Heat from your fingers could compromise your PIN at an ATM

Research has shown that residual heat from fingers can be used to compromise a PIN entered at an ATM with a plastic key pad using images taken by thermal cameras.

August 29, 2011 by Lachlan Gunn — Director, BenAlpin Ltd

I have been blogging for some time about the importance of covering your PIN when making an ATM or payment transaction. Doing so protects it from visual compromise, although there is still a risk of compromise if a key pad overlay is used by the bad guys. 

Now it seems that thermal cameras can be used to detect heat signatures from your fingers on the keys that you touched after you have left an ATM. The degree of heat residue can also indicate in which order you touched the keys. Thankfully, it seems that this technology will not work effectively on metal key pads, only on plastic ones, and even on those the success window is not huge.

This technology was first highlighted by Michal Zalewski in 2005. More recently, research has been carried out at the University of San Diego by Keaton Mowery, Sarah Meiklejohn and Stefan Savage. They presented their research at WOOT '11, the 5th USENIX Workshop on Offensive Technologies, held on Aug. 8, 2011, in San Francisco, in a presentation entitled "Heat of the Moment: Characterizing the Efficacy of Thermal Camera-Based Attacks."

The research detected PINs on plastic key pads with approximately 80 percent accuracy 10 seconds after the person entered their PIN. Forty-five seconds after being pressed, the thermal cameras were still able to determine PINs with 60 percent accuracy. 

Is this methodology commercially viable for criminals? The researchers state that: "...In large-scale attacks involving many unique codes, such as on ATM PINs, our success rate indicates that an adversary can correctly recover enough codes to make such an attack economically viable." 

I'm not so sure. Apparently the researchers' camera costs US$1,950 per month to rent, and US$17,950 to buy. That being said, the technology exists and can only get cheaper. What can we do? It is still vitally important to cover your PIN when making an ATM or payment transaction. If an ATM with a plastic key pad is used, I wonder if touching several keys after you have completed your transaction would foil the thermal threat? Also, as the effective time window is small, shielding the PIN pad for an extra 60 seconds might mitigate the risk - but then we are all busy people.

Click to read the full research paper.
