Skip to Content

Heat from Fingertips Could Help ATM Hackers

An infrared camera could record which keys you pressed.
August 30, 2011

The secret codes typed in by banking customers can be recorded using the residual heat left behind on the keypad, says a group of researchers from the University of California at San Diego.

Hot hacker: A typical ATM keypad is shown at top. Below is a thermal image taken immediately after it’s been used. The code in this case was 1485.

The group’s paper, presented earlier this month at the USENIX Workshop on Offensive Technologies, shows that a digital infrared camera can read the digits of a customer’s PIN number on the keypad more than 80 percent of the time if used immediately. And if the camera is used a minute later, says Keaton Mowery, a doctoral student in computer science at UCSD, it can still detect the correct digits about half the time.

The research, which Mowery conducted with fellow student Sarah Meiklejohn and professor Stefan Savage, is based on previous work by well-known security researcher Michal Zalewski, who in 2005 used an infrared camera to detect codes punched into a safe with a keypad lock. While Zalewski was able to detect the codes even after five minutes, the UCSD researchers found that the chance of extracting the proper digits dropped to about 20 percent after 90 seconds.

The infrared method can circumvent defensive strategies, such as shielding the keypad. However, an ATM user could evade this infrared surveillance merely by placing a hand over the entire keypad to warm all of the keys, says Mowery. And if an ATM also uses the keypads for entering other numbers, such as the amount of money to withdraw, it contributes additional noise, says Meiklejohn.

The method has other weaknesses as well. “With plastic keypads, we can reliably detect which buttons were pressed, but it is really difficult to determine the order,” Mowery says. Even if the image was recorded immediately after the user typed it in, the order of the digits was only detectable about 20 percent of the time.

And if the keypad is metal, fuhgeddaboudit. “Essentially, if you pointed the camera directly at the metal keypad, it would show you the thermal fingerprint of you, the camera operator, rather than of the keypad itself,” Meiklejohn says. “However, we didn’t push it, because the plastic keypad did work. It’s possible that someone else could solve those issues.”

Combine all of these shortcomings with the cost of the infrared camera—$2,000 a month to rent, about $18,000 to buy—and the likelihood of anyone attacking an ATM this way is low, says researcher Zalewski. “Miniature daylight cameras are a lot simpler and more reliable,” he says. “So is mugging.”

Keep Reading

Most Popular

This startup wants to copy you into an embryo for organ harvesting

With plans to create realistic synthetic embryos, grown in jars, Renewal Bio is on a journey to the horizon of science and ethics.

VR is as good as psychedelics at helping people reach transcendence

On key metrics, a VR experience elicited a response indistinguishable from subjects who took medium doses of LSD or magic mushrooms.

This nanoparticle could be the key to a universal covid vaccine

Ending the covid pandemic might well require a vaccine that protects against any new strains. Researchers may have found a strategy that will work.

Stay connected

Illustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at customer-service@technologyreview.com with a list of newsletters you’d like to receive.