I can see the title...
"Keypad heater market booms". Solution: Preheat keypads at about 37 degrees centigrade. If sick, stay home. May use cats if other heat source is unavailable.
Security researchers have found that thermal cameras can be combined with computer algorithms to automate the process of stealing payment card data processed by automatic teller machines. At the Usenix Security Symposium in San Francisco last week, the researchers said the technique has advantages over more common ATM skimming …
But in my experience, the best method is still to tie the guy/girl to a chair, nick his wallet and shoot him/her in the kneecap to get the PIN.
Personally, I always cover my fingers when I type my code and run them on random keys as well. I'm trying to ge tthe missus to do the same, but bah, can't be arsed can she. "Nothing will happen" she says. And if something DOES happen, the hubby (that's me) is there to grab the phone and clean up the sh*t.
...on the head.
Always keep your pin typing covered and as you said: when in doubt hit random keys. If you don't know what to do simply type a wrong (random) pin first, then your real pin in the second attempt.
This may look insignificant but can really go a very long way. Don't think thermal vision and such as is reported here; what about people smeering some gui on the keys to try and get the 4 digits that way ?
is more secure than one with 4 different digits (36 possible combinations against 24) - though you can also get a hint to the order of the digits from the size of the thermal imprint. Of course, you could just hit a 5th extra key (which I -think- the ATM will ignore) and give them 120 possibilities to play with.
Cunning stunt, though.
Card PIN numbers can be up to six digits normally and even up to 12 digits in specific circumstances. As for using the same digit twice, that might be picked up by a thermal signature that's hotter than a single press would allow, so the crooks would know (along with the fact less than the required digits were used). Given that knowledge, finding the right one can be done quickly even by trial and error.
For the same reason we see how fast we can make cars go, or how stealthily we can make aircraft fly.
In other words, it's human nature - curiosity, innovation and just plain old finding things out.
If we stopped pushing the limits of what can be done for fear of the bad guys misusing our work, we'd probably be a whole lot less "civilised" than we are today.
Exactly this technique was used as a plot device in one of the early Splinter Cell games by Sam Fisher. Albeit using his own thermal camera mode. Follow the guard through the pin coded door by looking at the heat given off by the pad.
Wonder who has the idea first? I could see UbiSoft claiming the IP on it and then demanding all the money from the criminals who use this technique.
I'm sure they didn't invent it, but The Real Hustle (BBC3...) did the same thing on a safe a year or two back.
They posed as shopping mall security guards and got the shopkeeper to open their safe to "check" it hadn't been emptied.
Then as soon as he'd entered the PIN, called him away on some "urgent" matter.
The other chap then took an IR image of the keypad, before entering the glowing digits into the safe, brightest last.
though not specifically to do with thermal imaging.. is to look at regular keypad-based locks on doors to look for buttons that are more worn down than the others. Based on the assumption that they don't bother changing the code, of course, which would level out the wear patterns and make them useless in trying to brute-force the code.
punching all the keys randomly after removing my card from now on. It wouldn't hurt to wipe the keys with an alcohol pad afterward. Evaporating alcohol would cool the keys enough to throw the algorithms for a loop. Wouldn't hurt to use something other than fingers for pressing keys also.
If you've been paying attention you will be doing that already. There's a software attack using some testing software (if I recall correctly) which can allow someone to find out all the digits in your PIN -- but using the same digit twice can confuse this in the way mentioned by previous posters.
(this would probably slow them down even more than a 1-finger typist on downers) but I recall 10+ years ago that the keypad for entry to an office I worked at had the digits re-order on every use, so the key that used to be 1 would become 0,2-9 / 2 would become 0,1,3-9 / etc. Then you actually had to see what the values were at the time the keypad was used (only illuminated on scanning of id card).
10,000 combinations of 4 digits with repeats allowed
5,040 combinations of 4 digits not having repeats, and 4,960 that do
(5,040 = 10 (any first digit) x 9 (any except the first) x 8 (and except the first 2) x 7
So you seem to have given up 1 bit of your around 13 bits PIN. (8192 = 2^13)
However, I wonder if they actually give out PINs which have the same digit 4 or 3 times. If they do not then we can exclude those, but counting how many there are is something I don't want to try to work out now.
Is anyone going to tell us that their PIN is the same digit 4 times? (Advice: don't!)
The ATMs around here will throw you full 50's or 100's if you let them. You must always withdraw $48 or $18 or it won't spill any change whatsoever.
Cashing $200 will get you 2 x $100 bills and you will have a hard time changing them. Or the Macdonald's lady looking at you in a pissed manner (although they are trained to disguise it very well).
One of the banks caught up and decided to answer our pleas: it spits out a $50, 2x 20 and a 10 when you cash out $100. Boy, did everybody notice and copied. Competition...
On the other hand, aluminum keypads and strong air-conditioning (for indoor atms) are the key.
And yes, I withdraw $150 which is always typed. They throw you straight 100 or 200 choices, but not 150.
