Hand Me Your PIN! Inferring ATM PINs of Users Typing with a Covered Hand

by   Matteo Cardaioli, et al.

Automated Teller Machines (ATMs) represent the most used system for withdrawing cash. The European Central Bank reported more than 11 billion cash withdrawals and loading/unloading transactions on the European ATMs in 2019. Although ATMs have undergone various technological evolutions, Personal Identification Numbers (PINs) are still the most common authentication method for these devices. Unfortunately, the PIN mechanism is vulnerable to shoulder-surfing attacks performed via hidden cameras installed near the ATM to catch the PIN pad. To overcome this problem, people get used to covering the typing hand with the other hand. While such users probably believe this behavior is safe enough to protect against mentioned attacks, there is no clear assessment of this countermeasure in the scientific literature. This paper proposes a novel attack to reconstruct PINs entered by victims covering the typing hand with the other hand. We consider the setting where the attacker can access an ATM PIN pad of the same brand/model as the target one. Afterward, the attacker uses that model to infer the digits pressed by the victim while entering the PIN. Our attack owes its success to a carefully selected deep learning architecture that can infer the PIN from the typing hand position and movements. We run a detailed experimental analysis including 58 users. With our approach, we can guess 30 attempts – the ones usually allowed by ATM before blocking the card. We also conducted a survey with 78 users that managed to reach an accuracy of only 7.92 countermeasure that proved to be rather inefficient unless the whole keypad is shielded.


page 5

page 7

page 8

page 9

page 10

page 12

page 17

page 18


Adversarial Attacks on Remote User Authentication Using Behavioural Mouse Dynamics

Mouse dynamics is a potential means of authenticating users. Typically, ...

Your PIN Sounds Good! On The Feasibility of PIN Inference Through Audio Leakage

Personal Identification Numbers (PIN) are widely used as authentication ...

LTU Attacker for Membership Inference

We address the problem of defending predictive models, such as machine l...

Amnesiac Machine Learning

The Right to be Forgotten is part of the recently enacted General Data P...

Explainability-based Backdoor Attacks Against Graph Neural Networks

Backdoor attacks represent a serious threat to neural network models. A ...

Repttack: Exploiting Cloud Schedulers to Guide Co-Location Attacks

Cloud computing paradigms have emerged as a major facility to store and ...

Please sign up or login with your details

Forgot password? Click here to reset