Security researchers have found that thermal cameras can be combined with computer algorithms to automate the process of stealing payment card data processed by automatic teller machines. At the Usenix Security Symposium in San Francisco last week, the researchers said the technique has advantages over more common ATM skimming …
Use same digit twice ?
So a code like 1232 could be hard to differenciate from 1322 or 1332 ?? ( still, they'd get 3 chances). Or the programmer could leave a time to request "type anything on the keyboard for 5 seconds". Are we getting mad yet ?
I can see the title...
"Keypad heater market booms". Solution: Preheat keypads at about 37 degrees centigrade. If sick, stay home. May use cats if other heat source is unavailable.
But in my experience, the best method is still to tie the guy/girl to a chair, nick his wallet and shoot him/her in the kneecap to get the PIN.
Personally, I always cover my fingers when I type my code and run them on random keys as well. I'm trying to ge tthe missus to do the same, but bah, can't be arsed can she. "Nothing will happen" she says. And if something DOES happen, the hubby (that's me) is there to grab the phone and clean up the sh*t.
You hit the nail...
...on the head.
Always keep your pin typing covered and as you said: when in doubt hit random keys. If you don't know what to do simply type a wrong (random) pin first, then your real pin in the second attempt.
This may look insignificant but can really go a very long way. Don't think thermal vision and such as is reported here; what about people smeering some gui on the keys to try and get the 4 digits that way ?
So a PIN with a repeated digit
is more secure than one with 4 different digits (36 possible combinations against 24) - though you can also get a hint to the order of the digits from the size of the thermal imprint. Of course, you could just hit a 5th extra key (which I -think- the ATM will ignore) and give them 120 possibilities to play with.
Cunning stunt, though.
Card PIN numbers can be up to six digits normally and even up to 12 digits in specific circumstances. As for using the same digit twice, that might be picked up by a thermal signature that's hotter than a single press would allow, so the crooks would know (along with the fact less than the required digits were used). Given that knowledge, finding the right one can be done quickly even by trial and error.
To change thermal signature
hold the key down. Or you could always whip out a tin of freezer spray and give the keyboard a good dowsing :P
A much simpler solution
While the machine is contacting my bank, counting out the cash, etc, I just let all five fingers of one hand linger on random keys. Sometimes I change keys when the machine starts making noises. Either way, good luck getting a useful heat signature...
Why do they spend time developing such attacks knowing full well that copycat criminals will abuse them?
Many criminals don't have the intelligence to devise such schemes and rely on information released so called "security researchers".
For the same reason we see how fast we can make cars go, or how stealthily we can make aircraft fly.
In other words, it's human nature - curiosity, innovation and just plain old finding things out.
If we stopped pushing the limits of what can be done for fear of the bad guys misusing our work, we'd probably be a whole lot less "civilised" than we are today.
Security by obscurity is bad.
Far better to fix flaws than just hope the bad guys are too stupid to find them.
Sometimes the bad guys aren't stupid.
Exactly this technique was used as a plot device in one of the early Splinter Cell games by Sam Fisher. Albeit using his own thermal camera mode. Follow the guard through the pin coded door by looking at the heat given off by the pad.
Wonder who has the idea first? I could see UbiSoft claiming the IP on it and then demanding all the money from the criminals who use this technique.
The Real Hustle
I'm sure they didn't invent it, but The Real Hustle (BBC3...) did the same thing on a safe a year or two back.
They posed as shopping mall security guards and got the shopkeeper to open their safe to "check" it hadn't been emptied.
Then as soon as he'd entered the PIN, called him away on some "urgent" matter.
The other chap then took an IR image of the keypad, before entering the glowing digits into the safe, brightest last.
though not specifically to do with thermal imaging.. is to look at regular keypad-based locks on doors to look for buttons that are more worn down than the others. Based on the assumption that they don't bother changing the code, of course, which would level out the wear patterns and make them useless in trying to brute-force the code.
WAY before that
I saw it in the game Cyberia (1994).
Now turn around real slow (but if you press the keyboard to turn rather than waiting for the cutscene you'll get shot)
I guess I'll be...
punching all the keys randomly after removing my card from now on. It wouldn't hurt to wipe the keys with an alcohol pad afterward. Evaporating alcohol would cool the keys enough to throw the algorithms for a loop. Wouldn't hurt to use something other than fingers for pressing keys also.
