PIN Theft Using Thermal Imaging: Public Service Announcement or Panic Mongering?

A new threat to PIN security has been found: By using a thermal camera, scientists at the University of California in San Diego were able to record PIN codes from the heat signatures retained on keypads minutes after the PIN had been entered. But are Thermal Camera Attacks really a threat, or is the reporting skewed for sensationalism?

After reading the scientific article in question, Heat of the Moment: Characterizing the Efficacy of Thermal Camera-Based Attacks by Keaton Mowery, Sarah Meiklejohn, and Stefan Savage of UC San Diego—cited in the fear-mongering articles spreading like wildfire—I’ve come to the following conclusions:

As described, the test hardly worked on metal keypads:

“The material of the keypad also made a huge difference: against metal keypads, the few runs that we did perform were almost completely abortive. Much of this can be attributed to the high conductivity of the metal, which meant that the heat residue remained localized to the key that had been pressed for only a few seconds; we also observed, however, that either the keypad itself or a paint put on the keypad caused it to act as a thermal mirror, meaning it was hard to even get a clear reading on the keypad at all. Therefore, at least based on our current results, the obvious approach to prevent our (and essentially any thermal-camera-based) attack would be to use metal keypads exclusively.”

The camera used for the test is extremely expensive:

“We used an A320 FLIR camera running at 9Hz with the built-in lens and the standard ExaminIR software for the camera. The monthly rental rate for this camera is $1950 and the cost to buy is about $17,950.”

Although the rental rate is a mere two thousand dollars per month, the return has to be quite high for this method to be economically feasible.

The individual touch can skew results:

“Similarly, individual differences of the keypad operators plays a determining role as well. Some people were quite a bit more warm-blooded than others, and some were more forceful in pressing the keypad; for the people with colder hands or a lighter touch, the thermal results faded significantly more quickly.”

In other words, cold hands and a light touch severely influence the success rate. Not to mention using gloves…

Typical time frame for success:

While the results were pretty good for the first 45 seconds, the thermal image had to be taken within 90 seconds of the PIN being entered on a plastic pad.

After entering the PIN at an ATM, the time that elapses before the client has received the money (and put it away in a wallet or purse) is often more than one minute.

What About Counter Measures?

The article mentions some simple countermeasures ignored in most articles on this ‘new threat’:

“There are of course prevention methods that a user might in turn take against thermal camera-based attacks (for example, continuing to press the keypad even after he has entered the code, or simply resting his whole hand on the keypad); nevertheless, we expect that all but the most paranoid of users do not take them (at least not at present), and so the advantage over conventional cameras is still meaningful.”

How High Is The Risk?

While much has been made of the possibility of theft of individual PIN codes at ATMs, I think that risk is negligible and easily countered. With people becoming more security conscious in recent years, many users already screen their PIN by using their free hand to block the view of the keypad. If that action is combined with the following countermeasures, the risk drops to nil:

  • Keep touching different keys on the pad, or simply rest your warm palm on the keys to give all of them a heat signature.
  • Never take a preset amount of money; select ‘Other’ instead, so you have to use the keypad to enter a different amount. The keys pressed for the amount will mess up the heat signatures of the keys used to type your PIN.
  • Use gloves or an object (pen, keys, et cetera) to press the keys. If none of those options are available, press the keys with your knuckle instead of your fingertip. The knuckle of your little finger in particular transmits less heat to the keys than a fingertip does.
  • Whenever you can, only use ATMs with a metal keypad.

So, Nothing To Worry About?

Well, not for ATM users. However, the article is interesting for security professionals with regard to the use of keypads to limit access to secure locations, for a variety of reasons not encountered with ATMs:

  • Unlike the keypads of ATMs, access keypads are often mounted vertically on the door or the wall next to the door.
  • Door keypads are often made of plastic, which retains the transferred heat longer than metal pads.
  • Users often vacate the area immediately, i.e. the individual arrives at the door, enters the code, opens the door, and goes inside, so far less time elapses between entering the code and taking the thermal image.
  • And, most important, all users use the same code, so if one takes thermal images of several users, the code pattern will emerge much more quickly than with individual codes (like PIN codes at an ATM).

A lot of this also goes for safes with electronic keypads: plastic keypads, a single code. Except that most safes are vacated seconds after the code has been entered, so with safes the risk is lower than with door keypads.

The scientific article, complete with graphs and source material, can be found here: https://cseweb.ucsd.edu/~kmowery/papers/thermal.pdf

