The PIN code of the cash card can be guessed even if the ATM keypad is hidden by hand.



When withdrawing money from an ATM using a credit card or cash card, you need to enter your PIN. A cautious person may cover the keypad with a hand while entering it so that no one else can see the PIN, but a study reports that, using a machine learning model, it is possible to guess the PIN with reasonable accuracy even if the keypad is hidden by hand.

[2110.08113] Hand Me Your PIN! Inferring ATM PINs of Users Typing with a Covered Hand

https://arxiv.org/abs/2110.08113

Credit card PINs can be guessed even when covering the ATM pad
https://www.bleepingcomputer.com/news/security/credit-card-pins-can-be-guessed-even-when-covering-the-atm-pad/

Entering a PIN is widely used as an authentication method when withdrawing money from an ATM with a card, but criminals can steal a PIN by placing a small camera near the ATM. For this reason, many security-conscious people probably hide the keypad with their other hand when entering their PIN.

The paper, newly posted to the preprint server arXiv and not yet peer reviewed, studies an attack in which video of people entering a 4- or 5-digit PIN on an ATM keypad is given to a machine learning model that guesses the keys entered. 'Although ATM users believe that hiding their keypad by hand is an effective defense against PIN-stealing attacks, there is no scientific literature that clearly evaluates this defense method,' the research team said.



The research team first created a replica of the attacked ATM that mimicked its keypad dimensions and key spacing. Next, using video of PINs being entered on the ATM replica, they trained a model to guess which key was pressed from the movement of the hand on the keypad and to assign a probability to each key. The training used 5800 videos of 58 subjects from different demographic backgrounds entering 4- or 5-digit PINs.

Then, to confirm the accuracy of the trained machine learning model, the team ran an experiment in which it guessed 4-digit or 5-digit PINs from video of PINs actually being entered on the ATM keypad. As a result, the probability of guessing the PIN correctly within 3 attempts, the number of wrong entries after which the card is locked, reached 30% for 5-digit PINs and 41% for 4-digit PINs.

To guess the PIN, the machine learning model is said to first exclude the keys that are not hidden by the non-entering hand, and then infer the keys from the movement of the entering hand and the distance between keys. The position of the camera that records the key input therefore plays an important role, and the research team pointed out that hiding a pinhole camera at the 'top of the ATM' is the best approach for the attacker. Also, if the camera can record audio as well, it seems that prediction accuracy can be improved further by taking advantage of the fact that each key sounds slightly different when pressed.



Bleeping Computer, a computer news outlet, states that the following countermeasures can be derived from the results of this research.

• If your bank offers the option to choose a PIN that is 5 or more digits instead of 4 digits, set a longer PIN.
• Because the proportion of the keypad covered by the non-entering hand affects the accuracy of estimating the PIN, cover as much of the keypad as possible.
• If a 'virtual keypad with randomly arranged numbers' can be selected on the screen, use the virtual keypad instead of the built-in keypad.

In addition, when the research team showed the keypad-input videos to 78 human subjects instead of a machine learning model and asked them to guess 5-digit PINs, the average accuracy was only 7.92%.

in Software,   Security, Posted by log1h_ik