Protect Your PIN Number from Infrared Camera Theft

You Won't Believe How Easy It Is to Steal Your PIN Number

Since none of us use cash anymore (except for that one guy in accounting), often your PIN code is the only thing standing between a would-be thief and the piles of treasure you have stashed in your checking account.

Actually, the card plus PIN number is a reasonably good, if simple, implementation of the “something you have” plus “something you know” principle of security. Neither the card nor the PIN number is much good without the other. (We’re ignoring the fact that most debit cards can also be processed as credit cards for the moment.)

Obviously, hanging on to the card itself is a good start, so that covers the “something you have” side of the equation. But sleight of hand, accidental drops, and old-fashioned purse-snatching still happen today.

So that leaves us with the “something you know” piece: your PIN.

Why Be Concerned About Infrared PIN Theft?

Being a security-minded person, I’m sure you’re already in the habit of covering your fingers when entering PIN numbers. After all, it takes only a tiny bit of effort, and it prevents cameras and sneaky eyes from catching what you’re entering, right?


But what about heat?

You did know your fingers transferred heat to those keys, right?

And since heat dissipates at a linear rate, the heat signature reveals not just which keys got pressed, but also the order in which they were pressed!

But that’s not really a problem, right? After all, who has equipment that can detect heat?

Until recently, the ability to walk up to a PIN pad and detect which buttons had just been pressed required an expensive (and bulky!) infrared camera that would pick up the heat signature left by your fingers.

But with the advent of relatively inexpensive ($349) iPhone attachments, infrared smartphone camera technology is easily within reach of a ne’er-do-well… especially since they might recoup that much or more in just one ATM transaction. But even for one who’s looking for something less expensive (or who uses an Android device instead of an iPhone), there’s this Kickstarter project, or even a tutorial on how to build one with an old floppy disk! (…for the MacGyver types, evidently).

In other words: stealing your PIN even up to 1 minute after you enter it is pretty easy these days.

So What’s the Solution?

It’s pretty simple, really. Just touch your fingers to several buttons and hold them there while you’re entering your PIN.

Heat multiple buttons up, obfuscate the ones you pressed.
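
To put numbers on this advice, the following added example (not part of the original post) counts the PINs that stay consistent with what a thermal image shows, under a simplified model. The model, the function names `consistent_pins` and `search_space`, and the sample PINs are assumptions made for illustration.

```python
from itertools import product

def consistent_pins(warm_keys, pin_len=4, decoys_possible=False, cooling_order=None):
    """Return every PIN consistent with a thermal image of the keypad.

    warm_keys       -- keys that still show residual heat
    decoys_possible -- True if fingers rested on extra keys, so a warm key
                       is not necessarily part of the PIN
    cooling_order   -- keys from coolest to warmest (oldest to newest last
                       press), or None when no usable order is visible
    """
    warm = sorted(set(warm_keys))
    matches = []
    for seq in product(warm, repeat=pin_len):
        # Without decoys, every warm key must appear somewhere in the PIN.
        if not decoys_possible and set(seq) != set(warm):
            continue
        # Held-down decoy keys destroy the ordering signal, so order is only
        # applied in the no-decoy case (a modelling assumption).
        if cooling_order is not None and not decoys_possible:
            last = {k: i for i, k in enumerate(seq)}  # last press of each key
            if sorted(last, key=last.get) != list(cooling_order):
                continue
        matches.append("".join(seq))
    return matches

def search_space(pin, decoy_keys=""):
    """Candidate counts for one PIN (constructed sample input) in three cases."""
    last = {k: i for i, k in enumerate(pin)}
    order = sorted(last, key=last.get)        # pressed keys, oldest press first
    warm_with_decoys = set(pin) | set(decoy_keys)
    return {
        # Bare entry, image taken early enough that press order is readable.
        "order_visible": len(consistent_pins(order, len(pin), cooling_order=order)),
        # Bare entry, keys still warm but order no longer distinguishable.
        "order_lost": len(consistent_pins(order, len(pin))),
        # Fingers rested on extra keys while entering the PIN.
        "with_decoys": len(consistent_pins(warm_with_decoys, len(pin),
                                           decoys_possible=True)),
    }

if __name__ == "__main__":
    print(search_space("2580", decoy_keys="1379"))  # distinct digits
    print(search_space("2258", decoy_keys="14"))    # repeated digit
```

In this model a PIN with four distinct digits collapses to a single candidate when the press order is readable, while resting fingers on four extra keys leaves thousands of candidates; warming all ten keys leaves the full 10,000.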

Not so sure about all of this? Mark Rober made this video to demonstrate:

Oh yeah… and don’t use PINs that are easy to guess!

RIP: PayPal Plug-In – No More Single Use Debit Cards

PayPal Plug-In: Single Use Debit Cards

Recently, I received word from PayPal that they’ve decided to discontinue the incredibly useful PayPal Plug-in.

As the final day approaches, PayPal doesn’t seem to be backing down from its impending termination. September 22, 2010 is officially the last day to use the tool.

It’s a sad day. This has been, by far, one of PayPal’s most valuable features.

What Are Single Use Debit Cards?

To anyone who makes online purchases, having the ability to generate a valid, disposable card number is a dream come true. If you’ve ever had a debit card number compromised — either because of bank error, security breaches, or just jerks who get lucky with their random card number software — you know how painful it is to clean up the process. You get to contact the issuing bank, cancel the card, go without usage of it for days or even weeks while they replace it, and deal with the whole issue of getting your money back from whoever may have successfully nabbed some.

What a mess!

It’s like “Identity Theft Lite.”

A couple of years ago, we went through a nasty streak of these problems at my house. On multiple issuing banks, we had several business and personal debit cards compromised. In some cases, there were fraudulent charges (or in some cases, just authorizations). In other cases, we were informed by the bank that there was a breach of security and they recommended immediate replacement.

It’s not a fun situation. Especially when you have meticulous habits (as we do in my house) around using card numbers at reputable sites only, always verifying SSL status before punching a card number in, using firewalls when surfing at public hotspots, etc…

It seems that you can’t be too careful. And even when you’re doing your best, you can get stung through no fault of your own.

So, imagine my delight when I discovered that PayPal was offering a free piece of software that permitted me to generate a brand new card number on demand. There was no physical card attached at all. It was merely a valid card number, complete with its own expiration date (usually about 2 months from the date it was generated), valid CVV digits, and billed to the billing address on my PayPal account. And the best thing? It could only be used once.

So… about to make a purchase from an online retailer that wants to store your credit card information (for your convenience, of course!)? Just open the plug-in, log in to PayPal with your password, and in a click or two and about as many seconds on the clock, you’d have a card number that would be approved right away for your purchase… but would forever be declined thereafter.

They even gave me an option of creating multiple use card numbers for recurring billing purposes. Need to be able to track charges from a certain retailer, vendor, or supplier? No problem. Just generate a multiple-use card number for that vendor, and you’re in full control. You can cancel the number at any time to stop them from charging you… without having to go through the hassle of replacing your physical card and getting stuck without the ability to use it in the meantime.

Don’t have your wallet close by while you’re trying to check out of a website with a purchase? No problem. Just open up another browser window and crank out a valid card number on the spot.

I could go on and on. The usefulness of this fantastic service seemed to grow by the day.

In All Fairness…

The software itself left something to be desired. Originally, I installed the plug-in on my Firefox browser. Over time, as Firefox was updated, the plug-in didn’t get along with it so well. So… I ended up having to install it on the dreaded Internet Explorer. That was a pain… especially since I trust Internet Explorer as far as I can throw it. (Ever tried to throw a piece of software?)

But… despite the rather clunky user interface, and the annoying and odd fact that there was no way to get to your previously generated cards, receipts inbox or the other nifty features of this tool from the main PayPal website (the only way to open that part of their site was to use the plug-in… which took you to that magical part of the site), the tool was still nothing short of invaluable.

What To Do?

Honestly, I don’t know. I’m searching for “Virtual Debit Cards,” or “Secure Debit Card Generator,” or “Single Use Debit Cards,” or “Disposable Debit Card” online. Nothing so far seems to be a good match. I’ve found a number of complaints in the PayPal community forums where users like me are publicly lamenting the loss of this tool. There are some complaints from international users that they never had access to the tool to begin with (apparently it was only for US customers).

But nothing that looks like it could serve as a replacement for this valuable tool.

I can’t help but suspect that I’ll be using PayPal less and less. And I’ll probably be more inclined to move any balance in my PayPal account much more quickly into my main business checking account. I’m sure I’ll still use the PayPal debit card that I carry for my business… but probably less often.

Will that hurt PayPal? Probably not much. I’m certainly only one business owner… and I’m guessing that adoption of this tool wasn’t very widespread (otherwise they’d be more aggressively announcing alternative features). So… I’m sure they calculated the risk associated with cancelling the tool and decided it was worthwhile for whatever reason.

But I’ll be moving at least some of my PayPal business once I find a replacement solution.