Don't use metal / thermally conductive keys.
_DO_ use thermally conductive keys, so that the heat is (hint in the name here) conducted away. Plastic keys, having low thermal conductivity, would retain the heat for longer, making this technique more feasible.
RE: Using the smae digit twice.
If you've been paying attention you will be doing that already. There's a software attack using some testing software (if I recall correctly) which can allow someone to find out all the digits in your PIN -- but using the same digit twice can confuse this in the way mentioned by previous posters.
From my cold dead hands...
I'll use Charlton's paws to push the buttons.
ATMs vs Predator
This just provides us with yet another reason not to trust fictional extraterrestrial warrior species.
The return of the Stylus!!!
Finally a use for the old Palm one I still have stuck in a drawer.
If it wasn't for the dumb-ass ATM users that queue ahead of me.......
(this would probably slow them down even more than a 1-finger typist on downers) but I recall 10+ years ago that the keypad for entry to an office I worked at had the digits re-order on every use, so the key that used to be 1 would become 0,2-9 / 2 would become 0,1,3-9 / etc. Then you actually had to see what the values were at the time the keypad was used (only illuminated on scanning of id card).
ive got a double!
yay i've got a repeated number i'm safe!
wait i minute, does telling you that compromise anything?
I suppose if you rest your fingers on some random buttons while you're waiting for the machine to finish its endless clicking and whirring , that'd screw the thermal camera up
"does that compromise anything?" Just a bit...
10,000 combinations of 4 digits with repeats allowed
5,040 combinations of 4 digits not having repeats, and 4,960 that do
(5,040 = 10 (any first digit) x 9 (any except the first) x 8 (and except the first 2) x 7
So you seem to have given up 1 bit of your around 13 bits PIN. (8192 = 2^13)
However, I wonder if they actually give out PINs which have the same digit 4 or 3 times. If they do not then we can exclude those, but counting how many there are is something I don't want to try to work out now.
Is anyone going to tell us that their PIN is the same digit 4 times? (Advice: don't!)
Out of curiosity I just tried changing my PIN to all four digits the same at my bank's ATM - the machine gives an error and doesn't change it.
Type more than your PIN
Surely the act of typing how much cash you want will screw this up by adding several extra keys to the thermal image? You always have to request ammounts that end with a zero so if your PIN has a zero in it then it will be much harder to work out by this method.
was the last time you used a cash machine that expected you to type the amount?
Almost every time.
Since I don't usually withdraw money in convenient amounts like $20, $40, or $100. It's a multiple of $20, sure, but one of the usual ones, so I'm forced to tell the ATM by keypad (and the keypad is mandatory for security reasons).
The ATMs around here will throw you full 50's or 100's if you let them. You must always withdraw $48 or $18 or it won't spill any change whatsoever.
Cashing $200 will get you 2 x $100 bills and you will have a hard time changing them. Or the Macdonald's lady looking at you in a pissed manner (although they are trained to disguise it very well).
One of the banks caught up and decided to answer our pleas: it spits out a $50, 2x 20 and a 10 when you cash out $100. Boy, did everybody notice and copied. Competition...
On the other hand, aluminum keypads and strong air-conditioning (for indoor atms) are the key.
And yes, I withdraw $150 which is always typed. They throw you straight 100 or 200 choices, but not 150.
I dunno about big cities, but out rural the cash machines offer €10 and €20. It is even nice enough to give "mostly twenties with a couple of tens", whether you're asking for forty or four hundred.
Soft keys don't help
Why don't the ATMs force the use of the PIN pad for more than the just the PIN? It strikes me that using it for all interactions would make this attack very hard and others more difficult.
They don't force it because there's no evidence that anybody is actually trying this stunt in the real world. Hell, it sounds like they had enough trouble just doing it in the lab.
...such as over here in Costa Rica. US$ 100 is CRC 50,000, so for a hundred and fifty bucks you type a lot of zeros. And yes, there's a zero in my pin.
