Cheap Thermal Imagers Can Steal User PINs

Bismillah writes: A British infosec company has discovered that cheap thermal imaging attachments for smartphones can be used to work out which keys users press on -- for instance -- ATM PIN pads. The thermal imprint last for a minute or longer. That's especially worrying if your PIN takes the form of letters, as do many users' phone-unlock patterns.

Re:

[dryeo]

Actually, the Russians also bought the space pen. No one used pencils in space, since the graphite dust would ruin everything.

Grease pencils, no graphite involved. https://en.wikipedia.org/wiki/... [wikipedia.org]

Re:

[Paradise Pete]

It's the not-as-clever-as-you-think-you-are way to solve problems. Think of something "obvious" and then assume the people actually working on it were too stupid to consider it. Job's done.

Re:

[Geoffrey.landis]

A simpler solution: press more numbers after you press "enter" on the keypad.

Re:

[TeknoHog]

A simpler solution: press more numbers after you press "enter" on the keypad.

I thought this was old news. I usually hold some of my fingers lightly on the unused keys to warm them up without pressing, but this could be even better to keep the heating times equal.

Re:Simple solution

[Tx]

It is old news [slashdot.org] that thermal imaging cameras can be used to steal PINs. What I guess is news is that you can get a $250 phone add-on that's up to the task; I'm pretty sure that wasn't the case until quite recently.

I question the practicality of this technique for ATMs; you still need a clone of the card to use the PIN. And if you're going to install a card skimmer to clone cards, the traditional technique of using a pinhole camera to record the PIN entry works just fine, and probably way more reliable. So I'm not sure what the use-case is for this technique; maybe door-entry systems that only require a PIN, I guess.

Re:

[petermgreen]

I question the practicality of this technique for ATMs; you still need a clone of the card to use the PIN.

Or just steal the card.

Re:

[TeknoHog]

It is old news [slashdot.org] that thermal imaging cameras can be used to steal PINs. What I guess is news is that you can get a $250 phone add-on that's up to the task; I'm pretty sure that wasn't the case until quite recently.

In other old news, a lot of cameras are sensitive to infrared, and they use a blueish filter to limit themselves to the visible spectrum. Removing that and adding another filter for the higher frequencies is a cheap way to convert the phone's own camera for thermal imaging.

Re:

[Cyberax]

It's not that easy. You can't detect infrared without cooling the sensor to temperatures that are below the temperatures you want to measure.

Re:

[Man On Pink Corner]

Interesting assertion. How do radio antennas work, then?

Re: Simple solution

[Cyberax]

They don't detect photons as particles, instead antennae detect the electricity induced by changing electromagnetic field. Anyway, you can check these thermal cameras, they all have a small Peltier cooler.

Re:

[jeffb (2.718)]

They don't detect photons as particles, instead antennae detect the electricity induced by changing electromagnetic field. Anyway, you can check these thermal cameras, they all have a small Peltier cooler.

Nope. As far as I know, none of the sensors that are marketed at sub-five-figure (USD) price points are actively cooled.

Here's a video [youtube.com] showing a teardown of the SeeK Thermal unit. Look, Ma -- no cooler!

Re:

[Man On Pink Corner]

Photons do not work that way.

Re:

[jeffb (2.718)]

Untrue. All cheap contemporary thermal sensors are uncooled, and can measure temperatures well below their own operating temperature.

Think of it this way: each imaging element is exposed to thermal radiation from one small rectangle (pixel) of the overall scene. If the temperature of that part of the scene is higher than the imaging element's temperature, the element will gain energy; if the temperature of that part of the scene is lower than the imaging element's temperature, the element will lose energy,

Re:Simple solution

[jeffb (2.718)]

You're confusing near infrared (700-900nm) with thermal infrared (5000-15000nm). The only way conventional cameras can detect thermal radiation is if the subject is hot enough to glow.

