Researchers have devised a deep-learning algorithm that can effectively guess ATM PINs even when the user shields the keypad while typing. All an attacker needs to know is the target ATM's keypad setup and spacing.
New Algorithm Can Guess ATM PINs Even With Keypads Covered
Researchers from the University of Padua, Italy, and the Delft University of Technology, The Netherlands, have developed a novel strategy to recreate ATM PINs. Specifically, they have devised a new algorithm to guess an ATM PIN even if the user covers the keypads.
Users are generally advised to cover the ATM keypad while typing a PIN so that people nearby cannot see it. This practice mainly helps prevent ATM card theft. Likewise, security cameras in ATM spaces are installed so that they do not focus on the keypad, to protect users' privacy. Thermal cameras on their own are also not good at capturing keystrokes.
However, the newly devised algorithm strives to bypass these measures. As elaborated in their research paper, the algorithm detects the hand movements and positions of the individual while typing. An attacker who knows the target ATM's brand, model, etc., can then deduce the digits pressed on the machine from videos of the user. What matters here is replicating the target ATM's keypad.
To demonstrate the theory, the researchers conducted their study with 58 participants in a simulated ATM. They then tested the algorithm for varying levels of covering keypads (25%, 50%, 75%, and 100% covered).
In a real-world scenario, an attacker can place hidden cameras beside a target ATM to record videos. Rather than relying solely on this algorithm, an attacker can also couple it with other ATM attack strategies, such as card skimming, contactless card relay attacks, or physical card theft.
The following image illustrates the attack model step-by-step.
The researchers have also shared their code and datasets here for the research community to devise possible solutions.
The attack aims to bypass the hand-coverage strategy that prevents shoulder surfing. The researchers demonstrated that it could effectively guess ATM PINs even with 75% coverage. Consequently, the only case in which the algorithm fails is 100% coverage, since that hides all the movements of the typing hand.
Technically, there can be numerous countermeasures to prevent this attack. But most of them require alterations to ATMs that may interfere with the user experience.
The simplest strategy for users to avoid such threats is to cover their typing hand with the non-typing one or any other object. Specifically, they should ensure maximal coverage from above (the over position) instead of shielding from the sides. Doing so will significantly hide hand movements, thus reducing the algorithm's chances of detecting digits from the videos.