Using Machine Learning to Guess Pins from Video (schneier.com)
17 points by CapitalistCartr on Oct 22, 2021 | 14 comments



I don't get it, really.

They are comparing this with (good ol') card skimmers, but with those you get BOTH the data on the card (magnetic stripe or chip/whatever, i.e. you can - in theory - clone the card at leisure) AND the PIN, with this attack you ONLY get the PIN (possibly 4 times out of 10), so you need to somehow rob the user "on the spot" either by dexterity or at - say - gunpoint to get the card, it would be easier to just go for the money the customer just got from the ATM, you will have 10/10 success.


You'd be impressed how good some people are at stealing items off you in plain sight. There was a dude on a DEFCON talk I believe who could steal the watch right off of people's wrists and most people only noticed like a minute later - and they were paying attention. A skilled pickpocket could steal a card and be able to withdraw cash up to your limit at a back alley ATM compared.

Theft is easy to conceal and deny, robbery (esp. armed robbery) is the exact opposite. As for skimmers, do any ATMs these days even accept magstripe? EMV cards are extremely difficult to clone so skimmers seem a bit useless.


Rest assured, I have some familiarity with pickpocketing[1], at least here (Italy) there is a hard limit on ATM draws (it depends on the actual card of course) typically 500 Euro per day on ATMs of the same bank that issued the card or 250 on other banks.

So you go to the ATM and draw 500 Euro from it, I then can choose, after having set up the camera, the AI (or whatever), a powerful computer to run it, etc. between pickpocketing the card, and then be able to draw - on average - 40% of either 250 or 500 Euro or pickpocketing the 500 Euro directly. (of course I cannot wait "tomorrow" as in the meantime you will have realized that your card is missing and blocked it).

So, as I see it, this approach is only somehow an advantage if you draw less than or around 40% of 250 Euro, 100 Euro or so.

[1] not direct experience but it was more or less "invented" in Italy, the first (unofficial) official school for pickpocketing assertedly dating back to 1864:

https://www.fabriziosalce.it/la-scuola-per-borsaioli-del-bal...


Depends on where you are I guess. Italy has a lot of tourists (in big cities at least) who often carry large amounts of cash, so taking cash does make sense. But I doubt most other people carry 500 € on them. In my experience most people regularly carry at most 50 € in cash, so going for cards makes sense. As you said, ATM limits of 250-500€ are common, but that still beats the contactless limit of 25€ (not to mention you get cash and it's easier to conceal your identity at an ATM than a store).

So up to 50€ in cash and 25€ in stuff vs up to 550 € in cash (on hand + ATM limit) sounds worth the effort to me.


Still, yes and no.

My (simplistic but simple) "get the money (and card, but without PIN) and run" approach is working 100% of cases (if you are a good pickpocketer).

Your "get the money and the card and then use a sophisticated computerized method" is - at most - working 40% of cases (and you need to be BOTH a good pickpocketer AND a computer expert OR have a computer expert as accomplice[1]).

If we imagine that 1/3 of people are like you say (with just 50 Euro), 1/3 is like I say (500 Euro) and 1/3 are mid-way (let's say 250 Euro), on average 12 "jobs" I have (let's exclude the 25 contactless, as they are the same in both cases):

4x50x100%=200

4x250x100%=1000

4x550x100%=2200

Total 3400

vs.

12x550x40%=2640

I am still ahead, if we have 1/2 at 50, 1/4 at 200 and 1/4 at 500:

6x50x100%=300

3x200x100%=600

3x550x100%=1650

Total 2550

we are roughly on par (I have no expenses for the computers, cameras etc.).

BTW, "my" method is old, proved, always worked and will always work, "your" is going to have a hit now that these scientists told everyone about the method, people will start using "finger movements concealing devices"[2].

[1] in this latter case you will also have another person to divide profits with

[2] the effectiveness of which might be the topic of a new article, besides the title of a new US patent application


>This works even if the person is covering the pad with their hands.

That is incredible! It's not just ATM PINs this could apply to. It's not a stretch of the imagination to expect a state intelligence agency monitoring an embassy or a dissenter's apartment keypad and applying techniques like this.


IIRC there was a paper on recovering text, including passwords, from the keypress sound variation recorded by a microphone on the table next to the keyboard (e.g. in a compromised phone).


https://arxiv.org/abs/2110.08113v1

I like that they include time estimates on this "several months of data acquisition", as they themselves note this is both fast and slow.


This is why scrambling keypad numbers isn't a totally user-hostile idea:

https://twitter.com/tresdessert/status/1436767546460487680?s...


Well, if the numbers were scrambled, then the user would need to look at them - so a video from the same perspective would record both the numbers and how they get entered, and it would not help in any way.


The surveyed users had an accuracy of 8% doing the prediction manually in the same settings on a 5 digit pin. So scrambling seems like a good idea if you are going to use a PIN.


I don’t know why I can’t get money from the ATM with Apple Pay. Wouldn’t it be more secure? No card. No pin.

Alternatively maybe a TOTP with a seed via a QR code and entered on the pad? Surely there are better ways than a static pin…


Because ATMs existed 30 years before Apple Pay?

Because it would cost a great deal of money to add Apple Pay functionality to ATMs?

Because adding other options increases the surface area of potential attacks - with technologies that are not within the scope of control of the ATM industry?

And why just Apple Pay? Why not other options?

When it comes to the financial system, consumer convenience is one of the lowest priorities.


I remember there being an app which could do the same for your phone using the Accelerometer/IMU readings & another approach which used the mics as well to pick up touch events.



