Credit card PINs can be guessed even when covering the ATM pad (Security News, October 2021)
Researchers have proven it's possible to train a special-purpose deep-learning algorithm that can guess 4-digit card PINs 41% of the time, even if the victim is covering the pad with their hands.
The attack requires setting up a replica of the target ATM, because training the algorithm for the specific dimensions and key spacing of the different PIN pads is crucially important.
Next, the machine-learning model is trained to recognize pad presses and assign specific probabilities to a set of guesses, using video of people typing PINs on the ATM pad. For the experiment, the researchers collected 5,800 videos of 58 different people of diverse demographics, entering 4-digit and 5-digit PINs.
By using three tries, which is typically the maximum allowed number of attempts before the card is withheld, the researchers reconstructed the correct sequence for 5-digit PINs 30% of the time, and reached 41% for 4-digit PINs.
This experiment proves that covering the PIN pad with the other hand is not sufficient to defend against deep learning-based attacks, but thankfully, there are some countermeasures you can deploy.
Interestingly, the researchers used the experiment's video clips in a survey with 78 participants to determine whether humans could also guess the concealed PINs, and to what extent.