How To Steal ATM PINs With a Thermal Camera

CmdrTaco posted more than 3 years ago | from the i-see-what-you-did-there dept.

Security 157

An anonymous reader writes "Researchers from UCSD have demonstrated how thermal imagery cameras can be used to steal customers' PINs (PDF) when you withdraw cash from ATMs. Their paper, entitled 'Heat of the Moment: Characterizing the Efficacy of Thermal Camera-Based Attacks', (PDF) discovered that plastic PIN pads were the best for retaining heat signatures showing which numbers (and in which order) were used by bank customers. Fortunately the methodology does not appear to have been used by criminals yet, but a third of people surveyed admit that they do not check ATMs for tampering before withdrawing cash."


Oh Sure, Academia Accepts THAT Paper (0, Offtopic)

eldavojohn (898314) | more than 3 years ago | (#37119508)

Their paper, entitled 'Heat of the Moment: Characterizing the Efficacy of Thermal Camera-Based Attacks' ...

Oh sure everybody wants to show how easy it is to steal everyone else's PIN but when you release a paper detailing how to do it with X-rays and guarantee the target develops cancer and dies within a month leaving their account ripe for unnoticed pilfering then you've "gone too far"!

Re:Oh Sure, Academia Accepts THAT Paper (4, Funny)

Anonymous Coward | more than 3 years ago | (#37119620)

And don't ever use Gamma Rays, you don't want the Hulk chasing you after you've pilfered his bank account.

Re:Oh Sure, Academia Accepts THAT Paper (2)

sycodon (149926) | more than 3 years ago | (#37119750)

Fortunately the methodology does not appear to have been used by criminals yet

But they'll be sure to get on it right away now that they have been clued in.

Re:Oh Sure, Academia Accepts THAT Paper (1)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#37119854)

Based on the relative costs (and sizes) of the existing visible-spectrum-camera-hidden-on-the-ATM technology and the available thermal imaging gear, I'm somewhat inclined to doubt any significant uptake.

Even if you go fleabaying, a thermal imaging system up to the task will easily be north of $1,000, and the cheap seats are often rather bulky and don't exactly sip power. If you go with something handheld, the fact that many of them look very much unlike normal digital cameras will make you stand out a good deal.

Your dinky little pinhole spycam, either from a skimmer-vendor or modified from a cheap cellphone or some chintzy perv-market 'security' camera is going to be at least a factor of ten cheaper, able to run much longer on batteries, and substantially smaller.

Re:Oh Sure, Academia Accepts THAT Paper (1)

Eponymous Hero (2090636) | more than 3 years ago | (#37120848)

no, there will be a smartphone app for it soon.

Re:Oh Sure, Academia Accepts THAT Paper (0)

Anonymous Coward | more than 3 years ago | (#37120360)

Good news, everyone! I've invented a device that will speak your PIN aloud in my voice!

Re:Oh Sure, Academia Accepts THAT Paper (1)

hairyfeet (841228) | more than 3 years ago | (#37120884)

Not to mention anybody who has watched the news lately has seen that the threat at ATMs isn't some hacker nerd but a "Thug Life!"er sticking a gun in your ribs or bashing your head in with a rock and just taking the money after you have put in the pin.

And has anyone else noticed that for the "Thug Life!"ers there is no such thing as robbery? There is murder with a cash bonus. We had a typical "Thug life!"er robbery in the next town over a couple of months ago, the "Thug Life!"er walks into a nail salon, blows away everyone in the place THEN goes for the till. Got something like $363 for 3 dead and 1 wounded.

Frankly having a geek go to all that trouble to rob you with infrared would probably be refreshing since all I see anymore is someone blowing you away and then rifling through your pockets.

Touch typing defense (4, Funny)

rwa2 (4391) | more than 3 years ago | (#37119518)

Hmm, I knew there was a reason that I rested all of my fingers uniformly across the keypad, gently caressing their every ridge and facet as I discreetly pumped out my digits into their PIN pad. Well, another reason, at least.

Also I try to think about a completely different song than the one that corresponds to the letters that correspond to the numbers of my PIN, just to thwart any brainwave phreaking attacks as well.

But still hoping we score some decent security measures out of this, like maybe a bank-issued gold card or something.

Re:Touch typing defense (4, Funny)

Herkum01 (592704) | more than 3 years ago | (#37119564)

I rested all of my fingers uniformly across the keypad, gently caressing their every ridge and facet as I discreetly pumped out my digits

Have you considered a career writing Harlequin novels?

Re:Touch typing defense (2)

cyberchondriac (456626) | more than 3 years ago | (#37119566)

or, after you've put in your PIN and gotten your money or whatever, press a few more random keys.

Re:Touch typing defense (4, Funny)

nedlohs (1335013) | more than 3 years ago | (#37119584)

Just set the keypad on fire.

Re:Touch typing defense (2)

franoreilly (109719) | more than 3 years ago | (#37119648)

Makes sense. Even though I cover my typing hand with my other hand, I always add a few more fake keypresses so that any camera can't make a rough guess, judging by the quadrant of the image showing slight movement, which key was actually pressed. So now I have to do this for infra red coverage also. Great.

Re:Touch typing defense (0)

Anonymous Coward | more than 3 years ago | (#37119994)

This works for elevator buttons too!

Re:Touch typing defense (2)

sconeu (64226) | more than 3 years ago | (#37120502)

I picked up this habit after working in a classified area with a cipher lock.
After I'd enter the cipher, I'd swipe my fingers over all the buttons to make it harder for a potential bad guy to analyze the wear/fingerprint patterns on the lock.

Re:Touch typing defense (2)

MightyMartian (840721) | more than 3 years ago | (#37119606)

I'm not sure whether I just read a method to obscure your PIN number from thermal cameras, or a description of one of your sexual exploits.

Re:Touch typing defense (1)

Bob the Super Hamste (1152367) | more than 3 years ago | (#37119732)

Sounds like both. He has a thing for ATMs especially when they vibrate when discharging money.

Re:Touch typing defense (3, Insightful)

Not_Wiggins (686627) | more than 3 years ago | (#37119720)

It looks likely you were mostly joking (so, that makes me feel equally bad about admitting this).
But, when putting in my PIN, I typically rest several fingers on different numbers, move my hand around, and punch my PIN in that way, obscuring what I'm doing (not the typical one finger, one press approach).

For me, it was about making it tough for someone with a video camera set up to watch the ATM to figure out what my PIN is based on finger movement alone.

I suppose to that end, would getting the heat signature really be that superior to having a video camera set up with a telephoto lens?
And if we were ever worried about heat signature, wouldn't simply wearing gloves defeat this "potential attack?"

Seems someone has figured out a complex way of collecting PINs.

Why not set up a loop of wire and, based on the different lengths of connection between electricity that flows from pressed keys to the processor, infer which key is pressed?

Right... it would cost more in time, money, and effort than one could make simply waiting for someone to walk up and rob with a gun.

Re:Touch typing defense (1)

Jah-Wren Ryel (80510) | more than 3 years ago | (#37120208)

But, when putting in my PIN, I typically rest several fingers on different numbers, move my hand around, and punch my PIN in that way, obscuring what I'm doing (not the typical one finger, one press approach).

I do it too -- I start at the top row, one finger per button, and then slide my hand down the keypad making contact with every button but only putting pressure on the one button that needs pushing. I repeat the process for each digit but make sure to slide my hand across the entire keypad each time. It didn't take much practice to get good at it, it still takes a little bit longer than just punching the numbers in directly, but not enough to matter.

Re:Touch typing defense (2)

cdrguru (88047) | more than 3 years ago | (#37120582)

Right... it would cost more in time, money, and effort than one could make simply waiting for someone to walk up and rob with a gun.

Never forget that any sort of ATM attack is anonymous and impersonal, whereas holding up someone with a gun means you personally are standing there in front of someone with a gun in your hand.

What the Internet has proven beyond a shadow of a doubt is that ordinary people who wouldn't think of shoplifting will go to incredible lengths to steal stuff on the Internet where they are anonymous and the action is impersonal. Someone who would never break into a house in person will break into a computer with impunity, even to the point of advertising their exploits.

I would say that there are plenty of people that if they could engage in ATM skimming and know they don't have to ever confront a human throughout the whole process they would do it, even to the point of spending more money than they are likely to get in return. ATM skimming kits are pretty good sellers on the Internet, if you know where to shop, because they are a gateway to anonymous, impersonal money.

Re:Touch typing defense (1)

need4mospd (1146215) | more than 3 years ago | (#37120110)

Hmm, I knew there was a reason that I rested all of my fingers uniformly across the keypad, gently caressing their every ridge and facet as I discreetly pumped out my digits into their PIN pad.

Do you do so while wearing a robe and wizard hat?

Re:Touch typing defense (0)

Anonymous Coward | more than 3 years ago | (#37120554)

Song, eh. 8675(309)?

Re:Touch typing defense (1)

tom17 (659054) | more than 3 years ago | (#37120704)

Naaah,
1,2,3,4(5,6,7,8,9,10,11,Twe-ee-e-ee-e-elve!)

Now get back in line. (3, Insightful)

suso (153703) | more than 3 years ago | (#37119534)

but a third of people surveyed admit that they do not check ATMs for tampering before withdrawing cash.

A person checking an ATM for tampering may look like they are tampering with an ATM. Now get back in line.

Re:Now get back in line. (2)

rwa2 (4391) | more than 3 years ago | (#37119612)

Word. Not to mention that most ATM skimmers are very difficult to detect, and are often indistinguishable from some of the regular "bling" that an ATM might have adorning their card slot.

But I guess it's worthwhile to attempt to rip it out anyway and see what happens :-P

http://images.google.com/search?q=ATM+skimmer&hl=en&prmd=ivns&tbm=isch&tbo=u&source=univ&sa=X&biw=1270&bih=810 [google.com]

Re:Now get back in line. (5, Insightful)

The Moof (859402) | more than 3 years ago | (#37119616)

Not to mention that the average person likely has no idea what a card skimmer looks like when compared to the card reader on an ATM.

Re:Now get back in line. (2, Insightful)

Anonymous Coward | more than 3 years ago | (#37120560)

This is what I was thinking. I actually *do* look for tampering, but even after seeing examples of card skimmers, I have doubts of my own ability to actually detect one.

Re:Now get back in line. (1)

GTRacer (234395) | more than 3 years ago | (#37121300)

Am I alone in not using ATMs? I prolly wouldn't know if a skimmer had been installed because I almost never visit ATMs. I mean, in any given year I can count on one hand the number of ATM withdrawals and checks written on one, maybe two hands. I stopped carrying cash years ago and if I truly need some, most of the time a POS cashout is closer than the bank, and doesn't charge a fee.

To be fair, I *do* use the ATM whenever I need to deposit checks, which is rarely enough. All that said, if I saw mysterious ATM usage on the bank website, I could almost certainly refute it with my non-history.

Nothing is safe (1)

mfh (56) | more than 3 years ago | (#37119548)

There is no level of applied security that can thwart applied freedom.

Wallet corner defense (3, Insightful)

Anonymous Coward | more than 3 years ago | (#37119580)

I use the corner of my wallet to press the keys, let's see them work with that.

Re:Wallet corner defense (1)

mapkinase (958129) | more than 3 years ago | (#37119906)

Good idea. Also, stylo of your mobile. Mod the coward up.

Re:Wallet corner defense (1)

Heed00 (1473203) | more than 3 years ago | (#37120210)

*snatch* Got your wallet! *runs away*

Slashdot is advertising thermal imaging cameras... (2)

kotku (249450) | more than 3 years ago | (#37119590)

when I viewed this story. Conflict of interest here?

Re:Slashdot is advertising thermal imaging cameras (1)

Nadaka (224565) | more than 3 years ago | (#37119722)

Google context sensitive advertising at work.

They probably also advertise ski masks on stories about bank robbery.

Re:Slashdot is advertising thermal imaging cameras (0)

Anonymous Coward | more than 3 years ago | (#37119760)

Targeted advertising!

Re:Slashdot is advertising thermal imaging cameras (0)

Anonymous Coward | more than 3 years ago | (#37119816)

Slashdot has ads?

Splinter Cell... (2)

neokushan (932374) | more than 3 years ago | (#37119594)

They did this in Splinter Cell YEARS ago.

Re:Splinter Cell... (1)

wildstoo (835450) | more than 3 years ago | (#37120046)

That's the first thing I thought of too. I remember using my Thermal Imaging goggles in Splinter Cell to steal door codes after watching someone else use the keypad.

Did the guys at UCSD play Splinter Cell? Did they thank Ubisoft in their paper? ;)

Re:Splinter Cell... (1)

ironjaw33 (1645357) | more than 3 years ago | (#37120388)

They did this in Splinter Cell YEARS ago.

After doing that in game, I remember thinking that there was no way this would really work. I was hoping that Mythbusters would tackle it but it looks like academia beat them to it.

Re:Splinter Cell... (1)

Kunedog (1033226) | more than 3 years ago | (#37120904)

And in Cyberia years before that.

This was done on (2)

geeza81 (912658) | more than 3 years ago | (#37119596)

The Real Hustle on BBC3 to open a safe in a jewellery shop. How they got into the jewellery shop was pretty genius too.

Re:This was done on (1)

StillNeedMoreCoffee (123989) | more than 3 years ago | (#37120874)

I don't know if that is where I saw that, but yes the technique has appeared in movies (years ago). This is life imitating art.

Easy to Avoid (5, Funny)

tucara (812321) | more than 3 years ago | (#37119638)

Just make sure you add a bunch of heat on all the number keys before you leave to mess up their analysis. I recommend urinating on the keypad to get a good even distribution.

Re:Easy to Avoid (0, Funny)

Anonymous Coward | more than 3 years ago | (#37119686)

this is why the keypad is always fucked up and smells when I go get cash for my weed.

Re:Easy to Avoid (2)

GameboyRMH (1153867) | more than 3 years ago | (#37119698)

When I'm typing in my PIN I do a fancy jig with my fingers, and I use my fingernails - admittedly to avoid getting the ick from the ATM on my fingers - but that should help keep the thermal signatures down as well.

Re:Easy to Avoid (3, Insightful)

S.O.B. (136083) | more than 3 years ago | (#37120142)

Urine is likely cleaner than what you normally find on ATMs. So you're doing a public service by "rinsing off" the keypad.

Re:Easy to Avoid (1)

scorp1us (235526) | more than 3 years ago | (#37120528)

You joke, but there is a scene in American Treasure II where they fingerprint a keyboard and deduce the password using letters hit and a dictionary attack. One shift or caps-lock key use and it blows the solution space exponentially high.

I am waiting for ATMs to have NFC support. That way, my card and/or phone is needed so that I don't have to even touch that machine.

Re:Easy to Avoid (0)

Anonymous Coward | more than 3 years ago | (#37121338)

It was National Treasure I.

Re:Easy to Avoid (1)

bughunter (10093) | more than 3 years ago | (#37120972)

Reminds me of the apocryphal story of the D&D munchkin running a dwarven thief whose dungeon lockpicking strategy is to piss in the lock and then come back in a year or two after the mechanism had corroded...

Re:Easy to Avoid (0)

Anonymous Coward | more than 3 years ago | (#37121016)

a dwarven thief whose dungeon lockpicking strategy is to piss in the lock and then come back in a year or two after the mechanism had corroded

His short legs would be a rather distinct disadvantage though.

Re:Easy to Avoid (1)

rubycodez (864176) | more than 3 years ago | (#37121060)

if you find you can't urinate, rub one out on the keypad

Thermal imaging? That stuff is fun and expensive.. (4, Funny)

Lonewolf666 (259450) | more than 3 years ago | (#37119642)

Even as a usually law-abiding citizen, I might be tempted to steal that camera thingy if i find it. The fact that it was put there by criminals would greatly reduce my pangs of conscience ;-)

Re:Thermal imaging? That stuff is fun and expensiv (1)

Arlet (29997) | more than 3 years ago | (#37120172)

The camera wouldn't be near the ATM. Someone behind you in line would take the camera out of their pocket, and take a picture of the keypad you just touched.

So as far as i understood. (1)

drolli (522659) | more than 3 years ago | (#37119652)

Tampering is not needed for taking a thermal photo as the next in line.

secure NFC transactions NOW! (2)

markhahn (122033) | more than 3 years ago | (#37119666)

this is an even better reason we need secure NFC transactions (with your mobile) asap. it's absurd to be typing a by-definition-weak password into an unauditable terminal. why hasn't some bank noticed that at least early adopters would pay for the privilege of paying securely?

then again, if banks simply secured their terminals, much of the hacked-ATM problem would disappear. yes, toilet-like stalls for each ATM...

Re:secure NFC transactions NOW! (2)

TubeSteak (669689) | more than 3 years ago | (#37119872)

this is an even better reason we need secure NFC transactions (with your mobile) asap.

Near field communication is only as secure as the size and sensitivity of the nearest antenna.
Just because your mobile phone has a weak antenna doesn't mean a malicious actor has to limit himself.

Re:secure NFC transactions NOW! (2)

rhsanborn (773855) | more than 3 years ago | (#37119896)

Because it's a password, and last I checked, banks do not take responsibility for transactions that involved the PIN. They consider it the consumer's responsibility to maintain the secrecy of their PIN, regardless of its weakness. As a result, the banks have relatively little exposure to PIN based attacks, and therefore have little incentive to spend any money making it more secure.

Re:secure NFC transactions NOW! (0)

Anonymous Coward | more than 3 years ago | (#37120130)

Right. If the banks can trick the courts into putting the responsibility on the customer, they will. Think "bank fraud" vs "identity theft" for example. Or the new chip bank cards with the flawed protocol that lets criminals do a debit transaction without any PIN.

Re:secure NFC transactions NOW! (1)

IamTheRealMike (537420) | more than 3 years ago | (#37120348)

it's absurd to be typing a by-definition-weak password into an unauditable terminal.

A hacked terminal isn't enough to break card security, obviously, the whole point is that you need both the card and the PIN. Merely having the PIN isn't enough. Modern cards can't be cloned unless you live somewhere still in the stone age, like the USA ;)

train my cold blooded pet snake (1)

schlachter (862210) | more than 3 years ago | (#37119694)

this is why i need to train my cold blooded pet snack to enter my pin for me!

Re:train my cold blooded pet snake (1)

Daetrin (576516) | more than 3 years ago | (#37119800)

this is why i need to train my cold blooded pet snack to enter my pin for me!

I would say something about the amount of time wasted by repeatedly training something that's going to be consumed in short order, but i'm more squicked out by the idea of keeping your snacks as pets.

Re:train my cold blooded pet snake (0)

Anonymous Coward | more than 3 years ago | (#37119892)

mmmm pet snack.....

The Efficient Method (3, Informative)

syntap (242090) | more than 3 years ago | (#37119700)

Isn't it cheaper to simply mug the ATM user after they are done and take cash while out of sight of the ATM machine's own camera? You'd have to do that anyway to get the card from them. Why get all technical?

Re:The Efficient Method (2)

Lonewolf666 (259450) | more than 3 years ago | (#37119772)

The common method is using an ATM skimmer to copy the card, and a camera to record typing in of the code. No mugging necessary. Sometimes the keypad is faked too.

Re:The Efficient Method (0)

Anonymous Coward | more than 3 years ago | (#37121054)

Is that to say that most cards where you are are magnetic stripe, without a chip?
Around here, the banks started putting chips in debit cards around 10 years ago, IIRC, and now I don't think you get new cards without them.
There have still been some demonstrated attacks, but mostly involving MITM, or targeting the magnetic stripe that's still there for compatibility.

Re:The Efficient Method (1)

Kell Bengal (711123) | more than 3 years ago | (#37119842)

Except with a card skimmer, you don't - just make a replica card using the captured information and use the observed PIN combination.

Re:The Efficient Method (1)

PPH (736903) | more than 3 years ago | (#37120184)

But now you can hit them over the head with the thermal camera.

Touch more than 4 digits. Problem solved. (1)

MindCrusher (1249502) | more than 3 years ago | (#37119716)

As I cover my hand to hide the numbers I always touch more than the four digits whenever I input my PIN as I center my hand on the keypad. Most of the time I also fake pressing some digits by keeping my finger onto them. I never thought of the thermal way to recover PIN numbers but I think I am safe.
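
Added example (not part of the thread or the UCSD paper): the decoy-press defense described in the comment above, and in the earlier "Touch typing defense" replies, can be quantified by counting how many PINs stay consistent with a set of warm keys. It assumes a 4-digit PIN, a camera that recovers only which keys are warm and not their order, and a hypothetical 3-attempt lockout; the PIN `1379` is constructed sample data.

```python
"""Residual PIN search space after an unordered thermal observation (added example)."""
from itertools import product
from math import comb


def pins_exact_cover(k: int, n: int = 4) -> int:
    """Count length-n PINs that use each of k warm keys at least once.

    This is the no-decoy case: every warm key is known to be a PIN digit.
    Computed by inclusion-exclusion over the keys that might be missing.
    """
    return sum((-1) ** j * comb(k, j) * (k - j) ** n for j in range(k + 1))


def pins_within(k: int, n: int = 4) -> int:
    """Count length-n PINs drawn from k warm keys when any of them may be decoys."""
    return k ** n


def enumerate_candidates(warm_keys: str, n: int = 4,
                         decoys_possible: bool = False) -> list[str]:
    """Brute-force list of PINs consistent with the warm keys (checks the formulas)."""
    warm = set(warm_keys)
    candidates = []
    for digits in product(sorted(warm), repeat=n):
        # Without decoys the PIN must touch every warm key; with decoys
        # it only has to stay inside the warm set.
        if decoys_possible or set(digits) == warm:
            candidates.append("".join(digits))
    return candidates


def guess_success_probability(candidates: int, attempts: int = 3) -> float:
    """Chance that uniform guessing hits the PIN within `attempts` tries.

    attempts=3 is an assumed lockout limit, not a figure from the page.
    """
    if candidates == 0:
        return 0.0
    return min(1.0, attempts / candidates)


def decoy_table(pin: str, max_decoys: int = 6) -> list[tuple[int, int, float]]:
    """Rows of (warm keys, candidate PINs, success probability) as decoys are added.

    The zero-decoy row assumes the observer knows no decoys were pressed.
    """
    distinct = len(set(pin))
    rows = []
    for decoys in range(max_decoys + 1):
        warm = distinct + decoys
        if warm > 10:  # a numeric pad has only ten digit keys
            break
        if decoys == 0:
            count = pins_exact_cover(warm, len(pin))
        else:
            count = pins_within(warm, len(pin))
        rows.append((warm, count, guess_success_probability(count)))
    return rows


if __name__ == "__main__":
    sample_pin = "1379"  # constructed sample, four distinct digits
    print("warm keys  candidates  P(success in 3 tries)")
    for warm, count, prob in decoy_table(sample_pin):
        print(f"{warm:9d}  {count:10d}  {prob:.4f}")
    # A PIN with a repeated digit leaves fewer warm keys but more orderings.
    print("3 warm keys, no decoys:", pins_exact_cover(3), "candidates")
```

Under this model a PIN with a repeated digit leaves more orderings to try than one with four distinct digits, and warming all ten keys returns the observer to the full 10,000-PIN space.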

Re:Touch more than 4 digits. Problem solved. (1)

mapkinase (958129) | more than 3 years ago | (#37119930)

Or you could have just used the tip of the pen or stylo from your mobile.

Or you can be flat broke (0)

Anonymous Coward | more than 3 years ago | (#37120088)

I don't need to worry either. I have a feeling that anyone accessing my account would feel sorry for me, and might even be inclined to make a deposit instead of a withdrawal.

What good is the pin? (1)

ThorGod (456163) | more than 3 years ago | (#37119778)

If I'm the only one with the card?

Re:What good is the pin? (0)

Anonymous Coward | more than 3 years ago | (#37119838)

they have your card because there is a skimmer installed over the card slot

Re:What good is the pin? (1)

srobert (4099) | more than 3 years ago | (#37119878)

Well now that we have your PIN we can just knock you over the head and take your card. Before we had to kidnap and torture you to get you to reveal the PIN. This is so much easier. Who says that technology isn't improving our lives?

Re:What good is the pin? (1)

hellkyng (1920978) | more than 3 years ago | (#37120532)

Because shortly you will not be the only one with the card. As others mentioned there is a skimmer attached somewhere on the ATM. This reads the data contained on the magnetic stripe of your card and records. It may transmit this data via Bluetooth to a local attacker, or store it locally. Skimmers usually can contain anywhere from 7-10,000 cards on them roughly.

Once this is accomplished the attacker will then either sell the data online, or begin creating his own fake credit cards. This process involves purchasing blanks, which look like plain white cards, and reloading your mag stripe onto it. They may be more sophisticated as well but that gets more expensive. Then it's off to the local big box retailer to buy a few TVs courtesy of you!

ATMs are the obvious case as well, this can be easily done in gas pumps as well...

Was on The Real Hustle a few weeks ago (1)

DJRikki (646184) | more than 3 years ago | (#37119866)

On BBC iPlayer, they did a con involving a safe keypad and a FLIR thermal camera to show the heat on the keypad.

Equipment cooling (1)

PPH (736903) | more than 3 years ago | (#37119952)

I'd never heard of this method of attack until now. But it might explain why some of my bank's ATMs seem to have a high volume of cooling air blasting through any cracks and openings in the machine. Metal keys as well.

There was an article in a recent electronics magazine about building a code entry keypad that scrambles the digit positions between each entry attempt. This would make filming the keyboard difficult if one were to make the digit displays hard to see other than straight on. It would cause problems for people who enter their PIN based upon positional memory rather than looking at the numbers.

Re:Equipment cooling (2)

jfuredy (967953) | more than 3 years ago | (#37120480)

Yes, these keypads have been in use for at least 10 years. You press a button to activate the keypad, and it randomly places the digits onto the pad so they're in a different place each time. After you successfully enter your code all of the numbers disappear. It certainly makes it slower to enter your PIN, but it also makes it impossible to surreptitiously determine your PIN.

What about ambient temperature? (1)

chiph (523845) | more than 3 years ago | (#37119974)

Right now in Texas, we're hitting over 104F in the afternoons, several degrees higher than body temperature. Would the buttons be cooled by people touching them?

Re:What about ambient temperature? (1)

Em Adespoton (792954) | more than 3 years ago | (#37120190)

You really have ATMs operating in 104F environments? More likely there's an AC unit right above the thing blasting cold air on it.

Why aren't these things obsolete? (1)

geekmux (1040042) | more than 3 years ago | (#37119984)

Is it just me, or does anyone else tire over stories of ATM skimming/tampering? I guess my main point here is who the hell still uses an ATM anymore?

It's probably been at least 6 months since I've stepped in front of one. I can withdraw up to $100 at just about any store I go into when I use my debit card (multiple times a day too), and since there seems to be a rather large void of evidence regarding tampering of debit terminals inside stores and banks, the most obvious solution seems to be the answer here.

And if I find myself in need of more than a few hundred dollars in cash (cash? what's that?) on any given day, then I go to the most secure place to get it; the actual bank.

In today's cashless society, I still struggle to find why ATMs haven't gone the way of the pay phone yet. Perhaps it's because a good portion of banking revenue is still generated off their ripoff fees for transactions? Chances are greed is in the answer there somewhere.

Re:Why aren't these things obsolete? (0)

Anonymous Coward | more than 3 years ago | (#37120238)

There's actually quite a bit of evidence of card reader tampering in stores and fuel stations. Just go google "grocery store card reader tampering" or "gas station card reader tampering"

In a world where the "station attendant" has pretty much vanished past 10PM, the gas stations are probably the easiest targets.

Re:Why aren't these things obsolete? (1)

Asic Eng (193332) | more than 3 years ago | (#37120342)

I think your experience is probably in the US? Being able to get cash back from the store is not unheard of in other countries, but it's a lot less common than in the US. Also card payments are less common in other countries, usually cash is preferred. (On average it's a lot quicker, plus many people prefer not to leave a record of every little purchase they make.)

As for withdrawal fees - my German bank (DKB) lets me withdraw money anywhere in the world using my visa card, and they swallow the withdrawal fee. (They don't charge for the account either and pay interest on my savings - it's a pretty good deal.) Very convenient when you are traveling, and I'm getting rather good exchange rates as well.

Re:Why aren't these things obsolete? (0)

Anonymous Coward | more than 3 years ago | (#37120696)

What works for you doesn't work for everybody. I -detest- debit cards and actually do not have one. (Yes, this means I'm one of those 'deadbeats' that uses credit but never carries a monthly balance.)

I'd rather not have every minor transaction in life down to the last can of Pepsi tracked in a database somewhere (whether there is any real incentive for somebody to abuse this or not). I hit up ATMs for -large- amounts of cash at a time ($200 or more) and have anonymous spending money for a couple of weeks. I prefer handling certain transactions in cash (the best example is dining out) because I can drop the cash and go as soon as the check arrives (instead of waiting for a couple more cycles of the waitress coming around to take my credit card and then return it after processing).

Cash is by no means dead.

Re:Why aren't these things obsolete? (1)

rubycodez (864176) | more than 3 years ago | (#37121106)

I hit up ATMs for -large- amounts of cash at a time ($200 or more) and have anonymous spending money for a couple of weeks

you must be single. Married with children, I can pull $400 out of an ATM and have it gone in days.

Fingers (0)

Anonymous Coward | more than 3 years ago | (#37119988)

Good thing I do have cold dead fingers so they can't actually pry my money out of them.

Easily solved by banks, ATM makers (0)

Anonymous Coward | more than 3 years ago | (#37120124)

Making a touchscreen keypad mandatory should prevent this, and for added bonus present a random order of the numbers on the touch screen each time.

THANK YOU THANK YOU THANK YOU (0)

Anonymous Coward | more than 3 years ago | (#37120192)

For letting the criminal know that they have another option to steal our money. Now We have to carry a Dust can that we have to turn upside down and spray it cold air to wipe it down.

Score one for moderate OCD (1)

Culture20 (968837) | more than 3 years ago | (#37120258)

I can't stand to touch those PIN pads. Keys or gloves (in winter).

Worse yet, the chip cards (1)

dontmakemethink (1186169) | more than 3 years ago | (#37120338)

These cards with 'security chips' are a much greater risk. After entering your PIN, you must wait with the card sticking halfway out of the terminal pad while the transaction proceeds, during which time nobody guards their card. Who needs a heat camera when you can just peep over at someone entering their pin in the grocery line, snag their neatly exposed card, and drain their account at the nearest ATM? You can even yank it before the transaction completes to leave more money in the account! It's one thing that the pin pads are highly exposed, but to make the card itself vulnerable to easy theft is really ridiculous, especially in the name of security.

Max Headroom (1)

John Bayko (632961) | more than 3 years ago | (#37120358)

When I saw this done on Max Headroom, I was skeptical that it could work. Not because a regular news camera had an "infra-red" mode, I expected that could happen (and some do, just not enough to be heat sensitive yet), but I thought the keys would cool down too fast. Good to know how scientifically accurate a show about a simulated human infecting the world's computer networks was.

Scramble the numbers on the buttons (0)

Anonymous Coward | more than 3 years ago | (#37120500)

Back in the 80's I worked at a place where you needed to enter a PIN to open a side door. The keypad had a shield around the top and sides, and the keys were backlit with nixie tubes that were below the surface about 0.5" -> 1" such that you had to be looking pretty much directly into them to see the numbers. You walked up, hit a button, the digits lit up and which button was which number was scrambled so that even if somebody saw the pattern of buttons you pressed, they still could not use it to gain access. It made it a PITA as you had to actually remember your code and not rely on muscle memory after a while. This was 80's technology, why can't ATMs use something like that? Ah yes, the customers would complain it's too hard to remember 4 digits. Must make it easier for the customers and thieves.

Extend your PIN at CapitalOne (0)

Anonymous Coward | more than 3 years ago | (#37120578)

I accidentally typed some extra characters at a CapitalOne ATM once while taking money from my CapitalOne account and the ATM took it. I tried at a couple other CapitalOne ATMs and they took extra trailing characters as well.

I didn't complain because I didn't think it was a security flaw but now I am happy because those few times I did that, the thermal imaging attack would have returned an invalid PIN (that would have worked just as well as my valid one).

Thermal camera? (1)

houghi (78078) | more than 3 years ago | (#37120612)

You can have my PIN
if you pry it from my dead COLD fingers.

And two thirds of people are liars. (1)

Anonymous Coward | more than 3 years ago | (#37120796)

"but a third of people surveyed admit that they do not check ATMs for tampering before withdrawing cash"

Yeah, I get it, some of you are typical Internet paranoid freaks who do this, but 99% of people don't. Why? I've never heard of anyone having their PIN stolen. Ever. I've never known anyone who had money stolen from a bank account. We know the vast majority of cases of this are identity theft (which isn't PIN theft). If someone did steal my PIN, they'd also need my wallet. My wallet was only stolen in an armed robbery by people who made no attempt to use my cards.

And what evidence of tampering are you looking for? Wires hanging out? Screws not flush? Seriously, wtf does this even mean?

Didn't Mozy do that on White Collar? (0)

Anonymous Coward | more than 3 years ago | (#37120838)

Yeah, this isn't exactly new or news.

If I see (1)

hesaigo999ca (786966) | more than 3 years ago | (#37120866)

If I see someone hunched over the ATM I just finished using, with this thermal camera, guess what I will be doing....
smashing that camera to pieces in front of him.....

Seriously though, I think whether you dust for prints or heat or etc..... there is always a way to find the PIN, which is why I subscribe to the new SMS identification method Gmail/Facebook/Hotmail uses; they should use that for banks and for credit cards.

just wear gloves (0)

Anonymous Coward | more than 3 years ago | (#37120946)

...it's more sanitary anyway.

I type with the back of my nails (1)

ace37 (2302468) | more than 3 years ago | (#37121004)

I typically type two of the four numbers with the back of my fingernails. It won't help against video cameras unless I would try to obfuscate it further, but for any type of fingerprinting, thermal, oil, or other attempts to duplicate my PIN that I've seen in Hollywood movies or CSI, it's hard enough to figure out that the imaginary criminal would probably just jack the next guy instead. Plus it gives my wife something to make fun of if she ever catches it.

But honestly, if you manage to steal a card and get the PIN, all you could get is repeated $500 draws until the account is empty, and for most of us, that account balance isn't anything to retire on. If you want to steal money using cards on a small-time scale, it's easier to just work at any restaurant or small business for a few weeks.

The really capable criminals go after larger scale heists than snooping at the ATM, copying credit cards, or offering cash swaps with Nigerian princes. I think typically we elect them or have them appointed.

Michal Zalewski did it first (0)

Anonymous Coward | more than 3 years ago | (#37121020)

"Cracking safes with thermal imaging" http://lcamtuf.coredump.cx/tsafe/

chase fingerprints (0)

Anonymous Coward | more than 3 years ago | (#37121046)

Well, Chase is making it harder at least. They are installing covers on the number pad so that it's harder for a camera to see what you are typing.

work around (1)

scharkalvin (72228) | more than 3 years ago | (#37121108)

After you are finished with the ATM just press all the buttons on the keypad in random order leaving your finger on each key for a long hard press to really soak up your body heat. Kinda like scrambling the combination on a lock.