Radio Shack used to sell little cards with a phosphor that, once "charged" with blue light, would fluoresce visibly when it was hit with near-infrared. You could use a glass lens to focus and see a near-infrared image on the card. I was able to adjust the current through a heating element so that it wasn't visibly glowing, but could be seen on the card -- but it was still at a temperature of several hundred degrees C.

To see thermal radiation from something near room or body temperature, you need an entirely different type of sensor. The cheap imagers use "microbolometer arrays", essentially an array of little thermometers with extremely low thermal mass.

IR cameras [Re:Simple solution]

[Geoffrey.landis]

In other old news, a lot of cameras are sensitive to infrared, and they use a blueish filter to limit themselves to the visible spectrum. Removing that and adding another filter for the higher frequencies is a cheap way to convert the phone's own camera for thermal imaging.

Yes to the first part, no to the second.

Most cameras use silicon detectors (because they're cheap). Silicon is sensitive out to about 1 micron wavelength. Humans can't see much past 0.7 microns, so silicon is sensitive to some of the spectrum that's in the infrared... but one micron isn't yet in the thermal infrared, so you won't see heat from stuff that's around 310 K (body temperature) or so with a camera not specifially designed to go farther into the IR.

Re:

[TeknoHog]

Yet another way for the extra paranoid: use a pen or something instead of your fingers. As a bonus, they won't get your fingerprints. But first, cover the area with tinfoil and foam. The latter is important because audible clicks might reveal the keying pattern -- it's been done with computer keyboards to some extent.

Re:

[flappinbooger]

A simpler solution: press more numbers after you press "enter" on the keypad.

I thought this was old news. I usually hold some of my fingers lightly on the unused keys to warm them up without pressing, but this could be even better to keep the heating times equal.

I appreciate the tactics and countermeasures, but seriously, is this really a concern?

really?

Re:

[Mal-2]

A simpler solution: press more numbers after you press "enter" on the keypad.

Or before. Punch in a wrong code, hit clear, then enter the right one. Or both.

Or you could just use a longer PIN like I do. Even if they know what keys I pressed, they don't know what order -- and that's a significant problem when the code could be 4, 5, 6, 7, or 8 digits long. Default PINs are minimum length, but chances are you can choose a longer one.

Re:

[gl4ss]

do you enjoy taking money out of random asian country atm's?

then, no. you're not going to get a longer pin on your card even if your bank allowed it.

which made me wonder how many "letters" can you make with 4 buttons of a 9 pattern anyways? what a bizarre thing to add into the blurb. lowercase J, L , I? seriously what a bizarre thing to add! also I've never encountered anyone using a "letter" pin code on an atm/cc card.

Re:

[Mal-2]

do you enjoy taking money out of random asian country atm's?

then, no. you're not going to get a longer pin on your card even if your bank allowed it.

How onerous is it to use a 5-digit PIN instead of a 4-digit one, especially if you use the same digit twice in a row? Is it really that much harder to enter 11234 than it is to enter 1234? Doing so multiplies the search space for attackers though, completely disproportional to the extra effort for you.

Re: Simple solution

[O('_')O_Bush]

Or do what many games do and randomize the number pad for each user or key press.

Re:

[Paradise Pete]

Or do what many games do and randomize the number pad for each user or key press.

Brought to you by the Department of Making Things Worse.

Re:

[Sardaukar86]

How about simply using your keys to stab at the buttons? You're usually going to have them on you; a pen or stylus or something else may not be.

Random values

[Midnight Thunder]

The simplest solution would probably be to enter a random key sequence before the pass key phase. At that point it would be harder tell which keys were used for the pass key and which were random.

The main advantage is that this can be retrofitted via software fairly easily.

wtf

[retchdog]

Just wipe the screen or keys and then breathe on it, if you're really worried about this (there's very, very little reason to be, really).

With modern oleophobic screens you might not even need to wipe it down.

