Heat from keypresses can be used to work out PINs Researchers have documented a method for working out ATM PIN numbers using residual traces of heat left on keypads after they have been touched by a person’s fingers.The technique described (note: slow download) by Keaton Mowery, Sarah Meiklejohn and Stefan Savage of the University of California at San Diego explains how a thermal imaging camera could be used to visually record the heat left on each key as a way of snooping PINs.Using this simple principle it would be possible to record the numbers entered, including their exact order (more recent keypresses appearing as warmer), for up to a minute after they are entered. Even without being able to detect the precise order of the PIN entered, just knowing which four numbers were involved would reduce the number of PINs from 10,000 combinations to only 24.According to the researchers, if used in large-scale attacks the technique would in some cases outperform the tradition criminal method of shoulder-surfing PINs or recording them from a distance. The limitations of the attack included the weight with which the keys were pressed by a user (only heavier presses left enough heat) and the material from which it was made with plastic keypads relatively easy to detect and metal ones resisting the attack.“Based on our current results, the obvious approach to prevent our (and essentially any thermal-camera-based) attack would be to use metal keypads exclusively,” conclude the researchers. The air temperature culd also play a part in the success of detecting keypresses on metal ATM keypads, which could reduce the security advantage of using this defence in some circumstances.The research (credit to Chester Wisniewski of Sophos for noticing it on USENIX) was inspired by a 2005 study in which white hat researcher Michael Zalewski who tested the thermal imaging principle against safe keypad security. Related content news Okta confirms recent hack affected all customers within the affected system Contrary to its earlier analysis, Okta has confirmed that all of its customer support system users are affected by the recent security incident. By Shweta Sharma Nov 30, 2023 3 mins Data Breach Cyberattacks Cybercrime news Top cybersecurity product news of the week New product and service announcements from Wiz, Palo Alto Networks, Sophos, SecureAuth, Kasada, Lacework, Cycode, and more. By CSO staff Nov 30, 2023 17 mins Generative AI Security feature How to maintain a solid cybersecurity posture during a natural disaster Fire, flood, eathquake, hurricane, tornado: natural disasters are becoming more prevalent and they’re a threat to cybersecurity that isn’t always on a company’s radar. Here are some ways to prepare for the worst. By James Careless Nov 30, 2023 8 mins Security Operations Center Data and Information Security Security Practices news analysis Attackers could abuse Google's SSO integration with Windows for lateral movement Compromised Windows systems can enable attackers to gain access to Google Workspace and Google Cloud by stealing access tokens and plaintext passwords. By Lucian Constantin Nov 30, 2023 8 mins Multi-factor Authentication Single Sign-on Remote Access Security Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe