Thermal Imaging Smartphone Accessory Leaves Millions of Cash Machine Users at Risk

Once The Sole Preserve of Only The Best-Equipped Attacker

by Dave Wray, Principal Consultant at Sec-Tec




UK security consultancy firm Sec-Tec has warned consumers that a readily available smartphone
accessory can be used to steal customers’ PINs within seconds.

The thermal imaging device is worryingly being sold across the Internet as an iPhone accessory
costing less than £200. Once the sole preserve of the best-equipped spies in blockbuster movies,
the technology has created an increased risk for millions of push-button security devices from door
entry systems to safes.

The device has its advantages for criminals: traditional ATM fraudsters are often impeded by
customers blocking the keypad with their hand, which renders the skimmed data more or less useless.
With this new accessory, the heat from a person’s fingertips leaves a trace on the keypad that
remains readable for around a minute.

But while identifying the keys pressed is straightforward, knowing the order in which they were
pressed is considerably more difficult for fraudsters. However, the security firm has created various
undisclosed methods that considerably aid the identification of key ordering, although most keypad
devices have no lock-out mechanism, meaning that only a set number of possible combinations of
the four-digit code are correct.

Sec-Tec has identified two simple techniques that anyone can implement to stop the device
successfully recording the heat trace – namely, using a metal object such as a key to press the
buttons, or rubbing the full keypad as a way of ‘erasing’ the trace history.

"The thermal imaging device exposes millions of push button locks & ATMs around the world as the
digital security arms race gets ever more sophisticated," said David Wray, Principal Consultant at
Sec-Tec.


About The Author

Dave Wray is the Principal Consultant at London-based security consultancy Sec-Tec Ltd. The
company was formed in 1999 and provides penetration testing and vendor-independent information
security services to a wide range of public and private sector clients, including global law firms and
FTSE 250 financials. Its vendor-agnostic approach enables the objective delivery of security
services without any hidden agenda. Sec-Tec is currently ISO9001 and ISO27001 certified and
employs Tigerscheme (http://www.tigerscheme.org/) certified staff.

Dave Wray can be reached online at the company website https://www.sec-tec.co.uk/



Cyber Warnings E-Magazine – September 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
