Security The Almighty Buck

Credit Card PINs Can Be Guessed Even When Covering the ATM Pad (bleepingcomputer.com) 58

An anonymous reader quotes a report from BleepingComputer: Researchers have proven it's possible to train a special-purpose deep-learning algorithm that can guess 4-digit card PINs 41% of the time, even if the victim is covering the pad with their hands. The attack requires the setting up of a replica of the target ATM because training the algorithm for the specific dimensions and key spacing of the different PIN pads is crucially important. Next, the machine-learning model is trained to recognize pad presses and assign specific probabilities on a set of guesses, using video of people typing PINs on the ATM pad.

For the experiment, the researchers collected 5,800 videos of 58 different people of diverse demographics, entering 4-digit and 5-digit PINs. The machine that ran the prediction model was a Xeon E5-2670 with 128 GB of RAM and three Tesla K20m with 5GB of RAM each. By using three tries, which is typically the maximum allowed number of attempts before the card is withheld, the researchers reconstructed the correct sequence for 5-digit PINs 30% of the time, and reached 41% for 4-digit PINs. The model can exclude keys based on the non-typing hand coverage, and deduces the pressed digits from the movements of the other hand by evaluating the topological distance between two keys. The placement of the camera which captures the tries plays a key role, especially if recording left or right-handed individuals. Concealing a pinhole camera at the top of the ATM was determined to be the best approach for the attacker. If the camera is capable of capturing audio too, the model could also use pressing sound feedback which is slightly different for each digit, thus making the predictions a lot more accurate.

This discussion has been archived. No new comments can be posted.

  • ...has come to be.
  • ...at least for the US: Change to 6-digit PINs, and the probability of success will go down.

    • by dohzer ( 867770 )

      Not if people still use 111 111 or 123 456 for their pins.

      • by gweihir ( 88907 )

        Not if people still use 111 111 or 123 456 for their pins.

        You have user-selected pin codes? Incredible.

        • "You have user-selected pin codes?"

          I have 2 bank accounts and both allowed me to select my code. I believe there are rules where they don't let it be 1111, 1234, or similar. If they didn't let people do this, many would write the "random" code on the back with a sharpie causing it to be less secure.

      • by syn3rg ( 530741 )
        That's amazing. I've got the same combination on my luggage.
    • It doesn't matter, if they're getting sound and video they can have a 100% success rate with any length of password [newscientist.com].

      The only thing of interest here is that they've used a neural network to do some kind of gesture recognition. Maybe that will lead to some other discovery. It's not practical in any way.

      • by gweihir ( 88907 )

        It doesn't matter, if they're getting sound and video they can have a 100% success rate with any length of password [newscientist.com].

        The only thing of interest here is that they've used a neural network to do some kind of gesture recognition. Maybe that will lead to some other discovery. It's not practical in any way.

        No. The rate of recognizing keyboard keystrokes for ordinary keyboards is not that good. Something like 50% on average was the last I heard. For non-random input, that can usually be gotten up to 100%, but for random input it cannot. And an ATM keyboard will have far less distinctive sounds and no typing rhythm to latch on either.

        • I believe that I recall a paper claiming that considerable information could be gained with a thermal imaging camera looking at the PIN pad after the user walked away.
          • by gweihir ( 88907 )

            I believe that I recall a paper claiming that considerable information could be gained with a thermal imaging camera looking at the PIN pad after the user walked away.

            That was a blog-posting, as far as I remember. And yes, that approach seems to work pretty well.

    • by Shaeun ( 1867894 )
      We used to have the ability to have pin codes of any length. then "for our own protection" it was reduced to 4... Seems utterly brilliant at this point.
    • by gweihir ( 88907 )

      You do not have 6 digit pin codes? The mind boggles.

    • Even better would be moving to NFC style payment systems. For example, for an attacker to get a transaction done via GPay/Samsung Pay/Apple Pay, as well as the PIN, it is a lot harder than just skimming a card.
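Several comments above touch on PIN policy: the move to 6-digit PINs, and the rules some banks apply so a customer cannot pick 1111, 1234 "or similar". The following Python is an added example written for this page, not code from Slashdot, BleepingComputer or the researchers; it shows what such a rule set looks like in practice, including length bounds, a denylist, and pattern checks for repeated digits, sequences, two-digit cycles and year-like values. The denylist contents and the 1900..2030 "year" window are assumptions made for the example.

```python
import re
from typing import Optional

# Constructed denylist of PINs of the kind the comments call obviously weak
# ("1111, 1234, or similar"). It is illustrative for this example only, not a
# list taken from the page or from any bank's policy.
DENYLIST = {
    "1234", "1111", "0000", "1212", "7777", "1004", "2000", "4444", "2222", "6969",
    "123456", "111111", "000000", "121212", "654321", "112233",
}


def _repeated(pin: str) -> bool:
    # 1111, 000000: one digit repeated for the whole PIN
    return len(set(pin)) == 1


def _sequential(pin: str) -> bool:
    # 1234, 7890, 9876, 0987: every step is +1, or every step is -1 (mod 10)
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    return steps == {1} or steps == {9}


def _two_digit_cycle(pin: str) -> bool:
    # 2323, 121212, 12121: the first two digits repeated to fill the PIN
    return len(pin) >= 4 and (pin[:2] * len(pin))[: len(pin)] == pin


def _year_like(pin: str) -> bool:
    # Four-digit PINs that read as a plausible birth or recent year.
    # The 1900..2030 window is an assumption chosen for this example.
    return len(pin) == 4 and 1900 <= int(pin) <= 2030


def check_pin(pin: str, min_len: int = 4, max_len: int = 6) -> Optional[str]:
    """Return None if the PIN passes the policy, otherwise a short rejection reason."""
    if not re.fullmatch(r"[0-9]+", pin):
        return "not all digits"
    if not min_len <= len(pin) <= max_len:
        return f"length must be {min_len}-{max_len} digits"
    if pin in DENYLIST:
        return "on the denylist"
    if _repeated(pin):
        return "single repeated digit"
    if _sequential(pin):
        return "ascending or descending sequence"
    if _two_digit_cycle(pin):
        return "two-digit pattern repeated"
    if _year_like(pin):
        return "looks like a year"
    return None


if __name__ == "__main__":
    # Constructed candidates covering each rule plus two acceptable PINs
    for candidate in ["1234", "1111", "9876", "2323", "1985", "8305", "472913", "12a4", "123"]:
        print(candidate, "->", check_pin(candidate) or "accepted")
```

The checks run cheapest-first and return the first reason found, so a caller can show the user why a choice was refused. Note that the rules only remove the most guessable choices; they do nothing against the camera-based recovery the article describes, which is why length (the 6-digit point made above) and keypad design matter separately.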

  • by MDMurphy ( 208495 ) on Monday October 18, 2021 @06:08PM (#61904769)
    Many, many years ago I worked at a high-security location that had keypads in addition to an ID card to enter. The digits on the keypad changed location, so your movement when typing was different each time, making capture more difficult. Of course, it meant you had to think about your entry code with no muscle memory to guide you.
    • Yep. This will prevent people from forgetting their PIN by "muscle-memory knowledge" and make it less likely to recover PINs from fixed button latent fingerprints and hand motions.

    • Many, many years ago I worked at a high-security location that had keypads in addition to an ID card to enter. The digits on the keypad changed location, so your movement when typing was different each time, making capture more difficult. Of course, it meant you had to think about your entry code with no muscle memory to guide you.

      This is an old low tech way to throw off an observer, I mean you could add another row of five buttons to the design. It comes down to which one would you rather foist on umpteen million ATM customers... neither.

      It works like you're fingering the bottom of your car's cup holder.
      https://military-locks.ecrater... [ecrater.com]

    • by antdude ( 79039 )

      Oh boy, usability and experience won't be fun for users.

    • Many, many years ago I worked at a high-security location that had keypads in addition to an ID card to enter. The digits on the keypad changed location, so your movement when typing was different each time, making capture more difficult. Of course, it meant you had to think about your entry code with no muscle memory to guide you.

      Came here to say the exact same thing. Had approximately 10 seconds to punch in a 6-digit PIN, as you were being weighed on a scale, while locked in a man-trap. This was tech from almost 30 years ago.

      All that said, when I can walk into a WalMart today and buy upwards of $35 - 40 worth of merchandise and the damn register doesn't even prompt me for a PIN, we have a far larger problem when it comes to preventing this kind of crime. Gain access to someone's card, and the system enables rampant fraud due to

    • I worked at a facility with the scrambling num pad too (funny how you realize how important muscle memory is when those numbers get rearranged), and I also had a panic code. If I thought I was being followed or someone was watching, I could punch in the panic code and loads of security would appear within seconds. Never had to use it, but always wanted to try and time the security response.

      Back on topic, I would be in support of a scrambling, silent, covered num pad on atms. That's all old school tech that

  • Fake some presses (Score:5, Interesting)

    by syntap ( 242090 ) on Monday October 18, 2021 @06:25PM (#61904819)

    I cover when keying a pin, but also try to throw in one or two fake presses.

    • I do that too. I also use two hands sometimes.

    • by AmiMoJo ( 196126 )

      I just don't use PINs anymore. Or at least extremely rarely. 99% of payments are made on my phone, which requires my fingerprint. Hardly ever withdraw cash either.

      The keypads are probably covered in COVID anyway, really don't want to touch them.

  • The AI learned to just always guess "1234".
  • by Fly Swatter ( 30498 ) on Monday October 18, 2021 @06:26PM (#61904827) Homepage
    Use a different finger for each number. And don't use your fingers in order either.
    • by hawk ( 1151 )

      and don't key in the numbers the same way each time, either: this not only makes it harder on the observer, but has the added benefit of reducing the amount taken from your account each month!

  • pin number length is variable with the max being 7 digits.
  • Just swap your fingers in an unpredictable way. Don't press same number with same finger. Etc.
  • If the elbow or wrist moves, then you are doing it wrong. Cover the key pad with left hand, rest the heel of your palm on the bottom of the keypad. No movement of wrist or any part above.
  • It's an old trick - when someone is writing with a pen or pencil, you can read what they're writing as they do so, with practice.

  • I'm not sure whether the series of photos they have is merely for illustration, but personally I wouldn't consider what they're showing to be covering the pin pad. Probably an issue for this study is that ethically people can't use their own PINs so they must be using something they don't normally enter which would be harder.
  • Places in Asia have been using 6-digit pins since, like, forever.

    Not only that, there are ATMs experimenting with alternate login approaches, such as
    - some kind of finger blood vessels scan using the middle section of your finger (not the usual fingerprint),
    - mobile phone NFC (you login to your bank app then enter how much you want, then put your phone on the ATM NFC pad and the ATM gives you the cash, you don't even need your ATM card)

    On top of that, cashless is the way to go so people have even less ne

    • Why is the US still stuck with 4 digit PIN?

      Because you're thinking of a figment of your imagination rather than a real country. I live in the real US and have six and eight digit PINs. While some people in the US may use 4 digit PINs, it is not because the US is stuck with them, it's just because specific people aren't as worried about it as you are.

      It is possible that some US banks might limit people to 4 digit ATM PINs, but people in the US are free to choose a different bank if the one they're currently using doesn't support longer PINs. There ar

  • The keypad needs to be a touch screen and the numbers have to be assigned random positions for every use. You can't re-use a one-time key pattern.

    • The keypad needs to be a touch screen and the numbers have to be assigned random positions for every use. You can't re-use a one-time key pattern.

      How will that protect against a camera recording the keypad? And PIN entry will be very slow, making it easier for shoulder surfers.

      People with poor vision will surely appreciate that solution.

    • The keypad needs to be a touch screen and the numbers have to be assigned random positions for every use. You can't re-use a one-time key pattern.

      How is that a solution? You wouldn't be able to enter your PIN without looking at the screen and therefore you couldn't cover it with your hand in the first place (I actually hide the pad with my wallet as I think it provides more cover). Also, as hankwang points out it is no use for the blind and partially sighted.

      Here in the UK, some shops have started to deploy chip and PIN terminals with a touch screen (but without moving numbers). Because you can't feel the keys they are almost impossible to use
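The scrambled-keypad idea comes up in two threads above (the high-security site with shifting digits, and the touch-screen proposal), along with the objection that a camera which also records the screen learns the layout and gains nothing from the scrambling. The Python below is an added example for this page, not code from the researchers or any ATM vendor; it models the observer's two situations (hand positions only, or positions plus the displayed layout) and measures how often the exact PIN is recovered under a fixed layout versus a per-session shuffle. The keypad is simplified to ten positions with no layout geometry, and the session count and seed are arbitrary choices for the simulation.

```python
import random

DIGITS = "0123456789"


def fixed_layout() -> list:
    # Position i always carries digit i: a stand-in for the familiar fixed pad
    return list(DIGITS)


def scrambled_layout(rng: random.Random) -> list:
    # A fresh random assignment of digits to key positions for one session
    layout = list(DIGITS)
    rng.shuffle(layout)
    return layout


def observed_positions(pin: str, layout: list) -> list:
    # What a camera watching the hand (not the screen) captures: which key
    # position was pressed, not the digit printed on it
    return [layout.index(d) for d in pin]


def recover_pin(positions: list, assumed_layout: list) -> str:
    # The observer maps positions back to digits using the layout they believe was shown
    return "".join(assumed_layout[p] for p in positions)


def recovery_rate(pin: str, sessions: int, scramble: bool, sees_screen: bool,
                  seed: int = 1) -> float:
    """Fraction of sessions in which position-based observation yields the exact PIN."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(sessions):
        layout = scrambled_layout(rng) if scramble else fixed_layout()
        seen = observed_positions(pin, layout)
        # With the screen in view the observer knows the real layout; otherwise
        # the best they can do is assume the standard one
        assumed = layout if sees_screen else fixed_layout()
        hits += recover_pin(seen, assumed) == pin
    return hits / sessions


def chance_from_positions_only(pin: str) -> float:
    """Exact probability that the standard-layout assumption is right for a random shuffle.

    Only the k distinct digits in the PIN need to land on the right positions,
    so the chance is 1 / (10 * 9 * ... * (10 - k + 1)).
    """
    k = len(set(pin))
    prob = 1.0
    for i in range(k):
        prob /= (10 - i)
    return prob


if __name__ == "__main__":
    pin = "4829"  # constructed sample PIN
    print("fixed pad, hand only    :", recovery_rate(pin, 500, scramble=False, sees_screen=False))
    print("scrambled, screen seen  :", recovery_rate(pin, 500, scramble=True, sees_screen=True))
    print("scrambled, hand only    :", recovery_rate(pin, 500, scramble=True, sees_screen=False))
    print("exact chance, hand only :", chance_from_positions_only(pin))
```

Two caveats the simulation makes visible: the shuffle only helps when the screen is hidden from the camera, and even then the position pattern still reveals which digits repeat (a PIN like 4848 shows as two positions pressed twice), which is why `chance_from_positions_only` depends on the number of distinct digits rather than the length.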

  • A $5 wrench will get a 4 digit password out of 99% of people.
  • . . . your fingers - YOU'RE DOING IT WRONG !

    Use cash. Get your cash from an indoor bank ATM.

    Stop deluding yourself that covering your fingers helps in any way.

  • Americans in this thread are thinking of ATMs in considering this problem, but it's even more relevant for European shoppers and diners. The waitperson brings a credit card reader to your table, where you insert your card and, if you bank in Europe, type in a PIN. Because your PIN entry takes place in front of everybody, it is much easier to surreptitiously capture on video than at a professionally secured and serviced ATM.

    Suddenly that widely snickered at American convention of chip and sign doesn't look a

  • Maybe two dumb questions:

    1) if you mount a camera right above, what's keeping you from putting a camera in a position that can see under the hand? Like just over the shoulder?

    2) what fraction of people use their other hand to cover the pad? Maybe half at most? Why not just put that camera in and wait for the unsuspecting atm user that doesn't cover the pad? Relatedly, most atms I go to these days have a shroud around the numpad. How well does this work with those fixed shrouds?

  • I was most surprised by this line:

    If the camera is capable of capturing audio too, the model could also use pressing sound feedback which is slightly different for each digit, thus making the predictions a lot more accurate.

    Okay, I'm bad at recognizing pitch, so all of the keys sound the same to me. However, this is basic stuff. Each key having a different sound is obviously a massive security flaw. I would think that would be a major requirement for ATM manufacturers.

  • Way back in the mid 90s, there was an office building in Irvine, CA that had keypad access to the parking garage. The keys were individual displays and the numbers on them changed each time it was used so no pattern or fingerprint residue could be used to hack it.

  • Many commenters here go to extraordinary efforts to minimize the opportunity for a thief to steal a few hundred dollars (which the bank will refund). I've had a few illegal transactions on my accounts over the last 20 years. Once noticed, I notified my bank and had the money back in my account in days.

    I don't want to get ripped off either, but it seems many people here have a paranoia level set to 11 and spend an inordinate amount of time and effort to prevent a temporary inconvenience.
