Oct 1, 2018

How Scammers are using thermal cameras to steal ATM pins, passwords and other credentials


Well, I just noticed that we don’t have any article on social engineering or similar attacks, which are not about hard coding skills or exploitation skills but rather about your awareness of tools and understanding of common human mistakes. I was just thinking about writing something which fewer people are aware of, and then came up with the idea of writing this article.

Whenever you type something on a keyboard, some thermal residue is left behind, and it can be detected by a thermal (infrared) camera!

Note: Although a University of California, Irvine (UCI) team recently named such attacks "Thermanator", these attacks have existed for a long time.
At the USENIX Security Symposium in 2011, researchers Keaton Mowery, Sarah Meiklejohn and Stefan Savage from the University of California at San Diego presented their paper “Heat of the Moment: Characterizing the Efficacy of Thermal Camera-Based Attacks.” It covers experiments done to check the accuracy of such attacks.

The main fact here is that plastic and rubber pads are vulnerable to such attacks, while metallic ones are safe (because in metal the heat flows to other parts immediately).
You can read the above PDF carefully; everything is covered there (that paper deals with plastic and metal, rubber is not included). The pressure with which the participant pressed the button and his body pressure also varied the result. Also note that on plastic pads it was even possible to detect the order in which the buttons were pressed (not just which buttons were pressed), because of the difference in the radiation being emitted by the buttons. It also depends on when the attacker performs the attack. For example, if you pressed the buttons and handed the device over to the attacker and just 10 seconds have passed since you pressed them, the attacker will have a clearer picture of the radiation (of course, the intensity of the heat being emitted keeps falling with time). As the time elapsed reached 45 seconds, the success rate of correctly predicting the PIN fell to 60%.


However, one recent piece of research demonstrated that 30 seconds is a window in which the attack is quite effective!
NOTE: This is the reason why modern ATM machines have metallic keypads!

On rubber and plastic pads such attacks are easily possible, and you must be aware of them.

[Image: thermal radiation after pressing the buttons of a door lock]

[Image: thermal radiation after pressing the buttons of a payment terminal]

Note: You can’t see infrared with your normal cameras. Normal cameras have IR-blocking filters on the sensor, and even if you modify a camera to remove these filters you cannot see much IR through it (the infrared spectrum varies a lot). For accuracy and experiments you need a thermal imaging camera such as the FLIR ONE, the Seek thermal imaging camera, etc.

There are several thermal cameras that can do the task. In fact, FLIR even launched a special cover case for the iPhone 5s which has a thermal camera to read infrared. Such devices may create more problems in daily life: even if someone is carrying one in a shop or another place, people might not notice that the person’s phone can capture your password (say, an ATM PIN) after you have left.

[Image: FLIR ONE thermal imaging camera case for iPhone 5s]

Note: Such attacks are improving with time. At the ACM CHI Conference on Human Factors in Computing Systems, 2017, a somewhat better version of the attack was demonstrated. It is quite a lengthy video: https://www.youtube.com/watch?v=QFQlCwtybqo. Let me mention some of the important points of this demonstration here:


Duplicates and Overlaps

As explained earlier, the attack becomes harder as time elapses, because the heat intensity keeps falling.

Duplicates make the PINs less secure

Overlaps make the patterns more secure.

Most of the things these guys found in their research are, in a way, what we could visualise ourselves.

Note: There are far more advanced password-grabbing attacks related to mechanical vibrations, electromagnetic emanations, etc. We will see many advanced attacks later, especially when we study air-gap attacks!

From the above results you can conclude what type of passwords or patterns you should choose to stay safe from such attacks. When using keypads made of plastic or rubber, you should try to place your fingers on other buttons as well while entering your passcode, so that the heat emission becomes confusing for the attacker.
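
To put a number on the advice above, here is an added example (not part of the original article) that counts how many 4-digit PINs remain consistent with the set of warm keys, with and without extra keys being touched. It assumes an observer cannot tell a decoy touch from a real press; the PIN `1573` and the decoy keys are constructed sample values.

```python
from itertools import product

def consistent_pins(warm_keys, length=4, exact=True):
    """Enumerate PINs that cannot be ruled out from the set of warm keys.

    exact=True : every warm key is known to belong to the PIN.
    exact=False: any warm key may be a decoy touch (assumption of this model).
    """
    warm = sorted(set(warm_keys))
    pins = []
    for combo in product(warm, repeat=length):
        # In the exact case the PIN must use all warm keys at least once.
        if not exact or set(combo) == set(warm):
            pins.append("".join(combo))
    return pins

def exposure(pin, decoys=""):
    """Remaining search space for three observation conditions."""
    pressed = set(pin)
    touched = pressed | set(decoys)
    return {
        # Fresh residue on plastic: press order is readable, one candidate.
        "order_readable": 1,
        # Faded residue: only the set of pressed keys is known.
        "keys_only": len(consistent_pins(pressed, len(pin), exact=True)),
        # Extra keys touched: PIN digits hide among all warm keys.
        "keys_plus_decoys": len(consistent_pins(touched, len(pin), exact=False)),
    }

if __name__ == "__main__":
    # Constructed sample PIN; compare no decoys, one decoy, three decoys.
    for decoys in ("", "2", "280"):
        result = exposure("1573", decoys)
        total = 10 ** 4
        print(f"decoys={decoys!r:6} {result} "
              f"({result['keys_plus_decoys'] / total:.1%} of all PINs)")
```

For the sample PIN, touching three extra keys raises the space from 24 orderings of four known keys to 2401 candidates drawn from seven warm keys.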
