Skip to Content

Heat from Fingertips Could Help ATM Hackers

An infrared camera could record which keys you pressed.
August 30, 2011

The secret codes typed in by banking customers can be recorded using the residual heat left behind on the keypad, says a group of researchers from the University of California at San Diego.

Hot hacker: A typical ATM keypad is shown at top. Below is a thermal image taken immediately after it’s been used. The code in this case was 1485.

The group’s paper, presented earlier this month at the USENIX Workshop on Offensive Technologies, shows that a digital infrared camera can read the digits of a customer’s PIN number on the keypad more than 80 percent of the time if used immediately. And if the camera is used a minute later, says Keaton Mowery, a doctoral student in computer science at UCSD, it can still detect the correct digits about half the time.

The research, which Mowery conducted with fellow student Sarah Meiklejohn and professor Stefan Savage, is based on previous work by well-known security researcher Michal Zalewski, who in 2005 used an infrared camera to detect codes punched into a safe with a keypad lock. While Zalewski was able to detect the codes even after five minutes, the UCSD researchers found that the chance of extracting the proper digits dropped to about 20 percent after 90 seconds.

The infrared method can circumvent defensive strategies, such as shielding the keypad. However, an ATM user could evade this infrared surveillance merely by placing a hand over the entire keypad to warm all of the keys, says Mowery. And if an ATM also uses the keypads for entering other numbers, such as the amount of money to withdraw, it contributes additional noise, says Meiklejohn.

The method has other weaknesses as well. “With plastic keypads, we can reliably detect which buttons were pressed, but it is really difficult to determine the order,” Mowery says. Even if the image was recorded immediately after the user typed it in, the order of the digits was only detectable about 20 percent of the time.

And if the keypad is metal, fuhgeddaboudit. “Essentially, if you pointed the camera directly at the metal keypad, it would show you the thermal fingerprint of you, the camera operator, rather than of the keypad itself,” Meiklejohn says. “However, we didn’t push it, because the plastic keypad did work. It’s possible that someone else could solve those issues.”

Combine all of these shortcomings with the cost of the infrared camera—$2,000 a month to rent, about $18,000 to buy—and the likelihood of anyone attacking an ATM this way is low, says researcher Zalewski. “Miniature daylight cameras are a lot simpler and more reliable,” he says. “So is mugging.”

Keep Reading

Most Popular

Workers disinfect the street outside Shijiazhuang Railway Station
Workers disinfect the street outside Shijiazhuang Railway Station

Why China is still obsessed with disinfecting everything

Most public health bodies dealing with covid have long since moved on from the idea of surface transmission. China’s didn’t—and that helps it control the narrative about the disease’s origins and danger.

individual aging affects covid outcomes concept
individual aging affects covid outcomes concept

Anti-aging drugs are being tested as a way to treat covid

Drugs that rejuvenate our immune systems and make us biologically younger could help protect us from the disease’s worst effects.

Europe's AI Act concept
Europe's AI Act concept

A quick guide to the most important AI law you’ve never heard of

The European Union is planning new legislation aimed at curbing the worst harms associated with artificial intelligence.

Stay connected

Illustration by Rose WongIllustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at customer-service@technologyreview.com with a list of newsletters you’d like to receive.