Researchers show ATM theft by thermal imaging

Sep 01, 2011 by Nancy Owano report
Image credit: Keaton Mowery

(PhysOrg.com) -- A paper presented at the August USENIX Security Symposium (USENIX Security '11) in San Francisco explains how PINs can be stolen using digital cameras capable of thermal imaging. The paper, "Heat of the Moment: Characterizing the Efficacy of Thermal Camera-Based Attacks," showed that when an ATM customer presses the keys of a personal code, these cameras can read the digits from the residual heat the user's fingertips leave behind.

The research team from the University of California, San Diego, found that their cameras picked up a PIN entered on a keypad more than 80 percent of the time when the image was taken immediately after entry. A minute later, the cameras picked up the digits about half the time. After 90 seconds, the chance of extracting the digits dropped to about 20 percent. They measured these frequencies using custom software that they wrote to automate their analysis.

The noteworthy feature of thermal cameras is that the usual protective measure of shielding the keypad with the hand is ineffective. The PIN is captured regardless. Thermal cameras can bypass hand-shielding techniques.

For the study, 21 volunteers tried out 27 randomly selected PIN numbers in the form of four-digit codes on plastic pads and on brushed metal pads.

Keaton Mowery, a doctoral student in computer science at UCSD, Sarah Meiklejohn and professor Stefan Savage did the research, and they said that the surveillance ploy is possible but is not an easy crime. Although thermal imaging can easily pick up which PIN keys were pressed, the method cannot easily determine the order in which they were pressed. Another hurdle for thieves would be metal keypads, on which the attack is nearly impossible: because of their high conductivity, metal keys do not retain heat long enough for the ploy to work.

The study extends the conversation about keypad entry systems as a security mechanism in a range of applications, such as to access offices in buildings, secure safes, and operate ATMs. In 2005, security guru Michal Zalewski discussed the use of an infrared camera to detect codes punched into a safe with a keypad lock.

The most recent findings have elicited two viewpoints about personal ID thievery. One reaction to the findings is that while thermal cameras can capture the numbers, the effort is impractical and unlikely to represent a major headache for crime fighters. The numbers captured are not in order, metal keypads thwart efforts, and the high-end cameras required cost approximately $18,000. The other point of view is that thieves will in time get smarter and find ways to recover the exact code or “harvest” PIN numbers with the help of the right software.

Consumer Reports recommends using a pen, plastic stylus or other object and not your fingers to press the keypad. The study's researchers said what could work is placing the hand over the entire keypad to warm all the keys.
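
An added example, not from the article or the paper: a defender's estimate of how many four-digit PINs remain possible once the pressed keys are known but their order is not, and how warming extra keys (the countermeasure above) changes that number. The three-attempt lockout and all function names are assumptions made for the illustration.

```python
from itertools import product
from math import comb

PIN_LENGTH = 4      # the study used four-digit codes
LOCKOUT_TRIES = 3   # assumption: wrong-PIN limit before the card is blocked


def residual_keyspace(warm_keys, length=PIN_LENGTH, all_warm_in_pin=True):
    """Count the PINs still consistent with `warm_keys` distinct warm keys.

    all_warm_in_pin=True  -> every warm key belongs to the PIN, so count the
        sequences that use each warm key at least once (inclusion-exclusion
        over the keys left out).
    all_warm_in_pin=False -> some warm keys may be decoys or hand-warmed, so
        any sequence drawn from the warm keys remains possible.
    """
    k = warm_keys
    if not all_warm_in_pin:
        return k ** length
    return sum((-1) ** i * comb(k, i) * (k - i) ** length for i in range(k + 1))


def enumerate_pins(warm_digits, length=PIN_LENGTH):
    """Brute-force cross-check of the closed form for one set of digits."""
    keys = set(warm_digits)
    return ["".join(p) for p in product(sorted(keys), repeat=length)
            if set(p) == keys]


def lockout_risk(keyspace, tries=LOCKOUT_TRIES):
    """Chance that a correct guess lands before the lockout, guessing uniformly."""
    return min(1.0, tries / keyspace)


def report():
    """Residual keyspace and pre-lockout risk for constructed scenarios."""
    scenarios = [
        ("4 warm keys, no decoys", 4, True),
        ("3 warm keys (one digit repeated)", 3, True),
        ("4 PIN keys + 2 decoy presses", 6, False),
        ("whole keypad warmed by hand", 10, False),
    ]
    rows = []
    for label, k, strict in scenarios:
        n = residual_keyspace(k, all_warm_in_pin=strict)
        rows.append((label, n, lockout_risk(n)))
    return rows


if __name__ == "__main__":
    for label, n, risk in report():
        print(f"{label:34s} {n:6d} candidates  {risk:7.2%} before lockout")
```

Warming every key returns the search space to the full 10,000 codes, which is why covering the keypad with the hand works where shielding it from view does not.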

More information: K. Mowery, S. Meiklejohn, and S. Savage "Heat of the Moment: Characterizing the Efficacy of Thermal-Camera Based Attacks" Proceedings of WOOT 2011. August 2011. www.usenix.org/events/woot11/t… nal_files/Mowery.pdf

User comments : 23

xamien
5 / 5 (2) Sep 01, 2011
"Irregardless" is not a word! Just "regardless" works perfectly fine!
electric
5 / 5 (2) Sep 01, 2011
"The PIN is captured irregardless."

Irregardless isn't a word.

Is it just me, or is grammar and spelling in general really declining?
antialias_physorg
5 / 5 (2) Sep 01, 2011
ATM theft by thermal imaging

Now that is clever. And here's an idea how to make it a lot cheaper and less obvious than with a thermal imaging camera:

After the person has left walk over and place a pad with 9 electric thermometer units over the keypad. Something like this could probably be built for under 20 dollars and be sensitive enough to get a good reading in a few seconds.

Yes, you'll still not have the exact number sequence but you'll have the numbers. And from then on there are only 24 combinations left to try (since you can try 2 per day that should give you a correct hit, on average, after 6 days. Or if you like to have your cash immediately that would, at 3 tries until your card gets revoked, give you a successful hit for every 8th PIN you swipe. More often if any of the numbers repeat)
antialias_physorg
5 / 5 (2) Sep 01, 2011
With a bit of finesse for the algorithm you can probably reduce the number of tries even further, since the first number you press should cool down faster than the last number. In the picture above that doesn't give you the exact sequence but in both examples the 'later' numbers are, on average, 'hotter' than the numbers at the beginning of the sequence.

Listing the sequence of 4 digit numbers in order of probability (coldest to hottest) with subsequent sequences substituting digits based on magnitude of temperature differential between them this should be able to cut down the number of average tries needed by half if not more.
Nikola
not rated yet Sep 01, 2011
I think I saw something similar on MacGyver in the 1980s.
DrEvilBetty
1.5 / 5 (2) Sep 01, 2011
This would be great for finding the pin for a door or other entry secured with a key pad but there is still a major problem with this at an ATM... you have to have the CARD that the last person used. You can punch in pin numbers all day on an ATM but without the card it goes with you're SOL.

And, if you are criminal enough to steal the card from someone I would imagine you are bad enough to make them just tell you the number.
antialias_physorg
5 / 5 (1) Sep 01, 2011
you have to have the CARD that the last person used.

Nope. All you have to have is the magnetic code on the card and then make a copy on a blank card.

There are very simple ways to swipe the code. The cheapest way I've seen uses the head of an old cassette recorder mounted inside the slit and transmitting the generated 'sounds' to a receiver which can be on the other side of the road.

The whole setup is as flat as a postage stamp and completely unobtrusive (you don't even need to mount a fake front to the ATM - just stick it to the inside of the card slot)

This is why some ATMs have started to
a) have transparent plastic covers in unusual shapes (so that you see any extra devices and can't easily manufacture a fake front)
b) Erratically draw your card in so that you don't get a linear reading on the magnetic strip (this, however, can be overcome with a bit of programming)
c) incorporate additional chips on the card (but I think these have already been broken, too)
210
1 / 5 (2) Sep 01, 2011
"The PIN is captured irregardless."

Irregardless isn't a word.

Is it just me, or is grammar and spelling in general really declining?

OH MY! HOW TERRIBLE!!!!!!
......did you get the point of the article, by chance....maybe...hummmm?
(just doing some scientific research on the advancing boiling point of our elite grammar and syntax posting monitors and their genetics in the internet age...!)
word-to-ya-muthas
210
1 / 5 (4) Sep 01, 2011
ATM theft by thermal imaging

Now that is clever. And here's an idea how to make it a lot cheaper and less obvious than with a thermal imaging camera:
After the person has left walk over and place a pad with 9 electric thermometer units over the keypad. Something like this could probably be built for under 20 dollars and be sensitive enough to get a good reading in a few seconds.
Yes, you'll still not have the exact number sequence but you'll have the numbers. And from then on

How criminally ingenious you are...now, this thermal thing is only 20% effective after 90 seconds. I can't do my transaction that fast! SO once I am finished, I have entered my pin AND MADE SEVERAL SUPERFLUOUS SELECTIONS...I will be certain, just for u..to LEAN ON THE KEY PAD with my butt so that you can get a thermal image of what I want u 2 kiss...as D cops haul u off 2 jail..where u become some man's boyfriend. I can see the headlines, BUTT GLOW CATCHES BAD ASS!

word-to-ya-muthas

antialias_physorg
not rated yet Sep 01, 2011
90 seconds is longer than you might think (if you just do a withdrawal you're gone from an ATM about 30 seconds after you enter the PIN).

But the current trick seems to be to attach a small camera unobtrusively above the keypad or on the ceiling/wall close to the ATM. This is why you are instructed to shield your hand when you enter your PIN. But since you don't shield it after you've entered your pin a thermal camera could (if placed correctly) read your pin even while you are still busy conducting your withdrawal.

Best one I've seen was reported from a black hat conference. Someone just set up a complete fake ATM in the lobby of the conference hotel. Nabbed quite a few number of PINs and bar codes before it was discovered that it wasn't legit.

How criminally ingenious you are...
If I can think of this stuff in 5 minutes then others can, too. This is why I deal in cash. Only. Cards aren't safe.
Roj
not rated yet Sep 01, 2011
This is why I deal in cash. Only. Cards aren't safe.
Wonder if "Cash Back" purchases are any safer at local retailers?
Husky
not rated yet Sep 01, 2011
clever, but I don't think you even need an industrial strength IR camera, one could put very tiny drops of a gel like substance on the keys (tiny enough to go unnoticed for the unsuspicious eye/touch) and as the next in line you just check with a cheap magnifying glass which keys are still sprinkled/undisturbed), would also work with fluorescent powder and you have these pocket blacklights to see what powder got disturbed.
TheGhostofOtto1923
1 / 5 (1) Sep 01, 2011
I have entered my pin AND MADE SEVERAL SUPERFLUOUS SELECTIONS
This is a good idea anyways - I do this under my hand in case I am being surveilled.

Oh and 'u' is not a word.
If I can think of this stuff in 5 minutes then others can, too. This is why I deal in cash. Only. Cards aren't safe.
I had a few 100 dollars charged to my visa last spring. The only thing I was charged was $20 for a new #.

However a few years ago I found $135 in cash on the floor at the mall. Cash is not safe.
Msean1941
not rated yet Sep 01, 2011
Are we now refudiating irregardless? Oh gawd! My spell checker took "irregardless". I'm glad I'm on my way out.
dmia5
not rated yet Sep 01, 2011
To thwart such an attempt, touch two or three extra numbers.
LightI3ulb
not rated yet Sep 01, 2011
I suppose if banks wanted a comical fix for this, they could just heat the entire keypad.
macsglen
not rated yet Sep 02, 2011
1) push the buttons with something other than your fingers (key, pen, etc.)

2) rest your hand on ALL the keys (either before or after entering the number)

3) loiter for a moment (and a half)

4) pretend you're OCD and wipe the keys all off with an alcohol pad, both before and after use (may not be a bad idea, actually)

5) wear gloves
antialias_physorg
not rated yet Sep 02, 2011
clever, but I don't think you even need an industrial strength IR camera, one could put very tiny drops of a gel like substance on the keys (tiny enough to go unnoticed for the unsuspicious eye/touch) and as the next in line you just check

The problem with this (and my idea of using thermo-sensors) is that you actually need to be at the machine to record the PIN. Most all ATMs are fitted with cameras (notice the green LEDs that are mostly mounted at the head of the machine. They light your face up. In the middle is a pin camera. ATMs at a bank will probably be surveilled by additional cameras) so it will be easy to trace back who was next in line.

The bank just has to check all the pictures of transactions before the card is used fraudulently. This will give them a number of mugshots of people next in line. Now they check if these shots match those of people next in line of others whose card details have been stolen.

Hand found matches over to the police. Game over.
iiibogdan
not rated yet Sep 03, 2011
lol...this was used in the video game "splinter cell"
http://www.visual...a/36.jpg
Isaacsname
not rated yet Sep 03, 2011
ATM theft by thermal imaging

Now that is clever. And here's an idea how to make it a lot cheaper and less obvious than with a thermal imaging camera:

After the person has left walk over and place a pad with 9 electric thermometer units over the keypad. Something like this could probably be built for under 20 dollars and be sensitive enough to get a good reading in a few seconds.

Yes, you'll still not have the exact number sequence but you'll have the numbers. And from then on there are only 24 combinations left to try (since you can try 2 per day that should give you a correct hit, on average, after 6 days. Or if you like to have your cash immediately that would, at 3 tries until your card gets revoked, give you a successful hit for every 8th PIN you swipe. More often if any of the numbers repeat)

Pin pad overlays are already much simpler, and wireless to boot.
TheGhostofOtto1923
1 / 5 (1) Sep 04, 2011
The bank just has to check all the pictures of transactions before the card is used fraudulently. This will give them a number of mugshots of people next in line. Now they check if these shots match those of people next in line of others whose card details have been stolen.
That's why people who steal out of ATMs typically wear disguises. Game back on.
bugmenot23
not rated yet Sep 04, 2011
"The PIN is captured irregardless."

Irregardless isn't a word.

Is it just me, or is grammar and spelling in general really declining?

It's just you.
bugmenot23
not rated yet Sep 05, 2011
I have entered my pin AND MADE SEVERAL SUPERFLUOUS SELECTIONS
This is a good idea anyways - I do this under my hand in case I am being surveilled.

Oh and 'u' is not a word.
If I can think of this stuff in 5 minutes then others can, too. This is why I deal in cash. Only. Cards aren't safe.
I had a few 100 dollars charged to my visa last spring. The only thing I was charged was $20 for a new #.

However a few years ago I found $135 in cash on the floor at the mall. Cash is not safe.


It's safe if you're not an idiot and lose it.
