posted by Fnord666 on Monday October 18 2021, @10:37PM   Printer-friendly
from the enter-your-PIN-using-your-nose dept.

Credit card PINs can be guessed even when covering the ATM pad:

Researchers have proven it's possible to train a special-purpose deep-learning algorithm that can guess 4-digit card PINs 41% of the time, even if the victim is covering the pad with their hands.

The attack requires the setting up of a replica of the target ATM because training the algorithm for the specific dimensions and key spacing of the different PIN pads is crucially important.

Next, the machine-learning model is trained to recognize pad presses and assign specific probabilities on a set of guesses, using video of people typing PINs on the ATM pad.

[...] This experiment proves that covering the PIN pad with the other hand is not sufficient to defend against deep learning-based attacks, but thankfully, there are some countermeasures you can deploy.


  • (Score: 4, Interesting) by JoeMerchant on Monday October 18 2021, @10:39PM (20 children)

    by JoeMerchant (3937) on Monday October 18 2021, @10:39PM (#1188201)

    I had the same PIN on my ATM card from 1983 until about 2017 when the bank finally made me change it.

    Account hacks due to a 30+ year old PIN: zero.

    --
    🌻🌻 [google.com]
    • (Score: 3, Insightful) by Tork on Tuesday October 19 2021, @12:00AM (12 children)

      by Tork (3914) Subscriber Badge on Tuesday October 19 2021, @12:00AM (#1188219)

      Isn't the concern being held up at an ATM?

      --
      🏳️‍🌈 Proud Ally 🏳️‍🌈
      • (Score: 4, Insightful) by JoeMerchant on Tuesday October 19 2021, @12:22AM (10 children)

        by JoeMerchant (3937) on Tuesday October 19 2021, @12:22AM (#1188228)

        If you are being held up at an ATM for money still in the account, I assume they would beat the PIN out of you more likely than taking it by more clever methods.

        --
        🌻🌻 [google.com]
        • (Score: 2) by Tork on Tuesday October 19 2021, @12:33AM (8 children)

          by Tork (3914) Subscriber Badge on Tuesday October 19 2021, @12:33AM (#1188233)
          Right but wasn't there a push to make it so reversing your pin would effectively be like calling 911? Alternatively wouldn't the pin be needed for skimmers to work?
          --
          🏳️‍🌈 Proud Ally 🏳️‍🌈
          • (Score: 2) by Tork on Tuesday October 19 2021, @12:35AM (4 children)

            by Tork (3914) Subscriber Badge on Tuesday October 19 2021, @12:35AM (#1188234)
            Sorry I should have written a lil more before I submitted. I was under the impression the point was that ATMs are being staked out with cameras... so in the case of the reverse pin (if that's even real ... ) the would-be attacker would need to see it, and I'm pretty sure a credit card skimmer would also need the pin. That's not stored on the card as far as I understand.
            --
            🏳️‍🌈 Proud Ally 🏳️‍🌈
            • (Score: 0) by Anonymous Coward on Tuesday October 19 2021, @12:54AM

              by Anonymous Coward on Tuesday October 19 2021, @12:54AM (#1188237)

              Uh oh, my pin is a "palindrome". Does that mean the cops come out every time I withdraw cash?

            • (Score: 0) by Anonymous Coward on Tuesday October 19 2021, @01:18AM (2 children)

              by Anonymous Coward on Tuesday October 19 2021, @01:18AM (#1188248)

              Why would robbers rob you AT the ATM? You should probably stop watching so many movies, as you don't appear to have a solid grounding in reality.

              • (Score: 2) by Tork on Tuesday October 19 2021, @01:29AM

                by Tork (3914) Subscriber Badge on Tuesday October 19 2021, @01:29AM (#1188252)
                Google it.
                --
                🏳️‍🌈 Proud Ally 🏳️‍🌈
              • (Score: 0) by Anonymous Coward on Tuesday October 19 2021, @06:03PM

                by Anonymous Coward on Tuesday October 19 2021, @06:03PM (#1188481)

                "Cause that is where the money is."

          • (Score: 2) by JoeMerchant on Tuesday October 19 2021, @02:15AM (2 children)

            by JoeMerchant (3937) on Tuesday October 19 2021, @02:15AM (#1188267)

            So, the PIN might protect against skimmers... reverse the PIN for 911, um... doubt that would do much in real life, except invalidate palindromic pins.

            --
            🌻🌻 [google.com]
            • (Score: 2) by Immerman on Tuesday October 19 2021, @02:55AM (1 child)

              by Immerman (3985) on Tuesday October 19 2021, @02:55AM (#1188284)

              I don't know, it would give you a good argument that you're not responsible for the stolen money, and potentially allow the police to start tracking the criminal down immediately.

              Yeah, I know, ubiquitous surveillance is only for fighting theoretical crime. Asking authorities to use it to track down criminals in a timely fashion is offensive to their union. Never mind that that is *exactly* the argument used to implement it in the first place.

              Meanwhile, while 10% of 2- and 3-digit numbers are palindromes, only 1% of 4- and 5-digit numbers are, and that falls by another factor of 10 for each additional two digits. So there's not much loss there, regardless of whether you ban those pins, or simply leave them out of the automated alert system.
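The reverse-PIN duress idea and the palindrome numbers above, as an added worked example that is not from the thread or from any bank's code: a hypothetical bank-side verifier (all function names invented here) that treats the enrolled PIN typed backwards as a silent duress signal, and an exact count of the palindromic PINs such a scheme has to exclude at enrollment.

```python
"""Reverse-PIN duress signalling and the palindrome edge case.

Added example, not from the thread or any bank's code: a hypothetical
bank-side verifier that treats the enrolled PIN typed backwards as a
silent duress signal, plus the count of palindromic PINs that such a
scheme has to exclude. All function names are invented for illustration.
"""
from fractions import Fraction
from itertools import product


def is_palindrome(pin: str) -> bool:
    """True when the PIN reads the same backwards ("0110", "7337")."""
    return pin == pin[::-1]


def palindrome_fraction(n_digits: int) -> Fraction:
    """Exact fraction of n-digit PINs that are palindromes.

    Enumerates every zero-padded n-digit string, so leading zeros count.
    Closed form: a palindrome is fixed by its first ceil(n/2) digits, so
    the fraction is 10**ceil(n/2) / 10**n, i.e. 10% for 2 and 3 digits,
    1% for 4 and 5 digits, and a further factor of 10 per two digits.
    """
    if not 1 <= n_digits <= 6:
        raise ValueError("enumeration kept small on purpose")
    total = 10 ** n_digits
    count = sum(1 for digits in product("0123456789", repeat=n_digits)
                if is_palindrome("".join(digits)))
    return Fraction(count, total)


def enroll_pin(pin: str) -> str:
    """Validate a new 4-digit PIN at enrollment.

    A palindrome is rejected: its reverse is itself, so a customer with
    such a PIN could never raise the duress signal, and the verifier
    could not tell a normal entry from a duress entry.
    """
    if not (pin.isdigit() and len(pin) == 4):
        raise ValueError("PIN must be exactly four digits")
    if is_palindrome(pin):
        raise ValueError("palindromic PIN cannot carry a duress signal")
    return pin


def verify_pin(entered: str, enrolled: str) -> str:
    """Classify one entry: 'ok', 'duress' (enrolled PIN reversed) or 'reject'.

    Assumes `enrolled` passed enroll_pin, so enrolled[::-1] != enrolled
    and the three outcomes are mutually exclusive. A 'duress' result
    should dispense normally and alert out of band; it must never
    change what the customer at the keypad sees.
    """
    if not (entered.isdigit() and len(entered) == 4):
        return "reject"
    if entered == enrolled:
        return "ok"
    if entered == enrolled[::-1]:
        return "duress"
    return "reject"


if __name__ == "__main__":
    for n in range(2, 6):
        frac = palindrome_fraction(n)
        print(f"{n}-digit PINs: {frac} are palindromes ({float(frac):.1%})")
    pin = enroll_pin("1234")  # constructed sample PIN
    for attempt in ("1234", "4321", "1243"):
        print(attempt, "->", verify_pin(attempt, pin))
    try:
        enroll_pin("7337")
    except ValueError as err:
        print("enroll 7337 ->", err)
```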

              • (Score: 3, Informative) by JoeMerchant on Tuesday October 19 2021, @12:10PM

                by JoeMerchant (3937) on Tuesday October 19 2021, @12:10PM (#1188371)

                But palindromes are easier to remember.

                I, man, am Regal, a German am I
                Never odd or even
                If I had a Hi-Fi
                Madam, I'm Adam
                Too hot to hoot
                No lemons no melon
                Too bad I hid a boot
                Lisa Bonet ate no basil
                Warsaw was raw
                Was it a car or a cat I saw?

                Rise to vote, sir
                Do geese see God?
                Do nine men Interpret? Nine men I nod
                Rats live on no evil star
                Won't lovers revolt now?
                Race fast safe car
                Pa's a sap
                Ma is as selfless as I am
                May a moody baby doom a yam

                [Harmonica Solo]

                Ah Satan sees Natasha
                No devil lived on
                Lonely Tylenol
                Not a banana baton
                No X in Nixon
                O stone, be not so
                O Geronimo, no minor ego
                "Naomi" I moan
                A Toyota's a Toyota
                A dog, a panic, in a pagoda
                Oh no, Don Ho
                Nurse, I spy gypsies, run!
                Senile felines
                Now I see bees, I won
                UFO tofu
                We panic in a pew
                Oozy rat in a sanitary zoo
                God, a red nugget, a fat egg under a dog
                Go hang a salami, I'm a lasagna hog

                --
                🌻🌻 [google.com]
        • (Score: 3, Informative) by Gaaark on Tuesday October 19 2021, @07:19PM

          by Gaaark (41) on Tuesday October 19 2021, @07:19PM (#1188523) Journal

          John Galt is a selfish crybaby [huffpost.com].

          Love your sig: that is the worst book ever. Galt's "greatest ever speech" is 80ish pages long, with quotes like "A is A and B is B" and makes no sense whatever especially when put up against things like the government bailing out the banking industry and (in Canada) the bailing out of Alberta's oil industry, etc etc etc.

          Atlas Shrugged is a poor book altogether.

          --
          --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
      • (Score: 2) by DannyB on Tuesday October 19 2021, @05:59PM

        by DannyB (5839) Subscriber Badge on Tuesday October 19 2021, @05:59PM (#1188479) Journal

        Isn't the concern being held up at an ATM?

        If they just hurry it up, so I am not delayed, then I won't be too concerned.

        Isn't the concern being held up at an ATM?

        If they don't hold me so high up so that I can still reach the keypad, then I won't be concerned.

        --
        People today are educated enough to repeat what they are taught but not to question what they are taught.
    • (Score: 2) by mcgrew on Tuesday October 19 2021, @01:46PM (4 children)

      by mcgrew (701) <publish@mcgrewbooks.com> on Tuesday October 19 2021, @01:46PM (#1188397) Homepage Journal

      Lucky you. Back in 2006 I used my debit card in a bar to get cash, and somebody saw me punch the number in, and somehow stole the card. If you have the card and the number, you have the account. The banks will not reimburse you. It cost me a couple thousand bucks.

      Needless to say, I will no longer have a debit card. There is no protection. OTOH if somebody steals your credit card, your loss is no more than fifty bucks.

      --
      mcgrewbooks.com mcgrew.info nooze.org
      • (Score: 3, Informative) by JoeMerchant on Tuesday October 19 2021, @03:00PM (3 children)

        by JoeMerchant (3937) on Tuesday October 19 2021, @03:00PM (#1188423)

        The solution we set up for our 18 year old is: debit card connected to one account with "spending money" in it. Transfer money in as needed, from a secure location.

        --
        🌻🌻 [google.com]
        • (Score: 2) by DannyB on Tuesday October 19 2021, @06:06PM

          by DannyB (5839) Subscriber Badge on Tuesday October 19 2021, @06:06PM (#1188483) Journal

          We have done something similar for some online services that need a card number. Use a debit card tied to a separate checking account with limited money in it.

          But mostly we simply use credit cards for the rewards, and keep them paid off as we use them.

          If a debit card gets stolen in a hack, you may get your money back, but you might not be able to use that checking account for something like ten days.

          Credit cards are less of a problem and tend to get such problems resolved very quickly.

          --
          People today are educated enough to repeat what they are taught but not to question what they are taught.
        • (Score: 2) by mcgrew on Friday October 22 2021, @05:41PM (1 child)

          by mcgrew (701) <publish@mcgrewbooks.com> on Friday October 22 2021, @05:41PM (#1189669) Homepage Journal

          As long as there's less than $50 in the account it's as secure as a credit card, unless your bank pays overdrafts and then charges you a fee on top of it. The best thing is to teach your kids to use a checkbook.

          --
          mcgrewbooks.com mcgrew.info nooze.org
          • (Score: 2) by JoeMerchant on Friday October 22 2021, @06:17PM

            by JoeMerchant (3937) on Friday October 22 2021, @06:17PM (#1189683)

            This 18 year old has Autism, IQ tests out over 130 in some dimensions, under 50 in others... First time we went out shopping with his "swipe card" he quick-transferred all the money out of the checking account to savings before we left, then acted surprised when the card was denied - ponied up his own cash to cover though. I'm afraid of what he might try with paper checks.

            --
            🌻🌻 [google.com]
    • (Score: 2) by isostatic on Tuesday October 19 2021, @05:24PM (1 child)

      by isostatic (365) on Tuesday October 19 2021, @05:24PM (#1188468) Journal

      1077? Price of a cheese pizza and soda?

      • (Score: 2) by DannyB on Tuesday October 19 2021, @06:09PM

        by DannyB (5839) Subscriber Badge on Tuesday October 19 2021, @06:09PM (#1188485) Journal

        Just don't buy any anchovies.

        --
        People today are educated enough to repeat what they are taught but not to question what they are taught.
  • (Score: 2) by looorg on Monday October 18 2021, @10:59PM (5 children)

    by looorg (578) on Monday October 18 2021, @10:59PM (#1188206)

    The model can exclude keys based on the non-typing hand coverage, and deduces the pressed digits from the movements of the other hand by evaluating the topological distance between two keys.
    If the camera is capable of capturing audio too, the model could also use pressing sound feedback which is slightly different for each digit, thus making the predictions a lot more accurate.

    Why do they make sound? Most ATM machines here are outdoors so I guess it better be a pretty sensitive mic to pick that up cause it's not like it makes noise like an old phone.

    • (Score: 5, Interesting) by Immerman on Tuesday October 19 2021, @03:05AM

      by Immerman (3985) on Tuesday October 19 2021, @03:05AM (#1188287)

      >Why do they make sound?

      Because they are physically actuated machines, and thus can't avoid doing so. And since the exact sound is governed by the manufacturing imperfections, every key will make a unique sound. I seem to recall hearing about something similar done for keyboards years ago, where you have a (usually) quieter environment, but about 10x as many keys to uniquely identify by sound.

      You would need a sensitive mic, especially in noisy areas, but between directional mics and even mildly "advanced" acoustic signal processing, you'd likely be amazed at the results. A simple simple transform to a frequency-domain representation would quite possibly be enough to give each key a distinctive acoustic "fingerprint", and video establishes when the key was pressed, so you simply have to search the audio for that fraction of a second to determine which fingerprint was best matched. And if the video also gives you a decent guess as well, then between the two you can probably increase your accuracy dramatically.

    • (Score: 2) by stretch611 on Tuesday October 19 2021, @03:17AM (1 child)

      by stretch611 (6199) on Tuesday October 19 2021, @03:17AM (#1188289)

      Does making a sound even matter?

      The screen input field generally adds an asterisk '*' every time you press a key. Someone capturing video would be able to use the screen to determine when you press a key. This would work in a situation where the camera is far away using zoom to capture your ATM transaction as well.

      --
      Now with 5 covid vaccine shots/boosters altering my DNA :P
    • (Score: 2) by mcgrew on Tuesday October 19 2021, @01:49PM (1 child)

      by mcgrew (701) <publish@mcgrewbooks.com> on Tuesday October 19 2021, @01:49PM (#1188400) Homepage Journal

      They make sounds for the blind.

      --
      mcgrewbooks.com mcgrew.info nooze.org
      • (Score: 2) by looorg on Tuesday October 19 2021, @02:08PM

        by looorg (578) on Tuesday October 19 2021, @02:08PM (#1188408)

        I guess that I must have missed that, or I'm so old now I'm getting slightly deaf and can't hear the subtle beeps and boops.

  • (Score: 4, Funny) by Rosco P. Coltrane on Monday October 18 2021, @11:17PM

    by Rosco P. Coltrane (4757) on Monday October 18 2021, @11:17PM (#1188211)

    Ah! I pay everything with contactless NFC payment cards. No PIN needed. Try to guess MY PIN hackers! Who's clever now eh?

  • (Score: 5, Interesting) by sonamchauhan on Monday October 18 2021, @11:36PM (2 children)

    by sonamchauhan (6546) Subscriber Badge on Monday October 18 2021, @11:36PM (#1188215)

    Simulate a couple of fake keypresses over the keypad with a few hand twitches. Easy enough to do while blocking access to the viewscreen so a camera cannot detect if a key is being pressed. 2 fake keypresses gives the hacker a 1 in 360 chance (permutation: '6P4') of getting the right pin (3 fake moves reduces their odds to 1 in 840). So they'll likely be locked out after a few tries.

    • (Score: 3, Touché) by PiMuNu on Tuesday October 19 2021, @07:02AM (1 child)

      by PiMuNu (3823) on Tuesday October 19 2021, @07:02AM (#1188330)

      Beep beep ---- beep ---- beep

      • (Score: 3, Interesting) by sonamchauhan on Tuesday October 19 2021, @07:59AM

        by sonamchauhan (6546) Subscriber Badge on Tuesday October 19 2021, @07:59AM (#1188339)

        Hahah...yes, a security hole. But this experiment didn't use a microphone -- apparently, those are hard to distinguish in noisy backgrounds. Also, some ATMs don't beep (but I could be wrong, will notice next time).

        Sometimes, I use two hands for entry. This complicates the cracker's setup - they'll need two remote cameras.

  • (Score: -1, Offtopic) by Anonymous Coward on Monday October 18 2021, @11:46PM

    by Anonymous Coward on Monday October 18 2021, @11:46PM (#1188217)

    turn it off and on.

  • (Score: 3, Insightful) by bzipitidoo on Tuesday October 19 2021, @12:11AM (9 children)

    by bzipitidoo (4388) on Tuesday October 19 2021, @12:11AM (#1188225) Journal

    When ATMs first appeared, banks tried to charge, for the convenience. It saved them money every time a customer used an ATM instead of a human teller, but the latter was free. So I have never used an ATM. Pay $2 to withdraw $20? F. U., banks!

    • (Score: 5, Informative) by JoeMerchant on Tuesday October 19 2021, @12:25AM (2 children)

      by JoeMerchant (3937) on Tuesday October 19 2021, @12:25AM (#1188230)

      I tried to use banks a few times over the last 40 years, never could get past the fees - still using the Credit Union account I opened when I was 12.

      --
      🌻🌻 [google.com]
      • (Score: 0) by Anonymous Coward on Tuesday October 19 2021, @03:33AM (1 child)

        by Anonymous Coward on Tuesday October 19 2021, @03:33AM (#1188295)

        Yeah, this. I think CUs used to be mostly tied to special groups like teachers, military, etc.; but I know plenty of them are based simply on where you live. I think in most major metros there's likely to be a CU for which you can qualify, and you generally don't lose membership unless you decide to terminate it.

        I've had Navy FCU from my Dad since I was a teen. I had San Mateo CU for a while and closed it when I moved away. There's another local I could get now if I wanted it, but I don't because any ATM displaying the "Co-Op Network" symbol is fee-free.

        I simply don't get why anybody uses a bank for their personal finance.

        • (Score: 2) by MIRV888 on Tuesday October 19 2021, @07:54AM

          by MIRV888 (11376) on Tuesday October 19 2021, @07:54AM (#1188338)

          I showed my DD-214 and I get free atm's for life,
          and a free lock box @ said bank.
          My bank typically pays 12-20 bucks a month for me using out of network atm's.
          It's like buttah.

    • (Score: 2) by Thexalon on Tuesday October 19 2021, @03:30AM (1 child)

      by Thexalon (636) on Tuesday October 19 2021, @03:30AM (#1188293)

      You should be able to use your own bank's ATMs for free, while the fees come into play only when you're using somebody else's. The fees are supposed to go to the company responsible for maintaining the ATM. It's not completely nutty, since ATMs aren't free to operate - you have to get the armored car in with cash periodically, for instance.

      And lots of retailers will let you get a modest amount of change at no extra charge with any pinned debit transaction.

      --
      The only thing that stops a bad guy with a compiler is a good guy with a compiler.
      • (Score: 2) by bzipitidoo on Tuesday October 19 2021, @12:02PM

        by bzipitidoo (4388) on Tuesday October 19 2021, @12:02PM (#1188368) Journal

        Yes, cash back. A very few times, I've bought one little something, like a pack of gum, just so I could get cash back.

        I use credit cards far more often than I use cash. Cash only when I want a bit of anonymity, for instance, for over-the-counter meds, or I want a tip to have a better chance of going where I want it to go, which is not into the restaurant owner's hands, nor the tax man.

    • (Score: 0) by Anonymous Coward on Tuesday October 19 2021, @08:39AM (1 child)

      by Anonymous Coward on Tuesday October 19 2021, @08:39AM (#1188351)

      Are you sure about that? I thought all the first ATMs were completely free. They were cheaper than building a branch nearby, thus they were cost-saving measures. After ATMs were put everywhere, then they started charging fees because the view of saving on branches faded, thus ATMs became expenses that required upkeep and thus needed funds. Of course, if that hadn't happened there'd be fees now anyway. Fees are everywhere today. Even ATMs and gas stations show you ads.

      There are plenty of banks which refund you ATM fees. USAA is one. Military service isn't required for their checking/savings accounts. They used to double-refund you the fees so you actually made a little money. I don't remember if they stopped that or not, but they have limited the max amount of refunds (5 per month?).

      • (Score: 2) by bzipitidoo on Tuesday October 19 2021, @12:20PM

        by bzipitidoo (4388) on Tuesday October 19 2021, @12:20PM (#1188376) Journal

        That honeymoon/grace period was not long, as I recall. Banks are always looking for excuses to impose fees. For a very short time, they tried "universal default", in which they charged a late fee for you being late on some other bill that had nothing whatsoever to do with them. The outrage was great and fierce, and they all soon backed off that one.

        One of the weirdest things about banking in the US is this wholly artificial distinction between a "checking" and a "savings" account. I gather that you can't earn interest on the money in a checking account. While a savings account is limited to just 6 payments per month, 3 if they're not electronic. So what banks do is set customers up with one of each kind, and then, charge an outrageous fee to automatically move money from the savings to the checking account each time a debit would cause the checking to drop below $0, but the savings has enough to cover it. The charge is something like 10x or more the interest the savings earns, worse in these days of almost 0% interest rates, so that you might as well not have a savings account. A couple of times, I didn't get a 1099 form because the savings account hadn't earned $10 in interest over the year.

    • (Score: 2) by isostatic on Tuesday October 19 2021, @05:19PM

      by isostatic (365) on Tuesday October 19 2021, @05:19PM (#1188465) Journal

      ATMs in the UK are typically free (there are some small ones in shops which aren't free, but there's a big warning on them). Current/Saving accounts are free, sending money to other banks in the UK is free (and instant). Indeed banks will pay you to join them (https://www.santander.co.uk/landing/current-accounts/everyday-current-account for example - $180 if you move your main bank account to Santander)

      My understanding is that in the US banking system these things are not normal.

    • (Score: 2) by DannyB on Tuesday October 19 2021, @06:11PM

      by DannyB (5839) Subscriber Badge on Tuesday October 19 2021, @06:11PM (#1188486) Journal

      Pay $2 to withdraw $20? F. U., banks!

      I never had a problem with that. At pay day, I would withdraw all the cash I needed in that pay period for that same $2 withdrawal fee.

      Why oh why do people withdraw $20 at a time?

      --
      People today are educated enough to repeat what they are taught but not to question what they are taught.
  • (Score: 0) by Anonymous Coward on Tuesday October 19 2021, @08:15AM (2 children)

    by Anonymous Coward on Tuesday October 19 2021, @08:15AM (#1188342)

    Someone that steals your card can also use a wrench or even ask you "nicely" for the PIN. What's the point of deep-learning anything in this case? The card can't readily be duplicated anyway.

    • (Score: 2) by DannyB on Tuesday October 19 2021, @06:13PM

      by DannyB (5839) Subscriber Badge on Tuesday October 19 2021, @06:13PM (#1188488) Journal

      The point of deep learning is so that you don't know you're robbed until later. The wrench kind of gives away the surprise.

      --
      People today are educated enough to repeat what they are taught but not to question what they are taught.
    • (Score: 0) by Anonymous Coward on Wednesday October 20 2021, @01:39PM

      by Anonymous Coward on Wednesday October 20 2021, @01:39PM (#1188747)

      The point? Violence isn't actually used to commit crime in the way you're thinking all that often. The type of people with the balls for kidnapping, torture, racketeering, aren't going to waste their effort stealing traceable accounts that likely only have a few grand in them.
