A Simple Trick To Protect Your PIN From Thieves With Thermal Cameras

Thermal cameras were once expensive and bulky hunks of equipment that very few people could get their hands on. No longer. With FLIR's new iPhone case thermal imaging cameras are now both affordable and incredibly discreet, which means that evil-doers can use it to see the thermal signature your fingers leave on a keypad and steal your ATM PIN. Here's a very simple way to thwart that.

Our good friend and former NASA JPL engineer Mark Rober has a FLIR One iPhone case, and he'd heard tell of these supposed nefarious persons who use them to steal PIN numbers, so he set out to see how easy it was to do and how it might be prevented. The bad news is that it's extremely easy to use one of these cameras for mischief. As he explains in the video, when you press a button with your finger, the two substances (i.e. the button and your finger) strive for thermal equilibrium. In other words, heat passes from your finger, into the button. Thermal cameras can see the leftover heat signature that your fingers leave in the buttons, and because the heat dissipates over time, they can generally tell the order in which you pushed the buttons. Scary right?

Well, the good news is that this is easily preventable. As Mark suggests in the video, simply touch a couple of other keys while you're punching in your code. The heat on the other buttons will throw off your potential dobadders. Alternatively, you could punch in your code and then lay your palm flat across all of the keys, which should have the same effect. Essentially, you're adding a bunch of extra heat to the keys which will make everything look muddy when someone looks at it with a thermal camera. Or, best of all, use the end of a pen to punch in your PIN and you won't be transferring any heat at all.

The other good news is that you generally don't have to worry about this if the keypad is metal. "Metal keypads reflect IR like a mirror," says Mark. "Plus they're highly conductive, which dissipates the heat quickly, which doesn't allow for a thermal signature to be left behind." That said, there are still a ton of keypads that use plastic or rubber buttons, and they're all vulnerable to this attack. Ever seen a metal keypad at a grocery store? Didn't think so.

So, now that we know the simple solution, will we be doing it every time we enter our ATM PIN? I guess it depends how paranoid we're feeling that day. If there are sketchy people around, or if the guy behind you in line has a particularly thick iPhone case, it couldn't hurt. [Mark Rober]


Comments

    It must really give them the shits when they spend all this time stealing PINs and then they realise they actually need the card, or the data off of it, to get anywhere nefarious.

      Yeah I was about to mention this but you beat me to it.

      What use is the PIN to them if they don't have your card?

        I assume the idea is to steal the pin and then steal the card.

      deleted

      Last edited 18/06/15 11:00 am

        How exactly do they skim your card if you're using it at, say, a supermarket or a retail store like the above clip? They aren't using an ATM here.

          There was a McDonalds that had the EFT terminals replaced with card-skimming devices once, but I'd imagine it's very hard to do and rare.

          Two step process would make it reasonably easy.
          Card skimmer at an ATM, discreetly casing users using it. As described, thermal would be difficult at the ATM, but, following a high value target to their next EFTPOS purchase location, would reveal all the info needed.
          BTW - Not condoning this and this should NOT be done. It is a reasonable example though IMO.

        You need to consider the side of the bank. If a thief clones your card and then "signs it" and uses the fake signature, then when you report the fraud, the signature is clearly not yours so the bank suffers the loss. If he steals the pin and uses it with his skimmed card, try proving to the bank that it wasn't you. You suffer the loss. The REAL reason for the banks wanting to move away from signatures to PINS is clear - shifting proof and risk from the bank to YOU!!!

    This shouldn't even be an issue..! The bank is responsible for keeping my money safe, as laughable as that sounds, they can bloody well fix this problem..!

      And how do you suppose they do that genius? At a certain point you have to take responsibility for your own actions. Do you drive with your eyes closed because you expect your insurance company to keep your car safe from harm?
      1. Think
      2. Post

        The video clearly shows how they can do that: metal buttons.

