PetaPixel

Here’s How iPhone Thermal Cameras Can Be Used to Steal Your Pin Codes

There are a lot of great, fun, and interesting things people can do with an iPhone and that FLIR ‘predator vision’ infrared camera case we told you about at the beginning of this year. But, as it turns out, there is also a very bad thing people can do.

Using just an iPhone and the thermal camera case, people can actually steal your PIN codes, be that for an ATM or that keypad on your car or garage door.

This is a newly emerging security risk, and you can see how easily it’s done in the video above by YouTuber Mark Rober. Without anybody being the wiser, he simply steps up to the PIN pad after someone else has used it and snaps a thermal picture.

[Image: thermal photo of the keypad]

Because someone JUST got done using it, the keys they pressed will be glowing. And what’s more, because the heat signature begins fading as time goes by (even after just a few seconds) the thief can tell what order the keys were pressed in.

Fortunately, there’s a way to protect yourself so the bad guy in this scenario can’t steal your garage door or front door code after you go in the house: just rest other fingers on the rest of the keypad while you type.

That way the picture comes out like this:

[Image: thermal photo of the keypad]

It’s sad to think that making awesome camera tech accessible to all breeds creative new thievery, but as you can see, it doesn’t take much to protect yourself from it.

And now that you know that, you can go back to watching awesome IR footage like this Formula One car burnout video without worrying that the person behind you at the supermarket is there to pick up more than those mints.


 
  • Domitype

    Well, unless you leave your card in the ATM, having only the pin doesn’t do much good.

  • Jason Yuen

    Unless you get mugged on your way home after you leave the store.

  • Josh Zytkiewicz

    If they’re taking a picture of the keypad they can take a picture of your card.

  • Rob Elliott

    The card information is stored on a Chip or Magnetic Strip. Taking a picture of the card isn’t going to do anything.

  • Rob Elliott

    If a thief network is using modified terminals that will read and copy chip information, or swipe information, then having something like this will help them get that missing piece.

    It is uncommon to be successful, but it can make it worse if it happens. It is something to be aware of.

  • Mik Rose

    Ohhh, I didn’t know online shopping required the magnetic strip to purchase/process any products…….

  • Rob Elliott

    Online shopping doesn’t use your in-store PIN on a debit or credit card (at least it doesn’t for me). You don’t need a FLIR camera for that.

    Your PIN (which in many places is 4 digits only) is almost always different from an online password used for debit or credit purchases online. As such, getting your PIN in this manner without the physical card won’t do much. Unless they spoof the card.

  • http://www.flyingsuicide.net/ Oj0

    I first saw this years ago on a documentary where thieves broke into a safe using the same method of thermal imaging to get the code for the safe. Since then I’ve been wiping my fingers across the entire pad after entering my pin.

    Think I’m paranoid? The latest in South Africa is thieves (often petrol attendants, in South Africa we don’t have self service petrol stations) use a fake credit card machine to capture both the chip information and your pin when you enter it. The fake card machine then throws an error message on the screen and the thief will tell you the machine isn’t working and will fetch another, genuine machine for the transaction.

    Technology is a strange thing.

  • MattB81

    While that’s a good thought when you first think of it, think again about how you swipe your card at a convenience store. Most machines are set up for right handed use, which means you swipe it with your right hand naturally putting your body between the card and whoever is next in line behind you.

    Take a look at the video and you’ll see by normal use there really is no opportunity to take a photo of the card.

    So even in this case you’re still missing the actual card number unless you (well really a partner) intend on lifting it off the owner at some point before they get to their car. It would have to be a partner because you’re still going to be paying for your item(s).

  • MattB81

    True, online buying doesn’t require a card swipe, but they also (well, let’s say most, but I’ve never seen it) don’t process debit transactions – you use a debit card backed by a credit provider (i.e. Mastercard or Visa) and the transaction runs as credit. To do this you don’t need the PIN, only the number, name and 3-digit security code.

    More of a concern are the modified machines where they put data readers on common places like gas pumps because the magnetic strip can then be cloned and credit cards can be taken – at that point even debit cards don’t need a pin because at time of purchase they can choose to run it as credit.

  • Rob Elliott

    In this case though (again, at least in Canada) usually the number is a virtual number that is different from your debit card number for that very reason.

    Again.. as this article/video is about using a FLIR camera to get your personal PIN number.. and my comments have been about a PIN number being useless without the card.

    As I said in a different comment (as a different reply), the modified machines mixed with the FLIR technologies could be an issue. Of course I’ve always left my fingers on the key pad while typing my PIN. My fingers usually sit on the 456 and 9 key to help obscure my PIN from people anyway, so as it happens I’m naturally protected.

  • D.G. Brown

    The good news is that most physical card info theft is from things like skimmers which wouldn’t be practical to use with a method like this. The point of a skimmer is to leave it and collect lots of data and pick it up later to diminish risk to the thief. Using FLIR would require the thief to keep viewing the keypad which would add way more risk.

    However, this does open up the interesting attack using the RFID on the cards. An RFID scanner combined with using FLIR to get the pin would allow someone to recreate your card (using the “tap” function) and then enter your pin. Still more likely to be a targeted attack, though, since it would be a little effort and seems risky (given that most checkout stands are under many security cameras). Banks actually spend a bit of effort to determine where cards are compromised, and someone using this technique seems pretty likely to get caught.

    Oh yeah, and if you use the stylus that’s on most keypads (or bring your own), you don’t have to worry about heat transfer to the keys ;-)

    And if you fear RFID scanners, get a Faraday wallet :)

  • Sam M.

    Online shopping doesn’t require your PIN either. Just the CVV (which is the most ridiculous security feature ever, its one protection feature is being on the OTHER SIDE of the card).

  • Gene Warren

    Unless you’re using Amex, in which case it’s also on the front. :(