Researchers taught an algorithm to guess bank card PIN codes
A group of researchers, with the support of information security companies, has trained a machine-learning model to guess the 4-digit PIN code of a bank card while the victim types it at an ATM. The attack succeeds in 41% of cases (within three attempts), even when the person covers the keypad with their other hand while typing.
According to Bleeping Computer, to train the algorithm the attacker needs a replica of the target ATM's keypad, since the specific dimensions and spacing of the keys must be taken into account. Using this replica, machine learning and video recordings of people entering PIN codes, the model learns to recognize individual keystrokes and to assign probabilities to candidate PIN sequences.
For their experiments, the researchers collected 5,800 videos in which 58 people from different demographic groups entered 4- and 5-digit PIN codes on ATM keypads. The prediction model ran on a Xeon E5-2670 with 128 GB of RAM and three Tesla K20m GPUs with 5 GB of memory each. Allowing the algorithm three attempts (the maximum number of PIN entry attempts before an ATM blocks the card), the researchers recovered five-digit PIN codes in 30% of cases and four-digit PIN codes in 41% of cases.
In doing so, the algorithm can exclude the keys covered by the person's hand from its candidates and infer the remaining digits from the movements of the other hand and the estimated distance between keys.
The researchers acknowledge that the placement of the camera recording the PIN entry is critical. Because the recording has to work for both left- and right-handed users, hiding the camera at the top of the ATM was found to be optimal. If the camera also records audio, the algorithm can exploit that as well, since each key makes a slightly different sound when pressed, which makes the prediction more accurate.
Based on these results, the experts conclude that simply covering the ATM keypad with a hand is not enough. To protect against such attacks, they recommend the following countermeasures:
- use a five-digit PIN instead of a four-digit one, if possible;
- cover the keypad with your hand more thoroughly, since the degree of coverage significantly reduces prediction accuracy: covering 75% of the keypad brings the accuracy of each attempt down to 0.55, while a fully (100%) covered keypad reduces it to 0.33;
- where available, use a randomized on-screen (virtual) keypad instead of the standard mechanical one.
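To make concrete what "assigning probabilities to candidate PIN sequences" and the three-attempt limit mean in practice, here is an added toy model. It is not the researchers' code: the neural network they trained on keypad video is replaced by a Gaussian over the distance between an estimated fingertip position and each key of an assumed 3x4 keypad layout, the keystroke noise is constructed, and "a keystroke that yields no observation" is a crude stand-in for the share of the keypad hidden by the covering hand. The success rates it prints therefore illustrate the trend behind the countermeasures above (more digits and more coverage both hurt the attacker), not the paper's figures.

```python
"""Toy model of ranking PIN candidates from noisy per-keystroke observations.

Constructed example, not the researchers' model: a Gaussian over key distance
stands in for the network's per-keystroke output, so that the three-attempt
evaluation can be shown end to end.
"""
import heapq
import math
import random

# Standard 3x4 ATM keypad on a unit grid (assumed layout; real pads differ in key
# size and spacing, which is why the attacker needs a copy of the target keypad).
KEYPAD_ROWS = ["123", "456", "789", "*0#"]
KEY_XY = {key: (col, row) for row, line in enumerate(KEYPAD_ROWS)
          for col, key in enumerate(line)}
DIGITS = "0123456789"
WEIGHT_FLOOR = 1e-12  # never give a possible key exactly zero probability


def keystroke_distribution(est_xy, sigma, excluded=()):
    """Probability over digits for one keystroke.

    est_xy:   estimated fingertip position in key units, or None when the keystroke
              was not observable at all (e.g. fully hidden by the covering hand).
    sigma:    position uncertainty of the estimate, in key units.
    excluded: digits ruled out by other evidence (keys the hand never reached);
              they get probability zero.
    """
    candidates = [d for d in DIGITS if d not in excluded]
    if est_xy is None:
        return {d: 1.0 / len(candidates) for d in candidates}
    weights = {}
    for d in candidates:
        x, y = KEY_XY[d]
        dist2 = (x - est_xy[0]) ** 2 + (y - est_xy[1]) ** 2
        weights[d] = math.exp(-dist2 / (2 * sigma ** 2)) + WEIGHT_FLOOR
    total = sum(weights.values())
    return {d: w / total for d, w in weights.items()}


def top_k_pins(dists, k):
    """Return the k most probable PINs, best first, by best-first search over the
    per-keystroke rankings, without scoring all 10**n candidates."""
    cols = [sorted(d.items(), key=lambda kv: -kv[1]) for d in dists]  # (digit, p) desc
    logp = [[math.log(p) for _, p in col] for col in cols]
    n = len(cols)
    start = (0,) * n  # index tuple: j-th most likely digit for each keystroke
    heap = [(-sum(logp[i][0] for i in range(n)), start)]
    seen = {start}
    best = []
    while heap and len(best) < k:
        neg_score, idx = heapq.heappop(heap)
        best.append("".join(cols[i][j][0] for i, j in enumerate(idx)))
        for i in range(n):
            j = idx[i] + 1
            if j < len(cols[i]):
                nxt = idx[:i] + (j,) + idx[i + 1:]
                if nxt not in seen:
                    seen.add(nxt)
                    # keystroke i moves from its (j-1)-th to its j-th most likely digit
                    heapq.heappush(heap, (neg_score + logp[i][j - 1] - logp[i][j], nxt))
    return best


def simulate(n_digits, sigma, covered_fraction, trials, seed, attempts=3):
    """Fraction of constructed trials in which the true PIN is among the first
    `attempts` guesses (an ATM blocks the card after three wrong PINs).

    Each observed keystroke yields the true key position perturbed by Gaussian
    noise of `sigma`; a keystroke is unobservable with probability
    `covered_fraction`, a crude stand-in for the keypad area hidden by the hand.
    """
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        pin = "".join(rng.choice(DIGITS) for _ in range(n_digits))
        dists = []
        for ch in pin:
            if rng.random() < covered_fraction:
                dists.append(keystroke_distribution(None, sigma))
            else:
                x, y = KEY_XY[ch]
                est = (x + rng.gauss(0, sigma), y + rng.gauss(0, sigma))
                dists.append(keystroke_distribution(est, sigma))
        if pin in top_k_pins(dists, attempts):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    for n in (4, 5):
        for cover in (0.0, 0.75, 1.0):
            rate = simulate(n, sigma=0.6, covered_fraction=cover, trials=300, seed=7)
            print(f"{n}-digit PIN, {int(cover * 100):3d}% of keystrokes hidden: "
                  f"top-3 success rate {rate:.2f}")
```

The k-best search in `top_k_pins` is what turns independent per-keystroke guesses into an ordered list of whole PINs to try at the machine; the ATM's lockout is exactly the `attempts` cut-off, which is why the researchers report success within three attempts and why one extra digit (and more keystrokes with no usable observation) lowers that rate.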
Let me also remind you that I previously wrote about Kaspersky Password Manager generating weak passwords due to a bug.