By the by, I always cover the keypad and cough loudly when entering my pin, in case anyone's using AV gear. Seems a lot more likely then thermal imaging, IMO.
answers and questions...
the people that ask why these attacks are developed because criminal types will exploit them have had the answers given time and time again in this thread.... so that a defense against it can be formulated.
The fact that it appears the idea of thermal cameras be3ing used has been done if a few TV programmes and computer games makes it even more an issue for the defenders of my money to find out if its really possible.
the fact that it really is possible will lead to a solution before the criminals can exploit it.
a combination of several of the solutions that people have come up with will actually do it quite well... non heat conductive pads, along with additional steps on the numerical keypad, or at random indicating you to roll around your pin by a certain number of places...(1234 will become 3412 if requested a rotate by 2)... or how about biometric scans and facial recognition systems ATMs all have cameras anyway, make use of them to secure our money before the fact.....
now where the hell is my card !
non-heat conducting pads is a bad thing
because being an insulator, they retain heat.
Pads need to be conducting, to return to ambient temperature ASAP.
If people pressed with the tip or flat of their nails or lingered on the first 2 digits, that would consistently misdirect a recovery algorithm to consistently fail, given that there are only 3 attempts to guess correctly.
Asking the generally thick public to 'rotate their pins' is ridiculous!
Citizen, be paranoid!
I can see that quite all of the comments are from paranoid enough people. I keep the fingers on random keys while waiting for the ATM to show me a lot of useless information that cannot be skipped, then enter the pin at lightning speed (I am good at typing fast), and then I keep the fingers on random keys again. I do all of this while keeping my wallet over the keypad with my other hand. (I suppose that we can all enter the pin without looking at the keys, do we?)
If my atm pin is hard to get, and everyone else's is easy to get, guess who will lose his money? Everyone else. It's "security by being such a bitch". If stealing from me is hard, and stealing from someone else is easy, why should the thief steal from me?
I have the perfect solution
Have a wife and three kids, then you'll permanently have a bank account with no money in it to steal.
... Use pattern-shape entry; or
... Use a matrix which has movable digits and/or extra keys allowing positional replacement
Keep your money in your mattress.
Two is good, four is better
If having a twice-repeated number is more secure, I'm putting my faith in the fact that repeating the same number four times is twice-as-twice-as secure. I am Paris, it's what I'd do.
Cost would obviously be an issue, but what about...
Keys with a built in display, where the numbers are randomised before you enter the pin and after you're done?
What about the blind?
Blind people can't use randomized keypads and instead must rely on the bump on the 5 to help them figure out the layout of the keypad (and yes, ATMs have to accommodate the blind--by law; that's why they have Braille instructions). Blind people MUST type by touch.
Why use the full PIN?
Most, if not all banks ask you for a selection characters from your PIN password when doing online or telephone banking.
So why can't ATMs ask you for 3 random digits from your PIN. That way, the scammer won't have your full PIN or any idea of the order of the digits.
Alternatively, wash the keyboard with hot coffee...
Uhh, that's dangerous
If they know the pin, then the system's not secure. I thought the pin was never stored anywhere, but the result of hashing it with the (either account or card) number was?
(I could be wrong, but I do recall this discussion from somewhere).
My bank requires random characters from a security phrase (which is insulting to the bank;-) )
If you have a bank that uses a PIN as the only form of security for your online banking, switch bank!
Beer, because swabbing the keys with alcohol before AND after use would prevent this attack, and bacterial contamination.
A good excuse for my ingrained habit of pissing on the ATM after I have used it. Perhaps I will get more respect from the rest of the queue in future?
Keep ya gloves on then no thermal trace left.
""you could always whip out a tin of freezer spray "
But carrying around a biro might be less cumbersome, and would transfer very little heat to the keytops.
thermal imaging pins
why not simply press all of the keys (or a selection including say 2 of your actual pin) when the transcation is over. that should confuse the system.
- Vid Hubble 'scope scans 200,000-ton CHUNKY CRUMBLE ENIGMA
- Bugger the jetpack, where's my 21st-century Psion?
- Google offers up its own Googlers in cloud channel chumship trawl
- Interview Global Warming IS REAL, argues sceptic mathematician - it just isn't THERMAGEDDON
- Apple to grieving sons: NO, you cannot have access to your dead mum's iPad