Freeze, Glasshole! Stop spying on me at the ATM

Google Glass wearers can snoop on passcodes and other sensitive information with only a passing glance, according to a proof-of-concept demo by security researchers. Researchers from the University of Massachusetts Lowell were able to use video streams from wearables like Google Glass and the Samsung smartwatch to capture four …

COMMENTS

This topic is closed for new posts.
  1. NogginTheNog
    Alert

    CCTV

    To be honest I've been suspicious of entering my PIN on terminals in any number of dodgy looking corner shops and petrol stations for a while: it wouldn't be difficult for someone to set up a system to skim the card details, and a camera to record finger movements without needing clever software to identify numbers entered.

    1. petur

      Re: CCTV

      Actually that's what they are doing right now. Over here (.be) gangs have already been arrested for placing a tiny camera on some plants near an ATM. I admired how the banks provided the perfect camouflage....

    2. JeffyPoooh
      Pint

      Re: CCTV

      Camera? Puh...

      You swipe your card into the ATM and then you enter your PIN into the same ATM. You just gave the dodgy-looking machine everything needed to make another card and the PIN that goes along with the account. You'd better trust that the ATM is not owned, or pwned, by evil-doers™.

  2. Big_Ted
    FAIL

    WTF......

    I'm sorry but since when was a Panasonic camcorder a wearable device ?

    That's what's quoted as 40 meters, Google Glass was only 83% useable for it at 3 meters.....

    Scaremongering and blatant misuse of data in the title,,,,

    1. petur
      Meh

      yes, misleading title is misleading.

      Also, since somebody is wearing the camera, at about the same spot as the eye, they can also just LOOK and note down your PIN. No need to make the investment, and I'm sure people will remember it when somebody was standing there with Google Glass on.

    2. Lionel Baden

      agreed

      Scaremongering,

      but foolish comment regarding you need to use a full sized hand held camera strapped to your head as a wearable device :/

      1. Anonymous Coward
        Anonymous Coward

        Re: agreed

        I think the point is that Glassholes are less obvious than someone holding a full sized camera. Obviously an image recorded on Google Glass can also be blown up and manipulated (as mentioned in the article) so you could see what was typed where a person with normal eyesight couldn't.

        1. NumptyScrub

          Re: agreed

          The main difference is that holding a camera (or phone) up makes it obvious to bystanders that you are actively trying to do something to record the input. Wearing a Google Glass style device gives no such visible feedback that you are actively attempting to capture or record anything, meaning that people have to assume whether you are or are not. In other words, you get plausible deniability and a defense of "it's not even turned on" when questioned by the person behind you in the ATM queue, even if you are engaged in nefarious tasks.

          Since it is trivial to bypass any indicator LEDs on a device, the only secure assumption you can make for someone wearing a Glass like device is that it is recording. Much like someone waving a toy gun at a SWAT team, you shouldn't be surprised if people automatically make the worst assumption and act accordingly, even if that assumption turns out to be factually inaccurate.

    3. jai

      Re: WTF......

      I'm sure I saw an episode of Columbo or Diagnosis Murder or some other daytime 80s police procedural where the wrong'un of the episode did exactly that with a camera to photograph the security keypad on a door so they could break in and kill the victim.

      Just because it's new technology, does not mean it is a new threat.

    4. Charles Manning

      Please be fair to El Reg

      They said 40 PACES, not 40 metres, and certainly not 40 meters (*).

      Glassholes wear tight pants so 3 metres for them is about 40 paces.

      (*) A meter is an alternative Register measurement based on the width of the electricity meter installed at the observatory in Greenwich and is approx. 12cm. 40 meters is thus approx 4.8 metres.

  3. Michael Hawkes
    Childcatcher

    BREAKING NEWS!

    People with cameras can record what you're doing.

    1. Miss Config

      Re: BREAKING NEWS!

      Like when you're having a piss in the adjoining urinal.

    2. Anonymous Coward
      Anonymous Coward

      Re: BREAKING NEWS!

      It's all rather pathetic that Google Glass scaremongering. You know very well it would be very different if it were Apple Glass. The media would be falling over themselves to praise it.

  4. Flocke Kroes Silver badge

    I prefer the infra-red camera trick

    After the victim has typed the PIN and taken away the hand used to hide what he was typing, take an infrared photo. The most recent key pressed glows brightest.

    pic

    1. Richard 81

      Re: I prefer the infra-red camera trick

      Use a PIN with one number repeated.

      1. d3vy

        Re: I prefer the infra-red camera trick

        If you were really paranoid you could enter an incorrect pin first.. or just hold your finger on a few of the keys without pressing them...

      2. Charles Manning

        re: Use a PIN with one number repeated.

        I tried that once, but I could never remember the order to type them in.

    2. John H Woods Silver badge

      Re: I prefer the infra-red camera trick

      Possible countermeasure - heat keypad to 37C.

      1. Matt 21

        Re: I prefer the infra-red camera trick

        Or cool self to keypad temperature.

        On reflection it may be better just to just lightly touch all the keys in the row while only properly pressing the right one.

        1. John Latham

          Re: I prefer the infra-red camera trick

          Or wear gloves.

    3. Richard Plinston

      Re: I prefer the infra-red camera trick

      > The most recent key pressed glows brightest.

      I have always rested my hand flat on the keypad with all fingers on keys (and my other hand, or wallet, covering). It is then possible to press the appropriate keys with minimum finger movement, and no heat difference.

      I do see people using a single finger to poke the keys which makes it easy to read their number from metres away.

  5. Anonymous Coward
    Anonymous Coward

    ATM acquirers (i.e. machine owners) are required to regularly check machine environments for the presence of CCTV that might be used to record PINs, and to certify to the switching authority that they do so. Obviously with a UK estate of many thousand machines, many on remote sites not owned by the acquirer like petrol stations and in convenience stores, it's impractical to check them very often, but the risk is known about.

    In practice there are more reliable ways for the crims to capture PINs than cameras, such as overlay PIN pads which punch through to the real pad below (so the ATM still works normally). No need to worry about careful people obscuring the pad with their other hand. Some of the miniature wireless and storage tech that turns up in these devices was previously seen in Eastern Bloc espionage kit, organised Romanian gangs being behind a lot of UK ATM fraud.

    1. Anonymous Coward
      Anonymous Coward

      Simple solution

      I use a pre-paid card for many small purchases. If the PIN for it is nicked and the card cloned only the amount of ££££££ on the card can be purloined. As the card is issued by a different bank from my main account there is no direct link between the two setups.

      I have another two cards for use in Europe(in Euros) and the US (in USD). That way I only pay an exchange fee when I load the cards.

      Because I am paranoid about people looking over my shoulder, I'm going A/C in the hope that won't tempt an El-Reg hacker to try their luck with me.

  6. JeffyPoooh
    Pint

    SOP is as follows...

    When typing a 4-digit PIN, touch about 6 or 7 keys in sequence, but only press the 4 of your PIN (the others you don't actually press). Unless the evil-doers™ can also see (and record) the screen and note when the four '*'s appear, then they'll become confused and move on to easier targets.

    This is trivial to do. It's my Standard Operational Procedure. Probably about ~99% effective.

    1. Kane
      Trollface

      Re: SOP is as follows...

      Probably about ~99% effective

      So you admit then that it hasn't worked at least once?

      1. JeffyPoooh
        Pint

        Re: SOP is as follows...

        LOL. It would be unreasonable to advertise the technique as being 100% effective, but it's close.

        PS: I apologize for the redundant and unnecessarily-duplicated "about" and "~".

  7. sandman

    Card cloning

    I haven't used my card in a garage or convenience store ever since herself had her card cloned almost certainly after using it at the local garage (try proving that one though). Fortunately the card was then used at an Argos in Essex, so it was very easy to prove that it wasn't her using it - I mean, Argos! says he snobbishly.

  8. Gav
    FAIL

    Bad Source

    Since when is it acceptable to use the Daily Mail as a source for tech news?

    1. FrankAlphaXII

      Re: Bad Source

      Since it's also acceptable to use The Guardian, which they also occasionally do, I suppose it's only fair. It could be worse I guess, they could be sourcing articles from the Sun.

  9. Anonymous Coward
    Anonymous Coward

    There's one type of behaviour of using Google Glass that I hope will happen

    If the person wearing them sees someone in distress, they'll let the Google Glass do the video recording and be proactive in the situation, instead of whipping out their mobile phone to record the event as so many lemmings on this planet are doing, like these useless bystanders who stood around and filmed a 27 year old woman get beaten up in front of her 2 year old (who the attacker also threatened to kick in the face)

  10. PatientOne

    Perhaps it's time to change the security model

    It's fairly simple: I go to log onto my online account and I'm asked for three numbers from the pin, in a random order, and any number can be duplicated. Which three numbers changes each time I log in.

    Why hasn't this been adopted for cash points?

    Plus, you could then have longer pin numbers for extra security.

    1. Robert E A Harvey

      Re: Perhaps it's time to change the security model

      Why can't we have a touchable token as well as a pin? Have an RFID pen that we would have to have in pocket when we use the machine? Finger prints? Iris prints?

      I envisage terminals accepting up to 8 forms of ID, and we could choose 4 of them, and if we wanted ask it to pay out on at least 2.

    2. Anonymous Coward
      Anonymous Coward

      Re: Perhaps it's time to change the security model

      It's not simple. The PIN is encrypted at the point it is typed in. This encrypted PIN is transmitted across various networks, and the PIN block is then compared to the host system (Card Issuer's system). Such a change would require that the PIN digits be decrypted in order to compare them with a PIN stored IN THE CLEAR on the Card Issuer's host. Not going to happen.
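      As an added illustration of the point made in the two comments above (this is example code written for this page, not something posted by either commenter or taken from any bank's software), the following Python builds the clear ISO 9564-1 format 0 PIN block that an encrypting PIN pad forms before encrypting it. The PAN and PIN values are constructed test data, and the 3DES/AES encryption under the pad's zone or DUKPT key is deliberately omitted so the block has no dependencies; in a real ATM that step happens inside the tamper-resistant pad, and the block in the clear never leaves it. What the example shows is why a "give me three digits of your PIN" challenge does not map onto this scheme: the block carries the whole PIN, XORed with the PAN, and verification is all-or-nothing.

```python
"""
ISO 9564-1 format 0 PIN block construction and issuer-side verification.

Example code added to this page; the PAN and PINs below are constructed
values, not real card data. Format 0:
  PIN field = control nibble 0 | PIN length nibble | PIN digits | F padding
  PAN field = 0000 | rightmost 12 digits of the PAN, excluding the check digit
  block     = PIN field XOR PAN field   (16 hex digits, 8 bytes)
The block is then encrypted by the PIN pad; that step is left out here.
"""
import hmac


def _pan_field(pan: str) -> str:
    """0000 followed by the 12 rightmost PAN digits, check digit dropped."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 13:
        raise ValueError("PAN too short for format 0")
    return "0000" + digits[-13:-1]


def _pin_field(pin: str) -> str:
    """Control nibble 0, PIN length nibble, the digits, then F padding."""
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4-12 decimal digits")
    return f"0{len(pin):X}{pin}".ljust(16, "F")


def format0_pin_block(pin: str, pan: str) -> bytes:
    """Clear format 0 block: PIN field XOR PAN field, as 8 bytes."""
    pin_f = int(_pin_field(pin), 16)
    pan_f = int(_pan_field(pan), 16)
    return (pin_f ^ pan_f).to_bytes(8, "big")


def recover_pin(block: bytes, pan: str) -> str:
    """Undo the XOR with the PAN field; reject blocks whose padding is wrong.

    Because the PAN is folded into the block, decoding with the wrong PAN
    corrupts the F padding, which is how a mismatch is detected here.
    """
    raw = int.from_bytes(block, "big") ^ int(_pan_field(pan), 16)
    pin_field = raw.to_bytes(8, "big").hex().upper()
    if pin_field[0] != "0":
        raise ValueError("not a format 0 block")
    length = int(pin_field[1], 16)
    pin = pin_field[2:2 + length]
    if not pin.isdigit() or set(pin_field[2 + length:]) - {"F"}:
        raise ValueError("padding check failed: wrong PAN or corrupted block")
    return pin


def verify_pin(block: bytes, pan: str, reference_pin: str) -> bool:
    """Issuer-side check: the whole PIN is compared, never a subset of digits."""
    try:
        return hmac.compare_digest(recover_pin(block, pan), reference_pin)
    except ValueError:
        return False


if __name__ == "__main__":
    pan = "4000001234567899"  # constructed test PAN
    block = format0_pin_block("1234", pan)
    print(block.hex().upper())              # 041234FEDCBA9876
    print(verify_pin(block, pan, "1234"))   # True
    # Same PIN on a different card gives a different block.
    print(format0_pin_block("1234", "5000001111111115").hex().upper())
```

      The `hmac.compare_digest` call is there so the comparison does not leak through timing; the rest is just the bit layout. Note that the wrong-PAN detection relies on the padding nibbles, so it is a sanity check rather than an integrity guarantee, which in practice comes from the encryption layer that has been left out.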

  11. Alan Edwards

    Misleading headline

    > Wearable cams can RECORD your PIN from 40 METRES

    No they can't, wearables like Glass don't have an optical zoom. The article itself admits they only made it work 3m away with an iPhone.

    Strap the 2x extender on the 60x zoom on my Sony (equivalent to something like 1.2m focal length on a 35mm IIRC) and I reckon you could stretch it to 100m; it's not exactly subtle though, and to do it in the real world you'd need an angle to see which keys are being pressed on the keypad - easy from 3m, not so much at 40m.

    Give me access to Hubble (and a mod that lets it focus that close) and I can grab your PIN from space!

    > Daily Mail reports.

    Oh, that explains it.

  12. Mint Sauce
    Devil

    "We designed Glass with privacy in mind"

    Oh, that's all ok then..

  13. phil dude
    Coat

    thunderbirds...

    good thing google glass won't work in Thunderbird 2....

    P.

  14. Huw Jarce

    Randomise the keypad

    I used a similar device to Scramble keypad 20 years ago to access secure computer room in a government building. This was a physical device. Simples.

    http://www.swhouse.com/Products/readers_Schlage_Scramble_Keypad.aspx

    1. DNTP

      Re: Randomise the keypad

      This is a great idea, but ATM operators will never go for it because the number of people who accidentally lock themselves out after entering the wrong code too many times will increase by at least two orders of magnitude. Also, the never ending stream of people who will call up screaming in frustration WHY DOES IT KEEP CHANGING ON ME.

      Personally I prefer to use bank ATMs since no fees (this is the States) which I figure keeps the chance of dodgy gimmicks a little lower. And I cover the pad with my wallet when entering my PIN because I've been conditioned to do that by the mother since I was 12.

  15. Turtle

    And they said.

    "'Unfortunately, stealing passwords by watching people as they type them into ATMs and laptops is nothing new and so there's no reason for us to care. We designed Glass with deprivation of privacy in mind. The fact that Glass is worn above the eyes and the screen lights up whenever it's activated clearly signals it's in use and makes it a fairly lousy surveillance device because it's apparent to anyone who thinks about it that, in order to steal your PIN at an ATM, the glasshole must be standing directly in front of the victim who can therefore... Ooops. Never mind. Just buy the glasses, 'kay?'" .

    Mmm'kay.

  16. Anonymous Coward
    Anonymous Coward

    Shield your PIN

    Any camera could do the same. Don't look for people who may be spying. Shield your PIN every time you use it. It's your responsibility, not the glasshole over the road.

  17. Gannettt

    Why does Google Glass need a camera anyway?

  18. Matt Bryant Silver badge
    Pirate

    Pfffft!

    I'd say the most effective way of getting the PIN (and the card itself) is still a baseball bat.....
