Thermal-based camera PIN monitoring techniques revealed by researchers

The Gizmondo newswire notes that the UCSD researchers were able to point their thermal cameras towards both plastic and metal ATM PINpads and concluded that whilst metal pads were secure against this type of attack, the success rate of detecting all the digits on plastic pads was around 80% after 10 seconds and 60% after 45 seconds.

“If you think about your average ATM trip, that's a pretty wide window and an embarrassingly high success rate for thieves to take advantage of,” says the newswire.

Thermal cameras, adds the newswire, are better suited to pilfering PINs than video cameras because they work even when a person shields her hand.

“The person's body temperature, the strength of the button presses and the length of the press all helped thermal cams figure out the person's PIN and sequence. I think it's time to start pressing random numbers at the ATM before criminals and thieves realize how awesome thermal cams can be for their line of work”, notes Gizmondo.

According to Chester Wiesniewski, a security researcher with Sophos Canada, meanwhile, the UCSD researchers presented their research at the Usenix security symposium earlier this month, along with a paper entitled "Heat of the Moment: Characterizing the Efficacy of Thermal Camera-Based Attacks."

“Unlike with traditional cameras, visually masking the PINpad does not defeat the attack, and the ability to automate PIN harvesting using computer software further simplifies the task”, he says in his latest security posting, adding that the researchers gathered 21 volunteers and had them test 27 randomly selected PIN numbers using both plastic and brushed metal pads.

The strength of the participants' button presses and their body temperature, says the Sophos Canada researcher, were shown to affect the results to a certain degree.

The researchers also, he adds, compared human analysis of the video footage with their automation software, and the comparison revealed that the software not only works but often performs more accurately than the humans looking at the video.

“While thermal cameras are a bit expensive, this research suggests that thieves could adopt this technique in the future. It's easier to place and hide the camera, allows automated analysis and could return enough useful results to be profitable”, Wiesniewski explained in his latest posting.

“As far as we know, this attack hasn't been used in the wild, but the cautious among us could opt to use ATMs with metal PIN pads to reduce the risk of becoming a victim”, he concluded.
