They unveiled a technique to determine an ATM PIN, even when the digits are covered by hand

A few days ago a group of researchers from the universities of Padua (Italy) and Delft (Netherlands) published details of a method that uses machine learning to reconstruct a PIN code from a video recording of an ATM keypad, even when the person entering it covers the keypad with their hand.

For 4-digit PINs, the estimated probability of predicting the correct code is 41%, given that three attempts are allowed before the card is blocked. For 5-digit PINs, the prediction probability was 30%.

In addition, another experiment was conducted in which 78 volunteers tried to predict the PIN code from the same kind of recorded videos. In this case, the probability of a successful prediction was 7.92% with three attempts.

In the description of the method, it is noted that when the ATM keypad is covered with the palm of one hand, the hand doing the typing remains visible, which is enough to infer the key presses from changes in the position of that hand and the movement of fingers that are not completely covered.

ATMs are the most widely used means of withdrawing cash. The European Central Bank reported more than 11 billion cash withdrawals and loading/unloading transactions at European ATMs in 2019. Although ATMs have undergone various technological evolutions, personal identification numbers (PINs) are still the most common authentication method for these devices.

Unfortunately, the PIN mechanism is vulnerable to attacks carried out with hidden cameras installed near the ATM to capture the keypad.

When analyzing the entry of each digit, the system excludes keys that cannot have been pressed, given the position of the covering hand, and ranks the most likely key presses based on the position of the typing hand relative to the location of the keys. To increase the probability of detecting an entry, the clicking sound can also be recorded, since it differs slightly for each key.

The experiment used a machine learning system combining a convolutional neural network (CNN) with a recurrent neural network based on the LSTM (Long Short-Term Memory) architecture. The CNN was responsible for extracting spatial features from each frame, and the LSTM used these features to extract patterns that vary over time. The model was trained on video recordings of PIN entry by 58 different people, each covering the keypad in whatever way they chose (each participant entered 100 different codes, so 5800 entry examples were used for training). During training it emerged that most users rely on one of three main ways of hiding their entry.

To train the machine learning model, a server with a Xeon E5-2670 processor, 128 GB of RAM and three Tesla K20m cards with 5 GB of memory each was used. The software is written in Python using the Keras library and the TensorFlow platform. Since ATM keypads differ, and the prediction result depends on characteristics such as key size and layout, separate training is required for each type of keypad.

As a measure to protect yourself against the proposed attack method, it is recommended to use 5-digit PIN codes instead of 4-digit ones where possible, and to cover as much of the keypad as you can with your hand (the method is still effective when approximately 75% of the keypad area is covered). ATM manufacturers are advised to use special protective shields that hide the keypad, as well as non-mechanical touch keypads on which the position of the digits changes randomly.
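The randomized keypad recommendation is worth making concrete. The following is an added toy model, not code from the Padua/Delft study, that assumes an idealised observer who learns exactly which key position was pressed for every digit (a stronger observer than the real attack, which only infers positions from hand movement). It compares a conventional fixed layout with a keypad that shuffles the digit-to-position mapping for every transaction, assuming the observer cannot read the digits shown on screen, and measures success as the chance that the true PIN is among the first three guesses, the limit the article mentions before the card is blocked. It also goes slightly beyond the article by showing what a shuffled layout still leaks: the observer can see which presses landed on the same key, so repeated digits narrow the candidate set a little.

```python
"""Toy model of the keypad-randomization mitigation (added illustration).

Assumptions (not from the article): the observer learns the exact key
POSITION of every press; a randomized keypad reshuffles digit->position
for each transaction and the observer cannot see the displayed digits;
the observer guesses uniformly among PINs still consistent with the video.
"""
import itertools
import random

DIGITS = "0123456789"


def fixed_layout():
    """Conventional keypad: digit d sits at position int(d) (constructed)."""
    return {d: int(d) for d in DIGITS}


def shuffled_layout(rng):
    """Randomized keypad: a fresh digit -> position mapping per transaction."""
    positions = list(range(10))
    rng.shuffle(positions)
    return dict(zip(DIGITS, positions))


def observed_positions(pin, layout):
    """What the observer records: the key position hit by each press."""
    return tuple(layout[d] for d in pin)


def consistent_pins(positions, layout_known):
    """PINs the observer cannot rule out from the recorded positions.

    layout_known: the layout if the observer knows it (fixed keypad), or
    None if the mapping was shuffled and is unknown to the observer.
    """
    n = len(positions)
    if layout_known is not None:
        # Known mapping: positions translate straight back into digits.
        inverse = {pos: d for d, pos in layout_known.items()}
        return ["".join(inverse[p] for p in positions)]
    # Unknown mapping: all the observer learns is which presses hit the
    # same key, i.e. the equality pattern of the recorded positions.
    pattern = tuple(positions.index(p) for p in positions)
    return ["".join(c) for c in itertools.product(DIGITS, repeat=n)
            if tuple(c.index(ch) for ch in c) == pattern]


def success_probability(pin, randomized, attempts=3, seed=0):
    """Chance that the true PIN is among the observer's first `attempts`
    guesses, for one observed transaction."""
    rng = random.Random(seed)
    layout = shuffled_layout(rng) if randomized else fixed_layout()
    positions = observed_positions(pin, layout)
    candidates = consistent_pins(positions, None if randomized else layout)
    assert pin in candidates  # the true PIN is never ruled out
    return min(1.0, attempts / len(candidates))


if __name__ == "__main__":
    for pin in ("1234", "1122", "12345"):  # constructed sample PINs
        print(pin,
              "fixed layout: %.4f" % success_probability(pin, randomized=False),
              "randomized: %.6f" % success_probability(pin, randomized=True))
```

With a fixed layout the idealised observer always succeeds, which is the regime the article's 41% and 30% figures approach as the video model improves. With a per-transaction shuffle the same observation leaves 5040 candidates for a 4-digit PIN with distinct digits (three guesses out of 10·9·8·7), 90 for a PIN such as 1122, and 30240 for a 5-digit PIN with distinct digits, which is why the shuffle, not the hand covering, is the mitigation that removes most of the leak.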

Finally, if you are interested in learning more, you can consult the details in the following link.
