Corpus ID: 239009713

Hand Me Your PIN! Inferring ATM PINs of Users Typing with a Covered Hand

Matteo Cardaioli, Stefano Cecconello, Mauro Conti, Simone Milani, Stjepan Picek, Eugen Saraci
Automated Teller Machines (ATMs) represent the most used system for withdrawing cash. The European Central Bank reported more than 11 billion cash withdrawals and loading/unloading transactions on the European ATMs in 2019. Although ATMs have undergone various technological evolutions, Personal Identification Numbers (PINs) are still the most common authentication method for these devices. Unfortunately, the PIN mechanism is vulnerable to shoulder-surfing attacks performed via hidden cameras… 


Your PIN Sounds Good! Augmentation of PIN Guessing Strategies via Audio Leakage
Results show that inter-keystroke timings can be extracted from audio feedback far more accurately than from previously explored sources, and this increase in accuracy translated to a meaningful increase in guessing performance.
Beware, Your Hands Reveal Your Secrets!
A new breed of side-channel attack on the PIN entry process on a smartphone which entirely relies on the spatio-temporal dynamics of the hands during typing to decode the typed text and is very likely to be adopted by adversaries who seek to stealthily steal sensitive private information.
PILOT: Password and PIN Information Leakage from Obfuscated Typing Videos
This paper developed an attack called Password and Pin Information Leakage from Obfuscated Typing Videos (PILOT), which extracts inter-keystroke timing information from videos of password masking characters displayed when users type their password on a computer, or their PIN at an ATM.
Stay Cool! Understanding Thermal Attacks on Mobile-based User Authentication
Thermal attacks are found to be viable on mobile devices: overlapping patterns significantly decrease the successful thermal attack rate from 100% to 16.67%, while PINs remain vulnerable even with duplicate digits. The paper gives recommendations for users and designers of authentication schemes on how to resist thermal attacks.
Chip and Skim: Cloning EMV Cards with the Pre-play Attack
The paper describes how the vulnerability was detected, a survey methodology developed to chart the scope of the weakness, evidence from ATM and terminal experiments in the field, and the implementation of proof-of-concept attacks, and it discusses countermeasures.
Cracking Android Pattern Lock in Five Attempts
A novel video-based attack that reconstructs Android lock patterns from video footage filmed with a mobile phone camera, using a computer vision algorithm to track the fingertip movements and infer the pattern.
ClearShot: Eavesdropping on Keyboard Input from Video
This paper presents a novel approach to automatically recovering the text being typed on a keyboard, based solely on a video of the user typing, and developed a number of novel techniques for motion tracking, sentence reconstruction, and error correction.
Thermanator: Thermal Residue-Based Post Factum Attacks on Keyboard Data Entry
The work introduces Thermanator, a new post factum insider attack based on heat transfer caused by a user typing a password on a typical external keyboard, and conducts a user study that collected thermal residues from 30 users entering 10 unique passwords on 4 popular commodity keyboards.
Timing Analysis of Keystrokes and Timing Attacks on SSH
A statistical study of users' typing patterns is performed and it is shown that these patterns reveal information about the keys typed, and that timing leaks open a new set of security risks, and hence caution must be taken when designing this type of protocol.
A systematic review of PIN-entry methods resistant to shoulder-surfing attacks
It is argued that a recording-based shoulder-surfing attack is a major threat to PIN-entry methods, and the lack of a standard evaluation framework should be addressed.