
Research: Metal ATM keypads can thwart snooping


Automated teller machine (ATM) users wary of snooping attacks by thieves may want to avoid machines with plastic keypads in favor of those with metal ones.

Researchers found that while criminals can use thermal cameras to “decode” a personal identification number based on ATM users’ heat signatures, they cannot do so if the keypad is metal.

“The researchers discovered that the metal pad made the attack nearly impossible to implement, but with the plastic PIN pad, it was even possible to determine from the heat signatures not only the numbers pressed but also the number order,” computer security firm Sophos said in a blog post.

It said researchers Keaton Mowery, Sarah Meiklejohn and Stefan Savage from the University of California at San Diego presented their findings at the USENIX Security Symposium last week.

For their study, the researchers had gathered 21 volunteers and had them test 27 randomly selected PINs using both plastic and brushed metal PIN pads.

Earlier studies had indicated that it would be easier for a criminal to snoop on ATM PINs using a thermal (infrared) camera to detect residual heat from keypresses than with current techniques using traditional video cameras.

“With the plastic PIN pad, the custom software the researchers wrote to automate the (keypress) analysis had approximately an 80 percent success rate at detecting all digits from a frame 10 seconds after the person entered their PIN. The success rate was still over 60 percent using a frame 45 seconds after the PIN was entered,” Sophos quoted the researchers as saying.

It added the study also showed the automation software used in analyzing keypresses “performs more accurately than the humans looking at the video.”

“While thermal cameras are a bit expensive, this research suggests that thieves could adopt this technique in the future. It’s easier to place and hide the camera, allows automated analysis and could return enough useful results to be profitable,” it said.

Sophos said that while this attack has not been used in the wild, “the cautious among us could opt to use ATMs with metal PIN pads to reduce the risk of becoming a victim.” — TJD, GMA News