Heat Hacking: Criminals Can Steal Your ATM PIN Code Via the Heat Your Fingers Leave Behind

The PIN digits you punch into an ATM’s keypad to authenticate your transactions are leaving traces of themselves behind in the form of heat, says a paper recently presented by a team of UC San Diego security researchers. Someone following immediately behind an ATM user can use a digital infrared camera to determine what keys were pushed with about 80 percent accuracy, their study shows. Even a full minute later the camera can pick up the correct digits about half the time.

But while it’s easy enough for a criminal type to determine the digits in your PIN with an IR camera, it’s fairly difficult to determine the order. And the hack only seems to work on plastic keypads–metal returns too much heat noise for the IR camera to reliably discern which keys were just pressed.

Then there’s the fact that an IR camera isn’t exactly an implement of petty crime. By the time one amassed the princely sum (around $18,000 to buy a good rig–the $150 Midnight/Shot won’t cut it) necessary to acquire one, he or she probably wouldn’t need to steal ATM PINs anymore.

But none of that changes the fact that a security scheme on which most people regularly rely has a fairly exploitable hole. And it doesn’t just go for ATMs–keypad safes, security doors, keypad-activated garage doors, even the keypads that open up some car doors are susceptible to the IR hack, particularly where plastic keypads are involved.

Of course, to thwart the scheme you could simply place your hand over the entire keypad to impart heat to every key after you punch in your PIN. And if that doesn’t jibe with you germophobic readers, you can always just preemptively Mace the person behind you in line each time you visit the ATM. Better safe than sorry.

Technology Review