How To Steal ATM PINs With a Thermal Camera

An anonymous reader writes "Researchers from UCSD have demonstrated how thermal imagery cameras can be used to steal customers' PINs (PDF) when you withdraw cash from ATMs. Their paper, entitled 'Heat of the Moment: Characterizing the Efficacy of Thermal Camera-Based Attacks', (PDF) discovered that plastic PIN pads were the best for retaining heat signatures showing which numbers (and in which order) were used by bank customers. Fortunately the methodology does not appear to have been used by criminals yet, but a third of people surveyed admit that they do not check ATMs for tampering before withdrawing cash."

Oh Sure, Academia Accepts THAT Paper

[eldavojohn]

Their paper, entitled 'Heat of the Moment: Characterizing the Efcacy of Thermal Camera-Based Attacks' ...

Oh sure everybody wants to show how easy it is to steal everyone else's PIN but when you release a paper detailing how to do it with X-rays and guarantee the target develops cancer and dies within a month leaving their account ripe for unnoticed pilfering then you've "gone too far"!

Re:Oh Sure, Academia Accepts THAT Paper

[Anonymous Coward]

And don't ever use Gamma Rays, you don't want the Hulk chasing you after you've pilfered his bank account.

Re:

[sycodon]

Fortunately the methodology does not appear to have been used by criminals ye

But they'll be sure to get on it right away now that they have been clued in.

Re:

[fuzzyfuzzyfungus]

Based on the relative costs(and sizes) of the existing visible-spectrum-camera-hidden-on-the-ATM technology and the available thermal imaging gear, I'm somewhat inclined to doubt any significant uptake.

Even if you go fleabaying, a thermal imaging system up to the task will easily be north of $1,000, and the cheap seats are often rather bulky and don't exactly sip power. If you go with something handheld, the fact that many of them look very much unlike normal digital cameras will make you stand out a goo

Re:

[Eponymous Hero]

no, there will be a smartphone app for it soon.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[gorzek]

Where do you live, Mogadishu?

Touch typing defense

[rwa2]

Hmm, I knew there was a reason that I rested all of my fingers uniformly across the keypad, gently caressing their every ridge and facet as I discreetly pumped out my digits into their PIN pad. Well, another reason, at least.

Also I try to think about a completely different song than the one that corresponds to the letters that correspond to the numbers of my PIN, just to thwart any brainwave phreaking attacks as well.

But still hoping we score some decent security measures out of this, like maybe a bank-issued gold card or something.

Re:Touch typing defense

[Herkum01]

I rested all of my fingers uniformly across the keypad, gently caressing their every ridge and facet as I discreetly pumped out my digits

Have you considered a career writing Harlequin novels?

Re:

[cyberchondriac]

or, after you've put in your PIN and gotten your money or whatever, press a few more random keys.

Re:Touch typing defense

[nedlohs]

Just set the keypad on fire.

Re:

[idontgno]

I say we take off and nuke the site from across the street. It's the only way to be sure.

-- Security Engineering Officer Ellen Ripley

Re:

[franoreilly]

Makes sense. Even though I cover my typing hand with my other hand, I always add a few more fake keypresses so that any camera can't make a rough guess, judging by the quadrant of the image showing slight movement, which key was actually pressed. So now I have to do this for infra red coverage also. Great.

Re:

[sconeu]

I picked up this habit after working in a classified area with a cipher lock.
After I'd enter the cipher, I'd swipe my fingers over all the buttons to make it harder for a potential bad guy to analyze the wear/fingerprint patterns on the lock.

Re:

[MightyMartian]

I'm not sure whether I just read a method to obscure your PIN number from thermal cameras, or a description of one of your sexual exploits.

Re:

[Bob the Super Hamste]

Sounds like both. He has a thing for ATMs especially when they vibrate when discharging money.

Re:Touch typing defense

[Not_Wiggins]

It looks likely you were mostly joking (so, that makes me feel equally bad about admitting this).
But, when putting in my PIN, I typically rest several fingers on different numbers, move my hand around, and punch my PIN in that way, obscuring what I'm doing (not the typical one finger, one press approach).

For me, it was about making it tough for someone with a video camera set up to watch the ATM to figure out what my PIN is based on finger movement alone.

