This article makes it clear that the reduced cost of thermal imaging cameras puts PINs at risk because your thermal signature on the PIN pad remains for up to a minutes after you key in your PIN, which is not new news to many of us:
“Researchers have discovered that covering your hand while typing in your PIN code isn’t a secure enough procedure. That’s because some high-tech thieves are using thermal cameras to steal your PIN.
How this works is, once you type in your PIN code, a thief can take a picture of the heat marks left behind on the screen with a thermal camera. They are then able to figure out the order that you typed the numbers in by the strength of the heat marks. The last number you enter will show up stronger and the first number will be lighter.
This doesn’t only expose the PIN code to unlock your phone either. Thieves can use this technique anywhere you type your credit or debit card PIN, such as a grocery store, gas station or ATM.
Researchers at the University of Stuttgart studied this technique of stealing PIN codes. They found that they were able to successfully decipher a users’ PIN 90 percent of the time if the thermal image was captured in 15 seconds or less from the time the PIN was entered.
It’s even worse for Android users. The researchers were able to figure out the correct pattern 100 percent of the time for those who use a finger-drawn pattern code. They even had more time to take the thermal image, up to 30 seconds after the pattern was drawn.”
Of course in payments the PIN without the magstripe is not particularly useful, but perhaps perfect for PIN entry into buildings and other implementations. Note that the scam can be easily prevented; just push a bunch of random keys once you are done entering the PIN because this obfuscates the pattern.
Two examples of this being old news is that the YouTube video, which is well done and interesting, was released in August of 2014 and can be seen here: https://youtu.be/8Vc-69M-UWk while the research paper was published in June 2011 and is located here: https://cseweb.ucsd.edu/~kmowery/papers/thermal.pdf.
Overview by Tim Sloane, VP, Payments Innovation at Mercator Advisory Group
Read the full story here
