
Cheap thermal imagers can steal user PINs

By Juha Saarinen on Aug 21, 2015 9:45AM

Metallic keys on PIN pads recommended.

A British infosec company has found that cheap thermal imaging accessories for smartphones can be used to glean personal identification numbers entered on push-button security devices such as bank ATMs.

Thermal imaging devices used to be bulky and expensive, but Sec-Tec told iTnews they can now be bought cheaply as compact iPhone accessories - for instance, the FLIR One, which retails for US$249 (A$340).

The company tested several PIN pads in ATMs, locks and safes with the thermal imagers and found they could "leak" the digits entered by legitimate users for longer than a minute after use.

Demonstration of thermal imaging attack on PIN pad. Source: Sec-Tec.

Sec-Tec said it had succeeded in defeating two-factor door locks by combining the thermal imaging attack vector with radio-frequency identification (RFID) cloning equipment.

While it was easy to work out which keys were pressed, it was much harder to figure out the order in which they were entered, Sec-Tec said. It devised two methods that assisted considerably in identifying the key ordering, but the firm did not disclose them.

Even if the key press ordering is not identified, Sec-Tec said few devices have a lock-out mechanism to stop repeated PIN entries - meaning it's easy to test all combinations of the leaked four-digit codes.
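To put the lock-out point in numbers, the following is an added illustration written for this page (it is not Sec-Tec's code and the firm's undisclosed ordering methods are not modelled). It assumes a standard 0-9 keypad and that the imager reveals exactly which keys were warm but not their order, then counts how many PINs remain consistent with that observation and how much a lock-out after a handful of wrong entries reduces a guesser's odds.

```python
"""Residual PIN search space after a thermal key-set leak.

Added example for this article, not Sec-Tec's code. Assumptions: a 0-9
keypad, a fixed PIN length, and an observation that tells the viewer which
keys were pressed (warm) and which were not (cold), but nothing about order.
"""
from itertools import product
from math import comb

DIGITS = "0123456789"


def candidate_pins(observed_keys, length=4):
    """Count PINs of `length` digits consistent with the leaked key set.

    A PIN is consistent if every warm key appears at least once and no cold
    key appears at all. Repeated digits are allowed, which is why three warm
    keys leave more candidates (36) than four warm keys (24).
    An empty observation means nothing leaked: all 10**length PINs remain.
    """
    keys = frozenset(observed_keys)
    if not keys:
        return 10 ** length
    if len(keys) > length:
        return 0  # more warm keys than digits: inconsistent observation
    return sum(1 for pin in product(sorted(keys), repeat=length)
               if frozenset(pin) == keys)


def guess_success_probability(observed_keys, max_attempts, length=4):
    """Chance that a guesser finds the PIN before a lock-out of `max_attempts`
    wrong entries, assuming the true PIN is uniformly distributed over the
    consistent candidates. With no lock-out, pass max_attempts >= candidates."""
    n = candidate_pins(observed_keys, length)
    if n == 0:
        return 0.0
    return min(max_attempts, n) / n


def total_pin_space(length=4):
    """Sanity check: summing candidates over every possible warm-key set
    (C(10, k) sets of size k) must reproduce the full 10**length keyspace."""
    return sum(comb(10, k) * candidate_pins(DIGITS[:k], length)
               for k in range(1, length + 1))


if __name__ == "__main__":
    # Constructed observation: four distinct warm keys on a 4-digit pad.
    warm = "1234"
    print("candidates consistent with warm keys", warm, "=",
          candidate_pins(warm))                      # 24 instead of 10000
    print("success odds, no lock-out:",
          guess_success_probability(warm, 10_000))   # 1.0
    print("success odds, lock-out after 3 attempts:",
          guess_success_probability(warm, 3))        # 0.125
```

The numbers make the article's two mitigations concrete from the defender's side: the thermal leak collapses a 10,000-PIN space to at most 36 candidates, so an unlimited retry policy is what turns a partial leak into a full compromise, while a three-attempt lock-out bounds a single attempt at the device to one-in-eight odds even when the whole key set has leaked.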

Preventing PIN disclosure through thermal imaging is relatively easy, the company said. Users can palm the keypad after use which, even after just a few seconds, makes thermal imaging attacks impossible.

Using metallic keys in PIN pads also defeats thermal imaging attacks, Sec-Tec said.
