
Heat from your fingers could disclose your PIN at an ATM


Thermal cameras can apparently detect heat signatures from your fingers on the keys after you have left an ATM. The degree of heat residue can also indicate in which order you touched them! This technology will not work effectively on metal key pads, only on plastic ones, and the success window is limited.

The message "cover your PIN when making an ATM or payment transaction" is constantly offered as best practice security advice to cardholders. Doing so protects it from visual compromise, although there is still a risk of compromise if a key pad overlay is used. Now thermal cameras have added an additional risk.

The technology was first highlighted by Michal Zalewski in 2005, and research has recently been carried out at the University of San Diego by Keaton Mowery, Sarah Meiklejohn, and Stefan Savage. This was presented at WOOT '11, the 5th USENIX Workshop on Offensive Technologies, held on 8th August 2011 in San Francisco, in a presentation entitled "Heat of the Moment: Characterizing the Efficacy of Thermal Camera-Based Attacks." The research detected PINs on plastic key pads with approximately 80 percent accuracy 10 seconds after the person entered their PIN. 45 seconds after being pressed, the thermal cameras were still able to determine PINs with 60 percent accuracy.

Is this methodology commercially viable for criminals? The researchers state that: "...In large-scale attacks involving many unique codes, such as on ATM PINs, our success rate indicates that an adversary can correctly recover enough codes to make such an attack economically viable." I'm not convinced. Apparently the researchers' camera costs US$1,950 per month to rent, and US$17,950 to buy, although the technology can only get cheaper over time.

What can we do? Keep covering our PINs when using ATMs or payment terminals as this eradicates the most significant risk - visual compromise. If an ATM with a plastic key pad is used, I suppose touching a few additional keys after your transaction might mitigate the risk of thermal compromise, as might shielding the PIN pad for a few extra seconds.

If you want to know more about the threat to your PIN from thermal imaging, you can visit the website of the USENIX Workshop and download the slide presentation made by Mowery et al. and/or the full research paper.

External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.
