Using thermal scanners to steal PIN codes

At the USENIX Security Symposium, researchers at the University of California presented a report on “Hot Moment: An Investigation of the Effectiveness of Attacks Using Thermal Scanners.”

Inspired by the publications of Michael Zalewski , they suggested that it would be much easier for criminals to steal the PIN codes of bank cards using the technology of warm (infrared) scanning, rather than using traditional video cameras.

This method has many advantages. In contrast to the use of conventional cameras, the system goes unnoticed, and the ability to automate the process with the help of software greatly simplifies the task.
')
Researchers with 21 volunteers studied the quality of readability of the thermal pattern under the conditions: the PIN-pad buttons are made of plastic and polished metal. It turned out that the attack is almost impossible if the PIN-pad buttons are made of metal, in the case when the buttons are made of plastic, it was even possible to read the code entry sequence easily.
With the help of specially developed software, it was possible to achieve 80% success when scanning a thermal pattern in the first ten seconds. In case the image was scanned within 45 seconds, the PIN recognition success was still great - 60%.

Questions remain unsolved in the work, what is the success of recognition in the case of the presence of duplicate numbers in the sequence; is it possible to recognize the code if the user enters additional information, such as the amount of the transaction, the recipient, etc.

To date, there are no data on attacks using heat scanners, but experts suggest that in the future such schemes of theft of PIN codes are possible, despite the high cost of equipment.

Report text