Bruce Schneier

 
 

Schneier on Security

A blog covering security and security technology.


August 24, 2011

Stealing ATM PINs with a Thermal Camera

It's easy:

Researchers from UCSD pointed thermal cameras towards plastic ATM PIN pads and metal ATM PIN pads to test how effective they were at stealing PIN numbers. The thermal cams didn't work against metal pads but on plastic pads the success rate of detecting all the digits was 80% after 10 seconds and 60% after 45 seconds. If you think about your average ATM trip, that's a pretty wide window and an embarrassingly high success rate for thieves to take advantage of.

Paper here. More articles.

Posted on August 24, 2011 at 7:13 AM | 45 Comments


Comments

Sadly with Chip & PIN there are better and more practical ways to systematically harvest the PIN (along with other data) using a smartcard skimmer.

http://dev.inversepath.com/download/emv/...

Posted by: Andrea at August 24, 2011 8:05 AM


Anyone feel a need to wear gloves to the ATM?

Posted by: karrde at August 24, 2011 8:10 AM


If you can afford a thermal camera, you're not gonna be real impressed with my bank account, I can tell you that.

Posted by: dagny at August 24, 2011 8:18 AM


So the new rule of thumb is to press every single key after you complete your transaction.

Posted by: Chris Miller at August 24, 2011 8:20 AM


So, learn to rest your off-hand on the keypad while you perform the rest of the transaction? Would that work?

Posted by: Rj at August 24, 2011 8:35 AM


@Rj - my off-hand is usually holding my wallet. But I rest my on-hand on the keypad, rubbing all the keys while waiting for the ATM to authorize.

Posted by: shmuelp at August 24, 2011 8:38 AM


> So the new rule of thumb

That's a pun, right?

I happen to always do that: I rest my hand palm on the entire pad and then fumble the numbers. I didn't do that because of the thermal printing, but because cams won't be able to accurately register what keys I'm typing (I'm a pianist, and I was unconsciously applying the 'soft touch' technique there :)

Too many people seem to be making an effort to dramatically exaggerate the 'hunt & peck' method of typing (indeed, keying) in the PIN. I bet, if you'd just install a face-camera you'd be able to just _lip-read_ the numbers; a fair number of people are so busy concentrating on entering their PIN correctly, they are subconsciously _mouthing_ the PIN along.

Nevertheless, I'm gonna press a fixed number of keys after closing the transaction in the future.

Posted by: Seth at August 24, 2011 8:41 AM


They used this in the video game Splinter Cell 5 years ago when you wanted to follow someone into a secure area. I'm surprised it took this long for someone to investigate the method.

Posted by: bdc at August 24, 2011 9:00 AM


@Seth- I think you're right - while I probably don't always mouth/partially mouth the words, I know I at least sometimes do - if I'm tired, or distracted in particular.

Posted by: Fred P at August 24, 2011 9:09 AM


People actually use their fingers on an ATM keypad?

Posted by: Harmy G at August 24, 2011 9:35 AM


For those of you playing at home with web cams; pop off the lens and remove the infrared filter to allow the camera to capture those sluggard photons.

I don't think a de-filtered web cam is sensitive enough to do this hack, unfortunately. Or... fortunately???

Posted by: Poster of Brucedom Currently Being Tracked by the FBI at August 24, 2011 9:39 AM


Judging from the standard ATM user, it takes them 5 minutes to draw money from the ATM, and then another 5 minutes to put said cash into their wallets/purses. By that time, the keypad will be long cold.

Posted by: TS at August 24, 2011 10:08 AM


I always pour liquid nitrogen over the ATM when I'm done just in case. Although for some reason the ATMs are always faulty in my area so I don't get to use them very often.

Posted by: CH at August 24, 2011 10:13 AM


@bdc

I was thinking the exact same thing. The first splinter cell videogame came out 9 years ago. Operating on the same principle, you had to be fast enough to see the fading of the heat signature.
Still, there probably are a lot of cheaper ways to skim.

@Harmy G

Yup, next time bring along some disinfectant ;)

Posted by: Chris at August 24, 2011 10:33 AM


I suppose one could use a can of hairspray and a bic lighter to heat all the keys to the same temperature after your transaction. If you're feeling helpful it can also be used to tidy up all the receipts left behind by earlier patrons. In addition to ensuring your information security this simple system serves as illumination (flame), a defensive implement (with or without flame), and keeps your hairdo in place all day (without flame).

