Hacking wearable devices could compromise ATM security: Internet Scambusters #726
ATM security has always been at risk from scammers -- by trapping cards and using cameras to read PIN numbers.
Now researchers have shown how they could even steal PINs by hacking into users' wearable devices and tracking their hand movements as they use the keyboard.
But there's a simple tactic to sidestep this threat, as we explain in this week's issue.
Let's get started...
New Threat to ATM Security
We've written several times in the past about ATM security risks -- in particular, how scammers can capture your cash, your card and, using hidden cameras, your Personal Identification Number or PIN.
Today's ATM card crooks have begun to use heat detectors which can tell the order in which the PIN number pad is pressed by how much heat remains on the keys -- the warmest one being the last number pressed and so on.
They can check the keypad as soon as you leave and, if they've also set a trap to catch your card, they've got everything they need to drain your bank account.
But now an even more alarming possibility has been discovered -- researchers have shown how PINs can be captured via wearable fitness devices and smart watches.
It sounds far-fetched but it isn't. Many wearable devices contain components called embedded sensors -- accelerometers and gyroscopes -- that basically detect movement of the wearer.
The researchers demonstrated how they can track even the most minute hand movements, down to the nearest millimeter.
Using a clever piece of software to interpret data from the devices, they were able to recreate hand movements over a PIN number pad.
In 5,000 tests, they were able to correctly read PINs between 80% and 90% of the time.
We ought to stress that, so far at least, crooks are not yet using this trick because it requires that the device has been previously infected with malware, which has to collect the data and relay it back to the hacker.
Alternatively, a small transmitter is placed somewhere near the keypad to "sniff" or communicate with the device.
But, as we've previously noted in Wearable Devices Could Pose Security Threat, security is not as tight as it could be on some wearable devices, which collect a lot of leakable data, so who knows how long it will be before criminals find a way in.
In their paper entitled Friend or Foe?: Your Wearable Devices Reveal Your Personal PIN, the researchers at Binghamton University noted: "The threat is real, although the approach is sophisticated."
The Asia Conference on Computer Communications Security, which revealed the discovery a few months ago, described it as "a serious security breach."
In fact, the technology would theoretically be capable of translating hand movements over any keyboard, enabling it to capture long sequences of keystrokes.
The ability of thermal imaging equipment to use key heat to reveal PIN sequences has been known for a couple of years.
You can see an explanatory video of the technology in action below.
This number-stealing tactic actually works better with rubber and plastic keys than it does with metal -- and fortunately, most ATM keys are made of metal, which dissipates heat very quickly.
The good news is that both of these new tactics can be easily defeated with just a bit of forethought.
In the case of wearable devices, the logical and obvious thing to do is to get into the habit of keying in your PIN with the opposite hand to the one with the wearable device.
Security experts are also recommending that device makers incorporate "noise" technology that interferes with the signals they emit.
With heat detection, you can simply rest your fingers on other keys (without pressing them) both while you enter your PIN and after.
In the meantime, we're likely to see continued use of hidden cameras to read PINs so don't let your guard down at ATMs. Always shield the keypad with your other hand (the one with the wearable device!) as you type in the number.
You can also follow some of the tips in our earlier issue about ATM security: ATM Theft: 8 Tips to Protect Yourself From the 5 Most Common ATM Scams.
It's easy to feel a sense of outrage or even fear about the way crooks are able to exploit modern technology -- but we must realize this type of criminal activity is not going to go away.
In fact, it's likely to become even more widespread and we, as consumers, have to learn how to beat it, whether it's an attack on your ATM security or a snooper watching your smart TV.
Alert of the Week
A few weeks ago, we warned of the risk of flood-damaged cars being offered for sale in the wake of the severe flooding and storms in Louisiana.
Now, car data firm Carfax says it estimates more than 271,000 flood-damaged vehicles are back in use and therefore could potentially be offered for sale.
We've warned before about flood-damaged autos and the tricks scammers use to try to disguise their history: Scammers Dump Flooded Cars on Unsuspecting Buyers.
This time around there's a free and easy (but not totally foolproof) way of checking any vehicle you're considering buying.
Just collect the vehicle's identity number (VIN), usually visible on or through the windshield, and enter it at flood.carfax.com.
(Note: You're also required to enter your email address for the result of the check, and this sets up an account at Carfax.
There's no charge, but you may want to use a one-off email address or one you've set up specially for this type of registration.)
Time to conclude for today -- have a great week!