Re:

[retchdog]

yeah, most people don't bother with shit like that because they correctly don't give a shit about the ridiculous possibility of someone heat-scanning their phone (immediately after they key in their PIN and set it down without pressing anything else) to discover their super-secret address book.

but if you're really concerned, it's easily "defeated".

Re:

[sh0rtie]

different heat intensity, the older the colder, work backwards and you have your order (assuming its a keypad)

Re:

[JSG]

Ah, but I use a palindromic PIN - hah!

Re:

[Gr8Apes]

I use different fingers for each key - now what?

Re:How would they know the order?

[sribe]

They'd have to be watching them physically to know the order. This is bullshit.

4 digits: 10,000 possible combinations. Know the 4? 24 possible orders, in the worst case with no repeated digits. You really don't think that's important, huh?

And that's assuming that the thermal imaging gives no clues about order, which I suspect is actually not true...

Re:

[retchdog]

it's in the article. the devices usually don't have enough bitdepth to resolve order, but they found two s00p@r-s3kr!t ways to do it which they aren't disclosing.

Re: How would they know the order?

[ironicsky]

Except though, how often do you only press the four digits of your pin. When you make a deposit of $10 or more you need to press at least 4 digits, the dollars and cents. So now you've pressed 8 numbers, and someone has to figure out which of the 8 buttons are for the pin #.

After 3 failed attempts the machine eats the card, and if it's retail the cars gets disabled.

So even best case scenario of having 24 combinations, you won't make it past 3 attempts.

Re:

[AmiMoJo]

24 possible orders, 3 attempts before the card is blocked. That's only a 12.5% chance of success. It's not a practical attack for criminals. They will stick to more reliable methods.

Re:

[sribe]

24 possible orders, 3 attempts before the card is blocked. That's only a 12.5% chance of success. It's not a practical attack for criminals. They will stick to more reliable methods.

According to the article, many locks do not have any lockout after any number of failed attempts.

Re:

[U2xhc2hkb3QgU3Vja3M]

My number is 11111, good luck figuring out the exact order.

Re:

[Anonymous Coward]

I press the buttons with my penis. The ensuing hysteria prevents anyone from focusing on the touch screen.

Re:

[harlequinn]

That's called a pleonasm.

Re:

[Bing Tsher E]

How do you concentrate on the rest of the transaction with all the hysterical laughter distracting you?

Not new news

[93 Escort Wagon]

I recall seeing a demo of this probably two years ago. It's easily countervened by placing your fingers on all the keys (without pressing, of course) after you've entered your PIN.

Re:

[ThatsLoseNotLoose]

You don't understand. When you can append "using a cell phone" to any behavior it becomes news all over again.

I'm pretty sure I saw this in the movie National Treasure over 10 years ago - and I doubt Hollywood invented the idea so it's probably decades old.

Re:

[AmiMoJo]

Android has supported randomizing the position of the the numbers on the virtual keypad for years. It's pretty funny watching smug gits who think they can unlock your phone by looking at the smudges on the screen fail.

ATMs could do the same thing. Samsung door entry keypads also have a feature where they require you to press a couple of randomly selected keys to keep wear even, which could easily be extended.

I played that game...

[pushing-robot]

Use the thermal goggles, Fisher. They should allow you to see the heat signatures on the keypads.

Re:

[wardrich86]

the goggles... they do NOTHING!

Not News

[JustAnotherOldGuy]

This has been possible for quite some time now, and is hardly breaking news. The story is so old that the first time it was posted, Slashdot still came on clay tablets.

Seriously?

[Behrooz Amoozad]

I'm sorry but I see like two dozen people giving idiotic ideas and advising against eachothers workarounds. Put the damn phone in your pocket, it will be so hot your fingers simply won't matter.