          The other good news is that you generally don’t have to worry about this if the keypad is metal. “Metal keypads reflect IR like a mirror,” says Mark. “Plus they’re highly conductive, which dissipates the heat quickly, which doesn’t allow for a thermal signature to be left behind.”

          That is all.

        Its not hard to build a warmer into the keypad. Pre heated key pads solves this problem quite cheaply.

        Last edited 29/08/14 10:27 am

        You mention thinking... Did you actually do any before posting..?
        The bank is responsible for reimbursing any losses incurred due to their facilities being hacked..! The only thing the customer has to do, is regularly check their account..!
        Maybe you shouldn't bother posting if you don't know what 'yer talking about eh..?

    This reminds me of the scene in Captain America 2 when they use fingerprints to figure out the PIN to break into the old SHIELD facility - how do they know the order of the numbers?!?

    I suppose at least with heat transfer you could tell which were touched first. Problem being though it would be quickly stuffed up if the same number is used more than once!

    Last edited 29/08/14 8:48 am

      Most pins are 4 digits. If you know what 4 digits are used then there are only 24 possible pin combinations. Assuming only 3 pin combinations a tried each day to avoid raising suspicion, it wouldn't take too long to establish the correct pin.

        There are actually more like 10,000 different potential combinations from 4 digits. See this post: https://answers.yahoo.com/question/index?qid=20060822135305AAOvcrm

          Um... I think this only counts if you don't know which of the 10 digits in our numbering system comprise the 4 you are using. If you already know the 4 digits - and assuming they are different so each can only be used once, the number of combinations is 4 factorial (4!) which expands to 4x3x2(x1) or 24.

    I haven't tried it but also tapping numbers after pressing the enter button could work around the issue

    PIN numbers to use in ATM machines, right?

      Yeah, the same PIN you use to get cash out at Woolies, or pay for your groceries.

      You are the clever one aren't you?
      You should be so proud that it was you that picked it up.
      Clever clever boy

      Personal Identification Number number to use in the Automatic Teller Machine machines...right.

    ... or if you can, just pay with tapping - no PIN required.

    They still have to steal your card though ...

      He knows who that pin belongs too. All he has to do is follow her out of the store and grab her bag.

    I've been doing this for a while, but to prevent "fingerprint" attacks where a criminal would clean a keypad first, then wait for the first person to use it, then look for prints to get a PIN code. Possible order of numbers can be obtained by watching arm movements via a video camera.

    When I tell people, they laugh, but wiping your palm across the keypad takes less than a second, can also foil thermal camera attacks and is a good habit to have.

    Just like picking a secure password because "LOL NOBODY WOULD WANT MY PASSWORD LOL!"

      Possible order of numbers can be obtained by watching arm movements via a video camera.
      I'm inadvertently immune to this it seems. I use different fingers for each button so I never move my arm. Just my way of doing it though, never thought about it.

    Wearing gloves won't transfer any heat either, i guess that's no good in summer though.

    There are millions of techniques to get the data off your card for them to use with your PIN to get money out. If you keep your card safe though, preferably with other things between it and the outside of your pocket, this shouldn't be an issue for you. Or buy one of those card protectors for your card that goes into your wallet and stops everything except a card skimmer at the retail store (which are found at times BTW) or ATM.

    At the end of the day the most any regular person can do is to keep a close eye on your online banking, and report any transactions you know you didn't make as soon as possible.

    These sort of articles and videos are like terrorism - designed to create fear in the community. If you live your life ultra paranoid, they win.

    Surely there's a better option. Like not have a pin? Biometrics? Co-location with you phone GPS? The pin should be dead by now.

      Biometrics is good until you run into a Minority Report style thing where you rip out the eyeballs of someone rich and use that to get access to an ATM. GPS wouldn't work either, because you can easily fake your location (Android allows mock locations for development purposes).

