam Chomsky
    4. Re:How would they know the order? by JSG · · Score: 1

      Ah, but I use a palindromic PIN - hah!

    5. Re:How would they know the order? by U2xhc2hkb3QgU3Vja3M · · Score: 1

      My number is 11111, good luck figuring out the exact order.

    6. Re:How would they know the order? by Anonymous Coward · · Score: 0

      Actually with a single repeated digit (knowing only 3 keys instead of 4), the number of options increases significantly.

    7. Re: How would they know the order? by ironicsky · · Score: 1

      Except though, how often do you only press the four digits of your PIN? When you make a deposit of $10 or more you need to press at least 4 digits, the dollars and cents. So now you've pressed 8 numbers, and someone has to figure out which of the 8 buttons are for the PIN #.

      After 3 failed attempts the machine eats the card, and if it's retail the card gets disabled.

      So even best case scenario of having 24 combinations, you won't make it past 3 attempts.

    8. Re:How would they know the order? by Anonymous Coward · · Score: 0

      I would wait and see in which order the keys black out in the thermal camera which would pretty much give me the order correctly.

    9. Re:How would they know the order? by Anonymous Coward · · Score: 0

      24 tries? My French card will kill itself dead (and I get to go pay for a new one that can arrive in the mail in a week or so) if you try the wrong number 3 times.

    10. Re:How would they know the order? by AmiMoJo · · Score: 1

      24 possible orders, 3 attempts before the card is blocked. That's only a 12.5% chance of success. It's not a practical attack for criminals. They will stick to more reliable methods.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    11. Re:How would they know the order? by sribe · · Score: 1

      24 possible orders, 3 attempts before the card is blocked. That's only a 12.5% chance of success. It's not a practical attack for criminals. They will stick to more reliable methods.

      According to the article, many locks do not have any lockout after any number of failed attempts.
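The counting behind the 24 orders, the larger count with one repeated digit, the 12.5% three-attempt figure and the "no lockout" caveat in the comments above, as an added Python example that is not part of the original thread. It generalises beyond the 4-digit case to any number of observed keys, PIN length, decoy presses and lockout budget, so a defender can see how much each of those measures changes the odds; the function names are the example's own.

```python
from itertools import product
from math import comb
from typing import Optional


def candidate_count(distinct_keys: int, pin_length: int) -> int:
    """Number of PINs of pin_length that use every one of the distinct_keys
    observed keys at least once (each key was visibly touched, so each must
    appear). Inclusion-exclusion over which keys are left unused."""
    k = distinct_keys
    if k <= 0 or k > pin_length:
        return 0
    return sum((-1) ** j * comb(k, j) * (k - j) ** pin_length for j in range(k + 1))


def candidate_pins(observed_keys: str, pin_length: int) -> set:
    """Brute-force cross-check of candidate_count for small inputs: every
    sequence over the observed keys whose digit set is exactly that set."""
    keys = set(observed_keys)
    return {"".join(p) for p in product(sorted(keys), repeat=pin_length)
            if set(p) == keys}


def decoy_candidate_count(touched_keys: int, pin_length: int) -> int:
    """Upper bound on candidates when the user also pressed decoy keys
    (ironicsky's point): the PIN is any pin_length sequence over the
    touched keys, because the decoys explain the rest of the heat marks."""
    return touched_keys ** pin_length


def success_probability(candidates: int, attempts: Optional[int]) -> float:
    """Chance that guessing uniformly lands within the lockout budget.
    attempts=None models a lock with no lockout at all (sribe's comment)."""
    if candidates <= 0:
        return 0.0
    if attempts is None:
        return 1.0
    return min(attempts, candidates) / candidates


def risk_table(max_length: int = 8, attempts: int = 3) -> list:
    """Rows of (pin_length, distinct keys seen, candidates, p_with_lockout)
    for a PIN whose digits are all distinct, i.e. the attacker's best case."""
    rows = []
    for n in range(4, max_length + 1):
        c = candidate_count(n, n)  # all digits distinct: n! orderings
        rows.append((n, n, c, success_probability(c, attempts)))
    return rows


if __name__ == "__main__":
    # 4 distinct keys, 4-digit PIN: 24 orders; 3 tries before lockout -> 12.5%
    print(candidate_count(4, 4), success_probability(24, 3))
    # one repeated digit (only 3 keys seen) actually widens the search
    print(candidate_count(3, 4))
    # 8 keys touched because the user keyed an amount as well
    print(decoy_candidate_count(8, 4))
    for row in risk_table():
        print("len=%d keys=%d candidates=%d p(3 tries)=%.4f" % row)
```

The table makes the commenters' points concrete: with a lockout of three attempts the odds drop from 1 in 8 for a 4-digit PIN to under 1 in 13,000 for an 8-digit one with distinct digits, while a lock with no lockout at all gives probability 1 regardless of length, which is why the lockout, not the thermal trace, is the control that matters.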

    12. Re:How would they know the order? by Anonymous Coward · · Score: 0

      Are there still banks limiting their ATM pins to only 4 digits?

    13. Re:How would they know the order? by Gr8Apes · · Score: 1

      I use different fingers for each key - now what?

      --
      The cesspool just got a check and balance.
  5. simpler solution by Anonymous Coward · · Score: 0

    press buttons with fingernail.

    1. Re:simpler solution by Anonymous Coward · · Score: 1

      I press the buttons with my penis. The ensuing hysteria prevents anyone from focusing on the touch screen.

    2. Re: simpler solution by Anonymous Coward · · Score: 0

      That would most certainly be most effective!

    3. Re:simpler solution by Anonymous Coward · · Score: 0

      I press the buttons with my penis.

      I tried your method but it's difficult to point something so long and heavy at the correct button. Now, I envy those with a short penis.

    4. Re: simpler solution by Anonymous Coward · · Score: 0

      Dude... It's a PIN number, not a peen number!

    5. Re:simpler solution by Bing+Tsher+E · · Score: 1

      How do you concentrate on the rest of the transaction with all the hysterical laughter distracting you?

    6. Re: simpler solution by Anonymous Coward · · Score: 0

      ... It's a PIN number ...

      No, it's a PIN, not a Personal Identification Number number. Please excuse me, I see someone using double hyphens.

    7. Re: simpler solution by harlequinn · · Score: 1

      That's called a pleonasm.

  6. Not new news by 93+Escort+Wagon · · Score: 3, Insightful

    I recall seeing a demo of this probably two years ago. It's easily countered by placing your fingers on all the keys (without pressing, of course) after you've entered your PIN.

    --
    #DeleteChrome
    1. Re:Not new news by ThatsLoseNotLoose · · Score: 1

      You don't understand. When you can append "using a cell phone" to any behavior it becomes news all over again.

      I'm pretty sure I saw this in the movie National Treasure over 10 years ago - and I doubt Hollywood invented the idea so it's probably decades old.

    2. Re:Not new news by Anonymous Coward · · Score: 0

      Can't people carry around a pencil and use that?

    3. Re:Not new news by AmiMoJo · · Score: 1

      Android has supported randomizing the position of the numbers on the virtual keypad for years. It's pretty funny watching smug gits who think they can unlock your phone by looking at the smudges on the screen fail.

      ATMs could do the same thing. Samsung door entry keypads also have a feature where they require you to press a couple of randomly selected keys to keep wear even, which could easily be extended.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  7. I played that game... by pushing-robot · · Score: 2

    Use the thermal goggles, Fisher. They should allow you to see the heat signatures on the keypads.

    --
    How can I believe you when you tell me what I don't want to hear?
    1. Re:I played that game... by wardrich86 · · Score: 1

      the goggles... they do NOTHING!

  8. Even simpler by Anonymous Coward · · Score: 0

    Stand within view of the keypad and record it on your cell phone camera.

  9. much ado about nothing by Anonymous Coward · · Score: 0

    not worried about this at all, without the card, the pin is useless anyhow, and chipped cards make it much more difficult

    1. Re: much ado about nothing by Anonymous Coward · · Score: 0

      No it isn't. They collect PINs of already stolen (online) cards and add them to the DB of numbers already online. Since your name was with the CC number already it's trivial to put the right PIN with the right card.

  10. What's the threat? by Anonymous Coward · · Score: 0

    OK, but they still need your card or phone right? There are a lot of ways to steal your PIN. How about a long zoom and video playback? But still, they need your card also. Some criminal walking up to the ATM right after you and imaging the keypad is useless unless you either forgot your card in the machine or you get mugged and he takes your card. You should be far more worried about card skimmers installed at pay-at-the-pump gas stations, or that bar tender that you hand your card to while out drinking.

  11. Rub your hand on the screen. by Anonymous Coward · · Score: 0

    Just wipe it down or press for a moment. That should probably help obfuscate it.

  12. Stroke it! by Anonymous Coward · · Score: 0

    Over a decade ago I started using a simple keypad countermeasure. I put three fingers on the top row of keys, and stroke downwards so that I end up touching every single key. It didn't take long for me to be able to actually press a specific key without a significant pause. Stroke the keypad 5+ times to input a 4-digit PIN and no camera will be able to record what keys you actually pressed or in what order. It also means all the keys get roughly equal heat signatures and anyone 'dusting' for prints won't be able to tell which keys were pressed and which keys were just touched.

    No security measure is 100%, but stroking the keypad is low-cost with high return which is the best kind of security.

    1. Re:Stroke it! by Anonymous Coward · · Score: 0

      Personally more concerned with picking up cold and flu virus from the keypad. This would make that worse

    2. Re:Stroke it! by Anonymous Coward · · Score: 0

      Been doing it for over a decade and haven't caught anything yet.

      If you are that worried about infection, carry some purell around in with you to use every time you touch a door knob.

      PS purell is the new face of fear.

  13. this is very old tech by Anonymous Coward · · Score: 0

    even included in portions of old games like the original Splinter Cell.

  14. Not News by JustAnotherOldGuy · · Score: 2

    This has been possible for quite some time now, and is hardly breaking news. The story is so old that the first time it was posted, Slashdot still came on clay tablets.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  15. Low tech by Anonymous Coward · · Score: 0

    I could hang back until you withdraw your cash, then I punch you in the face and take your money.

  16. Heat the pad or scramble the digit positions. by Anonymous Coward · · Score: 0

    Just heat the pad to a temperature a few degrees higher with a few PTC resistors, or implement a scramble pad where the digits move to random positions.

  17. Easy cure by Anonymous Coward · · Score: 0

    After you key in your code and the machine goes to the other screen, just push the other buttons until all have been pressed.

  18. Seriously? by behrooz0az · · Score: 2

    I'm sorry but I see like two dozen people giving idiotic ideas and advising against each other's workarounds. Put the damn phone in your pocket, it will be so hot your fingers simply won't matter.

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
  19. Max Headroom by Anonymous Coward · · Score: 0

    Demonstrated this trick 20 years ago....

  20. My ATM is Walmart/Sam's Club by marciot · · Score: 1

    I haven't used an ATM in decades. I simply buy something at Walmart or Sam's Club and get cash back using my Discover card. It's far easier to find a Walmart than your bank's ATM. It's not uncommon for me to walk in to Walmart and walk out with $60 cash and a bag of Lindt chocolates. I even have a name for it, I call it a "truffle withdrawal".

    1. Re:My ATM is Walmart/Sam's Club by DamonHD · · Score: 1

      And you think that a retail outlet handles your credentials more securely than a bank/ATM?

      Rgds

      Damon

      --
      http://m.earth.org.uk/
    2. Re:My ATM is Walmart/Sam's Club by marciot · · Score: 1

      And you think that a retail outlet handles your credentials more securely than a bank/ATM?

      Rgds

      Damon

      Credit cards are pretty good about not making you pay for fraudulent activities.

    3. Re:My ATM is Walmart/Sam's Club by cfalcon · · Score: 1

      I do think that, actually.

      I'm not sure of it though. Anyway, here's my reasoning: if I go to a grocery store and punch my PIN in, I'm using a device that a ton of people are using, with witnesses all around pretty much 24/7 (or at least when the store is open- I normally use a 24/7 store). It's not there to begrudgingly service night life and charge some fee, or as an obligation because bankers' hours are a joke, it's there to run transactions pretty much full time.

      This makes it a tempting target for an attack, but importantly, it makes it OBVIOUSLY so- the stores have employees there watching things and helping and checking you out and stuff.

      It's not proof against, "oops we kept our data in the closet and someone noticed that fact", a Target style error. But notice that even THAT is a pretty big deal- the Target hack made international news. When my ATM info got stolen (I'm about 100% certain it was at a gas station) about ten years ago, that was some place with a lot of card traffic but not much employee presence (and I absolutely recommend using credit cards at gas stations- greatly limits the inconvenience). A retail outlet has a lot more employee presence. Tellingly, the failures of stores like Target aren't at the retail point, they are at the IT level, and less likely to hurt you in general.

    4. Re:My ATM is Walmart/Sam's Club by DamonHD · · Score: 1

      And you're not paying (heavily) for cash advances on a credit card?

      Rgds

      Damon

      --
      http://m.earth.org.uk/
    5. Re:My ATM is Walmart/Sam's Club by DamonHD · · Score: 1

      Banks care all about reputation (nominally) and normal retail cares all about minimising costs.

      Thus data breaches, hacked PIN entry pads, etc, are generally a retail phenomenon.

      Rgds

      Damon

      --
      http://m.earth.org.uk/
    6. Re:My ATM is Walmart/Sam's Club by Anonymous Coward · · Score: 0

      What do you need cash for, you have a credit card.

      *makes note and puts Damon on the no-fly list*

    7. Re:My ATM is Walmart/Sam's Club by DamonHD · · Score: 1

      I already gave up flying years ago, and in particular was tired of US surly behaviour towards flying foreigners long before 9/11. Even if it hadn't invented the TSA, the USA lost my tourism and in-person business dollars long back.

      But in any case, yes, I don't feel the need to give out difficult-to-replace-and-repudiate identifiers, especially those to do with money, to others willy-nilly. Cash still works well for many things. Yes, and I used to be CTO of a credit-card company.. %-P

      Also, specifically, credit cards are quite expensive for the merchants, especially for small transactions. Debit cards less so but the risks are higher for the customer.

      Rgds

      Damon

      --
      http://m.earth.org.uk/
  21. Soooo, hit all the pads by Snotnose · · Score: 2

    Enter your pin, then hit 1-0 on the keypad. Problem solved. I've actually been doing that for a couple years now, don't remember why.

  22. I got this... by marciot · · Score: 1

    I only use the center key and type my PIN in Morse code.

  23. You can also look at wear and tear. .. by mark-t · · Score: 1

    ... to notice general trends. Over multiple ATMs in my city, I have concluded that the number 5 is the most frequently used digit on a pin pad. Whether that is enough information to make it easier to crack someone's pin is debatable, but I thought it was interesting.

  24. one possible solution. by Anonymous Coward · · Score: 0

    If this becomes a prevalent problem, a touch screen pin pad to randomise the ordering of the keys/letters could be used. A bit annoying for the user, which might also cause delays in input and cause its own problems if being recorded, but a simple enough solution to solve the first problem.

    Ultimately, your bank account is one of the things you want most secure and adding in some form of biometric identification as well as text message tokens to get some multi-factor authentication isn't going to piss you off unless you're trying to get some cash out for the bus a minute before it leaves. It's the complete opposite to what's currently happening, where credit cards don't even require a pin, with these new contactless payments. There is no security there at all.

    All the more reason to make systems as secure as possible instead of trying to have sanctioned holes through everything. It's security not Swiss cheese.

  25. "security research" gets more press by Anonymous Coward · · Score: 0

    This got a lot of press right after FLIR launched the iPhone attachment... but it goes back even further than that, probably even further than this stuff I found from 2011: https://nakedsecurity.sophos.com/2011/08/17/stealing-atm-pins-with-thermal-cameras/

  26. I'll just leave this here by Anonymous Coward · · Score: 0

    TL;DW: it's bunk.

    Go to 13:00
    https://youtu.be/uVaXe33-o_M

  27. Get a gun by Threni · · Score: 1

    This only works if someone has your PIN and a gun, and you don't have a gun. If they don't have a gun and they use this to get your PIN and then they tell you to give them your card, you just shoot them in the neck, make an ironic comment about them not needing your PIN, and go home. If they've got a gun and you haven't, then you're giving them the card and PIN anyway. There's like no scenario when you need to breathe on the keys, press extra ones etc.

  28. randomize the keyboard layout by Skapare · · Score: 1

    randomize the keyboard layout. i've seen the door keypads at an FBI office which randomize the keypad layout. re-randomizing it after each press could help, too. who says passwords need to be letters and numbers? how about passwords that are a sequence of cat pictures?

    --
    now we need to go OSS in diesel cars
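The scramble pad that this post and several earlier ones ("randomise the button", "Heat the pad or scramble the digit positions", "one possible solution", and AmiMoJo's note on Android's shuffled keypad) propose, written out as an added Python example. It is not code from the thread, from Android, or from any keypad vendor; the function names, the per-press reshuffle variant and the constant-time verify step are the example's own assumptions. The point it demonstrates is that once the layout is randomised, the physical positions a thermal or smudge image can recover no longer determine the digits.

```python
import hmac
import secrets

DIGITS = "0123456789"


def new_layout(rng=None):
    """A fresh random assignment of the ten digits to the ten key positions
    (index = position on the pad, value = digit shown there). Defaults to
    the OS CSPRNG so one layout says nothing about the next; a seeded
    random.Random may be passed for reproducible tests."""
    rng = rng or secrets.SystemRandom()
    layout = list(DIGITS)
    rng.shuffle(layout)
    return layout


def positions_for_pin(layout, pin):
    """Positions the user presses to enter `pin` on `layout`. This is all a
    residual-heat or smudge image of the pad can reveal."""
    return [layout.index(d) for d in pin]


def digits_from_positions(layout, positions):
    """Terminal side: map pressed positions back to digits using the layout
    that was on screen for that entry."""
    return "".join(layout[p] for p in positions)


def enter_pin_per_press(pin, rng=None):
    """Stricter variant from the post above: reshuffle after every press.
    Returns (layout, position) per press, which is what the terminal keeps."""
    presses = []
    for d in pin:
        layout = new_layout(rng)
        presses.append((layout, layout.index(d)))
    return presses


def recover_per_press(presses):
    """Terminal side of the per-press variant."""
    return "".join(layout[pos] for layout, pos in presses)


def verify_pin(stored_pin, entered_pin):
    """Compare in constant time so the check itself leaks nothing via timing."""
    return hmac.compare_digest(stored_pin.encode(), entered_pin.encode())


def digits_consistent_with(positions, layouts):
    """What the same observed position sequence would mean under each of
    several possible layouts: distinct answers show the positions alone do
    not pin down the PIN."""
    return {digits_from_positions(layout, positions) for layout in layouts}


if __name__ == "__main__":
    pin = "2580"  # constructed sample PIN for the demo
    fixed = list(DIGITS)  # an ordinary, unscrambled pad
    scrambled = new_layout()
    print("fixed pad positions:    ", positions_for_pin(fixed, pin))
    print("scrambled pad positions:", positions_for_pin(scrambled, pin))
    observed = positions_for_pin(scrambled, pin)
    print("same positions under 5 other layouts:",
          digits_consistent_with(observed, [new_layout() for _ in range(5)]))
    presses = enter_pin_per_press(pin)
    print("per-press recovery ok:", verify_pin(pin, recover_per_press(presses)))
```

Two design notes: the layout must come from a CSPRNG and change every session (a layout reused across customers would let heat marks be mapped back through the previous user's screen), and the terminal must treat the layout it displayed as part of the transaction record, since the keypad positions are meaningless without it.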
    1. Re:randomize the keyboard layout by toonces33 · · Score: 1

      Why not a fingerprint scanner like we have on a variety of smartphones..

    2. Re:randomize the keyboard layout by Whorhay · · Score: 1

      Because once your fingerprint is compromised you can't change it to something else. Well that's not exactly true but it is much more difficult to change than a simple pass code. The same is pretty much true for all biometric security systems.

  29. Love the video by GrumpySteen · · Score: 1

    The video shows someone pressing each of the keys firmly for a second or longer so that the keys have time to heat up. Who the hell enters a PIN like that?

  30. IR cameras [Re:Simple solution] by Geoffrey.landis · · Score: 1

    In other old news, a lot of cameras are sensitive to infrared, and they use a blueish filter to limit themselves to the visible spectrum. Removing that and adding another filter for the higher frequencies is a cheap way to convert the phone's own camera for thermal imaging.

    Yes to the first part, no to the second.

    Most cameras use silicon detectors (because they're cheap). Silicon is sensitive out to about 1 micron wavelength. Humans can't see much past 0.7 microns, so silicon is sensitive to some of the spectrum that's in the infrared... but one micron isn't yet in the thermal infrared, so you won't see heat from stuff that's around 310 K (body temperature) or so with a camera not specifically designed to go farther into the IR.

    --
    http://www.geoffreylandis.com
  31. Random values by Midnight+Thunder · · Score: 1

    The simplest solution would probably be to enter a random key sequence before the pass key phase. At that point it would be harder to tell which keys were used for the pass key and which were random.

    The main advantage is that this can be retrofitted via software fairly easily.

    --
    Jumpstart the tartan drive.
  32. Simple remedy by palion · · Score: 2

    My PIN is all ones, but nobody will find out in what order.

    --
    Well, well
  33. breaking: cheap guns can harm users at a distance by retchdog · · Score: 1

    A "security" company has discovered that a cheap, easily available gun can be used to harm or even kill a user at a distance by projecting a small piece of dense metal into the body. The damage has been shown to last a minute or longer.

    That's especially worrying if you are ever within the line-of-sight of another human being, as so many users are! Click through for our press release and support our pioneering work.

    --
    "They were pure niggers." – Noam Chomsky