...such as over here in Costa Rica. US$ 100 is CRC 50,000, so for a hundred and fifty bucks you type a lot of zeros. And yes, there's a zero in my pin.
By the by, I always cover the keypad and cough loudly when entering my pin, in case anyone's using AV gear. Seems a lot more likely then thermal imaging, IMO.
the people that ask why these attacks are developed because criminal types will exploit them have had the answers given time and time again in this thread.... so that a defense against it can be formulated.
The fact that it appears the idea of thermal cameras be3ing used has been done if a few TV programmes and computer games makes it even more an issue for the defenders of my money to find out if its really possible.
the fact that it really is possible will lead to a solution before the criminals can exploit it.
a combination of several of the solutions that people have come up with will actually do it quite well... non heat conductive pads, along with additional steps on the numerical keypad, or at random indicating you to roll around your pin by a certain number of places...(1234 will become 3412 if requested a rotate by 2)... or how about biometric scans and facial recognition systems ATMs all have cameras anyway, make use of them to secure our money before the fact.....
now where the hell is my card !
because being an insulator, they retain heat.
Pads need to be conducting, to return to ambient temperature ASAP.
If people pressed with the tip or flat of their nails or lingered on the first 2 digits, that would consistently misdirect a recovery algorithm to consistently fail, given that there are only 3 attempts to guess correctly.
Asking the generally thick public to 'rotate their pins' is ridiculous!
I can see that quite all of the comments are from paranoid enough people. I keep the fingers on random keys while waiting for the ATM to show me a lot of useless information that cannot be skipped, then enter the pin at lightning speed (I am good at typing fast), and then I keep the fingers on random keys again. I do all of this while keeping my wallet over the keypad with my other hand. (I suppose that we can all enter the pin without looking at the keys, do we?)
If my atm pin is hard to get, and everyone else's is easy to get, guess who will lose his money? Everyone else. It's "security by being such a bitch". If stealing from me is hard, and stealing from someone else is easy, why should the thief steal from me?
Most, if not all banks ask you for a selection characters from your PIN password when doing online or telephone banking.
So why can't ATMs ask you for 3 random digits from your PIN. That way, the scammer won't have your full PIN or any idea of the order of the digits.
Alternatively, wash the keyboard with hot coffee...
If they know the pin, then the system's not secure. I thought the pin was never stored anywhere, but the result of hashing it with the (either account or card) number was?
(I could be wrong, but I do recall this discussion from somewhere).
My bank requires random characters from a security phrase (which is insulting to the bank;-) )
If you have a bank that uses a PIN as the only form of security for your online banking, switch bank!
Beer, because swabbing the keys with alcohol before AND after use would prevent this attack, and bacterial contamination.
Use a touchscreen, or a keyboard with individual miniature displays in each key; allowing the key layout to be remapped at random. Just knowing which *keys* were pressed does not then tell you what *numbers* were entered.
The original idea was to thwart shoulder-surfing of PIN entry machines in stores (even if you cover the whole keyboard with your hand, your tendons give away which keys you're pressing) but it would also quite nicely defeat thermal imaging of a conventional keyboard after use.
For patent purposes, this constitutes a declaration of Prior Art.
They've been using touch screens with randomized keyboard layouts for quite some time for entry into high secure facilities. This was done to get around "UV attacks" where "normal light invisible 'goo'" was placed on the users fingers then the thief came behind with a UV light source to illuminate the pressed keys. Also to help prevent social engineering attacks - which have been around a really long time but are just getting their cool name in the last few years.
That being said - nobody was using the UV attack (at least that we know of. Dum dum dum...) it was a precaution because not too long ago security research wasn't as easily available as it is today and when plausible new threats did arrive they were addressed. Now there is so much security research available no one can keep up: But if you fail you get tons of bad press and lots of visits to court. At what point does something truly constitute a threat?
Is this the same Michael Zalewski who put the MZ/ZM into EXE files?
On another note, if we're really worried about thermal imaging we could always use the idea endorsed by Bruce Schneier and just print the PIN on screen. That would handily short-circuit this technological arms race. (No, I haven't forgotten what a dumb idea that was).
Big Brother is Watching (Over your Shoulder).
as some have suggested, is that it fucks up those of us who, like myself, remember our PINs not as a number sequence, but as a pattern on the keyboard. My PIN forms a regular geometric shape when typed, but I can't remember what the number actually is unless I type out that shape.
I also have a few security measures I have when using ATMs. First, I pull hard on any flanges on the machine, and try to pick the keypad off with my fingers. This is to check for "overlays" - a common scam in Australia where the crooks put a fake keypad and ATM cover on the machine which then copies your card, keylogs what you type, or contains a hidden camera to spy on your PIN. I also cover the keypad with my left hand when typing my PIN, covering my right fingers while typing it. Finally, I always wipe the keypad thoroughly with my sleeve when I'm done, to prevent dusting to see which keys I pressed.) I suppose I'll now be adding pressing random keys before wiping to stop this particular attack vector.
Biting the hand that feeds IT © 1998–2019