      I still think PIN numbers are the way to go, perhaps with two-factor authentication (like a hardware token) or perhaps making PINs longer. From The Simpsons (Last Exit to Springfield):

      Phoney McRingring: Well, scientists have discovered that even monkeys can memorize ten numbers. Are you stupider than a monkey?
      Chief Wiggum: How big of a monkey?
      Phoney McRingring Haha. Of course you're not!

    Can't you use your phone to get money out of the atm nowadays and as for supermarkets and shops, you have pay wave and no pin number is needed. Haven't used an ATM for ages anyway. I get ready cash from my account when I do shopping but I mostly don't use cash any more. There's very little reason to use cash for anything.

      I don't like paywave. It's less secure than having a pin. Sure it's only for smaller amounts but whats to stop someone from pinching your card and spending $25 here and $25 there until they've racked up hundreds on your account? All without a pin or signature, no security at all.

      Maybe if there was a way to set up your preferred maximum amount per transaction and per day on paywave I'd feel more comfortable about it. Then I could set it to $5 max transaction and $20 per day. So I could buy a loaf of bread or a can of coke and that's about all.

        The banks would cover any money you have lost, so I wouldn't be worrying too much. It's just an inconvenience. I've had money taken out of my bank a couple of times. Not from my card but from the account. Somehow the overseas thief's managed to make a couple of fake transactions. It took 3 or 4 days to get the money back. Moral of the story... If a thief wants your money and he's smart enough, nothing will stop them.

          I had the same thing happen. Got a call from the bank asking me if I'd been in Holland. Apparently someone bought some sex stuff from a place in Amsterdam using my card details. Which made me laugh I must admit. I probably wouldn't have laughed if I didn't get the money back though. Boggles the mind how they managed to get the details.

          That said, it was an easy proof - making a purchase in Holland when I live in Australia. Not so sure getting a refund on a hundred bucks worth of paywave purchases at food/dept stores nearby would be as easy to dispute.

    My biggest question is 'PayWave'. Any RFID detector can pick it up, if close enough. Transfer that info to a dummy card and 'Wave' away. How is this secured??
    P.S. I'm not being sarcastic, truly curious as to how 'secure' PayWave is??

      It's as secure as anything else. Yes all these things can be stolen from, that won't change and your bank will always refund your money.

        I suppose I didn't really ask the question I was wanting.

        PayWave, to me, seems a lot easier to steal. No visible hardware required, no waving infra-red over kepads, no camera phone watching over someones shoulder.
        Just an RFID scanner in your pocket as you walk down the street.

        Is 'convenience' really worth the risk?? /tinfoilhaton Is there a way to prevent scanning?? /tinfoilhatoff

        Not that I had the choice, my new card came with PayWave, without requesting the 'service'. If asked, I would have said, no thanks!

          I suppose if your paranoid about it, you could make a little lead Holder for it. I don't think it could be read that way. Maybe a little faraway cage. (I think the spelling is wrong) basically it's a little wire cage.

          Just remembered, they have little card purses for sale that can stop people from skimming your card and they're cheap too. :)

      The biggest weakness for PayWave appears to be continued support for card magnetic strips. You can dump card data from a PayWave card sufficient to construct the magnetic strip for the same card, but you can't clone the PayWave or Chip-and-pin aspect of the card because of the integrated transaction security features.
      There have been attacks against the EMV protocol which provides the transaction security, but I've not seen any evidence that card cloning (or at least, cloning the PayWave or Chip+Pin aspects of the card) is presently possible.

        you can't clone the PayWave or Chip-and-pin aspect of the card because of the integrated transaction security features
        I've not seen any evidence that card cloning (or at least, cloning the PayWave or Chip+Pin aspects of the card) is presently possible

        I did not know that, cheers for the info. I figured it mustn't have been too difficult to do, but as the saying goes; to assume ...

          NP. These slides provide some interesting information about the security issues that PayWave does have. It isn't cloning of PayWave or Chip+Pin, but there is still plenty to be troubled by (e.g. transaction history, dumping credit card number - but not CCV, etc.)

Join the discussion!

Trending Stories Right Now