Credit card PINs can be guessed even when covering the ATM pad
2021-10-18 12:00

Researchers have proven it's possible to train a special-purpose deep-learning algorithm that can guess 4-digit card PINs 41% of the time, even if the victim is covering the pad with their hands.

The attack requires setting up a replica of the target ATM, because training the algorithm for the specific dimensions and key spacing of each PIN pad is crucially important.

Next, the machine-learning model is trained to recognize pad presses and assign probabilities to a set of guesses, using video of people typing PINs on the ATM pad. For the experiment, the researchers collected 5,800 videos of 58 different people of diverse demographics entering 4-digit and 5-digit PINs.

Using three tries, which is typically the maximum number of attempts allowed before the card is withheld, the researchers reconstructed the correct sequence for 5-digit PINs 30% of the time, and reached 41% for 4-digit PINs.

This experiment proves that covering the PIN pad with the other hand is not sufficient to defend against deep learning-based attacks, but thankfully, there are some countermeasures you can deploy.

Interestingly, the researchers used the experiment's video clips in a survey with 78 participants to determine whether humans could also guess the concealed PINs, and to what extent.


News URL

https://www.bleepingcomputer.com/news/security/credit-card-pins-can-be-guessed-even-when-covering-the-atm-pad/