I suppose to that end, would getting the heat signature really be that superior to having a video camera set up with a telephoto lens?
And if we were ever worried about heat signature, wouldn't simply wearing gloves defeat this "potential attack?"

Seems someone has figured out a complex way of collecting PINs.

Why not set up a loop of wire and, based on the different lengths of connection between electricity that flows from pressed keys to the processor, infer which key is pressed?

Right... it would cost more in time, money, and effort than one could make simply waiting for someone to walk up and rob with a gun.

Re:

[Jah-Wren Ryel]

But, when putting in my PIN, I typically rest several fingers on different numbers, move my hand around, and punch my PIN in that way, obscuring what I'm doing (not the typical one finger, one press approach).

I do it too -- I start at the top row, one finger per button, and then slide my hand down the keypad making contact with every button but only putting pressure on the one button that needs pushing. I repeat the process for each digit but make sure to slide my hand across the entire keypad each time. It didn't take much practice to get good at it, it still takes a little bit longer than just punching the numbers in directly, but not enough to matter.

Re:

[cdrguru]

Right... it would cost more in time, money, and effort than one could make simply waiting for someone to walk up and rob with a gun.

Never forget that any sort of ATM attack is anonymous and impersonal, whereas holding up someone with a gun means you personally are standing there in front of someone with a gun in your hand.

What the Internet has proven beyond a shadow of a doubt is that ordinary people who wouldn't think of shoplifting will go to incredible lengths to steal stuff on the Internet where they are anonymous and the action is impersonal. Someone who would never break into a house in person will break into a computer with impu

Re:

[AmiMoJo]

Seems like a risky thing to do. If you use a cloned card in a shop you will probably be on CCTV. If you use it on the internet then I suppose you can pay for some services (hiding behind a proxy or Tor) but any physical goods need to be delivered to an address. Most people don't have an address they can use to receive their ill-gotten gains.

Re:

[jonbryce]

I think the idea is that after you leave the machine, four[1] of the keys will be glowing. The brightest one is the number you pressed last, and the dimmest is the one you pressed first.

[1] Assuming your PIN is made up of four unique numbers. If your pin contains repeated numbers, I guess it makes it more difficult to determine the order of them.

Re:

[black soap]

48 permutations, assuming 4 known, unique digits. 36 permutations, assuming 3 digits, not knowing which is unique.

Re:

[Ced_Ex]

What about all the other number keys you end up pressing when you define how much money you're depositing or withdrawing?

All this is making the simple task of stealing so complicated. Gypsy kids just hang around the ATM, wait for the withdraw screen to show up, run in, quickly press the auto denomination of the highest value and wait for the money to start spitting out before they grab and dash. Thermal cameras have got nothing on those kids.

Re:

[karnal]

My ATM makes me use the touchscreen after entering the PIN on the number pad; so I guess I'm screwed.

Best way to prevent observers of any type

[gr8_phk]

I visited a company that had keypads on the doors. These pads would randomly arrange the digits with LEDs in the keys every time. It was a bit harder to find the keys you needed because they were always in a different place, but even if someone watched from the side they had a very narrow field of view, and this silly thermal approach wouldn't work either because the numbers went away after the door opened - you might know which keys they pressed, but not which digits.

Re:

[need4mospd]

Hmm, I knew there was a reason that I rested all of my fingers uniformly across the keypad, gently caressing their every ridge and facet as I discreetly pumped out my digits into their PIN pad.

Do you do so while wearing a robe and wizard hat?

Re:

[sam0737]

I usually keep hitting the keypad randomly when it's preparing the cash, for fun. Now that's a reason for me to keep doing it!

Re:

[tom17]

Naaah,
1,2,3,4(5,6,7,8,9,10,11,Twe-ee-e-ee-e-elve!)

Now get back in line.

[suso]

but a third of people surveyed admit that they do not check ATMs for tampering before withdrawing cash.

A person checking an ATM for tampering may look like they are tampering with an ATM. Now get back in line.

Re:

[rwa2]

Word. Not to mention that most ATM skimmers are very difficult to detect, and are often indistinguishable from some of the regular "bling" that an ATM might have adorning their card slot.

