
This Simple iPhone Case can be Used to Steal ATM PINs

Posted on September 15th, 2014 by

It’s a common wisecrack around the criminal community. This whole stealing ATM PINs thing would be a lot simpler if a gadget would just do all the work.

Sounds like a crazy dream, right?

After all, what thief wouldn't love to steal ATM PINs via a handheld device?

This dream, frighteningly for us, may just come true with what appears to be an ordinary iPhone case.

It’s called the ‘FLIR One – Infrared Accessory’ and it fits the Apple iPhone 5 and 5s. The concept behind it is that the infrared camera on the case can pick up thermal heat signatures and translate them into dynamic color images.

While it was initially created for security, home repairs and outdoor activities, thieves can use it to pick up the thermal heat signatures left behind after an individual punches in a PIN at the ATM or a bank code at the supermarket.

So an amateur ATM-code thief can now buy an iPhone case with infrared-scanning capabilities. Thermal imaging technology—normally reserved for military operations and for hunting—can be bought from online stores and retailers for just a few hundred dollars.

With infrared technology, thieves can scan a keypad that you have punched your PIN into. They don’t have to use their hands – just the infrared accessory on their phones.

The thermal imaging camera does all the work – capturing an image of the heat that is left by your fingertips when they touch the buttons to enter the PIN. Using the dynamic color image of the thermal signature, crooks can easily tell the order of the PIN numbers.

And if you’re wondering if criminals could cause any damage with access to just the PIN and not the physical card, they can! They only require a radio frequency identification scanner that can capture your details from your card, even from three feet away.

Thermal imaging and ATM PIN theft

This isn’t the first time thermal imaging has grabbed headlines when it comes to stealing ATM PINs. Research presented at the USENIX Security Symposium in 2011 showcased how thermal imaging, unlike traditional video cameras, has the ability to detect residual heat from keypresses.

Thermal image from research paper

Researchers who gave the presentation gathered volunteers to select random PIN numbers on a brushed metal PIN pad and a plastic PIN pad. The researchers found that the plastic PIN pad made it possible to determine the heat signatures of the numbers pressed as well as the number order.

The research also suggested that the thieves could adopt the use of thermal camera techniques in the future. It is easy for account robbers to hide such gadgets about their person, and they are inexpensive. The FLIR One case for example costs $350, which is a small investment for someone keen to access your account, steal your credit card data and find out your security codes.

How to protect yourself

Fortunately, there are some things you can do.

The design and science guru Mark Rober has made a video showing how you can easily prevent thieves from using this new strategy to steal your PIN and information.

After you swipe an ATM card, rest a couple of fingers on other buttons while typing in your code.

This would leave a signature that even the savviest criminal with the best infrared camera/accessory won’t be able to detect. It’s all about the buttons you press on the machine.
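To put a number on that countermeasure, here is an added example (not part of the original post) that counts how many PINs remain consistent with a set of warm keys. It assumes a 4-digit PIN, three attempts before the card is retained, and decoy keys that look the same as real presses; the PIN `2580` and the decoy keys are constructed sample values.

```python
from itertools import product
from math import comb

PIN_LEN = 4       # assumption: 4-digit PIN
MAX_ATTEMPTS = 3  # assumption: card is retained after three wrong tries


def pins_pressing_exactly(warm_keys, length=PIN_LEN):
    """Enumerate PINs whose pressed digits are exactly the warm keys.

    Models a keypad with no decoy heat: every warm key was really pressed,
    but the order of the presses is not known.
    """
    keys = set(warm_keys)
    return ["".join(p) for p in product(sorted(keys), repeat=length)
            if set(p) == keys]


def count_exact(k, length=PIN_LEN):
    """Closed form of the count above (inclusion-exclusion over unused keys)."""
    return sum((-1) ** i * comb(k, i) * (k - i) ** length
               for i in range(k + 1))


def count_with_decoys(warm_keys, length=PIN_LEN):
    """With decoy heat, each warm key may or may not belong to the PIN."""
    return len(set(warm_keys)) ** length


def guess_success_probability(candidates, attempts=MAX_ATTEMPTS):
    """Chance that one of `attempts` distinct guesses is the real PIN."""
    return min(1.0, attempts / candidates)


if __name__ == "__main__":
    pin_keys = "2580"         # constructed sample PIN digits
    decoys = "147"            # constructed: keys warmed by resting fingers
    scenarios = {
        "no decoys, order readable": 1,
        "no decoys, order lost": len(pins_pressing_exactly(pin_keys)),
        "three decoy keys": count_with_decoys(pin_keys + decoys),
    }
    for name, n in scenarios.items():
        p = guess_success_probability(n)
        print(f"{name:28s} candidates={n:5d}  P(success in 3 tries)={p:.4f}")
```

A PIN with a repeated digit leaves only three warm keys; `count_exact(3)` gives 36 candidates for that case, still a small space compared with the decoy scenario.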

Rober also points out that metal keypads won’t work well for this theft method as they tend to dissipate heat too quickly and are more conductive.

How do you protect yourself when you use an ATM? Leave a comment below.

About Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security. Follow him on Twitter at @gcluley.
  • Denise

    Are you saying I should type in my PIN using a pen, my keys, ie, some other object besides my fingers?

  • gregrg

    Good FLIR countermeasure advice, but you say “[criminals] only require a [RFID] scanner that can capture your details from your card.” Protect against that by refusing RFID (“wave and pay” or “contactless”) cards – or if you are bold, disabling them. Someone with a scanner may be able to make payments remotely from your card without needing the PIN at all.

  • Katie

    My mom just got 600$ stolen from her account after she used an ATM at her bank and some guy at the ATM next to her said, “Does your ATM work?” My mom, thinking nothing of it, said yes, got her receipt, made sure to end her session and went about her business. The next morning she checked her bank because she was supposed to pay rent, and 600$ was gone just like that!!! Grrr, this makes me so upset!! People should learn how to make their own money and stop stealing others' hard-earned cash. Luckily they caught everything on camera, so hopefully this guy's caught, but it's so upsetting. My mom works hard to pay her rent and barely makes it as it is, and for some guy to come along and steal that from her is just wrong. This all happened last week …

  • jayanta dey

    PIN is now old-fashioned. Unlock your iPhone with your fingerprint even faster with second-generation Touch ID on iPhone 6S/6S Plus, which is more secure and fast.
