You probably know to protect yourself when using an ATM. For instance, maybe you cover the keypad so prying eyes and hidden cameras won't catch your personal identification number, or PIN, which unlocks your bank account. But what if data thieves could still pull that data—by simply exploiting how your body works?
At USENIX Security '11, a security conference in San Francisco last week, computer scientists from the University of California in San Diego showed how that might just be possible.
In a research paper titled "Heat of the Moment: Characterizing the Efficacy of Thermal Camera-Based Attacks," the scientists outlined how small infrared cameras and computer software can "steal" someone's PIN.
The cameras, which can be hidden on an ATM, are sensitive enough to pick up trace amounts of body heat left by someone using the machine's keypad. Once the heat traces are recorded, hackers could analyze the thermal signatures using special software to determine which number keys were used in a PIN.
The researchers claim that the software is much more accurate at figuring out the key presses than mere human observation. What's more, the software can even determine the specific order in which plastic ATM keys were pressed—thereby revealing the person's exact PIN long after they've left the machine.
To complete the bank account takeover, hackers would need to install a phony card reader—usually cleverly hidden on top of the ATM's real reader—to scan for the information encoded on a person's ATM card. By matching the time a specific card is used at the ATM with the keypad presses—and thus the thermal prints that reveal the PIN tied to that account—a criminal would then have all the data needed to break into the person's bank account.
Security experts say they're unaware of any digital bank robbers using the technique yet, partly because tiny infrared cameras are still quite pricey. But the research does point out how consumers need to rethink counter-measures to possible ATM threats.
A few safeguards to consider when using an ATM:
- Check for suspicious devices that might have been added on by hackers to capture your information. This would include looking at where your ATM card is inserted as well as inspecting the keypad area for anything that looks out of the ordinary.
- Cover the keypad when entering your PIN.
- Choose an ATM with a metal keypad, which is less prone to retaining thermal signatures.
- Use a pen, a plastic stylus or other object to press the ATM keypad instead of your fingers.
Stealing ATM PINs with thermal cameras [Naked Security Blog from Sophos]
20th USENIX Security Symposium [USENIX]
Heat of the Moment: Characterizing the Efficacy of Thermal Camera-Based Attacks (PDF) [USENIX]