
This Simple iPhone Case can be Used to Steal ATM PINs


It’s a common wisecrack in the criminal community: this whole stealing ATM PINs thing would be a lot simpler if a gadget would just do all the work.

Sounds like a crazy dream, right?

After all, what thief wouldn’t love to steal ATM PINs via a handheld device?

This dream, frighteningly for us, may just come true with what appears to be an ordinary iPhone case.

It’s called the ‘FLIR One – Infrared Accessory’ and it fits the Apple iPhone 5 and 5s. The concept behind it is that the infrared camera on the case can pick up heat signatures and translate them into dynamic color images.

While it was initially created for security, home repairs and outdoor activities, thieves can use it to pick up the heat signatures left behind after an individual punches in a PIN at the ATM or a bank code at the supermarket.

So an amateur ATM-code thief can now buy an iPhone case with infrared-scanning capabilities. Thermal imaging technology—normally reserved for military operations and for hunting—can be bought from online stores and retailers for just a few hundred dollars.

With infrared technology, thieves can scan a keypad that you have punched your PIN into. They don’t have to use their hands – just the infrared accessory on their phones.

The thermal imaging camera does all the work – capturing an image of the heat that is left by your fingertips when they touch the buttons to enter the PIN. Using the dynamic color image of the thermal signature, crooks can easily tell the order of the PIN numbers.

And if you’re wondering if criminals could cause any damage with access to just the PIN and not the physical card, they can! They only require a radio frequency identification scanner that can capture your details from your card, even from three feet away.

Thermal imaging and ATM PIN theft

This isn’t the first time thermal imaging has grabbed headlines when it comes to stealing ATM PINs. Research presented at the USENIX Security Symposium in 2011 showed that thermal imaging, unlike traditional video cameras, can detect the residual heat left by keypresses.

Thermal image from research paper

Researchers who gave the presentation gathered volunteers to select random PIN numbers on a brushed metal PIN pad and a plastic PIN pad. The researchers found that the plastic PIN pad made it possible to determine the heat signatures of the numbers pressed as well as the number order.

The research also suggested that thieves could adopt thermal camera techniques in the future. It is easy for account robbers to hide such gadgets about their person, and they are inexpensive. The FLIR One case, for example, costs $350, which is a small investment for someone keen to access your account, steal your credit card data and find out your security codes.

How to protect yourself

Fortunately, there are some things you can do.

The design and science guru Mark Rober has made a video showing how you can easily prevent thieves from using this new strategy to steal your PIN and information.

After you swipe an ATM card, rest a couple of fingers on other buttons while typing in your code.

This warms buttons that are not part of your code, leaving a heat signature that even the savviest criminal with the best infrared camera or accessory won’t be able to decipher. It’s all about which buttons you touch on the machine.

Rober also points out that this theft method won’t work well on metal keypads, as they are more conductive and tend to dissipate heat too quickly.

How do you protect yourself when you use an ATM? Leave a comment below.

About Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.