The industry is already aware that covering a PIN when entering it may not be 100% effective: if the criminals have fitted a PIN pad overlay, the PIN will be compromised regardless. It is still recommended as cardholder 'best practice', however, because it significantly mitigates the risk of visual compromise (shoulder surfing or a hidden camera). For cardholder security tips, and a criminal video showing actual PIN compromise, visit the website of the European ATM Security Team.
Now, according to Security News on msnbc.com, new research in the U.S. has indicated that thermal cameras can be used for PIN compromise, even if the cardholder covers their hand when the PIN is entered. How? The keys touched by a human hand retain some residual heat, and this can be detected by a thermal camera once the hand has been removed. Researchers from the University of California have carried out a series of proof-of-concept attacks using a thermal camera mounted above a traditional ATM PIN pad.
These tests, using 27 randomly selected four-digit codes on both plastic and brushed metal PIN pads, revealed that, although the metal PIN pad made thermal detection attacks almost impossible, thermal cameras can detect a cardholder's keystrokes after the person has left the ATM. Unlike metal keys, which retain heat for only a few seconds due to their high conductivity, rubber keys retain heat much longer: the researchers detected PINs with approximately 80 percent accuracy 10 seconds after the person entered their PIN, and 45 seconds after the keys were pressed the thermal cameras were still able to determine PINs with 60 percent accuracy.
According to the researchers, "Using a thermal camera ... provides an attacker the ability to recover the code even in the cases where, for example, a user's body is blocking the keypad throughout the transaction, or he just covers the keypad with his hand as he types in the PIN ..."
Is this a threat that the industry should take seriously? Perhaps not right now, due to cost: the researchers' camera costs US$1,950 per month to rent, and US$17,950 to buy. But it's a worry nonetheless and, after a cost-benefit analysis, some criminals may decide that the technology is worth a punt. Read the whole msnbc.com article here.