Slashdot Mirror


Cheap Thermal Imagers Can Steal User PINs

Bismillah writes: A British infosec company has discovered that cheap thermal imaging attachments for smartphones can be used to work out which keys users press on -- for instance -- ATM PIN pads. The thermal imprint lasts for a minute or longer. That's especially worrying if your PIN takes the form of letters, as do many users' phone-unlock patterns.

12 of 101 comments

  1. Re:How would they know the order? by sh0rtie · · Score: 2

    different heat intensity, the older the colder, work backwards and you have your order (assuming it's a keypad)

  2. Not new news by 93 Escort Wagon · · Score: 3, Insightful

    I recall seeing a demo of this probably two years ago. It's easily countervened by placing your fingers on all the keys (without pressing, of course) after you've entered your PIN.

    --
    #DeleteChrome
  3. Re:How would they know the order? by sribe · · Score: 4, Insightful

    They'd have to be watching them physically to know the order. This is bullshit.

    4 digits: 10,000 possible combinations. Know the 4? 24 possible orders, in the worst case with no repeated digits. You really don't think that's important, huh?

    And that's assuming that the thermal imaging gives no clues about order, which I suspect is actually not true...

  4. I played that game... by pushing-robot · · Score: 2

    Use the thermal goggles, Fisher. They should allow you to see the heat signatures on the keypads.

    --
    How can I believe you when you tell me what I don't want to hear?
  5. Not News by JustAnotherOldGuy · · Score: 2

    This has been possible for quite some time now, and is hardly breaking news. The story is so old that the first time it was posted, Slashdot still came on clay tablets.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  6. Re:Simple solution by Tx · · Score: 3, Interesting

    It is old news that thermal imaging cameras can be used to steal PINs. What I guess is news is that you can get a $250 phone add-on that's up to the task; I'm pretty sure that wasn't the case until quite recently.

    I question the practicality of this technique for ATMs; you still need a clone of the card to use the PIN. And if you're going to install a card skimmer to clone cards, the traditional technique of using a pinhole camera to record the PIN entry works just fine, and probably way more reliable. So I'm not sure what the use-case is for this technique; maybe door-entry systems that only require a PIN, I guess.

    --
    Oh no... it's the future.
  7. Re:Simple solution by TeknoHog · · Score: 2

    Yet another way for the extra paranoid: use a pen or something instead of your fingers. As a bonus, they won't get your fingerprints. But first, cover the area with tinfoil and foam. The latter is important because audible clicks might reveal the keying pattern -- it's been done with computer keyboards to some extent.

    --
    Escher was the first MC and Giger invented the HR department.
  8. Seriously? by behrooz0az · · Score: 2

    I'm sorry but I see like two dozen people giving idiotic ideas and advising against each other's workarounds. Put the damn phone in your pocket, it will be so hot your fingers simply won't matter.

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
  9. Soooo, hit all the pads by Snotnose · · Score: 2

    Enter your PIN, then hit 1-0 on the keypad. Problem solved. I've actually been doing that for a couple years now, don't remember why.
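Added example, not part of any comment in this thread: a short Python calculation of how far the 10,000-PIN search space in comment 3 shrinks once the set of warm keys is known, and how the "touch every key afterwards" habit from comments 2 and 9 restores it. It generalizes comment 3's no-repeat case to PINs with repeated digits; the function names and the sample key sets are constructed for illustration.

```python
from itertools import product
from math import comb


def exact_cover_count(k: int, n: int) -> int:
    """Count length-n PINs that use each of k known digits at least once.

    Inclusion-exclusion over the digits that might be missing.
    """
    return sum((-1) ** j * comb(k, j) * (k - j) ** n for j in range(k + 1))


def candidate_pins(warm_keys, pin_length=4, decoys_possible=False):
    """List the PINs consistent with the set of keys that still look warm.

    decoys_possible=False: every warm key was a real PIN press.
    decoys_possible=True:  the user also touched other keys, so the warm set
                           is only a superset of the PIN digits.
    """
    keys = sorted(set(warm_keys))
    pins = ("".join(p) for p in product(keys, repeat=pin_length))
    if decoys_possible:
        return list(pins)
    return [p for p in pins if set(p) == set(keys)]


def summary():
    """Residual search space for a few constructed observations."""
    cases = {
        "4 distinct warm keys": ("2580", False),
        "3 warm keys (one digit repeated)": ("258", False),
        "2 warm keys": ("25", False),
        "1 warm key (PIN 1111)": ("1", False),
        "all 10 keys touched afterwards": ("0123456789", True),
    }
    return {name: len(candidate_pins(k, 4, d)) for name, (k, d) in cases.items()}


if __name__ == "__main__":
    for name, count in summary().items():
        print(f"{name:35s} {count:6d} of 10000")
```

A PIN with one repeated digit leaves more candidates (36) than one with four distinct digits (24), while a PIN made of a single digit leaves exactly one.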

  10. Re:Simple solution by jeffb (2.718) · · Score: 3, Informative

    You're confusing near infrared (700-900nm) with thermal infrared (5000-15000nm). The only way conventional cameras can detect thermal radiation is if the subject is hot enough to glow.

    Radio Shack used to sell little cards with a phosphor that, once "charged" with blue light, would fluoresce visibly when it was hit with near-infrared. You could use a glass lens to focus and see a near-infrared image on the card. I was able to adjust the current through a heating element so that it wasn't visibly glowing, but could be seen on the card -- but it was still at a temperature of several hundred degrees C.

    To see thermal radiation from something near room or body temperature, you need an entirely different type of sensor. The cheap imagers use "microbolometer arrays", essentially an array of little thermometers with extremely low thermal mass.

  11. Re: Simple solution by jeffb (2.718) · · Score: 2

    They don't detect photons as particles, instead antennae detect the electricity induced by changing electromagnetic field. Anyway, you can check these thermal cameras, they all have a small Peltier cooler.

    Nope. As far as I know, none of the sensors that are marketed at sub-five-figure (USD) price points are actively cooled.

    Here's a video showing a teardown of the Seek Thermal unit. Look, Ma -- no cooler!

  12. Simple remedy by palion · · Score: 2

    My PIN is all ones, but nobody will find out in what order.

    --
    Well, well