Stealing ATM PINs with thermal cameras

Filed Under: Featured, Privacy, Vulnerability

At the USENIX Security Symposium last week, researchers Keaton Mowery, Sarah Meiklejohn and Stefan Savage from the University of California at San Diego presented their paper "Heat of the Moment: Characterizing the Efficacy of Thermal Camera-Based Attacks."

Inspired by previous research on safecracking by Michał Zalewski, they thought it would be easier for a criminal to snoop on ATM PINs using a thermal (infrared) camera to detect residual heat from keypresses rather than current techniques using traditional video cameras.

Thermal image of ATM PIN padThermal imaging provides several advantages. Unlike with traditional cameras, visually masking the PIN pad does not defeat the attack, and the ability to automate PIN harvesting using computer software further simplifies the task.

The researchers gathered 21 volunteers and had them test 27 randomly selected PIN numbers using both a plastic PIN pad and a brushed metal PIN pad.

The strength of the participants' button presses and their body temperature were shown to affect the results to some degree. The researchers discovered that the metal pad made the attack nearly impossible to implement, but with the plastic PIN pad, it was even possible to determine from the heat signatures not only the numbers pressed but also the number order.

With the plastic PIN pad, the custom software the researchers wrote to automate the analysis had approximately an 80% success rate at detecting all digits from a frame 10 seconds after the person entered their PIN. The success rate was still over 60% using a frame 45 seconds after the PIN was entered.

Button recovery chartThe researchers also compared human analysis of the video footage to their automation software. It turns out that not only does the software work, but often performs more accurately than the humans looking at the video.

While thermal cameras are a bit expensive, this research suggests that thieves could adopt this technique in the future. It's easier to place and hide the camera, allows automated analysis and could return enough useful results to be profitable.

As far as we know, this attack hasn't been used in the wild, but the cautious among us could opt to use ATMs with metal PIN pads to reduce the risk of becoming a victim.

, , , , ,

You might like

42 Responses to Stealing ATM PINs with thermal cameras

  1. James · 976 days ago

    Funny enough, when I'm not sure if someone has been watching me, I will enter random numbers then hit correction so that by the time I'm done, there's been about 15 keystrokes all over the keypad and nobody would know what I've done. That would probably resolve this issue as well!!

    • Dave · 976 days ago

      lol smart

    • BizzyM · 976 days ago

      Hurry up, James.... some of us need to get a little cash and back to work sometime today.

    • Mike · 976 days ago

      Smarter than that would be, instead of always entering 15 random keystrokes that you then correct, to always enter the *same* 15 keystrokes that you go on to "correct". Otherwise, if somebody is targetting you in particular and has multiple snapshots of your "random" attempts it is easier to eliminate which keys the multiple thermal snapshots do not have in common... and hone in on your true PIN.

      (Yes, I know it is less unlikely somebody is targetting you in particular, and has multiple thermal snapshots of your entries, but...)

  2. Robert · 976 days ago

    They would still have to get your card though.

    • Dirk · 976 days ago

      not necessarily. -->Skimming (at least where there is no EMV)

  3. Colleen · 976 days ago

    Ok so you got the pin, now what? What about the card? How can you get into someone's account without having their bank card? hmmmmm scientists??

    • Paul Ducklin · 976 days ago

      ATM skimming actually requires two data sources. The first is a copy of the magstripe on the card. This (usually) requires a miniature card read head inside or in front of the card slot. Every card inserted is thus digitally copied and clonable, assuming no smartcard aspect to the ATM transaction.

      So you don't "get" their card. You just make a usable copy. Remember that it doesn't get looked at by a human so it doesn't need to _look_ right. It can be cloned onto another bank's card or a simply onto grey blank. As long as the magstripe contains the same data as the original it will pass for it in a cashpoint machine.

      The hard part is getting the PINs, and lining them up with each card.

      Various techniques exist. A fake keypad glued over the real keypad to "copy" keystrokes whilst pushing down the keys underneath is one. Another uses a hidden camera to record your keypresses. This is a variation on the visible-spectrum camera approach.

      Installing the card skimmer is generally not a matter of science, but of engineering or craftsmanship - casting and making a polymer or metal "keyslot prosthesis" which looks realistic enough to blend in with the ATM itself.

      • Morten · 976 days ago

        Would ICC cards be the way to go, instead of the old magnetic strip technology?

        • BK201 · 975 days ago

          ICC's are more vulnerable because they wouldn't (not all, not always) even require contact. Thieves can snoop the data just by bumping into you with a reader in their backpack.