But I guess it's worthwhile to attempt to rip it out anyway and see what happens :-P

http://images.google.com/search?q=ATM+skimmer&hl=en&prmd=ivns&tbm=isch&tbo=u&source=univ&sa=X&biw=1270&bih=810 [google.com]

Re:Now get back in line.

[The Moof]

Not to mention that the average person likely has no idea what a card skimmer looks like when compared to the card reader on an ATM.

Re:

[Anonymous Coward]

This is what I was thinking. I actually *do* look for tampering, but even after seeing examples of card skimmers, I have doubts of my own ability to actually detect one.

Re:Now get back in line.

[kevinNCSU]

After looking at the pictures of scanners in this ( Consumerist Security Briefing from Gawker [gawker.com]) I don't think I could tell even if someone put 4 ATM machines in front of me and told me one of them had a skimmer, pick it out. These things fit so perfectly over the card reader it seems near impossible to tell without pulling out a knife and seeing if you can get anything to pop off, and I don't think that'd make most places happy.

Re:

[advocate_one]

I'd have modded you up if /. hadn't changed the stoopid interface yet again and resulted in the moderate button going missing in action...

Re:

[Sabriel]

I spotted only half the skimmers, and missed the cameras. Cunning little monsters. Glad I don't use ATMs often. Thanks for the link.

Re:

[GTRacer]

Am I alone in not using ATMs? I prolly wouldn't know if a skimmer had been installed because I almost never visit ATMs. I mean, in any given year I can count on one hand the number of ATM withfrawals and checks written on one, maybe two hands. I stopped carrying cash years ago and if I truly need some, most of the time a POS cashout is closer than the bank, and doesn't charge a fee.

To be fair, I *do* use the ATM whenever I need to deposit checks, which is rarely enough. All that said, if I saw mysteriou

Re:Now get back in line.

[Joce640k]

but a third of people surveyed admit that they do not check ATMs for tampering before withdrawing cash.

Two thirds of them do? I find that very hard to believe.

Re:

[gorzek]

The key word being "admit." I would suspect at least 90% of people don't actually look for ATM tampering, but in having it brought up are too embarrassed to admit to it.

Nothing is safe

[mfh]

There is no level of applied security that can thwart applied freedom.

Wallet corner defense

[Anonymous Coward]

I use the corner of my wallet to to press the keys, let's see them work with that.

Re:

[mapkinase]

Good idea. Also, stylo of your mobile. Mod the coward up.

Re:

[mapkinase]

I am a proud owner of Samsung i730

http://en.wikipedia.org/wiki/Samsung_SCH-i730 [wikipedia.org]

It is hard to overestimate ubiquitous practicality of a stylus. It's uses vary from direct use and clearing wax from one's ear.

Re:

[Heed00]

*snatch* Got your wallet! *runs away*

Re:

[LighterShadeOfBlack]

Except you already had your wallet out anyway to get to your cash card. And now your card is in the machine and you probably have no cash in it if you're at the ATM, so now they've got a wallet with things the average thief can't make use of, except maybe a condom or two. And given that this guy is posting on /. that condom has probably been there for 5+ years and is no longer effective. In nine months justice will be served. Take that, thief!

Slashdot is advertising thermal imaging cameras...

[kotku]

when I viewed this story. Conflict of interest here?

Re:

[Nadaka]

Google context sensitive advertising at work.

They probably also advertise ski masks on stories about bank robbery.

Splinter Cell...

[neokushan]

They did this in Splinter Cell YEARS ago.

Re:

[wildstoo]

That's the first thing I thought of too. I remember using my Thermal Imaging goggles in Splinter Cell to steal door codes after watching someone else use the keypad.

Did the guys at UCSD play Splinter Cell? Did they thank Ubisoft in their paper? ;)

Re:

[ironjaw33]

They did this in Splinter Cell YEARS ago.

After doing that in game, I remember thinking that there was no way this would really work. I was hoping that Mythbusters would tackle it but it looks like academia beat them to it.

Re:

[Kunedog]

And in Cyberia years before that.

This was done on

[geeza81]

The Real Hustle on BBC3 to open a safe in a jewellery shop. How they got into the jewellery shop was pretty genius too.