My ATM is Walmart/Sam's Club

[marciot]

I haven't used an ATM in decades. I simply buy something at Walmart or Sam's Club and get cash back using my Discover card. It's far easier to find a Walmart than your bank's ATM. It's not uncommon for me to walk in to Walmart and walk out with $60 cash and a bag of Lindt chocolates. I even have a name for it, I call it a "truffle withdrawal".

Re:

[DamonHD]

And you think that a retail outlet handles your credentials more securely than a bank/ATM?

Rgds

Damon

Re:

[marciot]

And you think that a retail outlet handles your credentials more securely than a bank/ATM?

Rgds

Damon

Credit cards are pretty good about not making you pay for fraudulent activities.

Re:

[DamonHD]

And you're not paying (heavily) for cash advances on a credit card?

Rgds

Damon

Re:

[DamonHD]

I already gave up flying years ago, and in particular was tired of US surly behaviour towards flying foreigners long before 9/11. Even if it hadn't invented the TSA the USA lost my tourism and in-person business dollars long back.

But in any case, yes, I don't feel the need to give out difficult-to-replace-and-repudiate identifiers, especially those to do with money, to others willy-nilly. Cash still works well for many things. Yes, and I used to be CTO of a credit-card company.. %-P

Also, specifically, cr

Re:

[cfalcon]

I do think that, actually.

I'm not sure of it though. Anyway, here's my reasoning: if I go to a grocery store and punch my PIN in, I'm using a device that a ton of people are using, with witnesses all around pretty much 24/7 (or at least when the store is open- I normally use a 24/7 store). It's not there to begrudgingly service night life and charge some fee, or as an obligation because bankers hours are a joke, it's there to run transaction pretty much full time.

This makes it a tempting target for an at

Re:

[DamonHD]

Banks care all about reputation (nominally) and normal retail cares all about minimising costs.

Thus data breaches, hacked PIN entry pads, etc, are generally a retail phenomenon.

Rgds

Damon

Soooo, hit all the pads

[Snotnose]

Enter your pin, then hit 1-0 on the keypad. Problem solved. I've actually been doing that for a couple years now, don't remember why.

I got this...

[marciot]

I only use the center key and type my PIN in Morse code.

You can also look at wear and tear. ..

[mark-t]

... to notice general trends. Over multiple ATM's in my city, I have concluded that the number 5 is the most frequently used digit on a pin pad. Whether that is enough information to make it easier to crack someone's pin is debatable, but I thought it was interesting.

Get a gun

[Threni]

This only works if someone has your PIN and a gun, and you don't have a gun. If they don't have a gun and that use this to get your PIN and then they tell you to give you your card, you just shoot them in the neck, make an ironic comment about them not needing your PIN, and go home. If they've got a gun and you haven't, then you're giving them the card and PIN anyway. There's like no scenario when you need to breath on the keys, press extra ones etc.

randomize the keyboard layout

[Skapare]

randomize the keyboard layout. i've seen the door keypads at an FBI office which randomize the keypad layout. re-randomizing it after each press could help, too. who says passwords need to be letters and numbers? how about passwords that are a sequence of cat picture?

Re:

[toonces33]

Why not a fingerprint scanner like we have on a variety of smartphones..

Re:

[Whorhay]

Because once your fingerprint is compromised you can't change it to something else. Well that's not exactly true but it is much more difficult to change than a simple pass code. The same is pretty much true for all biometric security systems.

Love the video

[GrumpySteen]

The video shows someone pressing each of the keys firmly for a second or longer so that the keys have time to heat up. Who the hell enters a PIN like that?

Simple remedy

[palion]

My PIN is all ones, but nobody will find out in what order.

breaking: cheap guns can harm users at a distance

[retchdog]

A "security" company has discovered that a cheap, easily available gun can be used to harm or even kill a user at a distance by projecting a small piece of dense metal into the body. The damage has been shown to last a minute or longer.

That's especially worrying if you are ever within the line-of-sight of another human being, as so many users are! Click through for our press release and support our pioneering work.