Better ATM skimming through thermal imaging

Security researchers have found that thermal cameras can be combined with computer algorithms to automate the process of stealing payment card data processed by automatic teller machines. At the Usenix Security Symposium in San Francisco last week, the researchers said the technique has advantages over more common ATM skimming …

COMMENTS

This topic is closed for new posts.
  1. P.W. Dragoix
    Boffin

    I can see the title...

    "Keypad heater market booms". Solution: Preheat keypads at about 37 degrees centigrade. If sick, stay home. May use cats if other heat source is unavailable.

  2. Anonymous Coward
    Devil

    Nice

    But in my experience, the best method is still to tie the guy/girl to a chair, nick his wallet and shoot him/her in the kneecap to get the PIN.

    Personally, I always cover my fingers when I type my code and run them on random keys as well. I'm trying to get the missus to do the same, but bah, can't be arsed can she. "Nothing will happen" she says. And if something DOES happen, the hubby (that's me) is there to grab the phone and clean up the sh*t.

    1. Anonymous Coward
      Thumb Up

      You hit the nail...

      ...on the head.

      Always keep your pin typing covered and as you said: when in doubt hit random keys. If you don't know what to do simply type a wrong (random) pin first, then your real pin in the second attempt.

      This may look insignificant but can really go a very long way. Don't think thermal vision and such as is reported here; what about people smearing some gui on the keys to try and get the 4 digits that way?

  3. Patrick R
    Meh

    Use same digit twice ?

    So a code like 1232 could be hard to differentiate from 1322 or 1332 ?? (still, they'd get 3 chances). Or the programmer could leave a time to request "type anything on the keyboard for 5 seconds". Are we getting mad yet ?

  4. Chris Miller

    So a PIN with a repeated digit

    is more secure than one with 4 different digits (36 possible combinations against 24) - though you can also get a hint to the order of the digits from the size of the thermal imprint. Of course, you could just hit a 5th extra key (which I -think- the ATM will ignore) and give them 120 possibilities to play with.

    Cunning stunt, though.

    1. Charles 9

      No good.

      Card PIN numbers can be up to six digits normally and even up to 12 digits in specific circumstances. As for using the same digit twice, that might be picked up by a thermal signature that's hotter than a single press would allow, so the crooks would know (along with the fact less than the required digits were used). Given that knowledge, finding the right one can be done quickly even by trial and error.

      1. Matthew 25
        Holmes

        To change thermal signature

        hold the key down. Or you could always whip out a tin of freezer spray and give the keyboard a good dowsing :P

        1. heyrick Silver badge

          A much simpler solution

          While the machine is contacting my bank, counting out the cash, etc, I just let all five fingers of one hand linger on random keys. Sometimes I change keys when the machine starts making noises. Either way, good luck getting a useful heat signature...

  5. Giles Jones Gold badge

    Why?

    Why do they spend time developing such attacks knowing full well that copycat criminals will abuse them?

    Many criminals don't have the intelligence to devise such schemes and rely on information released by so-called "security researchers".

    1. JakeyC

      Re: Why?

      For the same reason we see how fast we can make cars go, or how stealthily we can make aircraft fly.

      In other words, it's human nature - curiosity, innovation and just plain old finding things out.

      If we stopped pushing the limits of what can be done for fear of the bad guys misusing our work, we'd probably be a whole lot less "civilised" than we are today.

    2. Brezin Bardout

      Because

      Security by obscurity is bad.

      Far better to fix flaws than just hope the bad guys are too stupid to find them.

      Sometimes the bad guys aren't stupid.

  6. Richard 31
    Paris Hilton

    Sam Fisher

    Exactly this technique was used as a plot device in one of the early Splinter Cell games by Sam Fisher. Albeit using his own thermal camera mode. Follow the guard through the pin coded door by looking at the heat given off by the pad.

    Wonder who had the idea first? I could see UbiSoft claiming the IP on it and then demanding all the money from the criminals who use this technique.

    1. JakeyC

      The Real Hustle

      I'm sure they didn't invent it, but The Real Hustle (BBC3...) did the same thing on a safe a year or two back.

      They posed as shopping mall security guards and got the shopkeeper to open their safe to "check" it hadn't been emptied.

      Then as soon as he'd entered the PIN, called him away on some "urgent" matter.

      The other chap then took an IR image of the keypad, before entering the glowing digits into the safe, brightest last.

      1. Frumious Bandersnatch

        another precedent

        though not specifically to do with thermal imaging.. is to look at regular keypad-based locks on doors to look for buttons that are more worn down than the others. Based on the assumption that they don't bother changing the code, of course, which would level out the wear patterns and make them useless in trying to brute-force the code.

    2. Michael Chester
      Boffin

      WAY before that

      I saw it in the game Cyberia (1994).

      Now turn around real slow (but if you press the keyboard to turn rather than waiting for the cutscene you'll get shot)

  7. Jdoe1

    I guess I'll be...

    punching all the keys randomly after removing my card from now on. It wouldn't hurt to wipe the keys with an alcohol pad afterward. Evaporating alcohol would cool the keys enough to throw the algorithms for a loop. Wouldn't hurt to use something other than fingers for pressing keys also.

  8. Antony Riley

    Simple Workaround

    Don't use metal / thermally conductive keys.

    Muppets

    1. Loyal Commenter Silver badge

      Wrong

      _DO_ use thermally conductive keys, so that the heat is (hint in the name here) conducted away. Plastic keys, having low thermal conductivity, would retain the heat for longer, making this technique more feasible.

  9. Cameron Colley

    RE: Using the same digit twice.

    If you've been paying attention you will be doing that already. There's a software attack using some testing software (if I recall correctly) which can allow someone to find out all the digits in your PIN -- but using the same digit twice can confuse this in the way mentioned by previous posters.

  10. Anonymous Coward
    Trollface

    From my cold dead hands...

    I'll use Charlton's paws to push the buttons.

  11. trashbat
    Mushroom

    ATMs vs Predator

    This just provides us with yet another reason not to trust fictional extraterrestrial warrior species.

  12. Anthony Hulse
    Happy

    The return of the Stylus!!!

    Finally a use for the old Palm one I still have stuck in a drawer.

  13. mark 63 Silver badge

    I've got a double!

    yay I've got a repeated number I'm safe!

    wait a minute, does telling you that compromise anything?

    I suppose if you rest your fingers on some random buttons while you're waiting for the machine to finish its endless clicking and whirring , that'd screw the thermal camera up

    1. Robert Carnegie Silver badge

      "does that compromise anything?" Just a bit...

      10,000 combinations of 4 digits with repeats allowed

      5,040 combinations of 4 digits not having repeats, and 4,960 that do

      (5,040 = 10 (any first digit) x 9 (any except the first) x 8 (and except the first 2) x 7)

      So you seem to have given up 1 bit of your around 13 bits PIN. (8192 = 2^13)

      However, I wonder if they actually give out PINs which have the same digit 4 or 3 times. If they do not then we can exclude those, but counting how many there are is something I don't want to try to work out now.

      Is anyone going to tell us that their PIN is the same digit 4 times? (Advice: don't!)

      1. Anonymous Coward
        Anonymous Coward

        @Robert Carnegie

        Out of curiosity I just tried changing my PIN to all four digits the same at my bank's ATM - the machine gives an error and doesn't change it.
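
Added example (not part of any comment in this thread): a brute-force check of the keyspace figures quoted above (36 vs 24 vs 120 candidates, the 5,040/4,960 split, and the roughly one bit given up), plus the count of PINs with a digit used three or four times. It assumes 4-digit PINs, that only the set of pressed keys is known (no ordering hint from heat intensity), and a three-attempt limit; all function names are illustrative.

```python
from collections import Counter
from itertools import product
from math import log2

DIGITS = "0123456789"


def count_candidates(pressed, pin_len=4, decoy_keys=0):
    """Count PINs consistent with a set of keys known to have been touched.

    `decoy_keys` is how many of the touched keys are assumed NOT to belong
    to the PIN (e.g. one extra key pressed after the PIN was entered).
    """
    keys = sorted(set(pressed))
    wanted_distinct = len(keys) - decoy_keys
    return sum(
        1
        for pin in product(keys, repeat=pin_len)
        if len(set(pin)) == wanted_distinct
    )


def repetition_profile(pin_len=4):
    """Group every possible PIN by the most times any single digit occurs."""
    profile = Counter()
    for pin in product(DIGITS, repeat=pin_len):
        profile[max(Counter(pin).values())] += 1
    return dict(profile)


def bits_given_up(total, remaining):
    """Information disclosed by narrowing `total` PINs down to `remaining`."""
    return log2(total / remaining)


def p_guess(candidates, attempts=3):
    """Chance of hitting the PIN within `attempts` tries at random."""
    return min(attempts, candidates) / candidates


if __name__ == "__main__":
    # Constructed sample inputs: which keys were touched, not real PINs.
    for label, n in [
        ("4 distinct keys", count_candidates("1234")),
        ("3 distinct keys (one digit repeated)", count_candidates("123")),
        ("5 keys, one a decoy", count_candidates("12345", decoy_keys=1)),
    ]:
        print(f"{label:38s} {n:4d} candidates, "
              f"P(guess in 3 tries) = {p_guess(n):.3f}")

    prof = repetition_profile()
    with_repeat = sum(v for k, v in prof.items() if k > 1)
    print("no repeated digit:", prof[1], " some repeat:", with_repeat)
    print("same digit 3 times:", prof[3], " 4 times:", prof[4])
    print(f"saying 'my PIN has a repeat' gives up "
          f"{bits_given_up(10_000, with_repeat):.2f} bits")
```
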

  14. Wind Farmer

    If it wasn't for the dumb-ass ATM users that queue ahead of me.......

    (this would probably slow them down even more than a 1-finger typist on downers) but I recall 10+ years ago that the keypad for entry to an office I worked at had the digits re-order on every use, so the key that used to be 1 would become 0,2-9 / 2 would become 0,1,3-9 / etc. Then you actually had to see what the values were at the time the keypad was used (only illuminated on scanning of id card).

  15. Dave Murray

    Type more than your PIN

    Surely the act of typing how much cash you want will screw this up by adding several extra keys to the thermal image? You always have to request amounts that end with a zero so if your PIN has a zero in it then it will be much harder to work out by this method.

    1. Sir Cosmo Bonsor

      When

      was the last time you used a cash machine that expected you to type the amount?

      1. Charles 9

        Almost every time.

        Since I don't usually withdraw money in convenient amounts like $20, $40, or $100. It's a multiple of $20, sure, but one of the usual ones, so I'm forced to tell the ATM by keypad (and the keypad is mandatory for security reasons).

        1. Anonymous Coward
          Angel

          Convenient amounts???

          The ATMs around here will throw you full 50's or 100's if you let them. You must always withdraw $48 or $18 or it won't spill any change whatsoever.

          Cashing $200 will get you 2 x $100 bills and you will have a hard time changing them. Or the McDonald's lady looking at you in a pissed manner (although they are trained to disguise it very well).

          One of the banks caught up and decided to answer our pleas: it spits out a $50, 2x 20 and a 10 when you cash out $100. Boy, did everybody notice and copied. Competition...

          On the other hand, aluminum keypads and strong air-conditioning (for indoor atms) are the key.

          And yes, I withdraw $150 which is always typed. They throw you straight 100 or 200 choices, but not 150.

          1. heyrick Silver badge

            Wow...

            I dunno about big cities, but out rural the cash machines offer €10 and €20. It is even nice enough to give "mostly twenties with a couple of tens", whether you're asking for forty or four hundred.

  16. Matt Collins

    Soft keys don't help

    Why don't the ATMs force the use of the PIN pad for more than just the PIN? It strikes me that using it for all interactions would make this attack very hard and others more difficult.

    1. Sir Cosmo Bonsor

      Sigh

      They don't force it because there's no evidence that anybody is actually trying this stunt in the real world. Hell, it sounds like they had enough trouble just doing it in the lab.

      1. gringo guy

        Some do...

        ...such as over here in Costa Rica. US$ 100 is CRC 50,000, so for a hundred and fifty bucks you type a lot of zeros. And yes, there's a zero in my pin.

        By the by, I always cover the keypad and cough loudly when entering my pin, in case anyone's using AV gear. Seems a lot more likely than thermal imaging, IMO.

  17. Anonymous Coward
    Coat

    answers and questions...

    the people that ask why these attacks are developed because criminal types will exploit them have had the answers given time and time again in this thread.... so that a defense against it can be formulated.

    The fact that it appears the idea of thermal cameras being used has been done in a few TV programmes and computer games makes it even more an issue for the defenders of my money to find out if it's really possible.

    the fact that it really is possible will lead to a solution before the criminals can exploit it.

    a combination of several of the solutions that people have come up with will actually do it quite well... non heat conductive pads, along with additional steps on the numerical keypad, or at random indicating you to roll around your pin by a certain number of places...(1234 will become 3412 if requested a rotate by 2)... or how about biometric scans and facial recognition systems ATMs all have cameras anyway, make use of them to secure our money before the fact.....

    now where the hell is my card !

  18. Anonymous Coward
    Anonymous Coward

    non-heat conducting pads is a bad thing

    because being an insulator, they retain heat.

    Pads need to be conducting, to return to ambient temperature ASAP.

    If people pressed with the tip or flat of their nails or lingered on the first 2 digits, that would consistently misdirect a recovery algorithm to consistently fail, given that there are only 3 attempts to guess correctly.

    Asking the generally thick public to 'rotate their pins' is ridiculous!

  19. Kurgan
    Thumb Up

    Citizen, be paranoid!

    I can see that quite all of the comments are from paranoid enough people. I keep the fingers on random keys while waiting for the ATM to show me a lot of useless information that cannot be skipped, then enter the pin at lightning speed (I am good at typing fast), and then I keep the fingers on random keys again. I do all of this while keeping my wallet over the keypad with my other hand. (I suppose that we can all enter the pin without looking at the keys, do we?)

    If my atm pin is hard to get, and everyone else's is easy to get, guess who will lose his money? Everyone else. It's "security by being such a bitch". If stealing from me is hard, and stealing from someone else is easy, why should the thief steal from me?

  20. thesykes

    I have the perfect solution

    Have a wife and three kids, then you'll permanently have a bank account with no money in it to steal.

    Sorted.

  21. Anonymous Coward 99

    Or...

    ... Use pattern-shape entry; or

    ... Use a matrix which has movable digits and/or extra keys allowing positional replacement

    1. Matthew 25
      Coat

      Or

      Keep your money in your mattress.

  22. Anonymous Coward
    Paris Hilton

    Two is good, four is better

    If having a twice-repeated number is more secure, I'm putting my faith in the fact that repeating the same number four times is twice-as-twice-as secure. I am Paris, it's what I'd do.

  23. Anonymous Coward
    Anonymous Coward

    Cost would obviously be an issue, but what about...

    Keys with a built in display, where the numbers are randomised before you enter the pin and after you're done?

    1. Charles 9

      What about the blind?

      Blind people can't use randomized keypads and instead must rely on the bump on the 5 to help them figure out the layout of the keypad (and yes, ATMs have to accommodate the blind--by law; that's why they have Braille instructions). Blind people MUST type by touch.

  24. Red Bren
    Coffee/keyboard

    Why use the full PIN?

    Most, if not all banks ask you for a selection of characters from your PIN password when doing online or telephone banking.

    So why can't ATMs ask you for 3 random digits from your PIN. That way, the scammer won't have your full PIN or any idea of the order of the digits.

    Alternatively, wash the keyboard with hot coffee...

    1. Martin 71 Silver badge
      Pint

      Uhh, that's dangerous

      If they know the pin, then the system's not secure. I thought the pin was never stored anywhere, but the result of hashing it with the (either account or card) number was?

      (I could be wrong, but I do recall this discussion from somewhere).

      My bank requires random characters from a security phrase (which is insulting to the bank;-) )

      If you have a bank that uses a PIN as the only form of security for your online banking, switch bank!

      Beer, because swabbing the keys with alcohol before AND after use would prevent this attack, and bacterial contamination.

  25. Anonymous Coward
    Thumb Up

    At last!

    A good excuse for my ingrained habit of pissing on the ATM after I have used it. Perhaps I will get more respect from the rest of the queue in future?

  26. darklord
    WTF?

    Urmmmmm

    Keep ya gloves on then no thermal trace left.

  27. Harry
    Alert

    "you could always whip out a tin of freezer spray "

    But carrying around a biro might be less cumbersome, and would transfer very little heat to the keytops.

  28. Anonymous Coward
    Anonymous Coward

    thermal imaging pins

    why not simply press all of the keys (or a selection including say 2 of your actual pin) when the transaction is over. that should confuse the system.

  29. SpaceJuice

    How about....

    Gloves???

  30. Anonymous Coward
    Anonymous Coward

    Wear gloves

    Problem solved for 4 months of the year?

  31. A J Stiles
    Thumb Up

    I already invented the solution for this some years ago

    Use a touchscreen, or a keyboard with individual miniature displays in each key; allowing the key layout to be remapped at random. Just knowing which *keys* were pressed does not then tell you what *numbers* were entered.

    The original idea was to thwart shoulder-surfing of PIN entry machines in stores (even if you cover the whole keyboard with your hand, your tendons give away which keys you're pressing) but it would also quite nicely defeat thermal imaging of a conventional keyboard after use.

    For patent purposes, this constitutes a declaration of Prior Art.

    1. Anonymous Coward
      Thumb Up

      "knowing which *keys* were pressed does not then tell you what *numbers* were entered."

      unless there was some kind of device that could produce a pictorial representation of what the keys looked like before you pressed them

    2. Solomon Grundy
      Black Helicopters

      Layout Randomized Keys

      They've been using touch screens with randomized keyboard layouts for quite some time for entry into high secure facilities. This was done to get around "UV attacks" where "normal light invisible 'goo'" was placed on the users fingers then the thief came behind with a UV light source to illuminate the pressed keys. Also to help prevent social engineering attacks - which have been around a really long time but are just getting their cool name in the last few years.

      That being said - nobody was using the UV attack (at least that we know of. Dum dum dum...) it was a precaution because not too long ago security research wasn't as easily available as it is today and when plausible new threats did arrive they were addressed. Now there is so much security research available no one can keep up: But if you fail you get tons of bad press and lots of visits to court. At what point does something truly constitute a threat?

  32. Anonymous Coward
    Big Brother

    Just out of curiosity ...

    Is this the same Michael Zalewski who put the MZ/ZM into EXE files?

    On another note, if we're really worried about thermal imaging we could always use the idea endorsed by Bruce Schneier and just print the PIN on screen. That would handily short-circuit this technological arms race. (No, I haven't forgotten what a dumb idea that was).

    Big Brother is Watching (Over your Shoulder).

  33. Steven Roper

    The problem with randomising key positions

    as some have suggested, is that it fucks up those of us who, like myself, remember our PINs not as a number sequence, but as a pattern on the keyboard. My PIN forms a regular geometric shape when typed, but I can't remember what the number actually is unless I type out that shape.

    I also have a few security measures I have when using ATMs. First, I pull hard on any flanges on the machine, and try to pick the keypad off with my fingers. This is to check for "overlays" - a common scam in Australia where the crooks put a fake keypad and ATM cover on the machine which then copies your card, keylogs what you type, or contains a hidden camera to spy on your PIN. I also cover the keypad with my left hand when typing my PIN, covering my right fingers while typing it. Finally, I always wipe the keypad thoroughly with my sleeve when I'm done, to prevent dusting to see which keys I pressed. I suppose I'll now be adding pressing random keys before wiping to stop this particular attack vector.

  34. Purlieu

    After you've finished

    just press random keys for a few seconds

    there. that was nice and cheap

  35. Anonymous Coward
    Anonymous Coward

    Move to a warmer climate

    Move to a warmer climate and when the ambient temperature is higher than the body, thermal imaging is useless.

    --Steve Jobs

    Posted on my iPad
