As part of the transition to EMV-chip cards in the U.S., some issuers are adding PIN security to cards that used to require only a signature. But as technology advances, the PIN may not provide as much security as consumers believe.
For example, the Apple Store is selling a thermal imaging device that is designed to detect energy leaks and nocturnal wildlife, but the $149.95 device can also detect the heat left by consumers' fingers after they type a PIN on a keypad at the ATM or point of sale, according to SEC-TEC Ltd., a British research firm that published a report on the fraud technique last week.
The technology itself is not new, but the price and the ability for it to blend in as part of a common smartphone make it a bigger threat, particularly because the heat signature varies enough for each key press that it can reveal the sequence of the PIN's digits.
Finger presses heat up the keys when touched, and those keys immediately start cooling when the finger is removed. Thus, the thermal image of a keypad will show the relative temperature of each key; the coolest key in the image was the first one pressed, and the hottest was the last.
To a human being, the time difference between key presses may seem trivialespecially for customers who have committed their PIN to memory and can hit the keys very quicklybut it's slower than it might seem, said Dave Wray, an SEC-TEC principal consultant.
"The time is between releasing the buttons. People tend to watch for a visual response, waiting for the third star to appear," Wray said, adding that testing found the thermal approach to be frighteningly effective. "It's perfectly reasonable that this can be done."
Keypad makers can thwart the attack by keeping the keys heated to skin temperature, and at least one American lock manufacturer has already deployed this solution, he said.
The attack method isnt perfect. A critical part is the length of time a keypad will hold the heat. The heat signature will linger for about a minute, but the attacker might lose this opportunity if the victim had a long ATM transaction after the PIN authentication, giving the heat signature enough time to dissipate.
A keypad inside a retail store or bank branch should be fairly temperature-stable, but an outdoor keypad can be exposed to extreme temperatures that obscure the thermal readings or preserve them. However, in the winter, consumers are more likely to wear gloves, making this attack even more difficult.
Plastic and rubber keypads retain more heat, but metal keypads cost more (though metal keys are more durable). Customers can thwart this attack method by entering the PIN and, after it's accepted, resting their fingers on all of the keys, which would obscure their PIN digits.
But the best defense against this type of attack would be to move on entirely from card-and-PIN authentication, said Richard Crone, a payments analyst at Crone Consulting.
"Getting rid of the card is the ultimate way of getting rid of this risk," he said. "This is yet another reason to move more quickly to cardless cash access."
It would be better to allow a mobile device to handle the authentication before the customer even gets near the ATM or point of sale, he said. He cited recent cardless cash efforts from Wintrust Bank and Avidia Bank as examples that the industry should emulate. NCR and BMO Harris are also pushing cardless approaches.
Al Pascual, director of fraud and security analysis at Javelin, echoed Crone's thought that thermal imaging is not a long-term fraud concern. EMV security is designed to eliminate the business case for card counterfeiting; even if the thief is able to get a victim's PIN covertly, the original card would still be needed to make any fraudulent transactions.
As EMV kills the U.S. card clone business, Pascual said, "as a criminal, you're trying to find other ways to get paid."
Any fraudster devoted enough to use this technique would also have to become an expert pickpocket, purse snatcher or in the most extreme cases be willing to rob a cardholder at gunpoint.
Especially as EMV spreads, thermal imaging is "not the typical type of fraud that people are going to experience," Pascual said.
The problem with the thermal approach is that it works only on certain keypads in certain weather conditions and within a certain timeframe after the PIN is typed, said Scott Strumello, a consultant at Auriemma Consulting Group.
"Not all have the same mechanism. They don't all work the same way," Strumello said. "I see it as a potential risk, but it's still limited to a very finite universe."