    • Richard · 970 days ago

      To get your card they simply pick pocket you. If there's two persons involved one quickly takes an IR photo of the keypad while the other robs you - simples

  4. Paul · 976 days ago

    use a pen to press the keypad?

  5. rolz · 976 days ago

    or use a plastic pen to depress the buttons.

  6. Sergio Sanguinetti · 976 days ago

    I would press a few buttons after I'm done with the ATM with plastic numeric keypad... that should solve the problem.

    • marcbl · 976 days ago

      I've never opted for the "fast cash" option, so there would be at least one non-zero numeral and three zeros.

  7. voidwave · 976 days ago

    Magstripes and EMV are broken and have been actively exploited for years, and we still coming out with new attacks against them. All I want to know is: Why haven't we fixed it yet?

    I'm no an expert, but the only proposals I know of involve adding some sort of biometrics like facial recognition. And then, this would only be done at ATMs and would obviously have a convenient backwards compatibility feature to bypass it anyway.

    • Lintilla · 976 days ago

      I would rather have criminals stealing my card data and pin (as long as you do what you are supposed to, the bank will give you the money back), then being held at gun point and forced to withdraw money for them.

      That said, I can't remember the last time I used an ATM. At least here in Norway everyone accepts and prefer payment by debit card. There have been a couple of incitents where criminals have replaced the complete payment terminal with a hacked one, but this is a lot more work.

    • sigalrm · 976 days ago

      Voidwave: The short answer to 'why haven't we fixed it" boils down to a business decision.

      The current rates of fraud incurred by major financial institutions (including legal costs, card replacement, investigation, etc) pale in comparison to the costs associated with completely revamping the payment system.

      If/when that balance shifts, you can be assured the problems will get addressed.

      Note that the inconvenience and costs to consumers and smaller businesses doesn't factor into the equation, and even if it did, for larger banks, a few million in fraud losses over the course of a year barely constitutes rounding error.

  8. Unknown · 976 days ago

    Of course you could just press loads of keys when your done getting your cash. Read that suckers!

  9. Dave · 976 days ago

    you could just rest your hand on top on the entire keypad while waiting for the card, receipt and cash to dispense...... that should heat up the while thing

    • That's what I always do; I also rest my fingertips on a fixed set of keys that just happen to only slightly overlap the ones I actually use to enter my pin. This way, instead of knowing they've got dodgy data, the software will think they've got a strong match on my card (which happens to be wrong)! Hopefully, this would be enough to flag the bank that my card's been skimmed.

      I also tend to use my thumbnail to enter some of my numbers while placing my finger on another button; this sleight of hand should confuse anyone attempting to shoulder surf my PIN, and I'd bet it has the added benefit of having almost no heat signature (while the finger touch would have one).

  10. haroon · 976 days ago

    We recently did some work in a similar vein (with stealing passwords/pins from on screen keyboards) http://blog.thinkst.com/2011/07/on-screen-keyboar...

  11. bob · 976 days ago

    What about making the ATM verify itself the same way websites do, with a digital signature? First make the box tamper evident to the bank--i.e. disable upon tampering. Then apply the same type of digital signature technology used by websites to verify that they are legit. The signature in question would be an encrypted visual artifact like a barcode, or a wireless transmission. The customer would then decrypt it using a bank-issued device or their personal smart phone to verify that it is legit before using it. This signature could be issued by the bank, since they are a trusted agent--it is simply the *ATM* that is untrusted.

  12. JD · 976 days ago

    Another prevention would be to just instead of having the options buttons beside the screen, to assign each option a number and have the user press a number for the desired action. That will definitely solve this problem quickly!

    • TrCi · 959 days ago

      Not a bad idea JD, And let's add to that: the number for each option could be changed after each transaction, giving more randomness to each customer.

  13. BizzyM · 976 days ago

    This is why I carry a can of compressed air with me when I go to the ATM. Shake, turn upside down, freeze the keypad. Nothing suspicious about that, right?

    -or-

    This is why I carry an axe with me when I go to the ATM. Get money, destroy terminal. That way, the criminals won't be able to retrieve their skimmers.

  14. Alice · 976 days ago

    Replace the keypad with a touchscreen that shows a 3x4 keypad with the numbers in random order.

    • Alex · 976 days ago

      worst. idea. ever.

      • JustSteve · 976 days ago

        I used to work in a place with a security system like this. The door keypads were basically 9 tiny LCD screens, and the numbers were randomly placed when you used it. even a simple 4 digit code is much harder to steal if the buttons won't be pressed in the same order every time.

  15. Rick · 976 days ago

    I imagine deliberate touching another four numbers, after entering my pin, would help, since they would then have the heat signature. Would the ATM machine be "confused" if I did this?

