Tuesday, 30 August 2011

PIN compromise using thermal imagery unlikely at metal ATM PIN pads

Since my last post I have come across more information on the thermal camera threat relating to PIN compromise.  Having read the research paper it seems that most ATMs are not at risk from this threat as, at the moment, the possibility of PIN compromise from thermal imaging technology really only exists for PIN entry at plastic PIN pads, and even then the success rate is not high - although the researchers claim that it is economically viable.  As most ATMs seem to have metal key pads, this is a relief for the industry.  The possibility of using thermal imaging for PIN compromise was first demonstrated by Michal Zalewski in 2005.

At WOOT '11, the 5th USENIX Workshop on Offensive Technologies, held on 8th August 2011 in San Francisco, a presentation entitled "Heat of the Moment: Characterizing the Efficacy of Thermal Camera-Based Attacks" was delivered.  This was based on research and analysis carried out by Keaton Mowery, Sarah Meiklejohn, and Stefan Savage from the University of California, San Diego.  If you want to read more you can visit the website of the USENIX Workshop and download the slide presentation made by Mowery et al. and/or the full research paper.

Thursday, 25 August 2011

Covering your PIN may not protect it from cameras?

The industry is already aware that covering a PIN when entering it may not be 100% effective as, if the criminals use a PIN pad overlay, the PIN will be compromised regardless.  It is still recommended as cardholder 'best practice', however, as the risk of visual compromise is significantly mitigated.  For cardholder security tips, and a criminal video showing actual PIN compromise, visit the website of the European ATM Security Team.

Now, according to Security News on msnbc.com, new research in the U.S. has indicated that thermal cameras can be used for PIN compromise, even if the cardholder covers their hand when the PIN is entered.  How?  Apparently the keys touched by a human hand still retain some residual heat and this can be detected by a thermal camera once the hand has been removed.  Researchers from the University of California have carried out a series of proof-of-concept attacks using a thermal camera mounted above a traditional ATM PIN pad.

Thursday, 18 August 2011

Have you registered for SMS alerts when your debit card is used?

I am used to getting texts from my bank whenever one of my debit cards is used.  There is something reassuring about the 'beep beep' of an incoming text shortly after I have made a transaction, and especially when I am travelling.  If that debit card was fraudulently used, I would quickly know about it.  With my bank this is an 'opt-in' service for cardholders, and not every bank that I use provides it.

I have just noticed that, according to an article in the Times of India, with effect from July 2011, the Reserve Bank of India (RBI) has made it mandatory for ALL Indian banks to provide this service to debit card holders, and all debit card holders are required to register their mobile phone numbers with their bank for this purpose.  Clearly card fraud is on the rise in India and this is a sensible step for the market to be taking to help counter it.  As a card holder it always feels good to be pro-active in the fight against card fraud, and registering for SMS alerts is within my power, as is covering my PIN when making a transaction at an ATM or a payment terminal.

Does your bank offer an SMS alert service for debit card transactions?  It might be worth asking the question.

Friday, 12 August 2011

The U.S. moves towards EMV! Visa announces plans....

Visa has just announced its plans to accelerate chip migration and adoption of mobile payments. This is great news as there is now a roadmap for (partial) EMV implementation in the U.S.  Visa will bring in a U.S. liability shift for domestic and cross-border counterfeit card-present POS transactions, with effect from 1st October 2015.  Merchants selling fuel will have an additional two years, until 1st October 2017.  Unfortunately there is no mention of ATMs - the preferred channel for fraudsters to obtain cash!

I have commented in the past about the fact that the U.S. is lagging behind the rest of the world due to its reluctance to adopt EMV or Chip and PIN technology.  The gap that is opening up as a result can be separated into two main parts: