2021-12-21

The secret PIN of a credit card can be guessed by watching the user's hand while the code is typed, even when the user covers the keypad. A team of researchers from the University of Padua in Italy has shown that a specialized deep learning model can be trained to guess the four-digit PIN of a credit card with a 41% success rate.

This is not a straightforward attack: it requires building a replica of the target ATM. The model has to be trained on the specific keypad dimensions, and the spacing between the keys of the particular PIN pad is of vital importance. The machine learning model is then trained on videos of people entering their PINs on the ATM keypad, learning to recognize keystrokes and to assign each hand movement a probability of corresponding to a given key.

For the experiment, the researchers collected 5,800 videos of 58 people from various demographic groups entering four- and five-digit codes. The prediction model ran on a machine with a Xeon E5-2670 CPU, 128 GB of RAM and three Tesla K20m GPUs with 5 GB of memory each. The authors point out that this is upper-mid-range hardware, but still within a reasonable budget.

Five digits better than four

The model deduces the digits pressed from the movements of the hand, evaluating the topological distance between two keys. Camera placement plays a critical role: a pinhole camera concealed on top of the ATM was found to be the most effective vantage point for the attacker.

Using three attempts (usually the maximum number allowed before the card is retained), the researchers reconstructed the correct sequence 30% of the time for five-digit PINs and 41% of the time for four-digit PINs.

The authors also emphasize that if the camera could capture audio as well, the model could use the keypress sound as feedback, which differs slightly for each digit, making the predictions much more accurate.

Precautions

Fortunately, there are steps you can take to reduce your risk. First, if your bank lets you choose a five-digit PIN instead of a four-digit one, choose the longer one. It may be harder to remember, but it is considerably safer against attacks of this type.

Second, the authors explain that how much of the keypad you cover with your hand greatly reduces the accuracy of the prediction. With 75% coverage, a precision of 0.55 per attempt was obtained, while full coverage reduces it to 0.33. A third measure, one for banks to implement, would be to present users with a virtual keypad with a randomized layout instead of a standardized mechanical one. That inevitably comes with usability drawbacks, but it is an excellent security measure.
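To make the mechanics behind the numbers above concrete, here is an added example (not code from the Padua researchers or from this article) that models the step the text describes: each observed keystroke yields a probability over the ten keys, candidate PINs are ranked by their joint probability, and the attacker gets three attempts. The keypad layout, the distance-based confusion model, the `confidence` parameter (standing in for how clearly the hand can be seen, i.e. how much of the keypad is covered) and the Bayes posterior are all assumptions of this toy model, not figures from the paper. Running it shows the two defensive levers the article names: a fifth digit and lower per-keystroke confidence both shrink the attacker's hit rate.

```python
"""Constructed toy model (added example, not the researchers' code): how
per-keystroke probabilities compose into ranked PIN guesses, and what that
implies for PIN length, number of attempts and keypad coverage."""
import heapq
import math
import random

# Standard ATM keypad layout as (row, col); the grid distance between keys is
# the "topological distance" the article mentions. Assumed layout.
KEYPAD = {
    "1": (0, 0), "2": (0, 1), "3": (0, 2),
    "4": (1, 0), "5": (1, 1), "6": (1, 2),
    "7": (2, 0), "8": (2, 1), "9": (2, 2),
                 "0": (3, 1),
}
DIGITS = sorted(KEYPAD)  # "0".."9"


def key_distance(a, b):
    """Manhattan distance between two keys on the keypad grid."""
    (r1, c1), (r2, c2) = KEYPAD[a], KEYPAD[b]
    return abs(r1 - r2) + abs(c1 - c2)


def confusion_row(true_key, confidence):
    """Assumed observer model: a press of `true_key` is read as `true_key`
    with probability `confidence`; the remaining mass goes to the other keys,
    halving with each unit of keypad distance (neighbours are confused most).
    `confidence` stands in for how well the hand can be seen."""
    others = [k for k in DIGITS if k != true_key]
    weights = {k: 2.0 ** -key_distance(true_key, k) for k in others}
    total = sum(weights.values())
    row = {k: (1.0 - confidence) * w / total for k, w in weights.items()}
    row[true_key] = confidence
    return row


def posterior(observed_key, rows):
    """Bayes posterior over the true key given the observer's reading, with a
    uniform prior over digits (rows = {true_key: confusion_row})."""
    likelihood = {t: rows[t][observed_key] for t in DIGITS}
    z = sum(likelihood.values())
    return {t: p / z for t, p in likelihood.items()}


def top_k_pins(per_position, k):
    """Return the k most probable PINs, assuming positions are independent
    (score = product of per-position probabilities). Best-first search over
    the product lattice, so it never enumerates all 10**n candidates."""
    ranked = [sorted(DIGITS, key=p.__getitem__, reverse=True) for p in per_position]

    def score(idx):
        return math.prod(per_position[i][ranked[i][j]] for i, j in enumerate(idx))

    start = (0,) * len(per_position)
    heap = [(-score(start), start)]
    seen = {start}
    guesses = []
    while heap and len(guesses) < k:
        _, idx = heapq.heappop(heap)
        guesses.append("".join(ranked[i][j] for i, j in enumerate(idx)))
        # Successors: advance one position to its next-most-likely digit.
        for i in range(len(idx)):
            if idx[i] + 1 < len(DIGITS):
                nxt = idx[:i] + (idx[i] + 1,) + idx[i + 1:]
                if nxt not in seen:
                    seen.add(nxt)
                    heapq.heappush(heap, (-score(nxt), nxt))
    return guesses


def simulate_hit_rate(pin_length, confidence, attempts=3, trials=2000, seed=1):
    """Monte Carlo estimate of how often the true PIN is among the first
    `attempts` guesses. PINs and observer noise are randomly generated here,
    so the rates are illustrative, not the paper's measurements."""
    rng = random.Random(seed)
    rows = {t: confusion_row(t, confidence) for t in DIGITS}
    hits = 0
    for _ in range(trials):
        pin = "".join(rng.choice(DIGITS) for _ in range(pin_length))
        # The observer reads each press through its confusion model.
        observed = [
            rng.choices(DIGITS, weights=[rows[d][o] for o in DIGITS])[0] for d in pin
        ]
        beliefs = [posterior(o, rows) for o in observed]
        if pin in top_k_pins(beliefs, attempts):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    # Longer PIN and lower per-key confidence (better coverage) both reduce
    # the three-attempt hit rate.
    for length in (4, 5):
        for conf in (0.8, 0.6, 0.4):
            print(f"{length}-digit PIN, confidence {conf}: "
                  f"hit rate {simulate_hit_rate(length, conf):.3f}")
```

The rates it prints come from a made-up noise model and will not match the paper's 41% and 30%; what carries over is the direction of the effect, which is what a bank needs when weighing PIN length and keypad design.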

As a comparison, the researchers used the videos from the experiment in a survey of 78 participants to determine whether humans could also guess the hidden PINs. On average, the participants guessed with an accuracy of only 7.92%, far too low to make attacks of this type practical.