Now there's another reason to keep your cash under your mattress — criminals can steal your ATM PIN using thermal cameras.
Researchers from the University of California, San Diego carried out a series of proof-of-concept attacks using a thermal camera mounted above a traditional ATM PIN pad. By reading the camera's images of the residual heat left on the keys, the researchers were able to detect which numbers had been pressed.
In some cases, depending on the size of the thermal imprint, the researchers could even detect in which order the keys were pressed, the security firm Sophos reported.
Researchers Keaton Mowery, Sarah Meiklejohn and Stefan Savage presented their paper, "Heat of the Moment: Characterizing the Efficacy of Thermal Camera-Based Attacks" at last week's USENIX Security Symposium in San Francisco.
Their tests, using 27 randomly selected four-digit codes on both plastic and brushed metal PIN pads, revealed that, although the metal PIN pad made thermal detection attacks almost impossible, the plastic PIN pads with rubber keys are a goldmine for potential thieves, because the residual heat lets an attacker recover a person's keystrokes after he has left the ATM.
Unlike metal keys, which retain heat for only a few seconds because of their high conductivity, rubber keys retain heat much longer, long enough to cause a serious problem: the researchers detected PINs with approximately 80 percent accuracy 10 seconds after the person entered their PIN. Forty-five seconds after the keys were pressed, the thermal cameras were still able to determine PINs with 60 percent accuracy. By that time, the target is presumably driving away as his bank account is being raided.
Traditional cameras used in ATM skimming attacks won't get the job done if the target blocks the camera's line of sight using their forearm or hand, for example. Thermal cameras, however, bypass such obstruction techniques by capturing the heat left over after the potential victim has left.
"Using a thermal camera instead provides an attacker the ability to recover the code even in the cases where, for example, a user's body is blocking the keypad throughout the transaction, or he just covers the keypad with his hand as he types in the PIN," the researchers wrote.
For now, there are no reports of thermal-camera-based attacks, which may have something to do with the cost: the researchers' camera cost $1,950 per monthly rental and $17,950 to buy. But when the potential reward of this hack is so high, it's only a matter of time before these heat-seeking cameras become part of an ATM thief's arsenal.
In the meantime, it's a good idea to stick to metal ATM keypads, or, better yet, go right to the bank teller. And if you're banking from your mobile phone or computer, make sure you have typed your bank's web address correctly and that the URL is highlighted in green, indicating a secure, encrypted HTTPS connection.