ATM Fraud: Thermal Camera and PIN Code Retrieval
- During the USENIX Security Symposium, held from 8 to 12 August 2011, researchers from the University of California presented their recent study, Heat of the Moment: Characterizing the Efficacy of Thermal Camera-Based Attacks, and demonstrated the possible use of a thermal camera to retrieve customers’ PIN codes at the ATM.
- This technique relies on a series of readings taken by an infrared camera after the user has entered his code. From these readings, the camera shows which keys he actually pressed.
- The tests were conducted with the help of 21 volunteers, who entered 27 random combinations on plastic and brushed metal keypads. Keystroke pressure and the participants’ body temperature were taken into account and hardly affected the results.
- Researchers have come to the conclusion that metal PIN pads are fairly resistant to this attack whereas plastic keypads can let them know “not only [of] the numbers pressed but also [of] the number order” (80% success rate at detecting all digits 10 seconds after the user enters his PIN and over 60% 45 seconds after the PIN has been entered).
Read this study (PDF): Heat of the Moment: Characterizing the Efficacy of Thermal Camera-Based Attacks
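To put the quoted finding in numbers, the following added example (not taken from the study or from the original page) counts how many PINs remain consistent with what a thermal image reveals. It assumes a 4-digit PIN, that the image shows which keys were touched, and that "order" means the order in which each key was last pressed; the sample PINs are constructed.

```python
from itertools import product

DIGITS = "0123456789"


def last_press_order(pin):
    """Distinct digits of `pin`, ordered by their final occurrence.

    Assumption: a key pressed twice only shows its most recent press.
    """
    seen = []
    for digit in reversed(pin):
        if digit not in seen:
            seen.append(digit)
    return tuple(reversed(seen))


def remaining_candidates(pin, leak):
    """Count PINs of the same length that match what leaked about `pin`.

    leak = "none"   : nothing observed
    leak = "digits" : the set of pressed keys is known
    leak = "order"  : the pressed keys and their last-press order are known
    """
    if leak not in ("none", "digits", "order"):
        raise ValueError("leak must be 'none', 'digits' or 'order'")
    pressed = set(pin)
    order = last_press_order(pin)
    count = 0
    for cand in product(DIGITS, repeat=len(pin)):
        if leak == "none":
            count += 1
        elif leak == "digits":
            count += set(cand) == pressed
        else:
            count += last_press_order(cand) == order
    return count


if __name__ == "__main__":
    # Constructed sample PINs: four, three and two distinct digits.
    for sample in ("4820", "1123", "4484"):
        row = [remaining_candidates(sample, k) for k in ("none", "digits", "order")]
        print(sample, dict(zip(("none", "digits", "order"), row)))
```

A PIN with repeated digits keeps a few candidates even when the order leaks, but in every case the search space falls from 10,000 to a few dozen or fewer, which is why the study's keypad-material recommendation matters.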
- This retrieval technique adds to the more conventional ones already used by fraudsters (skimming, shoulder surfing, ordinary cameras, etc.).
- Researchers recommend exclusive use of metal PIN pads and increased caution on the part of the cardholders as they often pay little attention to their environment (angle of the cameras, shifts in the appearance of the ATM, etc.).
- Another transaction security initiative is worth mentioning. In Australia, fraud prevention solutions provider Alaric International has announced a new partnership with Cuscal, a B2B transactions specialist and financial services provider. The agreement covers the adoption by over 150 financial institutions of Alaric's payment processing and fraud detection solutions, Authentic and Fractals. Authentic will, for instance, be used to integrate Cuscal’s ATMs into one of the largest national networks, RediATM (3,800 machines). Fractals will help detect and prevent all fraud attempts in real time.