
Researchers from UCSD pointed thermal cameras towards plastic ATM PIN pads and metal ATM PIN pads to test how effective they were at stealing PIN numbers. The thermal cams didn’t work against metal pads but on plastic pads the success rate of detecting all the digits was 80 per cent after 10 seconds and 60 per cent after 45 seconds. If you think about your average ATM trip, that’s a pretty wide window and an embarrassingly high success rate for thieves to take advantage of.
Thermal cameras are better suited to pilfering PINs than video cameras because they work even when a person shields her hand. The person’s body temperature, the strength of the button presses and the length of the press all helped thermal cams figure out the person’s PIN and sequence. I think it’s time to start pressing random numbers at the ATM before criminals and thieves realise how awesome thermal cams can be for their line of work. [Usenix (PDF) via Naked Security via Slashdot]
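Why the residue fades with time, vanishes on metal, and is scrambled by extra key presses, shown as a toy cooling model. This is an added example, not code from the UCSD paper or this post; the constants, the sample PIN and the function names are all assumptions chosen for illustration.

```python
import math

# Toy model. Every constant below is an assumption, not a figure from the study.
CONTACT_RISE_C = 4.0   # how far one touch lifts a key above ambient (deg C)
NOISE_FLOOR_C = 0.05   # smallest temperature difference the camera resolves
PRESS_GAP_S = 1.0      # seconds between consecutive key presses
PLASTIC_DECAY = 0.05   # per-second cooling rate of a plastic key
METAL_DECAY = 2.0      # metal conducts the heat away almost immediately

def residue(presses, decay, delay_s):
    """Excess temperature per key, delay_s seconds after the last press.
    Newton cooling; a later touch of the same key overwrites the earlier one."""
    last = len(presses) - 1
    return {key: CONTACT_RISE_C * math.exp(-decay * ((last - i) * PRESS_GAP_S + delay_s))
            for i, key in enumerate(presses)}

def observe(excess):
    """Return (warm_keys, order). order runs coldest to warmest, i.e. first
    touched to last touched, or is None when neighbours are within the noise."""
    warm = sorted((k for k, v in excess.items() if v > NOISE_FLOOR_C), key=excess.get)
    gaps = [excess[b] - excess[a] for a, b in zip(warm, warm[1:])]
    resolved = bool(warm) and all(g > NOISE_FLOOR_C for g in gaps)
    return set(warm), ("".join(warm) if resolved else None)

def pin_exposed(pin, presses, decay, delay_s):
    """True only when the residue alone yields the exact PIN sequence."""
    _, order = observe(residue(presses, decay, delay_s))
    return order == pin

if __name__ == "__main__":
    pin = "7139"                      # constructed sample PIN
    decoy = pin + "39710248"          # PIN, then extra presses that re-touch its keys
    for label, presses, decay, delay in [
        ("plastic, 10 s", pin, PLASTIC_DECAY, 10),
        ("plastic, 45 s", pin, PLASTIC_DECAY, 45),
        ("metal, 10 s", pin, METAL_DECAY, 10),
        ("plastic, 10 s, extra presses", decoy, PLASTIC_DECAY, 10),
    ]:
        warm, order = observe(residue(presses, decay, delay))
        print(f"{label}: warm={sorted(warm)} order={order} "
              f"exposed={pin_exposed(pin, presses, decay, delay)}")
```

In this model the digits on plastic are still visible at 45 seconds but their order is no longer resolvable, and extra presses that revisit the PIN keys leave an order that no longer matches the entry sequence.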

EckyThump
Thursday, August 18, 2011 at 9:42 AM
Oh, bloody hell,.. right! now I’m going to press every key after I’ve finished a transaction… #[
Ads
Thursday, August 18, 2011 at 9:51 AM
Just hold your hand over the whole pad to warm it up..
stevjosco
Thursday, August 18, 2011 at 10:12 AM
Why do so many people say PIN number? PIN = Personal Identification Number, by adding “number” after PIN you’re effectively saying “Personal Identification Number number” and sounding like you don’t know what you’re talking about.
At least there’s no mention of the equally stupid “ATM machine”.
Mr Biggles
Thursday, August 18, 2011 at 10:35 AM
Damn you for having perfectly executed grammar within your rant.
Bigmac
Thursday, August 18, 2011 at 11:39 AM
It is because a lot of people suffer from RAS Syndrome.
Chris
Thursday, August 18, 2011 at 2:40 PM
And ATM Machines
Max
Thursday, August 18, 2011 at 8:13 PM
A little acronym redundancy never hurt anyone.
juansmith
Friday, August 19, 2011 at 3:16 AM
See this post for a counterargument to your silly rant:
https://isoglossy.wordpress.com/2011/05/17/in-defense-of-redundancy-and-context/
Jordan
Wednesday, August 24, 2011 at 9:44 AM
What, really? You’re going to use the ‘different language’ defence? When you are at a store buying something and someone asks you “Do you have a PIN or do you sign?” are you really going to start thinking about your sewing kit?
It’s not like PINs can be confused with pins in the same context. That linked argument is completely bunk.
Terry
Friday, August 19, 2011 at 12:28 PM
Also GNU
Gnu’s Not Unix
Azza
Thursday, August 18, 2011 at 10:27 AM
Never seen a non-metal pad
codework
Thursday, August 18, 2011 at 10:40 AM
Glove wearing time, I guess.
Hurry up on the retina scanning – I want to see bad guys carrying eyeballs in plastic bags.
joejoe
Thursday, August 18, 2011 at 12:17 PM
But after keying the PIN, the user may have also keyed in the dollar amount…
silne
Thursday, August 18, 2011 at 6:51 PM
Most ATMs display a list of dollar amounts and have you choose one and it uses a different set of buttons. Sure you could key in the dollar amount manually, but if your amount is selectable with a single key press why would you?
Francis M
Saturday, August 20, 2011 at 2:19 AM
Because I like some 20's in my cash out so I always key in a number that gets me 50's and 20's .. ever since they took away the option to pick how you wanted your money :)
TK
Thursday, August 18, 2011 at 12:24 PM
“I can’t believe criminals haven’t jumped onto thermal cameras, because they’re apparently BOSS at stealing your ATM PIN number.”
It’s probably because they didn’t know this information until now, but THANKS for posting this to the world and making it much easier for them to steal our money now!
Serious man, WTF were you thinking when you published this?
Sarah
Thursday, August 18, 2011 at 1:29 PM
10 secs for 80% accuracy is still a pretty small window for them to get in line behind you, I wish the average ATM transaction was 45 secs – a lot of people seem to take longer than that anyway, adding in the pressing of the transaction amount potentially obscuring the heat from the PIN and the time to actually walk away from the machine, and that they either need to skim your card at the same time or mug you for it, then I think we may be ok. For now.
Francis M
Saturday, August 20, 2011 at 2:20 AM
Plus the guy hanging round in the line behind you who looks like a Borg is probably a bit of a give away.
Steve
Thursday, August 18, 2011 at 12:24 PM
You could totally do that in Splinter Cell years ago.
Aliasalpha
Thursday, August 18, 2011 at 12:31 PM
A few things, you rarely enter your PIN and do nothing else with the machine so the chances of this being overly dangerous are pretty small (especially given that someone has to be standing behind you with a thermal camera). At best the person behind you with a (presumably) fairly large thermal camera would be able to tell how much cash you withdrew and if you’re withdrawing 40 bucks and your PIN includes a 4 and a 0 then you’re probably okay.
Second, you did this exact trick in one of the early Splinter Cell games, I think Pandora Tomorrow to get through a security door.
EckyThump
Thursday, August 18, 2011 at 12:45 PM
Hmmm,.. Good point! #]
CraftyNinja
Thursday, August 18, 2011 at 3:57 PM
IIRC you could do that in the very first Splinter Cell game. Pandora Tomorrow was #3.
CraftyNinja
Thursday, August 18, 2011 at 3:57 PM
IIRC you could do that in the very first Splinter Cell game. Pandora Tomorrow was #2.
CraftyNinja
Thursday, August 18, 2011 at 3:58 PM
Sorry guys, my bad….
stupid IE @ work
Azza
Friday, August 19, 2011 at 10:40 AM
Not really, a lot of people use the shortcut buttons on the sides of the screen.
bob
Thursday, August 18, 2011 at 2:05 PM
This comment has been deemed inappropriate and has been deleted
EckyThump
Thursday, August 18, 2011 at 2:56 PM
Dude, you might want to go troll somewhere else!
ChemZ
Thursday, August 18, 2011 at 6:08 PM
Don’t they need your keypass too?
Chewman
Thursday, August 18, 2011 at 6:44 PM
I think you guys are looking at this sideways.
It’s not about the whole, window of opportunity thing, some bad guy lining up behind you and snapping a pic of the keypad after every transaction.
This is about a mounted camera on or near the ATM. Traditional cameras only caught the PIN if whoever entered it did not cover the pad while they were entering it. However, with a thermal camera, it’s likely it will be possible to grab the PIN in the time between entering it, and entering say, the sum of cash you want to withdraw.
Max
Thursday, August 18, 2011 at 8:16 PM
I suspect they’re not using them because there’s not much point investing in a thermal camera when they already make plenty of money with a much cheaper camera, seeing as most people don’t seem to cover the keypad.
Lillee
Thursday, August 18, 2011 at 10:28 PM
It would make more economical sense and be less of a hassle to just mug someone at knife point, honestly…
Doug
Thursday, August 18, 2011 at 10:28 PM
They could just heat the keypad up to 30 or 40 degrees, which would stop the thermal cameras from working (see Hollow Man).
cool
Friday, August 19, 2011 at 2:27 AM
nooooooooooooooooooooo
Terry
Friday, August 19, 2011 at 12:29 PM
Hmmm.
Forgot all about all the other key presses that come after, like cash amounts etc.?
Seems a bit futile to me!
Interesting thought though
Michael
Friday, August 19, 2011 at 8:08 PM
This is all fine and well, but if you can find a small Thermal Infra-red imaging camera for less than $50, tell me, because I want one. I think they are cool. eBay has them at over $1000 and they are not small.
Daniel
Saturday, August 20, 2011 at 6:33 PM
Okay, well that’s the PIN part sorted. How are you gonna go about grabbing the card?
They would’ve had to use it at the ATM so the card must be obtained afterwards, and you don’t have long to rush to the ATM in order to get it in time, so what are you going to do? Take a photo, finish the “pretend” transaction, and hopefully catch up to the victim?
Please… it’s impractical