Re:

[StillNeedMoreCoffee]

I don't know if that is where I saw that, but yes the technique has appeared in movies (years ago) This is life imitating art.

Easy to Avoid

[tucara]

Just make sure you add a bunch of heat on all the number keys before you leave to mess up their analysis. I recommend urinating on the keypad to get a good even distribution.

Re:

[GameboyRMH]

When I'm typing in my PIN I do a fancy jig with my fingers, and I use my fingernails - admittedly to avoid getting the ick from the ATM on my fingers - but that should help keep the thermal signatures down as well.

Re:Easy to Avoid

[S.O.B.]

Urine is likely cleaner than what you normally find on ATMs. So you're doing a public service by "rinsing off" the keypad.

Re:

[scorp1us]

You joke, but there is a scene in American Treasure II where they fingerprint a keyboard and deduce the password using letters hit and a dictionary attack. One shift or caps-lock key use and it blows the solution space exponentially high.

I am waiting for ATMs to have NFC support. That way, my card and/or phone is needed so that I don't have to even touch that machine.

Re:

[bughunter]

Reminds me of the apocryphal story of the D&D munchkin running a dwarven thief whose dungeon lockpicking strategy is to piss in the lock and then come back in a year or two after the mechanism had corroded...

Re:

[rubycodez]

if you find you can't urinate, rub one out on the keypad

Re:

[rubycodez]

not an issue for me, my microwave is a dependent ("Mike" on 1040A) and so I don't discuss sex life

Thermal imaging? That stuff is fun and expensive..

[Lonewolf666]

Even as a usually law-abiding citizen, I might be tempted to steal that camera thingy if i find it. The fact that it was put there by criminals would greatly reduce my pangs of conscience ;-)

Re:

[Arlet]

The camera wouldn't be near the ATM. Someone behind you in line would take the camera out of their pocket, and take a picture of the keypad you just touched.

So as far as i understood.

[drolli]

Tampering is not needed for taking a thermal photo as the next in line.

secure NFC transactions NOW!

[markhahn]

this is an even better reason we need secure NFC transactions (with your mobile) asap. it's absurd to be typing a by-definition-weak password into an unauditable terminal. why hasn't some bank hasn't noticed that at least early adopters would pay for the privilege of paying securely?

then again, if banks simply secured their terminals, much of the hacked-ATM problem would disappear. yes, toilet-like stalls for each ATM...

Re:

[TubeSteak]

this is an even better reason we need secure NFC transactions (with your mobile) asap.

Near field communication is only as secure as the size and sensitivity of the nearest antenna.
Just because your mobile phone has a weak antenna doesn't mean a malicious actor has to limit himself.

Re:

[Jah-Wren Ryel]

Near field communication is only as secure as the size and sensitivity of the nearest antenna.
Just because your mobile phone has a weak antenna doesn't mean a malicious actor has to limit himself.

Yes, screw NFC - we would be a lot better off with 2D barcodes [wikimedia.org] displayed on the phone and a camera on the POS terminal. If you need 2-way communication (which I doubt is really necessary) then just use the camera on the phone and a small (e-ink?) display on the POS terminal. Bonus in that no new tech on the consumer end is needed, every smart phone currently on the market has all you need to pull it off.

Re:

[AmiMoJo]

True, but accepting card payments is far more risky than simply buying stuff on a stolen card. To get any return you have to provide a bank account for them to pay the money into, and an address to send billing information to.

People have tried this sort of thing in the past with premium rate phone lines. They stole mobile and then set up a rig to dial their premium rate number over and over again. Naturally they were caught pretty quickly once the phone company started getting complaints.

Re:

[rhsanborn]

Because it's a password, and last I checked, banks do not take responsibility for transactions that involved the PIN. They consider it the consumer's responsibility to maintain the secrecy of their PIN, regardless of it's weakness. As a result, the banks have relatively little exposure to PIN based attacks, and therefore have little incentive to spend any money making it more secure.

Re:

[quacking duck]

This is partly why even though my credit card has a chip, it does not have a PIN. The other reason is my issuing bank didn't have the infrastructure set up to handle CC PINs when they started shipping chipped replacement cards out, but considering at least one guy's already been denied a disputed charge because his CC company claims the system is secure and it MUST have been him entering the PIN, I'll just keep signing my CC-paid bills for as long as I can.

