Bank card: this algorithm can guess your PIN code, even if you hide it with your hand!

Computer security researchers have developed an algorithm capable of guessing the PIN code of your bank card, even if you shield the keypad with your hand. In 41% of cases, the researchers manage to obtain the code.


Although phishing remains one of hackers' preferred methods for obtaining your bank details, as with this fake Chronopost SMS or these fake ticket notices, some crooks still try to get straight to the point by spying on you at the cash machine (ATM). This method is not necessarily the most profitable, however, since it generally requires setting up a replica of the targeted ATM to maximize the chances of success.

But computer security researchers have found another way to get a user's PIN code. They have developed an algorithm capable of guessing the PIN code a customer enters at an ATM. Thanks to machine learning, this algorithm shows results that are promising and worrying at the same time: it manages to get the correct 4-digit PIN code in 41% of cases.

To do this, it is still necessary to have installed a replica of the targeted ATM, as the algorithm takes into account the specific dimensions of the ATM and the spacing between the keys to refine its results. It is then trained to recognize keypad presses, and assigns specific probabilities to a set of hypotheses.


[Figure: PIN code algorithm. Credit: arXiv]

This algorithm guesses your PIN code in less than two

For the purposes of the experiment, the researchers collected 5,800 videos of 58 different people entering 4- or 5-digit PIN codes on an ATM rigged for the occasion. By allowing themselves three tries, the maximum number of attempts before the card is blocked, the researchers reconstructed the correct sequence for a 5-digit PIN in 30% of cases, and in 41% of cases for a 4-digit PIN.


Note that the researchers also use a camera positioned on the upper part of the ATM to film and analyze the customer's hands. The algorithm can thus exclude keys based on the area covered by the non-typing hand, and deduce the digits pressed from the movements of the other hand by evaluating the distance between two keys. And if the camera in question is capable of capturing sound, the model could also recognize and remember the sound of each key when a user presses it, making the predictions even more precise.

To defend against this kind of particularly elaborate attack, the researchers advise, above all, systematically opting for a 5-digit PIN code if your bank allows it. They also recommend covering the keypad as much as possible with your other hand (the more of the area your hand covers, the lower the accuracy of the predictions). A third countermeasure would be to equip ATMs with virtual keypads instead of standard mechanical ones.
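The first two countermeasures can be checked against a toy probability model, added here as an example and not taken from the researchers' code: it ranks the most likely PINs from one probability distribution per keypress and sums the top three, matching the three attempts allowed before the card is blocked. The per-keypress distributions, the 80% confidence and the way hand coverage flattens them (`covered`) are all assumptions made for illustration.

```python
import heapq
from math import prod

def keypress(digit, neighbours, conf):
    """Constructed model output: `conf` on one key, the rest split over adjacent keys."""
    rest = (1 - conf) / len(neighbours)
    return {digit: conf, **{n: rest for n in neighbours}}

def covered(dist, cover):
    """Assumed effect of hand coverage: blend with a uniform guess over all ten keys."""
    return {d: (1 - cover) * dist.get(d, 0.0) + cover / 10 for d in "0123456789"}

def top_k_pins(dists, k=3):
    """Best-first search for the k most probable PINs, given one distribution per keypress."""
    ranked = [sorted(d.items(), key=lambda kv: -kv[1]) for d in dists]
    score = lambda idx: prod(ranked[p][i][1] for p, i in enumerate(idx))
    start = (0,) * len(ranked)
    heap, seen, out = [(-score(start), start)], {start}, []
    while heap and len(out) < k:
        neg, idx = heapq.heappop(heap)
        out.append(("".join(ranked[p][i][0] for p, i in enumerate(idx)), -neg))
        for p in range(len(idx)):  # successors: demote one keypress to its next-best digit
            nxt = idx[:p] + (idx[p] + 1,) + idx[p + 1:]
            if nxt[p] < len(ranked[p]) and nxt not in seen:
                seen.add(nxt)
                heapq.heappush(heap, (-score(nxt), nxt))
    return out

def success_within(dists, tries=3):
    """Chance the true PIN is among the first `tries` guesses, if the model is calibrated."""
    return sum(p for _, p in top_k_pins(dists, tries))

# Constructed sample: five keypresses, each 80% confident, errors on neighbouring keys.
PRESSES = [keypress("5", "2468", 0.8), keypress("1", "24", 0.8), keypress("9", "68", 0.8),
           keypress("0", "8", 0.8), keypress("3", "26", 0.8)]

if __name__ == "__main__":
    print("4 digits:", round(success_within(PRESSES[:4]), 4))
    print("5 digits:", round(success_within(PRESSES), 4))
    half = [covered(d, 0.5) for d in PRESSES[:4]]
    print("4 digits, half covered:", round(success_within(half), 4))
```

With these constructed inputs, the fifth digit and the flatter, covered distributions each lower the three-attempt success rate; the absolute figures are illustrative and are not the study's measurements.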

Source: Bleeping Computer