  16. mike · 975 days ago

    Having myself accidentally sneezed on an ATM terminal once, I can think of nothing worse than rubbing my hands all over the buttons.

    Did they do the test on glass screens? I would be interested in the result as many atms now use touch screens for the interface. Glass has a lower conductivity, as do the rubber buttons but the display also has its own heat source which would reduce the temperature difference.

    • Roland · 975 days ago

      Actually, insulators like glass would hold the heat print longer than a conductor like metal. Also metal shiny surfaces are the best because they reflect the surrounding infrared light such as the person's body IR who is holding the IR camera.

    • TrCi · 959 days ago

      Mike - I'd give thumbs down on the sneeze! And thumbs up on the Glass. So, I guess you break even on my points support. LOL

  17. Prashant Jain · 975 days ago

    Most of the people do multiple transcations like withdraw money, check balance, pay bills after entering the PIN, which leaves heat signature on multiple keys. I guess that itself solves the problem of leaving heat signatures!

  18. Feefers · 975 days ago

    As a PIN is only 4 digits long you can use the heat to trace when the buttons were pressed, unless you get repeat numbers in the pin, 2482 is going to be hard to identify if the 2 was pressed twice or the 4 was pressed twice as the more recent heat signature will be more prominant then the weaker one in both cases.

    But yes as other people have noted, it still relies on having your card taken from you and at that point they might as well threaten you with a knife/gun and demand your pin rather then use fancy thermal imaging.

  19. Steve H · 974 days ago

    people forget that some PIN codes can be longer than 4 numbers. My sister's PIN is 7 numbers. This is interesting when people watch you can you keep pushing buttons.
    I have also noted that in europe there are little shields on the side of the pin pad that allow your hand in and helps avoid shoulder surfing.
    I would think that a credit card, PIN code and RFID key fob that would read a RFID when you push a PIN code would be more secure. Then a thief would need your PIN and the fob to take your money.

  20. ColonelFazackerley · 969 days ago

    Have some repeated digits in your PIN...

    Also: normal digital cameras have a filter in to stop response to infra red. You can hack a cheap camera to respond to infra red. This can be very cheap.

  21. Ahmed · 968 days ago

    I have 12 digit PIN number. Each number is used at least once. I believe this such attack will not work on me.

  22. georgebutel · 967 days ago

    When a number is used more than once, it becomes more difficult to determine the order, but there are few possibilities. Most people in this country use 4 digit pin codes. If your pin code is xyzx, the thermal image will only show that y, z, and x were pressed sequentially. If you guess that the x was pressed twice, then the only possibilities that give you the yzx heat sequence would be xyzx and yzxx. But you would also have to guess that y was the one pressed twice, which gives yyzx as the only string to explain the yzx heat sequence, and you would also have to test the possibility that z was pressed twice, so zyzx and yzzx would have to be tested. In other words, there are 5 different pins that would explain that heat sequence.
    What messes that argument up is that pressing one key more than once would add to its heat signature, and might end up giving that particular key more of a heat signature than the key actually pressed last, so other combinations would have to be tested to bust your pin. In other words, the heat signature of yzx might result from yxxz because pressing the x twice might add more latent heat than pressing the z key once slightly later.
    If you use only 2 different numbers in a 4 digit pin, the heat signature would not be able to eliminate many of the possibilities, especially since the hacker would not know if one of the 2 numbers was used once, twice, or three times. Looking at each possible combination of 1-x and 3-y, 2-x and 2-y, and 3-x and 1-y gives 4, 6, and 4 possible sequences respectively. Because of multiple key pressings messing up the heat signature as far as inferring the chronology, almost every single combination would have to be tested.
    So using a simpler, less secure pin code might actually be more secure against the thermal camera hacking described in this article. The obvious cure is to press other keys at random after using the ATM.

  23. Dave · 965 days ago

    Thank's for the information, it is nice to be pre-warned about how the criminal fraternaty are intent on getting their hands on our cash, please keep up the good work and please keep us informed at all times. These warnings alone are a deterant to wouldbe crooks as it means their methods have been rumbled and must make them wonder if this method is worth the bother. I for one in future will use a different method of touching the keypad such as a coin or pen. I have always covered the pad from overhead cameras since being warned so I will now be careful of how I press the keypad too..... Thanks again for the warning

  24. Gerry · 965 days ago

    Re the need for skimmers to get your card: they do not. This type of crime is committed by using separate electronical mechanisms: One that captures your PIN, another to retrieve the info required info from your card's mechanical strip to generate a duplicate your card.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.