Re:

[IamTheRealMike]

it's absurd to be typing a by-definition-weak password into an unauditable terminal.

A hacked terminal isn't enough to break card security, obviously, the whole point is that you need both the card and the PIN. Merely having the PIN isn't enough. Modern cards can't be cloned unless you live somewhere still in the stone age, like the USA ;)

train my cold blooded pet snake

[schlachter]

this is why i need to train my cold blooded pet snack to enter my pin for me!

Re:

[Daetrin]

this is why i need to train my cold blooded pet snack to enter my pin for me!

I would say something about the amount of time wasted by repeatedly training something that's going to be consumed in short order, but i'm more squicked out by the idea of keeping your snacks as pets.

The Efficient Method

[syntap]

Isn't it cheaper to simply mug the ATM user after they are done and take cash while out of sight of the ATM machine's own camera? You'd have to do that anyway to get the card from them. Why get all technical?

Re:

[Lonewolf666]

The common method is using an ATM skimmer to copy the card, and a camera to record typing in of the code. No mugging necessary. Sometimes the keypad is faked too.

Re:

[Kell Bengal]

Except with a card skimmer, you don't - just make a replica card using the captured information and use the observed PIN combination.

Re:

[PPH]

But now you can hit them over the head with the thermal camera.

Re:

[DarthVain]

1) You're limited to the 20$ the tightwad took out.
2) You would have to be able to mug them over and over again until caught
3) Likely the charge is less if you don't actually have to threaten anyone with a knife or gun.
4) You just need the number not the card, but even if you do need it, you can secretly steal it, make a copy and even return it.
5) Its way cooler.

Touch more than 4 digits. Probelm solved.

[MindCrusher]

As I cover my hand to hide the numbers I always touch more than the four digits whenever I input my PIN as I center my hand on the keypad. Most of the time I also fake pressing some digits by keeping my finger onto them. I never thought of the thermal way to recover PIN numbers but I think I am safe.

Re:

[mapkinase]

Or you could have just used the tip of the pen or stylo from your mobile.

What good is the pin?

[ThorGod]

If I'm the only one with the card?

Re:

[srobert]

Well now that we have your PIN we can just knock you over the head and take your card. Before we had to kidnap and torture you to get you to reveal the PIN. This is so much easier. Who says that technology isn't improving our lives?

Re:

[hellkyng]

Because shortly you will not be the only one with the card. As others mentioned there is a skimmer attached somewhere on the ATM. This reads the data contained on the magnetic stripe of your card and records. It may transmit this data via bluteooth to a local attacker, or store it locally. Skimmers usually can contain anywhere from 7-10,000 cards on them roughly.

Once this is accomplished the attacker will then either sell the data online, or begin creating his own fake credit cards. This process involves pu

Was on The Real Hustle a few weeks ago

[DJRikki]

On BBC iPlayer, they did a con involving a safe keypad and a FLIR thermal camera to show the heat on the keypad.

Equipment cooling

[PPH]

I'd never heard of this method of attack until now. But it might explain why some of my bank's ATMs seem to have a high volume of cooling air blasting through any cracks and openings in the machine. Metal keys as well.

There was an article in a recent electronics magazine about building a code entry keypad that scrambles the digit positions between each entry attempt. This would make filming the keyboard difficult if one were to make the digit displays hard to see other than straight on. It would cause prob

Re:

[jfuredy]

Yes, these keypads have been in use for at least 10 years. You press a button to activate the keypad, and it randomly places the digits onto the pad so they're in a different place each time. After you successfully enter your code all of the numbers disappear. It certainly makes it slower to enter your PIN, but it also makes it impossible to surreptitiously determine your PIN.

Re:

[jonbryce]

It also makes it impossible for blind people to enter the PIN, so probably violates Disability Discrimination legislation. Keypads usually have a dimple on the No 5 button, and a blind person can figure out where the other buttons are from that.

Re:

[quacking duck]

Take a page from the iPhone's touchscreen accessibility mode. When you move a finger over an element, it reads it out. Obviously you don't want it read aloud so others can hear, but this would be a good use of most of my bank's ATMs audio-out jack.

