PhotoYour passcodes and PINs (personal identification numbers) are at risk from a threat few people know about: cheap and ubiquitous thermal-imaging technology.

Thanks to thermal-imaging, any code you type into a push-button keypad — such as typing your PIN when you swipe your card at a cashier checkout or ATM, or typing an entry code into a push-button door lock — is easy for a thief with the right smartphone attachment to steal.

Luckily, it's just as easy to protect yourself from such PIN theft, and you don't even need any special technology to do it.

Former NASA engineer Mark Rober explained how this works in a four-minute video he posted on YouTube this weekend, demonstrating how very easy it is for an iPhone user with a FLIROne thermal-imaging attachment to steal your PIN by simply tracing the heat signature of your fingertips across the buttons.

“Thermal imaging” refers to the ability to literally see (or photograph) heat. Heat actually generates its own light — light which human eyes cannot detect, because we can't see infrared radiation: of all the many types of radiation in existence, we can only see the relatively tiny bit of the spectrum which we call “visible light.”

You're familiar with the so-called seven colors of the rainbow, the ROY G BIV spectrum: red, orange, yellow, green, blue, indigo and violet. Red and violet basically mark the two limits of the spectrum visible to us. We can't see what comes before red (infrared) or after violet (ultraviolet), but we can still feel their effects — we feel infrared radiation as heat, and get sunburned after too much exposure to ultraviolet.

Though our own eyes can't detect it, humanity has had the technological ability to “see” or detect heat/infrared light for more than a hundred years; the first camera capable of thermal imaging was invented in 1929. Until recently, thermal-imaging devices were large, bulky and incredibly expensive … but a FLIROne phone attachment costs less than $350 and looks like a smartphone case.

Holding the phone

In Rober's video, he went to the grocery store and demonstrated how easily he could steal the PIN of another woman in line ahead of him: she paid for her purchases by swiping her credit or debit card, then typing her PIN code into the keypad.

After she left, Rober casually held his phone over the keypad. (When you watch him do this in the video, he looks no different from someone merely “holding his phone” – no casual observer would guess he was actually taking a photograph or otherwise collecting data with it.)

The scene switched to Rober standing in his own living room. “So let me explain what just happened,” he said. He showed how the FLIROne attachment fit onto his phone, and gave a brief explanation of how thermal imaging works. The video then panned over the empty sofa where Rober had been sitting until 30 seconds before; a thermal imaging photo of the sofa clearly showed exactly where Rober had been sitting, a spot still glowing from the warmth of his body heat.

Over time, of course, that bright spot faded, as the leftover body heat in the sofa dissipated. But that's exactly why thermal imaging can be used to figure out your PIN: “Your fingers leave a thermal signature when you type your PIN code into a debit-card machine like this, and as you can see, in this case, the PIN code was 1-2-3-4-5.”

As Rober said this, the video showed his fingers under normal light pressing buttons on a debit-card machine; then it switched to a thermal image showing buttons 1 through 5 glowing with varying levels of heat-brightness.

Since heat fades over time, the most recently pressed button will shine the most brightly when viewed under thermal imaging, whereas the first button pressed will be the most dim, since it's had the most time to cool down. That's how someone can not only determine which buttons you pressed, but in which order.

This works better on some keypads than others. Metal keypads, such as the type found in most ATMs, tend to dissipate heat very quickly, so it's difficult to break your PIN with thermal imaging. But plastic or rubber buttons can be thermally read up to a minute after they were initially pressed.

Luckily, making your PIN code's heat signature unreadable to thermal-imaging cameras is very easy to do. Rober explained how on his video: “It is really easy to defend against this by simply resting your fingers on other buttons as you type in your code. As you can see here, this simple precaution makes a meaningless thermal signature.”

When Rober typed in his code while resting his fingers on other buttons, almost all of the buttons on the keypad glowed with bright heat signatures, making it impossible to figure out which buttons he actually pressed, or in which order. So anytime you press a code into a rubber or plastic keypad, remember to rest your fingers on other buttons at the same time, in case there's any thermal-imaging cameras you need to thwart.


Share your Comments