How thermal cameras could steal your PIN at ATMs

Consumer Reports News: August 18, 2011 12:08 PM

You probably know to protect yourself when using an ATM. For instance, maybe you cover the keypad so prying eyes and hidden cameras won't catch your personal identification number, or PIN, which unlocks your bank account. But what if data thieves could still pull that data—by simply exploiting how your body works?

At USENIX Security '11, a security conference in San Francisco last week, computer scientists from the University of California in San Diego showed how that might just be possible.

In a research paper titled "Heat of the Moment: Characterizing the Efficacy of Thermal Camera-Based Attacks," the scientists outlined how small infrared cameras and computer software can "steal" someone's PIN.

The cameras, which can be hidden on an ATM machine, are sensitive enough to pick up trace amounts of body heat left by someone using the machine's keypad. Once recorded, hackers could then analyze the thermal signatures using special software to determine which number keys were used in a PIN.

The researchers claim that the software is much more accurate at figuring out the key presses than mere human observation. What's more, the software can even determine the specific order in which plastic ATM keys were pressed—thereby revealing the person's exact PIN long after they've left the machine.

To complete the bank account takeover, hackers would need to install a phony card reader—usually cleverly hidden on top of the ATM's real reader—to scan for the information encoded on a person's ATM card. By tying the time a specific card is used at the ATM to the keypad presses—and thus the thermal prints that reveal the PIN tied to that account—a criminal would then have all the data needed to break into the person's bank account.

Security experts say they're unaware of any digital bank robbers using the technique yet, partly because tiny infrared cameras are still quite pricey. But the research does point out how consumers need to rethink counter-measures to possible ATM threats.

A few safeguards to consider when using an ATM:

  • Check for suspicious devices that might have been added on by hackers to capture your information. This would include looking at where your ATM card is inserted as well as inspecting the keypad area for anything that looks out of the ordinary.
  • Cover the keypad when entering your PIN.
  • Choose an ATM with a metal keypad, which is less prone to retaining thermal signatures.
  • Use a pen, a plastic stylus or other object to press the ATM keypad instead of your fingers.

Stealing ATM PINs with thermal cameras [Naked Security Blog from Sophos]
20th USENIX Security Symposium [USENIX]
Heat of the Moment: Characterizing the Efficacy of Thermal Camera-Based Attacks (PDF) [USENIX]

Paul Eng
