Date: 2021-10-20

When you type your PIN on an ATM, the usual advice is to cover the keypad with your other hand, to guard against hidden cameras that could film the entry without your knowledge. Unfortunately, researchers from the universities of Padua (Italy) and Delft (Netherlands) have just shown that it is still possible to guess a certain number of PIN codes, thanks to artificial intelligence.

Indeed, even if the keypad is not visible, analyzing the movements of the hand is enough to give an indication of which key was pressed. To confirm this theory, the academics filmed 58 people each typing a hundred random PIN codes. Each key press was isolated, cropped and rendered in black and white, in order to obtain identically labeled and calibrated sequences. These were then fed to a convolutional neural network to create a model capable of guessing the typed digit from the movement of the hand.

Result: the system is able to recover between 10% and 40% of four-digit PIN codes, depending on the conditions under which the neural network was trained. Prediction performance is lowest if the training was done on any ATM keypad. It can go up to 35% if the keypad is the same as the one used by the targeted victims. And it is highest if both types of keypads were used. Obviously, performance decreases as the number of digits in the PIN increases. For five digits, an accuracy of around 30% is achieved at best.

Protecting against this attack is not simple. The number of digits in the PIN could be increased, but that would make it harder for users to remember. Virtual keypads where the position of the digits is random could be deployed, but this is expensive and complicates the user experience, especially since users often remember their code by the gestures they make. Overall, the risk of this kind of attack is still relatively low. Attackers would not only have to perform this image analysis, but also get their hands on the bank cards in question.
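The randomized-keypad mitigation mentioned above, as an added sketch that is not taken from the research report: it shuffles a virtual keypad and counts how many PINs remain consistent with the touched key positions. It assumes an observer who recovers every touched position perfectly but cannot see the on-screen layout; all function names and sample PINs are hypothetical.

```python
import secrets

DIGITS = "0123456789"

def new_layout():
    """Per-session virtual keypad: layout[position] -> digit, shuffled with a CSPRNG."""
    keys = list(DIGITS)
    secrets.SystemRandom().shuffle(keys)
    return keys

def positions_for(pin, layout):
    """Positions the user touches to enter `pin` (assumed fully visible to the observer)."""
    return [layout.index(d) for d in pin]

def decode(positions, layout):
    """Terminal side: translate touched positions back into digits."""
    return "".join(layout[p] for p in positions)

def candidates_fixed_layout(positions):
    """Known, fixed keypad: the positions identify the PIN exactly."""
    return 1

def candidates_session_shuffle(positions):
    """Unknown layout, shuffled once per session: every injective assignment of
    digits to the distinct positions seen is possible, so repeats still leak."""
    count = 1
    for i in range(len(set(positions))):
        count *= 10 - i
    return count

def candidates_per_key_shuffle(positions):
    """Unknown layout, reshuffled before every key press: positions carry no information."""
    return 10 ** len(positions)

if __name__ == "__main__":
    layout = new_layout()
    for pin in ("4917", "1123", "7777"):  # constructed sample PINs
        pos = positions_for(pin, layout)
        assert decode(pos, layout) == pin
        print(pin, candidates_fixed_layout(pos),
              candidates_session_shuffle(pos), candidates_per_key_shuffle(pos))
```

With a layout shuffled only once per session, a PIN with repeated digits stays far easier to guess than one with four distinct digits; reshuffling before each key press removes that difference.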

Source: Research report