
Heat from Fingertips Could Help ATM Hackers

An infrared camera could record which keys you pressed.
August 30, 2011

The secret codes typed in by banking customers can be recorded using the residual heat left behind on the keypad, says a group of researchers from the University of California at San Diego.

Hot hacker: A typical ATM keypad is shown at top. Below is a thermal image taken immediately after it’s been used. The code in this case was 1485.

The group’s paper, presented earlier this month at the USENIX Workshop on Offensive Technologies, shows that a digital infrared camera can read the digits of a customer’s PIN from the keypad more than 80 percent of the time if the image is taken immediately after the keypad is used. And if the camera is used a minute later, says Keaton Mowery, a doctoral student in computer science at UCSD, it can still detect the correct digits about half the time.

The research, which Mowery conducted with fellow student Sarah Meiklejohn and professor Stefan Savage, is based on previous work by well-known security researcher Michal Zalewski, who in 2005 used an infrared camera to detect codes punched into a safe with a keypad lock. While Zalewski was able to detect the codes even after five minutes, the UCSD researchers found that the chance of extracting the proper digits dropped to about 20 percent after 90 seconds.

The infrared method can circumvent defensive strategies, such as shielding the keypad. However, an ATM user could evade this infrared surveillance merely by placing a hand over the entire keypad to warm all of the keys, says Mowery. And if an ATM also uses the keypad for entering other numbers, such as the amount of money to withdraw, that contributes additional noise, says Meiklejohn.

The method has other weaknesses as well. “With plastic keypads, we can reliably detect which buttons were pressed, but it is really difficult to determine the order,” Mowery says. Even when the image was recorded immediately after the user typed in the code, the order of the digits was detectable only about 20 percent of the time.

And if the keypad is metal, fuhgeddaboudit. “Essentially, if you pointed the camera directly at the metal keypad, it would show you the thermal fingerprint of you, the camera operator, rather than of the keypad itself,” Meiklejohn says. “However, we didn’t push it, because the plastic keypad did work. It’s possible that someone else could solve those issues.”

Combine all of these shortcomings with the cost of the infrared camera—$2,000 a month to rent, about $18,000 to buy—and the likelihood of anyone attacking an ATM this way is low, says researcher Zalewski. “Miniature daylight cameras are a lot simpler and more reliable,” he says. “So is mugging.”
