For those who think time at the ATM matters, consider a thermal camera like the one at the start of the video, concealed in the cabinet behind fake panels. You enter your PIN, move your hand away to touch the screen seconds later, and you're pwned. The thermal cam has your digits and a vague sense of your hand movements.
Cover the keypad with your other hand, take detours when moving your hand, and, now, pretend to press a handful of random keys.
I will try inserting bogus numbers into my PIN ritual and pretending to press them as part of entry. Should protect against hand movements and thermal imaging as well.
As does my list of potential sources for free thermal cameras.
That said, I've yet to find a skimmer, even though I check for them every time I use a terminal.
A better solution could be to heat the keys to about the same temperature as a human's finger tips, so that no heat is being transferred while entering a PIN.
> One potential risk-reduction pathway could be to make it illegal to sell thermal cameras without some kind of enhanced security included in their software.
Anyway, perhaps now is a good time to get a 2FA hardware token.
https://www.cloudflare.com/learning/access-management/what-i... https://github.com/w3c/webauthn/issues/1255 https://github.com/w3c/webauthn/issues/1616
The ideal of authentication (to me) seems to be some kind of USB dongle with your private key baked in the hardware, that you can use to create digital signatures proving your identity. Short of stealing the dongle, there is no way anyone can steal your identity.
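As an added illustration of the challenge-response the comment above describes (this is example code written for this page, not the commenter's, not a WebAuthn implementation, and not any real product's firmware): the "dongle" generates an Ed25519 key pair internally and exposes only a signing operation, the server stores just the public key, issues a fresh random challenge per login, and verifies the signature over the site origin plus that challenge. The `Dongle`/`RelyingParty` names, the single-use challenge table and the `sha256(origin) || challenge` message layout are my own assumptions, loosely modelled on how a WebAuthn assertion binds to an origin, not the spec's actual encoding.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Dongle models a hardware token: the private key is generated inside and
// never leaves the struct; the only operation exposed is Sign.
type Dongle struct {
	priv ed25519.PrivateKey
}

// NewDongle generates the key pair and hands back only the public half,
// which is what gets registered with the server.
func NewDongle() (*Dongle, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Dongle{priv: priv}, pub, nil
}

// assertionMessage binds the signature to the site the user is actually
// talking to. Hypothetical encoding: sha256(origin) || challenge.
func assertionMessage(origin string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(origin))
	return append(h[:], challenge...)
}

// Sign is what the token does when the client asks it to assert identity.
func (d *Dongle) Sign(origin string, challenge []byte) []byte {
	return ed25519.Sign(d.priv, assertionMessage(origin, challenge))
}

// RelyingParty is the server side: registered public keys plus outstanding
// challenges, each usable exactly once.
type RelyingParty struct {
	origin  string
	users   map[string]ed25519.PublicKey
	pending map[string][]byte
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{
		origin:  origin,
		users:   make(map[string]ed25519.PublicKey),
		pending: make(map[string][]byte),
	}
}

// Register stores the token's public key; the server never sees the private key.
func (rp *RelyingParty) Register(user string, pub ed25519.PublicKey) {
	rp.users[user] = pub
}

// NewChallenge issues 32 fresh random bytes for one login attempt.
func (rp *RelyingParty) NewChallenge(user string) ([]byte, error) {
	if _, ok := rp.users[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[user] = c
	return c, nil
}

// Verify consumes the outstanding challenge and checks the signature.
// A captured signature cannot be replayed (the challenge is deleted on first
// use) and a signature made for another origin fails (origin is in the message).
func (rp *RelyingParty) Verify(user string, sig []byte) error {
	challenge, ok := rp.pending[user]
	if !ok {
		return errors.New("no outstanding challenge")
	}
	delete(rp.pending, user)
	if !ed25519.Verify(rp.users[user], assertionMessage(rp.origin, challenge), sig) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	d, pub, err := NewDongle()
	if err != nil {
		panic(err)
	}
	rp := NewRelyingParty("https://bank.example") // constructed sample origin
	rp.Register("alice", pub)

	c, _ := rp.NewChallenge("alice")
	sig := d.Sign("https://bank.example", c)
	fmt.Println("genuine login:", rp.Verify("alice", sig))
	fmt.Println("replayed signature:", rp.Verify("alice", sig))

	c, _ = rp.NewChallenge("alice")
	fmt.Println("phished origin:", rp.Verify("alice", d.Sign("https://bank.example.evil", c)))
}
```

Two things to notice: a sniffed signature is useless to an attacker because the challenge it covers is consumed, and a token that signs for a look-alike origin produces a signature the real server rejects, which is the property a plain OTP code does not have.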
I guess these researchers haven't ever withdrawn money from an ATM.
> 86% of passwords when thermal images are taken within 20 seconds, and 76% when within 30 seconds
I don't know how long you spend at the ATM; myself, I suspect I would typically fit within the 20-second window. As far as keyboards go, I really don't ever interact with computers that don't belong to me or aren't in a secure area, but I have a custom-scripted "keyboard" USB circuit thing that emulates keypresses for me. I don't know what to even call it, but it's like a mini Arduino sort of thing that emulates a generic Microsoft keyboard to whatever you plug it into. It looks like a stick of RAM with a USB plug, kinda. I have a few preset buttons that'll type in my login info to automate logging into things. I made it as a hardware password manager.
That said, this is not a big problem for ATM PIN pads with metal keys, because these conduct heat well and so a heat pattern is hard to detect after a few seconds. See: https://www.youtube.com/watch?v=PJCfTlQ82Fw
https://www.reddit.com/r/mildlyinteresting/comments/bsx4ww/t...
A FLIR Lepton series[0], or similar, is much smaller, but still ~$160 each, and even though it is "smaller", it's not as easy to hide in an ATM as a cheap pinhole camera. It is also much lower resolution and has lower thermal sensitivity, which would most likely greatly reduce the places where you could deploy this equipment in a leave-behind covert setup.
It looks like a neat proof of concept, but probably not a day to day risk the average person needs to be concerned about.
[0] https://www.digikey.com/en/products/detail/flir-lepton/500-0...
The IR camera is used to defeat obscured keypads only...
He managed to make it work from 30 feet away, a minute after the key was entered.
Which is not bad in itself, but sometimes there's no obvious immediate impact. That's the beauty of science. You do it to learn about something, and somebody may be interested in that something further down the line. E.g. MRI research came from hypercolliders / space research. It's unlikely particle smashers wrote "this could be used to generate medical images" in their conclusions section. At most they probably wrote "this could be used to create black holes and kill everybody" instead. (/s)
Having to come up with a half-baked impact case as an afterthought in the conclusion often manages to ruin the entire paper for me. It's the case for this article too. I was like, "wow, wow, wow, interesting", until I reached the "this could be used to ban thermal cameras" part, at which point I was like, "no, no, no, God no".
Or maybe their fingers spent less time on keys