The latest is this neat hack that came out of a method outlined by Michal Zalewski back in 2005:
Security researchers have found that thermal cameras can be combined with computer algorithms to automate the process of stealing payment card data processed by automatic teller machines.
At the Usenix Security Symposium in San Francisco last week, the researchers said the technique has advantages over more common ATM skimming methods that use traditional cameras to capture the PINs people enter during transactions. That’s because customers often obscure a camera’s view with their bodies, either inadvertently or on purpose. What’s more, it can take a considerable amount of time for crooks to view the captured footage and log the code entered during each session.
Thermal imaging can vastly improve the process by recovering the code for some time after each PIN is entered. Their output can also be processed by an algorithm that automates the process of translating it into the secret code.
The hack works extremely efficiently on ATMs using plastic keypads, it will not work on metal keypads and this method works up to 60 seconds after you’ve used the ATM.
I’m not sure about you guys but all the ATMs I’ve seen here are using metal keypads, so it wouldn’t work too well over here.
Either way it’s a fairly cool hack and I’m glad to see, so far there’s no proof of thieves using it in the wild.
The findings expand on 2005 research from Michal Zalewski, who is now a member of Google’s security team. The Usenix presenters tested the technique laid out by Zalewski on 21 subjects who used 27 randomly selected PINs and found the rate of success varied depending on variables including the types of keypads and the subjects’ body temperature.
“In summary, while we document that post-hoc thermal imaging attacks are feasible and automatable, we also find that the window of vulnerability is far more modest than some feared and that there are simple counter-measures (i.e., deploying keypads with high thermal conductivity) that can shrink this vulnerability further still,” the researchers wrote.
I wonder if we’ll see a spate of real life attacks based around this technique now the paper has been published publicly.
You can grab the paper discussing the technique here: Heat of the Moment: Characterizing the Efficacy of Thermal Camera-Based Attacks [PDF].
Source: The Register