Okay yes, then the criminals hack or replace the audio jack with their own. I assume Disability Discrimination laws don't allow fully-abled people to use features disabled ones can't (translation: blind people must be able to access new, more secure features, othe

What about ambient temperature?

[chiph]

Right now in Texas, we're hitting over 104F in the afternoons, several degrees higher than body temperature. Would the buttons be cooled by people touching them?

Re:

[Em Adespoton]

You really have ATMs operating in 104F environments? More likely there's an AC unit right above the thing blasting cold air on it.

Why aren't these things obselete?

[geekmux]

Is it just me, or does anyone else tire over stories of ATM skimming/tampering? I guess my main point here is who the hell still uses an ATM anymore?

It's probably been at least 6 months since I've stepped in front of one. I can withdraw up to $100 at just about any store I go into when I use my debit card(multiple times a day too), and since there seems to be a rather large void of evidence regarding tampering of debit terminals inside stores and banks, the most obvious solution seems to be the answer her

Re:

[Asic Eng]

I think your experience is probably in the US? Being able to get cash back from the store is not unheard of in other countries, but it's a lot less common than in the US. Also card payments are less common in other countries, usually cash is preferred. (On average it's a lot quicker, plus many people prefer not to leave a record of every little purchase they make.)

As for withdrawal fees - my German bank (DKB) lets me withdraw money anywhere in the world using my visa card, and they swallow the withdrawal

Re:

[Worthless_Comments]

Because drug dealers don't take plastic.

Re:

[rubycodez]

I hit up ATMs for -large- amounts of cash at a time ($200 or more) and have anonymous spending money for a couple of weeks

you must be single. Married with children, I can pull $400 out of an ATM and have it gone in days.

Score one for moderate OCD

[Culture20]

I can't stand to touch those PIN pads. Keys or gloves (in winter).

Worse yet, the chip cards

[dontmakemethink]

These cards with 'security chips' are a much greater risk. After entering your PIN, you must wait with the card sticking halfway out of the terminal pad while the transaction proceeds, during which time nobody guards their card. Who needs a heat camera when you can just peep over at someone entering their pin in the grocery line, snag their neatly exposed card, and drain their account at the nearest ATM? You can even yank it before the transaction completes to leave more money in the account! It's one t

Max Headroom

[John Bayko]

When I saw this done on Max Headroom, I was skeptical that it could work. Not because a regular news camera had an "infra-red" mode, I expected that could happen (and some do, just not enough to be heat sensitive yet), but I thought the keys would cool down too fast. Good to know how scientifically accurate a show about a simulated human infecting the world's computer networks was.

Re:

[account_deleted]

Comment removed based on user account deletion

And two thirds of people are liars.

[Anonymous Coward]

"but a third of people surveyed admit that they do not check ATMs for tampering before withdrawing cash"

Yeah, I get it, some of you are typical Internet paranoid freaks who do this, but 99% of people don't. Why? I've never heard of anyone having their pin stolen. Ever. I've never known anyone who had money stolen from a bank account. We know the vast majority of cases of this are identity theft (which isn't pin theft). If someone did steal my PIN, they'd also need my wallet. My wallet was only stolen

If i see

[hesaigo999ca]

If i see someone hunched over the ATM i just finished using, with this thermal camera, guess what I will be doing....
smashing that camera to pieces in front of him.....

Seriously though, I think whether you dust for prints or heat or etc..... there is always a way to find the pin, which is why i subscribe to the new sms identification method gmail/facebook/hotmail uses, they should use that for banks and for credit cards

I type with the back of my nails

[ace37]

I typically type two of the four numbers with the back of my fingernails. It won't help videocameras unless I would try to obfuscate it further, but for any type of fingerprinting, thermal, oil, or other attempts to duplicate my PIN that I've seen on Hollywood movies or CSI, it's hard enough to figure out that the imaginary criminal would probably just jack the next guy instead. Plus it gives my wife something to make fun of if she ever catches it.

But honestly, if you manage to steal a card and get the PIN,

work around

[scharkalvin]

After you are finished with the ATM just press all the buttons on the keypad in random order leaving your finger on each key for a long hard press to really soak up your body heat. Kinda like scrambling the combination on a lock.