Visible to the public Impact of Video Surveillance Systems on ATM PIN Security

TitleImpact of Video Surveillance Systems on ATM PIN Security
Publication TypeConference Paper
Year of Publication2020
AuthorsSeneviratne, Piyumi, Perera, Dilanka, Samarasekara, Harinda, Keppitiyagama, Chamath, Thilakarathna, Kenneth, De Soyza, Kasun, Wijesekara, Primal
Conference Name2020 20th International Conference on Advances in ICT for Emerging Regions (ICTer)
KeywordsATM security, Cameras, Computer vision-based attacks, Guidelines, Human Behavior, Inferring keyboard inputs, Interviews, Metrics, Online banking, PIN security, Pins, pubcrawl, Resiliency, security, shoulder surfing, side-channel attacks, Side-Channel vulnerabilities, surveillance, surveillance camera, threat modeling, video analysis, video surveillance
AbstractATM transactions are verified using two-factor authentication. The PIN is one of the factors (something you know) and the ATM Card is the other factor (something you have). Therefore, banks make significant investments on PIN Mailers and HSMs to preserve the security and confidentiality in the generation, validation, management and the delivery of the PIN to their customers. Moreover, banks install surveillance cameras inside ATM cubicles as a physical security measure to prevent fraud and theft. However, in some cases, ATM PIN-Pad and the PIN entering process get revealed through the surveillance camera footage itself. We demonstrate that visibility of forearm movements is sufficient to infer PINs with a significant level of accuracy. Video footage of the PIN entry process simulated in an experimental setup was analyzed using two approaches. The human observer-based approach shows that a PIN can be guessed with a 30% of accuracy within 3 attempts whilst the computer-assisted analysis of footage gave an accuracy of 50%. The results confirm that ad-hoc installation of surveillance cameras can weaken ATM PIN security significantly by potentially exposing one factor of a two-factor authentication system. Our investigation also revealed that there are no guidelines, standards or regulations governing the placement of surveillance cameras inside ATM cubicles in Sri Lanka.
Citation Keyseneviratne_impact_2020