Criminals Can Use Finger Heat to Steal Your ATM PIN Code


I remember about 10 years ago the bank I was using changed the sequence of cash withdrawals: instead of giving the card back and then the cash, they started giving the cash and then the card. After withdrawing some money, I was about 10 feet from the ATM before I realized that I didn’t have my card. When I turned around, the next person in line was already on the withdraw cash screen. That was the closest I have ever come to having my bank account compromised.

Turns out that criminals now have some additional tricks they can play with. In Canada there seems to be a huge campaign telling people to shield the entry of their PIN at grocery stores, etc. Well, this new technique doesn’t need to see your code as it is pressed; rather, it just needs access to the keypad shortly after the code was entered. Of course, this PIN alone is meaningless unless the crooks have physical access to your card or were able to get a swipe of the magnetic strip. I wonder if we might see some banks swapping out the regular plastic keypads for metal ones, which are apparently not susceptible to this exploit. I personally would be more concerned about this vulnerability being used to get codes for door access keypads and safe codes.

“The research, which Mowery conducted with fellow student Sarah Meiklejohn and professor Stefan Savage, is based on previous work by well-known security researcher Michal Zalewski, who in 2005 used an infrared camera to detect codes punched into a safe with a keypad lock. While Zalewski was able to detect the codes even after five minutes, the UCSD researchers found that the chance of extracting the proper digits dropped to about 20 percent after 90 seconds.”

With this process being about 80 percent accurate, I am thinking we might see some very smart card skimmers come out within the next few years that use accelerometers to determine what keys were pressed with similar accuracy. This technique has been shown to work by Georgia Tech graduate student Arunabh Verma, Georgia Tech Ph.D. student Henry Carter and Philip Marquardt of the MIT Lincoln Laboratory. They used an iPhone on a desk beside a computer keyboard to detect the keys being typed and were able to determine what was being typed with an 80% accuracy level.