Researchers have proven that they can learn a special deep learning algorithm that can guess a four-digit card PIN number with a 41% probability, even when the user covers the pad with their hand.
As a general security mechanism, devices such as ATMs (Automated Teller Machines) and POS (Point of Sale) rely on security provided by PINs (Personal Identification Numbers).
This attack requires the installation of a replica of an ATM. This is because it is crucial to train the algorithm to match the dimensions and key spacing of different PIN pads.
Next, using a video of a person entering a PIN into an ATM pad, we train a machine learning model to recognize how the pad is pressed and assign a specific probability to the sequence of guesses.
In our experiment, we collected 5,800 videos in which 58 people with diverse demographics entered their 4- and 5-digit PINs.
The machines on which we ran the predictive model were three Xeon E5-2670s with 128GB of RAM and three Tesla K20m with 5GB of RAM each.
The researchers reproduced the correct sequence 30% of the time for 5-digit PINs and 41% of the time for 4-digit PINs, using three trials, the maximum number of times allowed before the card is put on hold.
This model can exclude keys based on the extent of the non-typing hand, and guess the number pressed from the movement of the other hand by evaluating the logical distance between the two keys.
The placement of the camera to capture the action of pressing the button plays an important role, especially when recording left-handed or right-handed people; hiding a pinhole camera above the ATM was determined to be the best way for an attacker to do this.
Also, if the camera has the ability to record audio, the feedback of the slightly different press sounds for each number can be used to make more accurate predictions.
This experiment proves that simply covering the PIN pad with your other hand is not enough to protect against deep learning-based attacks, but thankfully, there are some countermeasures that can be taken.
First of all, if your bank gives you the option of a 5-digit PIN instead of a 4-digit PIN, choose the longer one. It may be harder to remember, but you will be much more secure against this type of attack.
Next, the coverage of the moves greatly reduces the prediction accuracy. With 75% coverage, the accuracy of each try is 0.55, but with total coverage (100%), the accuracy drops to 0.33.
The third measure is to provide the user with a virtual, randomized keypad instead of a standardized mechanical keypad.
This inevitably comes with a lack of usability, but it is an excellent security measure.