Watch out! Attackers Can Guess Your Credit Card PIN Even If You Are Covering the ATM Pad
Experts Advise People to Choose a 5-digit PIN Instead of a 4-digit One. Longer Pin Guarantees Better Protection.
Security experts have shown that a special-purpose deep-learning algorithm can be instructed to guess four-digit credit card PINs 41% of the time, even when the target is trying to cover the pad with their hands.
How Does It Work?
The attack requires the establishment of an exact copy of the target ATM. This is due to the importance of training the algorithm to match the dimensions and key spacing of various PIN pads.
Using videos of individuals entering PINs on the ATM pad, the replica is then taught to identify pad presses and assign precise probabilities to a set of guesses.
Below you can see the entire chain of the attack:
For this test, security specialists have gathered roughly 5,800 videos of 58 different individuals from various demographics, typing 4-digit and 5-digit PINs.
The machines on which the experts ran the predictive model were a Xeon E5-2670s with 128GB of RAM and three Tesla K20m with 5GB of RAM each.
Using three tries, which is usually the maximum number of times allowed before the card is temporarily suspended, the experts were able to recreate the correct succession for 5-digit PINs 30% of the time and 41% of the time for 4-digit PINs.
According to BleepingComputer, the algorithm can rule out keys based on non-typing hand coverage and guess typed digits based on the actions of the other hand by calculating the topological space between two keys.
The positioning of the camera that captures the attempts is crucial, especially when recording left or right-handed people. Security experts decided that hiding a pinhole camera at the top of the ATM is the best method for an attacker.
If the camera can record audio as well, the model could use pressing sound feedback that is a bit different for each digit, making the forecasts much more precise.
What Can You Do to Avoid Having Your PIN Stolen?
This experiment shows that solely covering the PIN pad with your other hand is insufficient to protect against deep learning-based threats, but here is what else you can do:
- If you have the option, pick a 5-digit PIN instead of a 4-digit one. A longer pin guarantees better protection. You might have some trouble remembering it, but it’s a safer choice.
- Try and cover the PIN pad as much as you can. The percentage of hand coverage significantly reduces prediction accuracy. A coverage percentage of 75% results in an accuracy of 0.55 for each attempt, whereas total coverage (100%) results in an accuracy of 0.33.
The researchers who conducted this experiment used the videos on a group of 78 people to see if humans could predict the hidden PINs as well, and if so, to what extent.
As showed by BleepingComputer, the participants responded with a 7.92 % accuracy, which is not enough when conducting this kind of attack.