iTnews

Cheap thermal imagers can steal user PINs

By Juha Saarinen on Aug 21, 2015 9:45AM

Metallic keys on PIN pads recommended.

A British infosec company has found that cheap thermal imaging accessories for smartphones can be used to glean personal identification numbers entered on push-button security devices on bank ATMs.

Thermal imaging devices used to be bulky and expensive, but Sec-Tec told iTnews they can now be bought cheaply as compact iPhone accessories - for instance, the FLIR One, which retails for US$249 (A$340).

The company tested several PIN pads in ATMs, locks and safes with the thermal imagers and found they could "leak" the digits entered by legitimate users for longer than a minute after use.

Demonstration of thermal imaging attack on PIN pad. Source: Sec-Tec.

Sec-Tec said it had succeeded in defeating two-factor door locks by combining the thermal imaging attack vector with radio-frequency identification (RFID) cloning equipment.

While it was easy to work out which keys were pressed, it was much harder to figure out the order in which they were entered, Sec-Tec said. It devised two methods that assisted considerably in identifying the key ordering, but the firm did not disclose them.

Even if the key press ordering is not identified, Sec-Tec said few devices have a lock-out mechanism to stop repeated PIN entries - meaning it's easy to test all combinations of four-digit codes.
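To quantify the lock-out point above, the following added example (not from Sec-Tec or iTnews) counts the four-digit codes consistent with a set of warm keys whose order is unknown, and shows how an attempt limit bounds the chance of compromise. The function names and the attempt limits of 10 and 3 are assumptions chosen for illustration.

```python
from fractions import Fraction
from itertools import product

PIN_LENGTH = 4  # the article discusses four-digit codes


def candidate_pins(warm_keys, length=PIN_LENGTH):
    """Every PIN of `length` digits that uses exactly the keys seen as warm.

    The image shows which keys were touched, not their order, and a repeated
    digit appears as fewer warm keys than the PIN has digits.
    """
    keys = set(warm_keys)
    if not 1 <= len(keys) <= length:
        raise ValueError(f"expected 1 to {length} distinct keys")
    return ["".join(p) for p in product(sorted(keys), repeat=length)
            if set(p) == keys]


def compromise_probability(warm_keys, attempt_limit, length=PIN_LENGTH):
    """Chance the PIN is hit before lock-out when each guess is a distinct
    candidate. attempt_limit=None models a device with no lock-out."""
    total = len(candidate_pins(warm_keys, length))
    if attempt_limit is None:
        return Fraction(1)
    return Fraction(min(attempt_limit, total), total)


def residual_risk_table(attempt_limits=(None, 10, 3)):
    """Rows of (distinct warm keys, candidate count, {limit: probability})."""
    rows = []
    for distinct in range(1, PIN_LENGTH + 1):
        keys = "1234"[:distinct]  # constructed sample; which digits is irrelevant
        risks = {lim: compromise_probability(keys, lim) for lim in attempt_limits}
        rows.append((distinct, len(candidate_pins(keys)), risks))
    return rows


if __name__ == "__main__":
    for distinct, count, risks in residual_risk_table():
        cells = []
        for limit, prob in risks.items():
            label = "no lock-out" if limit is None else f"{limit} tries"
            cells.append(f"{label}: {float(prob):.0%}")
        print(f"{distinct} warm keys -> {count:2d} candidates | " + ", ".join(cells))
```

A three-attempt limit holds the risk to 12.5% when four distinct keys are warm, but gives no protection to a PIN made of one repeated digit, which leaves a single candidate.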

Preventing PIN disclosure through thermal imaging is relatively easy, the company said. Users can palm the keypad after use which, even after just a few seconds, makes thermal imaging attacks impossible.

Using metallic keys in PIN pads also defeats thermal imaging attacks, Sec-Tec said.
