The algorithm guesses the PIN code entered at the ATM, even if you cover the keyboard with your hand

Tomcat

Researchers have proven that a deep learning algorithm can guess 4-digit card PIN codes, even if the victim covers the keypad with their hand while entering the digits at an ATM. The algorithm guessed correctly in 41% of cases.

However, an attack using this algorithm requires obtaining an exact copy of the target ATM, since training it requires the exact dimensions of the device and the spacing between its keys.

The machine learning model is then trained on videos of people entering PIN codes, so that it can recognize key presses and assign a probability to each candidate digit. For the experiment, the researchers collected 5,800 videos of 58 participants from different demographic groups entering 4- and 5-digit PIN codes.

Attack chain

The prediction model was run on a Xeon E5-2670 with 128 GB of RAM and three Tesla K20m with 5 GB of RAM each.

Using the three input attempts that ATMs typically provide, the researchers recovered the correct sequence for 5-digit PINs 30% of the time and for 4-digit PINs 41% of the time.

The model guesses the combination by estimating the topological distance between consecutive keys. The placement of the camera that records the input attempts is crucial, especially when filming left- or right-handed people. Hiding a pinhole camera at the top of the ATM proved to be most effective.

If the camera can also record sound, the model can use the audible key-press feedback, which differs slightly from digit to digit, making its predictions much more accurate.

This experiment proves that covering the ATM keypad with your hand while typing is not enough to protect against deep learning attacks, but some countermeasures can be taken. The researchers advise users to choose a five-digit PIN instead of a four-digit one if their bank offers this option.

Another measure to counteract fraudsters could be to present users with a virtual keypad whose layout is randomized.

By the way, the researchers ran a similar experiment with human observers watching the same videos. Only 7.92% were able to guess the typed sequence.

Previously, Sber began issuing unsecured loans of up to 5 million rubles to payroll clients directly through touch-screen ATMs. To receive a loan, you must log in to the ATM with a bank card, check your personal data, read the terms and conditions of the loan offer and confirm the application by entering the card PIN code. However, the bank did not specify whether it is possible to refuse such a loan if an attacker takes one out, or to disable this option.