Stealing ATM Pin Numbers Using A Thermal Camera Is Too Easy

I can't believe criminals haven't jumped onto thermal cameras, because they're apparently BOSS at stealing your ATM PIN number. Not only can they figure out the set of numbers in a pin but sometimes they can even tell the order too. Scary.

Researchers from UCSD pointed thermal cameras towards plastic ATM PIN pads and metal ATM PIN pads to test how effective they were at stealing PIN numbers. The thermal cams didn't work against metal pads but on plastic pads the success rate of detecting all the digits was 80 per cent after 10 seconds and 60 per cent after 45 seconds. If you think about your average ATM trip, that's a pretty wide window and an embarrassingly high success rate for thieves to take advantage of.

Thermal cameras are better suited at pilfering PINs than video cameras because they work even when a person shields her hand. The person's body temperature, the strength of the button presses and the length of the press all helped thermal cams figure out the person's PIN and sequence. I think it's time to start pressing random numbers at the ATM before criminals and thieves realise how awesome thermal cams can be for their line of work. [Usenix (PDF) via Naked Security via Slashdot]


Comments

    Oh, bloody hell,.. right! now I'm going to press every key after I've finished a transaction... #[

    Just hold your hand over the whole pad to warm it up..

    Why do so many people say PIN number? PIN = Personal Identification Number, by adding "number" after PIN you're effectively saying "Personal Identification Number number" and sounding like you don't know what you're talking about.
    At least there's no mention of the equally stupid "ATM machine".

      Damn you for having perfectly executed grammar within your rant.

      It is because a lot of people suffer from RAS Syndrome.

      A little acronym redundancy never hurt anyone.

      See this post for a counterargument to your silly rant:

      https://isoglossy.wordpress.com/2011/05/17/in-defense-of-redundancy-and-context/

        What, really? You're going to use the 'different language' defence? When you are at a store buying something and someone asks you "Do you have a PIN or do you sign?" are you really going to start thinking about your sewing kit?

        It's not like PINs can be confused with pins in the same context. That linked argument is completely bunk.

      Also GNU
      Gnu's Not Unix

    Glove wearing time, I guess.
    Hurry up on the retina scanning - I want to see bad guys carrying eyeballs in plastic bags.

    But after keying the PIN, the user may have also keyed in the dollar amount...

      Most ATMs display a list of dollar amounts and have you choose one and it uses a different set of buttons. Sure you could key in the dollar amount manually, but if your amount is selectable with a single key press why would you?

        Because I like some 20's in my cash out so I always key in a number that gets me 50's and 20's .. ever since they took away the option to pick how you wanted your money :)

    "I can’t believe criminals haven’t jumped onto thermal cameras, because they’re apparently BOSS at stealing your ATM PIN number."

    It's probably because they didn't know this information until now, but THANKS for posting this to the world and making it much easier for them to steal our money now!

    Serious man, WTF were you thinking when you published this?

      10 secs for 80% accuracy is still a pretty small window for them to get inline behind you, I wish the average atm Transaction was 45 secs - a lot of people seem to take longer then that anway, adding in the pressing of the transaction amount potentially obscuring the heat from the pin and the time to actually walk away from the machine, and that they either need to skim your card at the same time or mug you for it, then I think we may be ok. For now.

      Plus the guy hanging round in the line behind you who looks like a Borg is probably a bit of a give away.

    You could totally do that in splinter cell years ago.

    A few things, you rarely enter your pin and do nothing else with the machine so the chances of this being overly dangerous is pretty small (especially given that someone has to be standing behind you with a thermal camera). At best the person behind you with a (presumably) fairly large thermal camera would be able to tell how much cash you withdrew and if you're withdrawing 40 bucks and your pin includes a 4 and a 0 then you're probably okay

    Second, you did this exact trick in one of the early Splinter Cell games, I think Pandora Tomorrow to get through a security door

      Hmmm,.. Good point! #]

      IIRC you could do that in the very first splinter cell game. Pandora Tomorrow was #3.

      IIRC you could do that in the very first splinter cell game. Pandora Tomorrow was #2.

      Not really, a lot of people use the shortcut buttons on the sides of the screen.

    This comment has been deemed inappropriate and has been deleted

      Dude, you might want to go troll somewhere else!

    Don't they need your keypass too?

    I think you guys are looking at this sideways.
    It's not about the whole, window of opportunity thing, some badguy lining up behind you and snapping a pic of the keypad after every transaction.

    This is about a mounted camera on or near the ATM. Traditional cameras only caught the PIN if whoever entered it did not cover the pad while they were entering it. However, with a thermal camera, it's likely it will be possible to grab the PIN in the time between entering it, and entering say, the sum of cash you want to withdraw.

    I suspect they're not using them because there's not much point investing in a thermal camera when they already make plenty of money with a much cheaper camera, seeing as most people don't seem to cover the keypad.

    It would make more economical sense and be less of a hassle to just mug someone at knife point, honestly...

    They could just heat the keypad up to 30 or 40 degrees, which would stop the thermal cameras from working (see Hollow man).

    nooooooooooooooooooooo

    Hmmm.
    Forgot all about all the other key presses that come after, like cash amounts etc.?
    Seems a bit futile to me!
    Interesting thought though

    This is all fine and well, but if you can find a small Thermal Infra-red imaging camera for less than $50, tell me, because I want one. I think they are cool. Ebay has them at over $1000 and they are not small.

    Okay, well that's the pin part sorted. How are you gonna go about grabbing the card?
    They would've had to use it at the ATM so the card must be obtained afterwards, and you don't have long to rush to the ATM in order to get it in time, so what are you going to do? take a photo, finish the "pretend" transaction, and hopefully catch up the the victim?

    Please... it's impractical

Join the discussion!

Trending Stories Right Now