Posted by: mcb at August 24, 2011 10:36 AM


Egads, people are diabolical! My suggestions for enhanced ATM security:

Cover the keypad with one hand whilst typing the pin with the other.

Maybe type a few extra digits into the keypad after the pin has been accepted.

Loiter at the ATM for at least 2 minutes after using the keypad.

Record all transactions in a spreadsheet the same day you make them, and monitor your bank account daily for suspicious activity. Keep most of your liquid money in a savings account and limit the amount of money available at an ATM.

Limit your visits to the ATM to once a month or less.

Posted by: Terry Traub at August 24, 2011 11:01 AM


Wild guesses and a little math:

thermal camera: $2500
card skimmer: $500
total: $3000
Average take per card: $400
takes to break even: 7.5
attempts at 60% success rate: 12.5

sounds like a day's work would pay off the capital investment.

Posted by: bcs at August 24, 2011 11:07 AM


This attack was used in the first episode of Max Headroom. Not exactly new.

Posted by: alan at August 24, 2011 12:19 PM


"They used this in the video game Splinter Cell 5 years ago when you wanted to follow someone into a secure area. I'm surprised it took this long for someone to investigate the method."

Yeah, that was fun. ;)

"This attack was used in the first episode of Max Headroom. Not exactly new."

Didn't know it was that old. It does prove my mantra that security people keep reinventing the past instead of learning from it and applying it to present and future actions.

Posted by: Nick P at August 24, 2011 1:39 PM


I'm really not impressed by this type of work. Intellectually, it's kind of nifty but the reality is that there are at least a dozen different ways one can get at someone's PIN. PINs are really the easy part. The more difficult part is getting the account number because that is usually limited to just one way: a card skimmer. Card skimmers are easy to spot, if you are looking for one.

Two factor identification only fails when both factors are compromised. IMO rather than fiddling with different keystrokes the better answer is to familiarize yourself with a card skimmer.

Posted by: Daniel at August 24, 2011 2:24 PM


I have a thermal camera (rather a nice one). Contact body heat fades quite quickly from pretty much any surface.

Practically, this is an un-usable attack in my opinion. The PIN is entered early in the transaction, and the customer is most likely still blocking much of the pad from view for a while. Also, if conducting a transaction where the pinpad is used for additional entry (such as withdrawal amount) then this will at least mess up the reading, and the newer heat signature is likely to overload the sensor.

Oh, and a thermal camera might look like a small video camera, so can be used in an airport (for example) without attracting attention. But who will not wonder why the guy behind you in line at the ATM is apparently filming you?

Cute, fun, visually-engaging, but movie-plot (and, video game) impractical.

Posted by: Steven Hoober at August 24, 2011 2:27 PM


I usually curl my index finger into my palm, and use the first "knuckle" (joint) to press the ATM buttons. Assuming that knuckles have fewer blood vessels than fingertips, this will leave a lower amount of "heat residue" on the buttons, in addition to not leaving fingerprints.

I suppose you could also use the tip of a plastic pen to press the buttons, since this would leave little heat residue behind.

Posted by: anon at August 24, 2011 2:53 PM


Terry: "Loiter at the ATM for at least 2 minutes after using the keypad."

Yeah, and I'll cuss you out... :-)

Seriously, this attack is probably not "practical" for the reasons everyone has cited. BUT it's another example of antisec ingenuity which should be noted. And also it's an attack which MIGHT work SOMETIMES depending on specific conditions (no fumbling, right temperature conditions, no one behind the user to block it, etc.)

But given the impracticality, I wouldn't bother using any of the obfuscation techniques cited above. Just play the odds.

Posted by: Richard Steven Hack at August 24, 2011 3:07 PM


@ Daniel,

"Card skimmers are easy to spot, if you are looking for one."

That statement is only true for externally mounted mag stripe readers.

You can buy at quite small cost devices that sit inside of EPos terminals and some shop based ATMs that will read the mag stripe or chip on the card.

In the case of some portable EPos terminals (that you see in restaurants) for mag stripe they connect to the back of the keypad. For chip they don't need to as the EPos reader sends it down to the chip as part of an easily recognised message block.

