A team of researchers from the University of California at San Diego has found that thermal imaging cameras can be used to steal PINs when people make a cash withdrawal from an ATM. Residual heat left on the keypad by a person’s finger as they punch in their PIN can be viewed with an infrared camera, giving away the combination without anyone having to actually see the finger on the buttons.
For criminals, thermal imaging has some advantages. Whether or not the user visually blocks the keypad while typing the number makes no difference, and PIN harvesting can still be automated to provide crooks with a leg up. Researchers Keaton Mowery, Sarah Meiklejohn and Stefan Savage of UCSD studied 21 volunteers punching in 27 randomly selected PINs on plastic and brushed metal keys. The study showed that plastic PIN pads retain the heat signature from the finger the longest, showing which numbers were pressed and in which order.
According to the researchers, how hard a person presses the buttons and their body temperature both affect the results. The metal PIN pads surprisingly didn’t hold the heat long enough to show which keys were pressed. However, on the plastic PIN pad the researchers’ software was able to determine the PIN 80% of the time within 10 seconds. After 45 seconds, the success rate was still high at 60%.
So far, the researchers say thermal imaging hasn’t become widely adopted by criminals for PIN theft, particularly because this type of camera is expensive. However, it is possible that this threat could become more serious in the future.