So, until some “velocity checks” (counters) are added to CVV2 validators, this is the lowest hanging card. The funny thing is that, since it only takes 6 seconds, changing the CVV every hour doesn’t really work, here, so the new Motion Code is not a good countermeasure.

Smart card hardliners will tell you that this isn’t a smart card issue. Sure, but it’s related, mostly because however high, there is always a lowest hanging card. Smart cards (with EMV) have been quite efficient at curbing card-present fraud, because the chip computes a dynamic verification code for every transaction. During the EMV rollout, fraud was taking place in countries where smart cards were not used. As this rollout is getting closer to completion, this opportunity is slowly going away.

The new lowest hanging fruit is online transactions. EMV doesn’t work online, mostly because all attempts to introduce card readers on normal PC’s have failed, so our smart cards are useless here. And because consumers haven’t been used to use their cards’ chips during online transactions, they won’t do it on mobile transactions either.

Sadly, commerce is moving online these days, so it is not good news to find the lowest hanging fruit there. The CVV2 check will be fixed, and more merchants will use 2-channel verification methods like “Verified by Visa”. Then, it is not obvious to know what will be the new lowest hanging fruit.

One solution is to use mobile payment, which offers a much better security these days. It works for in-person payments, and it is starting to work for online payments made on phones. I haven’t seen mobile payment used for to verify online transactions not made on a phone, but this would be very easy to do.

The first one is an attack on ATMs, with a thermal camera, hoping that your fingers stay on the keys long enough to heat them up. Well, it seems that if all conditions are good, the trick can work. The great thing about this attack is that it naturally captures the order (the warmest key is the last one). The attack even works well in optimal conditions (recovering half of the PIN codes after one minute), which sounds good, even a bit alarming.

Luckily, it is quite sensitive to various conditions, like the material in which the keys are made (plastic seems better for the attack than metal, which conducts heat away too easily). Having cold fingers also is a good security measure, since the amount of heat transferred is lower. The researchers haven’t tried it, but the temperature of the environment should also have some influence. So, against this attack, I guess that selecting an ATM in full sun, with metal keys (the authors’ recommendation) and wearing gloves should make it.

The second attack is about using a smartphone’s motion sensor to guess a PIN code typed on it. Of course, when you type on a smartphone while holding it, you apply some pressure on the screen, and the result in terms of movement depends on where you type. It doesn’t work as well as the previous attacks, but apparently, they get over 70% of the digits typed on a 10-digit keyboard.

The obvious countermeasure is to make sure that your phone is safely lying on a table, which will severely limit any movement. In terms of countermeasure, this also raises the bar for people who are developing systems that protect the touchscreen: well, you may as well protect the motion sensors, because if a hacker controls that, he may just get the PIN code that we want to protect. Of course, that ‘s until another attack comes, using another sensor.

For me, these two attacks have in common to be absolutely obvious. You just read the title of the paper and you think “Of course, this is nice”. And yet, they are quite practical, and they can become a real problem for real people. They also both rely on using a disruptive attack technology: PIN protection requirements usually don’t consider thermal cameras and motion sensors as potential threats, but they may in he future. This is another reminder that security is a wonderful job, because as soon as you have covered all known threats, new ones come up that you also need to cover.