They won't steal my PIN
Not if I torch the ATM keypad when I've finished with it.
Try recovering my heat signature from that, matey!
A device which can be attached to smartphones is capable of stealing customers' PINs using thermal imaging, UK security consultancy Sec-Tec warns. Thermal imaging equipment – once the sole preserve of only the best-equipped attacker – is now available as a readily available iPhone accessory costing less than £200. The kit …
I'm with you on this one.
It seems to rely on the fact that it can recover the information for up to a minute after I've touched the keypad. Fair enough, but I don't touch the numeric keys just to enter my pin. I also touch them to enter the amount I want to withdraw, so in addition to the PIN there will also be the keys corresponding to the withdrawal amount.
Even if somebody photographed the keys over my shoulder (which I might notice!) immediately after I'd entered my PIN then they only have the four digits - they've still got to get them in the right order within three tries!
FAIL on all counts.
Ah, you're someone who doesn't like fivers? Those of us who do key in a number ending in 5 to, typically, get 3 fivers among the notes. (This doesn't work with all machines, but it certainly works with Tesco, Post Office and many other high street "holes in the wall".) So there are quite a lot of us who routinely key in 6 or 7 numbers.
This threat was revealed as early as 2011, if not before (an example: http://www.dailymail.co.uk/news/article-2027699/Thieves-use-thermal-cameras-steal-ATM-pin-numbers.html), and isn't restricted to ATMs but also chip-n-pin machines.
Since reading about it I've always ensured that I touch all the buttons before and after entering my PIN. OK, yeah, paranoid. OK, yeah, not really enough money at risk either. I'm probably just OCD.
This article seems like just a free way to advertise the availability of a new iThing strap-on.
So the article says that this technique doesn't work on keypads with metal keys. Well fair enough, but I've used a far lower-tech solution to bypass keypads (er, obviously, only to get in to areas where I *should* have had access but didn't have the code to hand...). Just look for the keys that have the slightly greasy residue from people's fingers - far easier, cheaper and lower-tech than thermal imaging cameras!
Slightly OT, but this got me thinking about the PIN that I can set to secure my smartphone. There are a few different security mechanisms (pattern, fingerprint, etc.) as well, but I'm just thinking about the PIN option here.
The phone allows me to select a PIN of my choice, of 4 (no more, no fewer*) digits. A couple of decades ago I had a Nokia brick-ette which allowed me to set a PIN of more than 4 digits (for whatever reason, I settled on a 5-digit PIN which by reckoning is 10 times more secure than what my modern smartphone supports). Even if you know the digits involved, it's a case of 24 versus 120 different combinations.
* I know that wording jars, but it's grammatically correct
Just do what I do : touch all the keys and only press the relevant ones.
It confuses anyone attempting to see your pin and leaves heat traces all over the keypad.
I just wish they would get rid of those ImpossiPush(tm) rubberised keypads that cause people to have to hammer the pad and make their pin really easy to see.
They're common in supermarkets.
Anyone know which thermal imaging camera they used to do this?
Probably not one of the $200 FLIR iPhone dongles, as the thermal sensor in that has a 64x64 resolution. You'd have to be practically touching the keypad to get an image showing which keys were warm, and I doubt it has the thermal resolution to show such subtle temperature differences.
If, as suggested, the sensor is a FLIR camera, its sensitivity is in the range 8 μm to 14 μm.
Flooding the keypad with IR illumination from an infra-red emitting diode wouldn't really help - they tend to have wavelengths around 880 - 950 nm. Even an incandescent lamp's IR only peaks around 1.2 μm, although it tails off fairly slowly to longer wavelengths - there's still some radiant energy at 3 μm.
You might want to consider a nice little infra-red grill above the keypad - at least then, not only could you securely withdraw money from the machine (although asbestos gloves may be required), but you could also cook bacon while doing so.
More of a problem when limited to 4 digits. Once you're beyond that you can start duplicating numbers. Say, for instance, you have a 7-digit PIN. Make sure you've duplicated two of them. So you could have a number like 1233455 (no, I don't have that number on my luggage, or anyplace else for that matter). Even if someone sees you've used the numbers 12345, they (probably) won't be able to see you used "3" and "5" twice. More useful on "smart"phones and tablets where you have smudgy fingerprints.
Would a 4 digit PIN with two repeating digits yield more possible combinations for the cracker to test in this situation than one with four numbers as there's more uncertainty (you wouldn't know which of the three was repeated)?
It would suddenly get a lot easier with two repeated digits (like, as it happens, my wife's PIN) though.
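Added example, not part of any comment in this thread: a count of the PINs that remain possible when an observer learns only which keys were touched, not their order or how many times each was pressed, which is the situation the comments on repeated digits and on 4- versus 5-digit PINs discuss. The function names are hypothetical and the three-try lockout is taken from the comment above.

```python
from itertools import product
from math import comb


def candidates(observed_keys, pin_length):
    """Enumerate every PIN of pin_length digits that uses each observed key
    at least once and no other key (assumption: order and repeat counts
    are unknown to the observer)."""
    keys = set(observed_keys)
    return ["".join(p) for p in product(sorted(keys), repeat=pin_length)
            if set(p) == keys]


def candidate_count(distinct_keys, pin_length):
    """Closed form of the same count by inclusion-exclusion: strings of
    pin_length symbols that use all distinct_keys symbols."""
    return sum((-1) ** j * comb(distinct_keys, j) * (distinct_keys - j) ** pin_length
               for j in range(distinct_keys + 1))


def guess_odds(count, tries=3):
    """Chance that one of `tries` distinct guesses is right before lockout."""
    return min(tries, count) / count


if __name__ == "__main__":
    # Constructed cases: (keys seen, PIN length)
    for keys, length in [("1234", 4), ("123", 4), ("12", 4),
                         ("12345", 5), ("12345", 7)]:
        n = candidate_count(len(set(keys)), length)
        assert n == len(candidates(keys, length))  # brute force agrees
        print(f"{len(set(keys))} keys seen, {length}-digit PIN: "
              f"{n} candidates, {guess_odds(n):.1%} within 3 tries")
```

Under that assumption a 4-digit PIN with one repeated digit leaves more candidates than one with four distinct digits, while a PIN built from only two distinct digits leaves fewer.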
Clean the keypad. Wait for next person to enter the pin. Whip out your Sherlock Holmes equipment consisting of fingerprint powder and fingerprint brush. You are not only going to learn which keys were pressed, you can retrieve his fingerprints too. Additionally you can also retrieve his DNA.
Endless hours of fun follow. Create a fingerprint replica to lock/unlock your own iPhone. Have the DNA analysed for medical conditions etc.
You know - I have a Seek thermal camera for my Android phone and I actually tried this a while ago and it was a flop. The heat differences for normal keypad use just weren't big enough to register. In the video the user presses hard for a prolonged time to get the pad key to heat up. I don't think that's normal use.