The method works even when the client ATM covers the input panel with the hand.
Researchers in Italy and in the Netherlands have developed a method of machine learning that can detect a PIN code entered by a man at an atm. The new method works even when the client ATM covers the input panel with the hand.
The developed method includes the training of a neural network specific convolutional (CNN) and a form of short-term memory to long-term (LSTM) on the video recordings of the insertion of a PIN code that is covered by a hand. A system that monitors the movements and the positioning of the hands during the insertion of the PIN can predict 41% of the PIN is 4 digits, and the 30% of the PIN codes are 5 digits in three attempts (the maximum number of attempts allowed by the bank before blocking the account of a client). The tests involved 58 volunteers who have used PIN codes random.
Since it is unlikely that the screen of the ATM may be hidden during the PIN entry, the time of typing can be set by synchronizing the movements of the hand with the appearance of numbers “masked” (usually asterisks) that appear on the screen of ATM in response to a user request. The synchronization shows the exact position of the hands in the script “hidden” at the time of typing.
The data collection was carried out in two sessions using volunteers right-handed for the study. Each participant has typed 100 PIN codes to 5-digit randomly generated, ensuring that all ten of the possible sequences of keys are covered in a uniform way. Therefore, the researchers collected 5.800 single PIN entries.
The data sets were divided into training set, validation and test, with training conducted on an Intel Xeon processor running on a processor E5-2670 to 2.60 GHz with 128 GB of RAM. The data have been implemented in Keras2.3.0-tf (TensorFlow 2.2.0) and Python 3.8.6 on three GPU Tesla K20m with 5 GB of video memory each.
Considering the countermeasures to existing systems, the researchers believe that there are no means of protection is actually effective against such attacks. The increase in the minimum number of digits required in a PIN to make it difficult for the storage of numbers, the random order of the numeric keys on the virtual keyboard of the touch screen will also cause usability problems, and the screen protectors will not only be expensive to install on existing ATM, but maybe it will make the method of attack, even easier to implement. The researchers say that their attack is feasible, even when 75% of the keyboard is hidden (close to and more make it difficult for the user to enter text).