Infrared cameras are moving from the domain of house inspectors and border guards into the hands of the general public. For $350 you can now buy one at the Apple Store. As with most technologies, we haven't fully considered the implications. But the bad guys have. They’re already snapping pictures of PIN pads to steal your PIN number.
As explained by Mark Rober in an excellent video, the FLIR infrared (IR) camera attachment for the iPhone is good. So good that it can pick up which buttons you just pushed on a plastic or rubber PIN pad. He illustrates by waving his iPhone over the PIN reader at a supermarket checkout. The telltale heat signature on the keys reveals the previous customer’s “secret” PIN number.
Losing your PIN number to a thief can be much worse than having your password hacked online. Somebody who breaks into your victoriasecret.com account can learn about your taste in undies and perhaps steal your credit card information. A thug who just grabbed your PIN number might follow you to the parking lot to snatch your purse or wallet.
An even worse scenario: a predator might dash up behind your latchkey child and read the combination of your digital door lock. According to a research paper, even after a whole minute had passed, there was a 50% success rate in reading the numbers.
There are also legal reasons to worry about PIN theft. As credit card companies move to “chip and PIN” technology, they often sneak in a subtle shift in liability. Because this method is more secure than signature-based verification, some credit card issuers are taking the position that a customer is now liable for anything done with their card and PIN.
Illustrating this point is the high profile case of a Toronto, Ontario man who was billed over $80,000 on his CIBC Visa card for a custom-built race car! Customer Jason Monaco denied making the purchase.
He sued the bank, which insisted that fraudulent PIN transactions are “impossible”. Maybe they’ll have to reconsider that position now that the IR camera hack is making the rounds. This will be an increasingly important issue in the future. In most of the world, chip and PIN already prevails, and it will be coming to most US merchants by October 2015.
On a deeper level, the PIN-stealing hack illustrates some fundamental, and quite creepy, truths about technology. Just about anything can be used for good or evil, and people will put considerable effort into exploiting the dark side. Technologies almost always get cheaper, smaller, and less obtrusive. As Rober points out in his video, bringing a full-scale IR camera into the Von’s supermarket would attract a lot of attention. The FLIR attachment looks like an iPhone case. Soon, we’ll see infrared capability in Google Glass or a contact lens.
Another fundamental principle is that vulnerabilities like this are often best addressed not by laws, but by technology. In Technocreep I suggest that the pernicious U.S. mugshot-posting industry will eventually be shut down not by legislators but by Google downgrading mugshots in search results, and by credit card companies refusing to process mugshot-related transactions.
The technological fix for the PIN hack is actually quite simple. Just rest your non-typing fingers on some other keys while entering your numbers. This will obscure the actual keystrokes for your PIN. Or, you could use the “tap and pay” technology, but, you guessed it, that comes with its own vulnerabilities.
Did anyone see this coming? One might say the banks did, since their PIN pads are usually made of metal, which is not susceptible to this technique. Then again, they probably just wanted to make their ATM machines stronger. The reality is that when you give somebody a new tool, they will find all sorts of ways to use it, limited only by the human imagination.
In Technocreep I report that some breast implants have embedded RFID chips, and suggest that a rogue doctor might take the reader down to the bar to do some extracurricular research. Now, we know he wouldn’t need to do that at all. Just fire up the iPhone, because silicone bags definitely look different on infrared than human breasts!
Read more:
https://www.youtube.com/watch?v=8Vc-69M-UWk
https://cseweb.ucsd.edu/~kmowery/papers/thermal.pdf