Better ATM skimming through thermal imaging

Security researchers have found that thermal cameras can be combined with computer algorithms to automate the process of stealing payment card data processed by automatic teller machines. At the Usenix Security Symposium in San Francisco last week, the researchers said the technique has advantages over more common ATM skimming …

COMMENTS

This topic is closed for new posts.

  1. Anonymous Coward

    Wear gloves

    Problem solved for 4 months of the year?

  2. A J Stiles
    Thumb Up

    I already invented the solution for this some years ago

    Use a touchscreen, or a keyboard with individual miniature displays in each key; allowing the key layout to be remapped at random. Just knowing which *keys* were pressed does not then tell you what *numbers* were entered.

    The original idea was to thwart shoulder-surfing of PIN entry machines in stores (even if you cover the whole keyboard with your hand, your tendons give away which keys you're pressing) but it would also quite nicely defeat thermal imaging of a conventional keyboard after use.

    For patent purposes, this constitutes a declaration of Prior Art.

    1. Anonymous Coward
      Thumb Up

      "knowing which *keys* were pressed does not then tell you what *numbers* were entered."

      unless there was some kind of device that could produce a pictorial representation of what the keys looked like before you pressed them

    2. Solomon Grundy
      Black Helicopters

      Layout Randomized Keys

      They've been using touch screens with randomized keyboard layouts for quite some time for entry into high secure facilities. This was done to get around "UV attacks" where "normal light invisible 'goo'" was placed on the user's fingers then the thief came behind with a UV light source to illuminate the pressed keys. Also to help prevent social engineering attacks - which have been around a really long time but are just getting their cool name in the last few years.

      That being said - nobody was using the UV attack (at least that we know of. Dum dum dum...) it was a precaution because not too long ago security research wasn't as easily available as it is today and when plausible new threats did arrive they were addressed. Now there is so much security research available no one can keep up: But if you fail you get tons of bad press and lots of visits to court. At what point does something truly constitute a threat?

  3. Anonymous Coward
    Big Brother

    Just out of curiosity ...

    Is this the same Michael Zalewski who put the MZ/ZM into EXE files?

    On another note, if we're really worried about thermal imaging we could always use the idea endorsed by Bruce Schneier and just print the PIN on screen. That would handily short-circuit this technological arms race. (No, I haven't forgotten what a dumb idea that was).

    Big Brother is Watching (Over your Shoulder).

  4. Steven Roper

    The problem with randomising key positions

    as some have suggested, is that it fucks up those of us who, like myself, remember our PINs not as a number sequence, but as a pattern on the keyboard. My PIN forms a regular geometric shape when typed, but I can't remember what the number actually is unless I type out that shape.

    I also have a few security measures I have when using ATMs. First, I pull hard on any flanges on the machine, and try to pick the keypad off with my fingers. This is to check for "overlays" - a common scam in Australia where the crooks put a fake keypad and ATM cover on the machine which then copies your card, keylogs what you type, or contains a hidden camera to spy on your PIN. I also cover the keypad with my left hand when typing my PIN, covering my right fingers while typing it. Finally, I always wipe the keypad thoroughly with my sleeve when I'm done, to prevent dusting to see which keys I pressed. I suppose I'll now be adding pressing random keys before wiping to stop this particular attack vector.

  5. Purlieu

    After you've finished

    just press random keys for a few seconds

    there. that was nice and cheap

  6. Anonymous Coward

    Move to a warmer climate

    Move to a warmer climate and when the ambient temperature is higher than the body, thermal imaging is useless.

    --Steve Jobs

    Posted on my iPad