There has been quite a bit of research done on MiTM attacks on EMV "Chip&Spin", done by Cambridge Labs and others.

I don't need to post a link as if you look further up the thread you will see at 8:05AM Andrea has already put one in.

Posted by: Clive Robinson at August 24, 2011 3:31 PM


I would agree with Steven Hoober that this is an impractical way to steal ATM PINs... and I'm a co-author on this paper.

I always find it fascinating to see what the press picks up on of our work. I think it boils down to "is it cute and can you explain it in a sentence?"

This particular paper was based on a project Sarah and Keaton came up with in my grad security class. They had quite a bit of fun doing it, I thought it was cool (since it can work in spite of visual shrouds), so they wrote it up for WOOT. I viewed it as much a negative result as anything since there had been some received wisdom that the heat signature could last for minutes (it doesn't, even on plastic keypads).

In certain settings (e.g. keypad entry to a secure door) I can imagine a potential threat, but I also suspect that the potential has already been considered in such environments.

This is undoubtedly the most expensive and difficult way to gather PIN data around.... not something I worry about.

Posted by: Stefan Savage at August 24, 2011 3:52 PM


Pushing all of the numbers when the transaction is complete should suffice to foil this attack. Then all of the numbers will be warm.

Posted by: Joe Buck at August 24, 2011 4:27 PM


@ Steve Savage.

What is wrong with you. How dare you let graduate students have FUN. That is against Rule 1A-Section C of the College Professor's Manual. The first rule of Grad School is that thou shall have no life. The second rule is that thou shall have no fun. I think you are letting down the side, Steve. You can borrow my whip, if you'd like.

:-)

Posted by: Daniel at August 24, 2011 7:06 PM


@Joe Buck et al

IIRC past attacks against ATMs have included hiding a miniature camera on or at least very close to the ATM to read PINs as they are typed.

Presumably a hidden camera could read the heat signature on the keys as soon as you finished entering it and uncovered the keyboard.

For your defence to work you would need to press all keys before uncovering them.

Posted by: Bruce Clement at August 24, 2011 7:08 PM


@poster with long name and DIY ir camera: dammit you've now got me thinking ideas in my head when I see any camera with a ccd sensor, such as cheap DIY nightvision goggles. I wonder, do CMOS sensors also pick up ir?

Posted by: Gabriel at August 24, 2011 7:40 PM


I'll admit I only skimmed the paper, but I do note it uses the separate terms "thermal camera" and "conventional camera..."

If I recall correctly, the cheap/common CMOS sensors in webcams can see near infrared frequencies around 850 nanometres, while thermal imaging cameras are looking for much longer wavelengths of 7-14 micrometres according to Wikipedia. Something to consider before ripping your webcam apart.

The cost bcs gives on the camera's not too far off what I've seen, a QVGA microbolometer-based thermal camera at about $2700, part of kit for retrofitting thermal night vision to vehicles.

Posted by: kyhm at August 24, 2011 8:20 PM


@ Gabriel

"@poster with long name and DIY ir camera"

I think they used to be "Anonymous Bruce poster" but then again...

However the answer to your question is that nearly all of the semiconductor light sensors used in cameras are more sensitive to IR than the human eye.

However that does not of necessity mean they are sensitive to the parts of the IR spectrum to do with room temperature range heat.

Also even if they were you need to remember many lenses would not pass that part of the spectrum without significant loss.

So you might want to experiment with "a pin hole lens" to start with.

Posted by: Clive Robinson at August 24, 2011 8:30 PM


> People actually use their
> fingers on an ATM keypad?

Yes. Typing your PIN with your nose or toes is inconvenient (and the latter requires more coordination than many of us possess), and using your tongue is rude (because then the next person who comes along has to touch your slobber, and you never know when the person after you is going to be a neat freak or mysophobe). Fingers are thus the logical choice. Most people have pretty good dexterity with their fingers.

Posted by: Jonadab at August 24, 2011 9:19 PM


It won't work if you want to get a nonpredefined amount (80% of my cases) and use keypad to enter the desired amount. How often do you enter your PIN and walk away without doing anything else on the keypad?

