Using thermal scanners to steal PIN codes

    At the USENIX Security Symposium, researchers at the University of California presented a report, "Hot Moment: Investigating the Effectiveness of Attacks Using Thermal Scanners".

    Inspired by the publications of Michael Zalewski, they suggested that it would be much easier for criminals to steal bank card PIN codes with thermal (infrared) scanning technology than with traditional video cameras.

    This method has many advantages. Unlike a conventional camera, the system goes unnoticed, and the ability to automate the process in software greatly simplifies the task.

    Working with 21 volunteers, the researchers studied how readable the thermal pattern is on PIN pads with plastic buttons and with polished metal buttons. The attack turned out to be almost impossible when the buttons are metal. When the buttons are plastic, even the order in which the code was entered could easily be read.
    Using specially developed software, it was possible to achieve 80% success when the thermal pattern was scanned in the first ten seconds. When the pattern was scanned within 45 seconds, the PIN code recognition success was still high: 60%.

    The work leaves some questions unresolved: how successful recognition is when the sequence contains repeated digits, and whether the code can be recognized at all if the user enters additional information, such as the transaction amount or the recipient.

    To date, there is no data on attacks using thermal scanners, but experts suggest that similar PIN theft schemes are possible in the future, despite the high cost of the equipment.
