
Don’t Forget to Include that Camera in the Threat Model: Vulnerability of ATM Systems due to Surveillance Cameras

Authors:

Piyumi Seneviratne,

University of Colombo School of Computing, LK

Dilanka Perera,

University of Colombo School of Computing, LK

Harinda Samarasekara,

University of Colombo School of Computing, LK

Chamath Keppitiyagama,

University of Colombo School of Computing, LK

Kasun De Soyza,

University of Colombo School of Computing, LK

Kenneth Thilakarathna,

University of Colombo School of Computing, LK

Primal Wijesekera

University of California, US

Abstract

Video Surveillance Systems (VSS) that are used to provide physical protection to assets and personnel of organizations open up new information channels, but they are often not considered an integral part of the organization's information system. Therefore, more often than not, VSS is not considered when designing and evaluating organizations' information security. Hence, a VSS may weaken the information security of an organization while strengthening physical security. We present one such threat: the VSS used in ATM kiosks of Sri Lankan banks can severely weaken ATM PIN security due to the ad hoc placement of cameras. While we have observed that in some installations the video camera directly captures the PIN pad, we show that the visibility of forearm movements is sufficient to infer PINs with a significant level of accuracy. We used a mock-up of an ATM kiosk for our analysis, and we show that a human observer can guess a PIN with 22.5% accuracy within 3 attempts without a view of the PIN pad. A computer can infer the PIN from the same footage with an accuracy of 50% using a straightforward algorithm. Critical processes in the banks, such as authentication, are built around the assumption of the confidentiality of the PIN, and banks thus invest heavily in the PIN generation process. This well-protected PIN is exposed to the VSS when it is entered, thus violating a crucial assumption. However, this violation has hitherto gone unnoticed by the banks' security audits because VSS is not considered an inalienable component of the information system.
How to Cite: Seneviratne, P., Perera, D., Samarasekara, H., Keppitiyagama, C., De Soyza, K., Thilakarathna, K. and Wijesekera, P., 2021. Don’t Forget to Include that Camera in the Threat Model: Vulnerability of ATM Systems due to Surveillance Cameras. International Journal on Advances in ICT for Emerging Regions (ICTer), 14(3), pp.24–35. DOI: http://doi.org/10.4038/icter.v14i3.7229
Published on 04 Aug 2021.
Peer Reviewed