Posted by: Szponek at August 25, 2011 1:08 AM


How about using a touchscreen keyboard that changes the arrangement of the numbers randomly for every transaction - of course you would need to remember the PIN and not just the "gesture" on the keypad

Posted by: Frank at August 25, 2011 3:35 AM


@Frank: "How about using a touchscreen keyboard that changes the arrangement of the numbers randomly for every transaction"

Since this would require a much more "elaborate" typing of your PIN (e.g., you cannot cover the pad with your other hand and type blindly), I assume that such a measure would cause more harm than good.

Posted by: Paeniteo at August 25, 2011 4:04 AM


@kyhm
"while thermal imaging cameras are looking for much longer wavelengths of 7-14 micrometres according to Wikipedia."

If I were trying to build this cheaply I'd probably try to get an IR sensor from a cheap passive motion detector and add a mechanical scan engine say from a bar code reader. The second scan dimension could be easily done by the holder of the device.

Ideally all the lenses would need to be swapped for Ge lenses, but if you used it at close distances then probably a pin hole would work.

Should be able to build this for under $100, 1D bar code readers should be cheap, but I'm not sure where you can buy the 2D barcode scan assembly.

Another alternative would be to use the Digital Micro Mirror engine from an old document scanner, or maybe an old DLP TV, however there is not much documentation on how they work.

Posted by: RobertT at August 25, 2011 4:12 AM


So this would provide all the right numbers, but not necessarily in the right order? I'm sure I've heard something like that somewhere before, but to much greater acclaim from its audience...

Posted by: Tim#3 at August 25, 2011 4:18 AM


@ RobertT,

"Another alternative would be to use the Digital Micro Mirror engine from an old document scanner"

You forgot to mention using a "mirror galvanometer" in reverse (if anybody apart from me remembers them ;)

Posted by: Clive Robinson at August 25, 2011 7:00 AM


@Clive: some of the hacks I found didn't bother with heat ir. They instead used ir LEDs, as one might find in a remote control. Not stealthy at all in a combat situation, since it will show up like a flashlight to an adversary, but good enough for around the house and woods.

Posted by: Gabriel at August 25, 2011 7:14 AM


@Frank

"How about using a touchscreen keyboard..."

You have to have the keypad to comply with the ADA, you can't put Braille on a touchscreen.

Posted by: TS at August 25, 2011 10:17 AM


Of course, everybody is overlooking the obvious.

Require all PIN codes to be at least 10 digits, and use each digit at least once.

Or, after the PIN is entered, require that each key on the keypad be pressed at least once.

Or, use a heated keypad, or better yet, a keypad with individually heated keys, randomly sequenced.

Posted by: Bob Vaughan at August 25, 2011 11:07 AM


@RobertT

I remember Make blog running something like this, using servos and such:
http://blog.makezine.com/archive/2010/12/...

I can't imagine it'd be easy to refine it enough to be useful and unobtrusive for less than the $2700 of a real thermal camera.

On the other hand, if you're using cheap small sensors, why not skip the scanning entirely? Put enough of them in a grid, spaced to match the buttons, mount it in a frame, then pop it over the keypad immediately after the mark leaves, scan all of them simultaneously...

Still seems way more effort and risk than a tiny CMOS camera looking at the pad, but maybe useful for movie-plots.

Posted by: kyhm at August 25, 2011 2:02 PM


Bob: "Require all PIN codes to be at least 10 digits"

Right - I can see the customer uprising in my mind. Banks burning coast-to-coast...

"Or, after the PIN is entered, require that each key on the keypad be pressed at least once."

Ditto. Although it would be a minor nuisance, multiplied by everyone it wouldn't work.

"Or, use a heated keypad, or better yet, a keypad with individually heated keys, randomly sequenced."

And here the banks would complain, even though it's only replacing the keypad, not the entire ATM.

The bottom line: This is an example of how no matter how you try, someone will come up with some weird scheme to beat your security.

It's my meme in action - and my meme is inviolable and absolute.

Suck it up.

Posted by: Richard Steven Hack at August 25, 2011 2:27 PM


I doubt this would work in Phoenix where the temperature in the shade is 115 degrees F.

Posted by: JB at August 26, 2011 12:08 PM


Also: clean it, wait for someone to use it, and then look for the fingerprints.

I always press all the buttons (lightly), to thwart against this attack.

Posted by: Mark Jaquith at August 30, 2011 2:52 PM

