Thermal cameras were once expensive and bulky hunks of equipment that very few people could get their hands on. No longer. With FLIR’s new iPhone case, thermal imaging cameras are now both affordable and incredibly discreet, which means that evil-doers can use one to see the thermal signature your fingers leave on a keypad and steal your ATM PIN. Here’s a very simple way to thwart that.
Our good friend and former NASA JPL engineer Mark Rober has a FLIR One iPhone case, and he’d heard tell of these supposed nefarious persons who use them to steal PIN numbers, so he set out to see how easy it was to do and how it might be prevented. The bad news is that it’s extremely easy to use one of these cameras for mischief. As he explains in the video, when you press a button with your finger, the two substances (i.e. the button and your finger) strive for thermal equilibrium. In other words, heat passes from your finger into the button. Thermal cameras can see the leftover heat signature that your fingers leave in the buttons, and because the heat dissipates over time, someone looking at the image can generally tell the order in which you pushed the buttons. Scary, right?
Well, the good news is that this is easily preventable. As Mark suggests in the video, simply touch a couple of other keys while you’re punching in your code. The heat on the other buttons will throw off your potential do-badders. Alternatively, you could punch in your code and then lay your palm flat across all of the keys, which should have the same effect. Essentially, you’re adding a bunch of extra heat to the keys, which will make everything look muddy when someone looks at it with a thermal camera. Or, best of all, use the end of a pen to punch in your PIN and you won’t be transferring any heat at all.
The other good news is that you generally don’t have to worry about this if the keypad is metal. “Metal keypads reflect IR like a mirror,” says Mark. “Plus they’re highly conductive, which dissipates the heat quickly, which doesn’t allow for a thermal signature to be left behind.” That said, there are still a ton of keypads that use plastic or rubber buttons, and they’re all vulnerable to this attack. Ever seen a metal keypad at a grocery store? Didn’t think so.
So, now that we know the simple solution, will we be doing it every time we enter our ATM PIN? I guess it depends how paranoid we’re feeling that day. If there are sketchy people around, or if the guy behind you in line has a particularly thick iPhone case, it couldn’t hurt. [Mark Rober]