Researchers have trained a machine-learning algorithm to guess 4-digit bank card PINs while the victim uses an ATM. The attack succeeds in 41% of cases, even when the person covers the keypad with their hand while typing.

According to Bleeping Computer, fine-tuning the algorithm requires a copy of the target ATM's keypad, since the exact dimensions of the keys and the spacing between them must be taken into account. On such a replica, using machine learning and video recordings of people entering PIN codes, the algorithm learns to recognize individual keystrokes and to assign probabilities to different candidate PIN sequences.

For their experiments, the researchers collected 5,800 videos of 58 people from different demographic groups entering 4- and 5-digit PINs on ATM keypads. The machine running the prediction model was a Xeon E5-2670 with 128GB of RAM and three Tesla K20m GPUs with 5GB of RAM each.

Given three attempts (the maximum number of PIN entries an ATM allows before the card is blocked), the researchers were able to recover a five-digit PIN in 30% of cases and a four-digit PIN in 41% of cases. The algorithm can exclude the keys hidden by the person's hand from its guesses and infer the remaining digits from the movements of the other hand and the estimated distance between the keys.

The researchers note that the placement of the camera recording the PIN entry matters a great deal. Since the recording angle has to work for both left- and right-handed users, hiding the camera at the top of the ATM turned out to be optimal. If the camera also records audio, the algorithm can exploit the fact that each key produces a slightly different sound when pressed, which makes its predictions more accurate.

Based on these results, the researchers conclude that simply covering the ATM keypad with your hand is not enough. To protect against such attacks, they recommend the following countermeasures:

  • use a five-digit PIN instead of a four-digit one, where possible;
  • cover the keypad with your hand more carefully, since the degree of coverage significantly reduces prediction accuracy: with 75% of the keypad covered, the per-attempt accuracy drops to 0.55, and with the keypad fully covered it drops to 0.33;
  • where possible, use a randomized virtual keypad instead of a standard mechanical one.

